
Thanks everybody and actually on that note I guess I want to start by saying thank you to the volunteers to the staff Microsoft for hosting the sponsors for putting this together. I mean for a grassroots you know community-driven event uh BSides is hella cool and um I just have a tremendous amount of gratitude to be able to be here today as a participant and to be able to share some of the stuff that we've had. So, can we get a round of applause for the volunteers for the organization? I mean, damn, super cool. So, yeah. Uh, we are from the Washington State Department of Natural Resources. I'm Ralph. I'm the chief uh information security officer.
Uh, my name is Liz. I'm the chief information officer, CIO. And, uh, before we get started, I the title is an unexpected journey. Uh, I understand that um there's potentially like I guess it's a Lord of the Rings thing. Some of you I I'm not really I don't do the sort of nerd stuff. So I apologize if I led anybody astray into thinking that it might be a nerd thing. So we What the hell is this? What? So is that how the uh journalist gets in the chat? Yeah. Okay. So I don't know how that got in there. Anyway, so we work for the Washington State Department of Natural Resources. Can anybody tell me what you
think when you hear department of natural resources? What does that mean? Count trees. Okay. Trees. is I knew we were going to get trees. Anybody else? Minerals, mining. Minerals and mining. Okay, thank you, Pi. Anybody else? What do you think of fish? Water. Fish. Very good. Okay, keep it coming. What else do you think? Department of What do we do at Department of Natural Resources? What do you think that is? I The sunlight's a new one. I'll take responsibility for that. Sure. Geoducks. We got geoducks. Geoducks. Yeah. So, yeah. I mean, the these are all spot on, but when I started at DNR three years ago, I was blown away by how much stuff we do, right? We've got
geology, right? Some people mentioned like rocks, minerals, surface mining, we've got engineering, we build roads and bridges, right? We've got aquatics, we um we are the first I think we're the first state agency in the nation to set aside an offshore preserve. We have a kelp forest that is now preserved land. We have direct uh derelict vessel removal. That's part of our We have a dive team. Uh we have cattle. We have LEOs. We have our own law enforcement officers. Right. Right. We have wildland fire. We have wildland fire. Yes. Uh DNR is really really big. And every time I turn around, there's a new thing that I just found out we have a meteorologist.
Uh we have our own meteorologist with with our own. When you're fighting fire, the weather's really important. Yes. Yes. We have a ton of weather apps. So we could talk about this or I could show you some pretty pictures, right? Uh several of our teams have really cool technology, really cool cameras, and they take pictures not just of the Nooksack River, uh what it looked like in 2022, but also over time. And we're looking at what happens with the sediment, what happens upstream, what happens when we have uh you know, when we have recreational activity in an area, how does that affect the sediment both upstream, downstream? What are the impacts to landslides and flooding? Um,
we've got these really, really cool cameras on drones that take high resolution pictures uh over a period of time. I mean, you said we comb the state. We overfly the state every 10 years. So, and every 10 years that technology gets better and more refined and bigger, right? Larger and larger files. And we don't get rid of the old ones. We just hang on to them. And we make this kind of data available to the public. So we also not only need to collect it, store it, save it in a way that makes sense, but it needs to be available to people as well. Well, right. So we don't only use this for scientific research, we use it for
tsunami response uh to predict landslides. And like you said, we make this available legislatively mandated to make this available for the entire uh population. So there are people out there from rockhounds to oil companies that download this data every year, our entire data set. That gets expensive, right? That's a lot of data that we're keeping out there for the public and we don't charge for it. It's all free. But there's a ton of cool stuff that we do. Almost all of it touches technology. Um it gets integrated into pretty much everything we do with stewarding natural resources, with taking care of natural resources. And this is a very technology-hungry agency, right? So our software footprint is not small. Uh you
know we have scientists, we have um firefighters, we have a meteorologist as we pointed out who needs his own suite of software. Only person in the agency that uses that particular set of software. Um how many apps did you say we have in the agency? We have over 16,000 different apps on our desktops across the agency. Right. I've worked at multiple state agencies. Usually we have a, you know, a list of 20 that everybody uses. That is not the case at DNR. And we have a very small security team that has to review all of those requests. And then we have a three-year cycle of re-reviewing all of our software. And a lot of this technology is increasingly
