The North Carolina Department of Information Technology last Friday announced the appointment of Torry Crass, the chief information security officer for the North Carolina State Board of Elections, as the new statewide chief risk officer.
Crass, who’s led election-security efforts since 2019, fills a vacancy opened last December with the retirement of former chief risk officer Rob Main. Crass’ new role puts him in charge of a cybersecurity office that’s been at the forefront of developing a “whole-of-state” strategy — a top-down approach in which the state government shares its resources with local governments, public school systems and critical infrastructure sectors.
As the State Board of Elections’ CISO, Crass oversaw an operation responsible for the cyber and physical security of North Carolina’s voting technology, developing incident response policies and tabletop drill exercises, analyzing threat intelligence and serving as a liaison to the federal government and other state agencies, including NCDIT. Crass worked for the elections board as a contractor — an arrangement the board created in 2019 when it wanted to build out its cyber program, but lacked the financial resources to hire a fully internal staff.
“It brings a team to a table,” Crass told StateScoop in a 2020 interview. “There’s a team that allows different industry experiences to come together and compare notes to give NC the best information possible for what a path forward in any given situation is, rather than have to pay for two, three, four people at those salary points.”
Chief risk officer will be Crass’ first full-time public-sector job after more than 20 years in private-sector cybersecurity roles. Among his new duties is to help lead the recently strengthened North Carolina Joint Cybersecurity Task Force, an interagency panel that includes officials from the IT department, state Department of Emergency Management, the National Guard and members of a local-government IT association. Gov. Roy Cooper last year signed an order giving the task force a greater hand in providing incident-response and technical support to local governments and academic institutions, as well as expanding its information sharing with public and private critical infrastructure operators.
“We can’t be so myopic to focus only on state agencies and local governments,” Main said in an interview earlier this year. “It’s the whole of state of North Carolina, and the whole state includes our critical infrastructure partners.”
In addition to his long private-sector career, Crass has also been a volunteer director of a cyber camp program run by InfraGard, an FBI-backed threat-intelligence nonprofit group, as well as an adjunct instructor of cybersecurity for a National Guard program at the Citadel, the military college in South Carolina.