When the sensitive information of citizens is at risk, cybersecurity is more important than ever. Chris Santucci took over as Chief Information Security Officer (CISO) at State of Montana in August 2023, he brought with him a passion for security and a desire to drive the State’s needs home through a culture shift.
Santucci cut his teeth in the US Navy. He worked in law enforcement with his canine partner before attending graduate school to study criminology. He got into a method of social science called network science – specifically, illicit networks. Through delving into cybercrime, Santucci naturally fell into cybersecurity, which sparked a passion for it.
“I just became enamored with the field,” Santucci explains. After finishing his graduate program, he got a job with Montana’s Department of Public Health and Human Services. He managed some IT systems there, eventually leading the enterprise incident response team. And, when the previous CISO decided to move on, Santucci stepped in as acting CISO.
Serving the People of Montana
Santucci’s MO, and the MO of his team, is to make sure the citizens of Montana get the services they rely upon. They exist to safeguard the data that people have entrusted to the government. The State of Montana has privacy baked into its constitution, so the public is very protective of its data, and Santucci’s team has a statutory responsibility to protect what’s been given to them.
Now, as Chief Information Security Officer, Santucci is in one of two IT roles defined in statute. He’s in charge of enforcing security and protecting the state’s information assets, “meaning all of our cabinet-level agencies, with the exclusion of most of our elected officials,” he explained. “There are some agencies that have adopted executive security strategies. I connect with them once a month to make sure we’re all on the same page. We have a great working relationship, and my team is outstanding. I love my job.”
Overcoming Shadow IT
Santucci identified a need to change unintentional behaviors that could pose security risks. When questioned about why things needed to change, he stepped back and asked himself why he had received that message at all.
“I was acting CISO at the time and wanted to understand what the problem was. In the end, we worked to mitigate the impact on business while complying with the requirements. I realised that when security blocks business, we create an environment that weakens what we are working to strengthen, since some choose not to comply to save time or bypass it altogether. That’s what shadow IT is. Most people aren’t trying to be bad; they just need to do something, and security isn’t letting them, so they find a way around it.”