being used to fight wildland fire. We have over 600 firefighters. We had 868 fires last year. Was actually down from 2023. We had over,00 fires in 2023. And we track these things. we need to know because we're reporting to our federal partners to local uh you know fire departments, county fire departments. Um there is when I go and I talk to somebody about, hey, there's risk because you haven't patched Microsoft Office and they say there's risk cuz I just jumped out of a helicopter to fight a fire with my bare hands. We're not on the same page and that can be a difficult conversation, right? So um we just started this cyber security program three years ago. We
started at the beginning of 2022. One of the first things we invested in was a cyber security awareness program and we went big on October cyber security awareness month. This is a first class holiday for us here at DNR. I'm really proud of our dorky crossword puzzles. I'm proud of our infographics. I'm proud of the short form videos and we're now doing the new vertical TikTok thing because we're young and cool, right? But the important thing is that we are delivering information directly to our customers because we want to have that conversation about risk. Yes. even to the people that jump out of a helicopter. So Ralph even makes me buy coffee cards for the winners of when
they submit all of those things and our engagement has gone up year-over-year because apparently those coffee cards are pretty popular. So when we first started, we both came to the agency three years ago. Um I was the operations manager and Ralph was the security contact uh architect. Ralph was our first security hire ever in the agency. Um the agency out of the 10 agencies of its size was number 10 in vulnerability remediation. Three years later we're number two. We have taken a very small but mighty. Yes, that's what I'm talking about. And we have we have used minimal resources to uh really build our security infrastructure. So that in the beginning of 2022, we had
zero staff in cyber security. I came on in February. When I'm talking about growing a cyber security program in a short period of time, you know, government work is not known for moving quick, but we got up to five positions in three years. I think that's pretty damn cool and that's what we want to talk about today. So, uh, we also, you know, Liz mentioned we're a small team. I think we also punch above our weight class. uh you know looking at other similarly sized agencies we have fewer staff and I think we get more stuff done and I think we have more fun doing it too. Uh so how did we build this stuff
so quickly with the one ring? What the hell? No, I'm sorry. We built this so quickly by picking a plan and sticking with it. By building relationships using empathy by marketing with security awareness and building for the long haul. So picking a plan and sticking with it. I know that like uh when you think cyber security, you want to be sitting in a dark room with a hoodie on typing away on you know your RGB keyboard, but a strategic plan is going to go a long way. So one of the first things that Liz and I did was sat down and said, what is the agency's strategic plan? How can we map this to cyber
security stuff that we want to get done? Um what does it look like mapped to the IT plan? So, we have this lineage from uh all the way the agency what the agency says is important down to what cyber security says is important. We put that in the three-year strategic plan. We make a two-year tactical plan and then every year we do the one-year operational plan to the quarter saying this is what we're going to get done and this is how it maps back. I know that's not exciting cyber security stuff, but if you want to move the needle in an agency that that doesn't care about risk, you got to be able to talk about
it at this level. And honestly that alignment with the strategic plan is how we sold this at the executive level because we were able to say here look we are looking at what's important to you and here's how we're going to support that and that was how we were able in a state agency we're getting FTEs is not easy to continue to grow this team. Second thing building relationships using empathy that asterisk is there please come to our talk at 1 pm why empathy is the critical and underrated cyber security skill. We'll go into a little bit more detail there, but empathy is not like getting along. It's not good vibes. Empathy is a kind of
understanding that gets us in a position where we can solve hard problems together. And uh it it is a really if you're not counting that as a KPI, if you're not asking people on your one-on-ones on your team, what relationships have you built today? How have you helped someone? Then I think you're leaving some opportunity on the table. Uh let's do Q&A at the end just in case we turn into wind bags and run out of time. So yeah, what I'd like to say about this is when uh the reason it took this agency till 2022 to hire their first security person is there was a belief throughout the agency that no was the answer security was going to give
