An Unexpected Journey: Building a Cybersecurity Program at a Risk-Taking Agency

BSides PDX 2025 · 24:59 · 33 views · Published 2025-12
About this talk
An Unexpected Journey: Building a Cybersecurity Program from Scratch at a Risk-Taking State Agency - Ralph Hogaboom & Liz Lewis-Lee

In a state agency responsible for fighting wildland fires (including a fleet of drones, aircraft, and firetrucks) and responding to regional natural disasters, securing sensitive data and IT infrastructure is critical and challenging. From protecting endangered species data to ensuring secure computing at the most remote locations, a cybersecurity program in such an agency requires speed, flexibility, and hand-tailored problem solving. This session will share how the Washington State Dept of Natural Resources built a cybersecurity program from the ground up, addressing unique challenges like risk tolerance, rapid deployment, and balancing security with mission-critical operations.

Ralph Hogaboom (he/him) from Aberdeen WA. Married, parent, state govt employee in cybersecurity. Interested in gaming, trans rights, writing music, recovery, cooking, esports, feminism, running, pop science, knitting, and baking a really nice loaf of bread.

Liz Lewis-Lee: "I am currently the CIO at the Washington State Department of Natural Resources. I have spent the majority of my career in state IT, from Operations to Security and now management. I was born and raised in the PNW, have two kids, two dogs, a cat and a husband."

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

[music] [applause]

>> Good afternoon. Thank you all so much. I'm Ralph Hogaboom. I'm the CISO at the Department of Natural Resources.
>> Hi, I'm Liz Lewis-Lee. I'm the CIO at the Department of Natural Resources. And before we get started, I would like to say thank you to all the volunteers who make weekends like this possible. I've attended BSides in several different states and it wouldn't happen without the volunteers. So, thank you very much.
>> Yeah. [cheering] [applause] And I want to apologize. Somebody asked me what, like, "unexpected journey" is. It's some book or movie, some Lord of the Rings nerd thing, and I'm sorry if I led you astray. You came to the wrong talk. So, what the hell is this?
>> So, you know, if you wanted another monitor, you could just put in a ticket.
>> I don't know how that got in here. Next slide, please. So, what do you think of when you think of the Department of Natural Resources? I'm literally asking you right now. What do you think this work is? Yes.
>> Well, your talk talks a lot about firefighting and forestry and stuff. And the news, being from California, I think about that.
>> You've done some OSINT. Good. Who else? What else?
>> Manage tourists.
>> Yes. Okay, I'll take one or two more. Yes.
>> Manage waterways.
>> Ah, excellent.
>> That was mine.
>> Okay, then I'll take yours.
>> Rights management for land.
>> Yes. Okay. Excellent. Yeah, Liz.
>> Yeah. So, we have over 2.1 million acres of forest that we manage,
>> but the managed waterways is correct. We've got more waterlands. We've got 2.6 million acres of aquatic waterways. I'm talking about estuaries, rivers, straits, nearshore environments.
>> And then there's the geology of the state. Our geology department manages surface mining permits. They study geological hazards to help with natural disaster preparedness for things like volcanoes and tsunamis.
>> And we built the nation's first vertical tsunami escape tower. Super cool. It's down in Ocean Shores, right outside Aosta.
>> We track eelgrass growth and recession using underwater cameras and computer vision image recognition. We do that to help track the health of our waterways,
