In 2022, the Washington State Department of Natural Resources (DNR) had no formal cybersecurity function to speak of. Several people — including a lead developer and a network infrastructure engineer — wore the cybersecurity hat. The organisation had no vulnerability management or software evaluation program. In a small organisation this could have continued for years. People in the IT team approving requests as necessary and periodically updating software. Not great, but good enough.
For DNR, which employs just over two thousand people full time (plus close to another thousand seasonal employees) across diverse business units and regions — from wildland fire fighters and geological surveyors to some of the world’s leading experts in conservation and land management — ‘not great but good enough’ wasn’t good enough.
“It was seat-of-the-pants decision-making,” explains Ralph Hogaboom, Chief Information Security Officer (CISO) at DNR. Looking back at the organisation Hogaboom started at, he reflects that — especially in the context of a large public sector agency — cybersecurity at DNR today is more or less unrecognisable. “When I started in February 2022, we had zero cybersecurity staff. Now we’re at five. That’s real progress, especially in a public sector agency,” he says. “How did we do it so quickly? We had a plan, and we stuck to it. We built relationships. We led with empathy, marketing security to the organisation through awareness and building for the long haul.”
DNR: Staggering Scope and Unique Challenges
DNR, Hogaboom reflects, often feels like 65 different agencies rubber-banded together. “People outside the agency often assume DNR is ‘just trees,’” he laughs, “And, to be fair, we do a lot with forests, but it’s all so much more complicated.” DNR has not one but three discrete business units dedicated to forests — Forest Regulation, Forest Resilience, and Forest Resources. But that’s just the tip of the iceberg. The State Geologist is housed within the department — specifically in the Washington Geological Survey (WGS), the team responsible for surface mining permits, landslide emergency management, and the state’s volcanic emergency response programs.
Building a People-Focused Cybersecurity Function
When Hogaboom arrived at DNR, the IT division had a reputation — as it does in many organisations — for using security as an excuse to say ‘no.’
“We’ve spent three years changing that. Now we’re the team that helps people get to ‘yes’,” says Hogaboom. The core of it, he explains, is an approach to cybersecurity focused on people, their needs and outcomes, rather than a systems or technology-centric approach.
Fundamentally, it’s about trying the things cybersecurity does to real-world successes in the agency — an enabler rather than a gatekeeper — and working diligently to dismantle the assumption that there’s a “big, invisible wall between cybersecurity and the rest of the business,” Hogaboom says.