people. That security was there to be no. And so we have spent three years building relationships with people and letting them know that we are a path to yes. That is our job is to get them to yes, not to give them a no. Yeah. So marketing by security awareness training. One of the first things that we talked about is how did we uh implement security? How did we or how do we implement training? How did we talk to our end users? So one of the things we did is we started creating very small very targeted trainings that we delivered to small teams. We take them to management teams. We take them to team meetings. We take them to um
operational teams. If you want to hear about it, we're willing to come talk to you. We do it in person. We do it over teams. We do it live. We did not create videos and then tell everybody in the agency they had to go watch the video. We give them a chance to interact with us to ask questions. Um you know, and one of the things we do in that training is we really try to connect to the jobs that the people in our agency are doing. So, you want to talk about butterflies for a second? I always want to talk about butterflies. So, uh, a very boring conversational topic taking to a team. Hey, your data
is all over the place. There is some sensitive data in there. The state has a data classification. We're supposed to protect certain data. People's eyes are glazing over. And I say, remember the Oregon silverspot butterfly which was extirpated in 1986 and there's only five sites in the world left and we're preparing 19 sites in Pacific County to reintroduce this butterfly. Yeah, that's category 3 data, baby. That's endangered species location information. That's why we're trying to protect this information. That's why data categorization is important. And I was in some of those meetings and people's eyes light up. Oh, I was part of that. Oo, I did some of the data analysis on that. Yeah, they get excited because
we're talking about what they're doing and we connect to them with that. Um, and then the other thing that we have found is that uh so we started talking about generative AI about a year and a half ago. What is it? Why is it important? Why are you seeing it in the news? What are we doing about it in the agency? Um, and what we found is that people like to tell on themselves and we had a group that said, "Oh yeah, we put this spreadsheet in ChatGPT." Yeah, that spreadsheet had a lot of PII in it. So, we had some options at that point, right? We could like yell at them. We could do some discipline. We could go to
their supervisors. You know, we still treated it as a breach, but we also took that opportunity to work with that team to talk about why that was a bad idea, what they could do in the future, how do we change that behavior. So we took that opportunity to build that bridge rather than do discipline. Ah building for the long haul. Sorry. So uh then we did a couple of things. So when I started I was operations manager and Ralph worked for me. But I knew that security didn't belong in operations as it was in its infancy. It was a good place for it to be because I had experience with security and Ralph had experience with
security. So we were kind of pulling those resources. But I knew that eventually I'd want it to be within its own structure. So I did things like create its own budget code, which in a state agency takes a little while. Um, I did things like start building out PDs. What is this going to look like? What is our structure going to be? What positions do we need? And we slowly added those people. We uh finally got permission to create a CISO position, which I was the, you know, de facto CISO, but I wasn't really Ralph did all the work. Um, so we now have an actual CISO position which Ralph uh started in officially on the 16th. Yeah. And that
position has now been moved out of operations. It reports to the CIO and so there's a lot more visibility and that gives Ralph the opportunity to work across the agency in a different role than when he was a security architect. I I want to underscore the importance of this administrative plumbing. I know that we want to secure all these devices. because I know that DNR wants to have a secure footprint, but that doesn't happen without somebody doing the leg work of saying, "Let's write a good position description. Let's get that position filled. Let's do the hiring. Let's do all of that stuff." That doesn't sound like cyber security, but that administrative plumbing and that forethought allowed us to grow as
quickly as we did in an agency not known for growing their cyber security very quickly. And then also, we're implementing 11 Z's by 2026. That's my next vacation. That's that's what that is. gibberish. Anyway, in conclusion, good cyber security is not a checklist. It's about people. Unless your cyber security program is focused on people, you're going to have problems. Well, it's a checklist. It just needs to include people. Sure. It's about collaboration and how stuff gets done. Um, you have to build these bridges and one of the things we talk about a lot is building the bridges before you need them, right? Uh, we have a new field engineer who just started and, uh, she's been given the