>> and we have real estate. We have cattle. We have an extensive LiDAR and photogrammetry, a series of photogrammetry and LiDAR operations. We have law enforcement officers.
>> We have a large fleet of drones. We have airplanes. We have helicopters. We have boats. Our aquatics division has a dive team for underwater derelict vessel removal.
>> We have recently created our first internal policy for employees for handling bear spray. And I have to believe that that, from your state-issued bear spray, came from a series of events of mishandling your bear spray, which I would really like the background on. I know some stories. Yeah. Okay. I would like to know. We have 39 conservation areas. We have eight aquatic reserves and we have a ton of recreation areas.
>> We build forest roads, bridges, and recreation trails.
>> We fight wildland forest fires.
>> We build our own fire trucks, which honestly is my favorite thing.
>> In 2025, shout out to the person who was talking about wildland fire response. In 2025, we had over 1,100 fires in Washington state where we responded to those fires. This year we had almost 60,000 acres burned due to wildland fire,
>> which sounds like a lot until I tell you that last year we had 136,000 acres of land that was burned.
>> So when it comes to talking about security at our agency, given all of that, it is very hard to talk to users about risk to a laptop with Windows 10 that's unpatched when they are literally at fire half of the year. It takes a lot of technology to support our lines of business. For being a bunch of people who like to hang out in the woods, we are a very tech-hungry agency. We have meteorologists, because they have to predict the weather to keep the firefighters aware of what's happening during the week. And they have an incredibly unique stack of software that is just for them. We have software that tunes our helicopter blades. We have software that reports our flight plans to the FAA. We have software that, when you take a picture of a tree, counts the leaves on the tree. We have multiple apps that decipher bird calls. We have Python scripts that use machine learning and probabilistic simulations to predict wildfire pathing and landslides.
>> But we don't want to just tell you about this technology. We want to show you some pictures, because when technology comes together with the natural resources, there are some drop-dead gorgeous things that get created. This is a LiDAR photograph of the Nooksack River up in, is that Whatcom County? I think it's Whatcom.
>> Yeah.
>> And not just this one from 2022, but we check it regularly, every year. And with the LiDAR we're able to see the bedrock underneath and see the path that the river takes. So we're able to track its health, how much sediment is coming down. And there's actually several LiDAR photos in here, which is amazing. Each one of these is a huge, huge file that has to get stored on our server. We have multiple different versions of it. This is just a fraction of the technology that our scientists use. This is just the LiDAR photographs that they use to help manage, watch, steward these natural resources. Not only do we use this for scientific research and resource management, we use it for things like predicting landslides, tsunami response, earthquake preparedness. We are also legislatively mandated to make a lot of this data available to the public for free, which has multiple challenges. So, for example, we might want to share endangered species information with people who need it while not telling poachers where to find a Canada lynx breeding population.

So, to step back a little bit, in 2022 the Department of Natural Resources had no cybersecurity staff. There was no cybersecurity program. It wasn't on the radar. Of all of the state agencies, in terms of patching, our vulnerability management, our ranking in how out of date we were with patching, we were dead last. And the people in IT were not able to get any traction with security initiatives. Nobody wanted to give them the time of day. There just wasn't any ability to do that. Fast forward to today, we've got five full-time staff. We are number two, and often we're number one month-to-month, for patching among the 10 largest agencies in the state. We do get a lot of internal traction now. We get invited to those meetings. We get added to the email chains where people say, "Hey, we're implementing a new system, or we're talking about it. Can you come in early on the design phase and help us out?" We are sought-after partners at the state level among other agencies. They want to talk to us about cybersecurity. They want to engage with us. And we just had a trade magazine that did a feature on our cybersecurity program. So there's international recognition as well. For a state agency, that is so cool, to move that fast. So we are still really tiny too, and we get a lot of stuff done. If you look at brand B and brand C here, you will see that they have more employees, and I would argue we're kicking ass a little bit more than they are.
>> So, how did we build this so quickly?
>> With one ring? With Sauron?
>> That guy. So, there's four things we want to talk about today. Security awareness training is really, really important. That little bit about marketing we're going to talk about in a second. Building relationships with people. I know that you've heard that at a few other talks today. Really, really important. We're going to go into more detail.
>> Picking a plan and sticking with it, and building for the future.
>> Yeah. So, let's dig into the first one: delivering world-class security awareness training. I can't think of anybody else who looks at security awareness training as anything more than something to get through, something to tolerate. And from the very beginning, when we started at DNR in 2022, we said we want to flip that on its head. Nobody knows who we are. They don't know why they should care about cybersecurity. It's something that happens on their computer, and most of their job happens out in the field. So making a really conscious decision to say we're going to deliver security awareness training and we're going to make it a first-class experience. It's going to be a high-quality experience. We're going to connect with people. We're going to make it matter. That became a strategic foundation for saying this is how we're going to build our program. And here is what I mean. I think it's, yes.
>> So here's some of the tools that we've created over the last couple of years for our cybersecurity month. I mean, you know, they're fun. We've got some word searches and some crossword puzzles. We ask people to send these in, and then once a week we pull one and we give them a coffee card. So, I don't really care if they fill this out, right? I mean, I love Ralph's stuff, but I don't really care if they read it all. But what I want them to do is send this into the SOC. So now they know the address to the SOC. And so now, when they start to type it, it's an autocomplete in their Outlook. So we're using social engineering for good.
>> Not super high-tech either. People are able to get access and do something with it, right? Engage with cybersecurity right off the bat in a way that they recognize. We've also been making more and more short-form video content. This is stuff with a lifespan. It expires after Cybersecurity Awareness Month. It's meant for them for that short period. And I'm actually getting stupider. I'm adding wigs and doing little skits. The reason I'm doing this is because people respond to it. They know who I am. They know that they're in for at least some entertainment if it's not interesting. You know, the shorter the better with these things, right? But I also want to talk about this slide for a second. This is a slide that I kind of agonized over. This was part of a training that I did. I took training to every single division and I gave that training as in-person as I could. And I spent a lot of time with people. And here's why I agonized over this slide.
>> It's because he didn't like the version of it I wrote. [laughter] [gasps]
>> I'm putting this thing together and I'm thinking, I'm an IT person. Why am I spending all of this time doing graphic design? Like, that's not my job. This is a bad waste of state resources. I don't have a communications or a graphics team that does work for IT. But also, I'm not sure I would trust them. I think data categorization information, I think communicating with people, is so important to do as accurately as possible that I wanted to control every aspect of this, and I didn't want to give them a Word document that had turned into a PDF. I didn't want to give them a PowerPoint slide. I wanted to give them something that they might consider making their wallpaper. I wanted something that was pretty, something that was attractive, so that when they came to my training, they knew I was rolling out the hospitality and I was going to take care of them. Same thing with this next slide. This is a slide from that same training. If I'm talking about sensitive data to a bunch of foresters, I'm not going to be talking about credit card information, because it's irrelevant. But the location of the Oregon silverspot butterfly, which was extirpated from Washington in 1996, we have not found any since then. We're preparing 19 sites in Pacific County in the next couple of years to reintroduce this species. The location of that endangered species, of those sites, is absolutely important to our foresters. So, centering on the work that they're doing and really connecting why we're doing this cybersecurity training to the work that those people are doing, really, really important work.