instruction to go out and just create relationships. go meet the people, go talk to them because, you know, she needs to have and she's actually right here in the crowd. Um, when she needs to have those difficult conversations with people, she will already have that social lubrication and that trust built up. And then bad cyber security happens in a vacuum. I I I this was really clear to me when the MGM hacks and the casino hacks happened in Las Vegas, right? I gotta believe they had highly paid cyber security people that were paying attention to stuff and that their, you know, CIS controls were all buttoned up and somehow things that the business was doing drifted in a way that cyber
security no longer had that visibility. They weren't partners. They weren't participating and that's where those gaps come through. I really believe if you get in line with what your business is doing and you get out there and you know people and you find out what they're doing, then your cyber security is going to fall in place. Uh so yeah, come see us at one o'clock. We are open for questions and answers. Um, but come see us at one talk about empathy and cyber security. Thank you folks. So, I know you had your hand up. Let me bring the microphone just in case. And I've been told you need to speak into it like a snow cone.
Perfect. Um, I think you kind of made the point. I when you said empathy, I thought like business context or not the vacuum. Like I think that's like sounded like the same thing to me. What do you mean? Like uh empathy people think of like emotional state and things like that whereas you know as you've described it it's be aware of it's not just security. It's what does the business need to do? Yeah. I think totally. Yeah. Come at one o'clock. Let's talk more about that. Anybody else? Um just curious about starting off with a small team. How did you partner with like external partners or did you need to bring in external people to help
assist with things or how did that relationship work? Yeah. Did everybody hear that question? Starting with a small team, uh how did you partner with people? How did you get the how did you get the social juices flowing? Right. Well, luckily we had some um incidents and uh technical debt that we got to uh start to to to chew on uh to to break our teeth on. Um and then, you know, I was working at it kind of at a management level. I was working um I meet with all the managers across the agency on a regular basis and I would do things like, "Hey, hey, Ralph, could you write a a little 15-minute training about
generative AI and can you come to these meetings? we can get your face known, we can talk about this, we can bring security in kind of a fun interesting way to these teams. Um, so it was really just taking every opportunity. Um, we now have communities of practice and we have um multiple meetings that we present at. I I bugged with our executives till I got, you know, the opportunity to do 10, five, 10, 15 minute presentations at our executive meetings. Any opportunity we have to get out there and kind of evangelize, we've taken. Yeah, that's I just want to follow up on that. That's security awareness training I think of as a bit of a secret weapon. Most security
training, all security training sucks. It's bad. And so to think, okay, I have an opportunity to sit in front of a business unit and and lecture them about something. I'm going to make this the best 10 minutes uh that I possibly can. I'm going to center them in everything that I do. I'm going to make it about them. I'm going to research them. I mean, I did my OPSEC on that team. Like, what are they into? what work did they do? Cuz I'm going to make my presentation relate directly to their work. I'm going to make it interactive. I'm going to ask them questions right off the bat to make sure they're awake and not just do an email. That
opportunity to give them security awareness training and just go hard on that. Go all in on that opened a lot of doors. But no Lord of the Rings references. No, zero. Zero. Yeah, you had a question. Yeah, one of the things that I've noticed is um with work in a larger organization, a lot of the information security content and communication goes out anonymously. Uh or it can go out with a name attached to it, right? So like you know Malcolm wrote this thing, whatever. It helps to build community, I think, if my name's attached to it, but also it seems to attach to me more than the security team as a whole. Do you have
any thoughts on how to kind of balance that? I mean, I believe in attribution. I don't think things should come out for the from the service desk, from the help desk, from security without attribution. I think that um there is uh an importance of learning who those people are and getting to know them even in a large organization. However, you're right. You don't want people to call you and think you're the whole security team. So, you know, my my suggestion is that multiple people in the team have communication or OCM or whatever responsibilities and they all use attribution and that the it comes out from a a general email so that the response doesn't go back to one person.
Yeah. I I don't know if I can speak to a large organization. How large is large for you? 8 10,000 people probably. Okay. Yeah. I've never worked at any place that large. So I I don't I don't know that I could give you advice. I can tell you what worked for us. That same sort of problem for us is with out-of-state travel notifications, right? We use geofencing on our login. And when people say, "Hey, I'm I'm going to Florida or I'm I'm going to Ukraine," which happened last year. A couple of our folks went to Ukraine and needed special permissions, do you redirect that to the generic cyber security email address when it's the same person who's replying
every time? So, so for our organization, being known is important. We need to be visible because the organization doesn't want to worry about cyber security being a barrier. And so, I encourage my staff, look, use the shared mailbox for that, but sign it with your name. The reply comes to that shared mailbox, but any of us have the possibility to pick that up and reply to it, and let's put our names in there. Let's put our signature in there. And I will be honest, I did some micromanaging coaching about some of the initial emails because they came across as clinical and um cyber security that's clinical is cyber security it gets ignored. And so, you know, jazz it up,
tell them have a good trip, ask them where they're going. It takes like three more minutes to have that email. It extends the ticket life another like, you know, day and a half while the ticket stays open. But my boss isn't punishing us on ticket time yet, so I get we get to get away with that, right? Make it personable and make it memorable so that it's not a pain in the ass to say, "I'm traveling to the Ukraine." It's like, "Oh, these people care." And it's a good experience. So next time they'll tell us maybe two days in advance instead of the day after they left. I think we have time for uh one
more question. Do we have two more? Let's let's try to squeeze two more in. Let's do it. Let's go for broke. I'll just talk. From an operational standpoint, building this unit, um, how much did you have to rely on, uh, outside or external, non-state constituencies to try to help make your case? Can you repeat the question so it gets picked up? So, uh, how much did I have to rely on, um, non-state? Is that Yeah. Um, how did that play into your strategy for building? So my strategy is that I have spent 25 years in state service and 20 of those have been working for an independently elected official. So I really kind of understand what uh
motivates them and so I wasn't really looking at outside of our agency. I I'm very focused on in the state in this political environment that we're in um what works for us. So, uh, I I I know I know the I know some of the I'm sure we have some holes in our our coverage, right? We I was talking to some people this morning about ABSAC and I'm like, "Oh, damn." Yeah, there's some gaps there. I I think for us it was just doing the next right thing. Uh, last question. How can I get there? I can throw it. First of all, great presentation. Thank you. Um, as someone who loves both technology and the
outdoors, I was just curious how does your job kind of differ working with all of these environment technologies and this team at DNR from what might be a more corporate technology and cyber security job? Yeah. So, one of the one of the weaknesses that we've had and we we talked about hiring this new field engineer. That's a big step for us. That's our our most recent position. uh and it is going to give us the opportunity to send people out and uh I'll give you an example. We did a pilot program. We're converting our fleet of vehicles to electric and so we've started to put charging stations in. We have over 200 sites around the state and
uh how is that going to get connected? Some of them in this pilot project were done cowboy style and they're on the guest Wi-Fi. That's not the best way to build infrastructure, right? So sending our engineer out there to say hey your objective here is to meet people have a good time and get taken out to lunch. Uh we need to build these relationships and then start talking about standardization and start uh so in direct answer to your question there's a ton of opportunities to go out there and meet people and see a lot of these sites. A natural resources agency is very uh has a great hospitality for inviting. Sure. Come on out and see what we're doing in Forks.
Come see what we're doing out in Colville. Um, it's a very You'd love it if you like the outdoors. Uh, if we had a position, we should hire you. It's cool. Cool job. Uh, I think we're out of time. Thank you so much, everybody. Um, come see us at 1