So, I said before we would come back to that marketing point, and here's what I mean. When I'm doing a data categorization training or a phishing awareness training or whatever the security awareness training is, I don't need these people to memorize all of the controls. I don't need them to be able to fill out the crossword exactly accurately and know all the terms. I need them to know who I am, what my team does, and like me enough to invite me to those meetings and add me to the email chain. I need that positive relationship. And a security awareness training program is my way to do marketing to the entire agency and say, "Hey, we're here, we're the good guys, and we're here to help."

So the second point here is working relationships as a core deliverable. And by this I mean I think relationship building with people is a cybersecurity control that leads to better outcomes. When I talk to my staff, at our weekly one-on-ones, I say, "Who have you helped this week? What relationships have you been building?" We talk about finding out what people need and how to connect to that. That is an expectation of my staff in their job role. It's also just important as a human being to care about the people that we work with, and I get that point across.
>> It's not just the security team, right? As the CIO, it's part of my job to create opportunities for the security team to build those relationships. Even at the management and executive level, you can't only focus on peers. The relationships and education have to extend into the C-suite as well if you want those decision makers to give you attention.
>> No, I think I got it.
>> Naomi's speech.
>> Oh, yeah. That's right. I did want to name drop Naomi. Right. So, the last point I wanted to make about the working relationships, for those who saw Naomi Meyer talk yesterday about threat models always being centered on the system. One of the points she made was that we should expand that to not just threat models being centered on human beings, as where the real harm is happening, but all cybersecurity metrics programs, I think, and probably all of IT, because without people, why have the servers, right? If our threat models should be focused on humans, all of our metrics, all of our KPIs, we really need to focus, the vulnerabilities should be human-centered. [clears throat]
>> Yeah. So, picking a plan and sticking with it. I'm going to talk about strategic plans. I know nobody here probably thinks that's like cool and fun. It's not AI going out and finding your vulnerabilities and patching them for you. But without a strategic plan, you're just not going to get anywhere. The strategic plan tells you where you're going. The tactical plan tells you how you're going to get there. And your operational plan tells you what you're going to do next. You have to be in alignment with your organization. That is key. They will not give you resources, meaning people and money, unless you are in alignment. So one of the things that we do is we crosswalk. So we have a state strategic plan, we have an agency strategic plan, we have an IT strategic plan, and we have a security strategic plan. And we have a very big, bold, beautiful spreadsheet that crosswalks all of those, so that when we add something to it, or we think about it, or we go to refresh it, we are making sure that we are in alignment with what our organization needs. We don't have a shortage of problems to fix. We have a shortage of attention from decision makers and executives.
>> Yes,
>> a strategic plan gives you a road map that exec can see and understand, that tells them where you're going and how you're going to get there.

So, building for the future is our last bullet point. And I'm going to say when I came to the agency, when we both came to the agency three and a half years ago, I actually came as the operations manager and Ralph was the security architect, and he was the first security person that they had ever hired. They had hired me out of a security team at another agency and they said, "Can the two of you just start a security program, please?" So we intentionally went into what are the things that we need to do. And I knew that while security in its infancy was going to be in that operational team, eventually it needed to stand on its own. So I started planning for it at that point. I created a budget that was separate from operations for security. Ralph started working on position descriptions for jobs that we hadn't even been given FTEs for. We started working on strategic plans, and we really built out what a program would need, and now, three years later, we're kind of at that point. So what do we do next? Now we're pivoting. One of the things that I've been working on is creating language to put in all of our IT position descriptions in the agency that embeds security in everybody's job. I want security to be part, if you're a developer, if you're a project manager, if you're a business analyst, I don't care. I want security to be part of your job if you work in IT. And then we have ongoing conversations about the future. How do we talk to exec? What are we going to do? We're in a huge budget crisis in Washington, and then we've got federal budget shortcuts, and what do we do? How do we keep going? How do we keep moving forward in the face of all of that?
>> Yep. So those four points, that is our key takeaway. It is delivering that world-class security awareness training and then the building of relationships. Super, super important.
>> Picking a plan and sticking with it, and building for the future.
>> So we've got a couple of QR codes if you want to get your camera out. Those beautiful LiDAR photos, those are all on our Flickr page. Flickr is this really cool new website.
>> You may not have heard of it.
>> May not have heard of it yet, but you will.
>> And if you're in college, you probably haven't heard of it.
>> Yeah. And then if you're interested, I'd love to get connected with you on LinkedIn. Use the QR codes here. And then I think Boromir had a final parting gift for us. Yeah. Thank you, Boromir. That's all we got for you today. I think we have time for questions. We do. Yeah. Thank you.
>> [applause]

[applause]
>> Thank you for the talk. It was really fun and interesting. I think one of the questions that I have is, I see you have videos for your security awareness training. How do you approach integrating, like, e-learning?
>> Well, there is a state requirement. So they all have to take the state requirement, which is once a year. It's not bad. It's gotten better over the years, but it's the same. It's what it is. [snorts] And then all of our stuff is just snippets. It's fast. It's something you can do in the morning during cybersecurity month.
>> I will add, as the state has been preparing their AI policy that's going to apply to all state agencies, I went out of my way to get on that committee that was writing that policy, because I wanted to make sure that there was a requirement for training, and to figure out what that was, and then to start building my own training material, which I did, because my confidence that my training material would be tolerable is here. I'm not so sure about the alternative, and I want my people to have the best training material.
>> We have really good training.
>> So we have four videos that are about to come out that are part of an e-learning course that take about 25 minutes total. They talk about the data categorization. They talk about the ethical risks. They talk about the damage to underserved communities where these data centers are being built as a factor you should consider when you're thinking about whether or not I want ChatGPT to write that email. And so seizing that opportunity and saying, if there's an alternative, we're going to one-up it and get that integrated into our learning system. Absolutely a strategic choice.
>> Well, look, I have a microphone. I just wanted to say thank you so much, especially for talking right at the end of the conference here. It's much appreciated. I love the focus on people in cybersecurity. But you also talked about how many systems you had. And I'm curious if you can talk very, very briefly about your journey and, like, getting your arms around the technology, and how that actually managed to happen. That gap, like how you closed that in those three years.
>> You want me to start?
>> You go for it. I'll jump in.
>> The first year and a half was learning a new system existed every day. One of the first things
>> three and a half years in, we sometimes find things.
>> Yeah. Yeah. We're still finding new systems. One of the first things Liz really strongly strong-armed me to do was an internal security risk assessment process. Right? We've got a bajillion different apps. It's the wild west. Let's build a review process, and as these things come in, let's kick the tires on them. And I think it was 9 months into the job when the review came in for the electric cattle collar shocker. And I went, "What the hell is this?" And I found out that we have cattle, fenceless cattle on land. And so we needed a security review for the mobile app that would control these, well, I would argue cruel, shock collars for cows. And so that went on the list. And the latest version of getting our hands around this technology was Liz going to bat with exec and with our field, our region staff, and saying we need funding for a field security person. So we were able to bring on a senior cybersecurity engineer. Her job is field work, which I would say is 50% relationships and 50% going out into the field and saying, this is a difficult problem. You've got, like, a snap server or something serving files on a wagon that we deploy to fires, and it has a default password and it's using web. Let's fix that. And so getting her hands dirty, cleaning up these things as she sees them. We have a decentralized IT model. We have region offices around the state with their own IT, who are beholden to us for policy and procedure but have their own budgets and don't always run their decisions past us. So in addition to that, we actually created two kind of liaison positions. Their job is to create relationships, to offer training, but it's also to walk around and see what's going on and then bring it back so we can talk about how do we standardize it.
>> Thank you so much. This was wonderful, and this talk alone has made it worth the two-hour drive for me to get here. [laughter] My question to you is that, given the sector I'm working in, I know that the DNR intersects with a large number of land trusts, watershed councils, other environmental conservation organizations, and my question is, do you share your training with them, or is that something you would consider doing, making training resources available to those organizations?
>> If you reach out on LinkedIn, I bet we could share some training with you.
>> Yeah, be happy to.
>> Your tax dollars helped write it.
>> Heck yeah.
>> Time for one more.
>> I'm curious about what framework you're working towards. Are you following SP 800-53, for example?
>> No, we are benchmarking ourselves right now against CIS, the CSAT, the self-assessment. We do that every year and we're measuring our progress. There are some state standards that follow the NIST Risk Management Framework, and frankly, those people that control the state audit are a lot closer to home than NIST is, and so we're getting ourselves in compliance there. It's always fun to do that annual self-assessment test through CIS, because every time I'm like, "Hey, we scored better than we thought. What is it?" Oh, it's the network team. Yeah, they're dragging all of our scores up, because our network team is just unstoppably awesome. But yes, that's what we're following.
>> Thank you again to Ralph and Liz.

>> Thank you.
>> Thank you. [applause]
>> Thank you, BSides. [music]