INFOSEC IQ CLIENT STORY

Building a comprehensive cyber defense strategy with unified training from Infosec

Meet Gary Scott, Security Analyst for the State of Kansas and a security awareness training aficionado. 

From hospitals and schools to roads and tap water, state agencies provide structures and services that improve residents’ lives. Despite their importance, these agencies often lag behind the private sector in technological advancement yet face the same — if not greater — burden of defending themselves against cyberattacks.

It’s a tough task. State agencies handle sensitive information and manage critical functions, making them perfect targets for sophisticated phishing campaigns and internal vulnerabilities. All state employees need up-to-date security awareness training, which can be overwhelming and even out of reach for small agencies with small budgets.

Government security is only as strong as its most vulnerable agency, so inconsistent training across agencies weakens the security posture for the entire state government.

With such high stakes, the State of Kansas wanted to do more than deploy security software. They wanted to create a comprehensive defense strategy, so the legislature enacted the Kansas Information Security Office (KISO), which protects the cybersecurity of all executive branch agencies. Within KISO, I’m a security analyst, responsible for state employees’ security awareness training and ensuring everyone is on the same page. We partnered with Infosec Institute to do it.

Getting the best value for public money

The biggest advantage of working with a security education company is gaining more consistent methods and messaging, and Infosec helped us develop a more consistent approach to security. In addition, Infosec offered:

  • Cost efficiency. As stewards of public money, we want to get the most bang for our buck. Infosec delivers good value when considering the price per license and the quality of the information.
  • Easy compliance. Infosec’s comprehensive training module portfolio and module customizations allow us to meet all our compliance requirements easily. These modules offer a range of delivery methods — including animation and their “Work Bytes” live-action series — to suit different learning styles and preferences.
  • Continuous improvements and updates. Infosec constantly improves and updates programs to include new modules and learnings from recent security incidents. They even take our suggestions on new themes and topics to cover.
  • A responsive partner. The Infosec team is a pleasure to work with. They’re quick to respond to questions or issues.

I now use Infosec to create and share our training sessions with all state employees. They access the training through their Infosec dashboard, where they can find supplementary security resources, including additional modules that Infosec suggests based on the individual’s history.

 

Effective training that meets state-specific needs

In addition to mandatory training, we run phishing email simulations through Infosec to test the training’s effectiveness. Since partnering with Infosec, the number of agencies participating in our optional phishing test has increased significantly. Email is the vector in 90% of ransomware attacks, and agencies are fast becoming aware of the risk posed by ransomware — and the vulnerability in employees’ inboxes. As a result, multiple agencies have recently joined our ongoing phishing campaigns.

Some agencies previously experienced phishing attack rates of more than 8%. Now, the State of Kansas is consistently below the national average. At their latest test, one of our agencies reduced its phishing susceptibility from over 8% to just 2%, showcasing a dramatic improvement in cyber resilience. That’s one of the best indicators we can take to the state legislature to show value for money.

Infosec also made it profoundly easier for me to address specific state requirements. State policy dictates the subject matter of our security training, including industry standard compliance regarding HIPAA, FERPA, IRS, and PCI DSS standards. Infosec has built-in modules for all these topics, meaning I don’t have to spend time creating them.

That said, Kansas also has some particular subjects that may be unique to our state. In that case, Infosec’s flexible platform allows me to create custom modules. I organized the information the same way I would prepare a slide deck, and the platform took care of the rest while addressing accessibility needs. I can cover everything state policy requires without compromising on quality.

 

Beyond boring workplace training

Bad actors are using increasingly sophisticated tools, so employee security training has to be just as sophisticated, with up-to-date information. Infosec provides real-time updates, or “Hacker Headlines,” on emerging threats like the CrowdStrike incident in July 2024.

Within days of the CrowdStrike incident, Infosec had published a module explaining what happened, how it happened and what employees can watch out for in the future. The update equipped Kansas agencies with the latest information. It turned a complex cybersecurity issue into an accessible learning moment, showing employees how their actions relate to this real-world example. The proactive approach reinforces the state’s defenses and provides valuable insights into the fast-evolving security landscape.

High-relevance topics keep employees engaged, addressing one of workplace training’s biggest challenges: boring, out-of-touch content. Everybody hates the grind of mandatory training, but we live in a digital world where someone practically has to be a security expert to avoid getting scammed. Infosec produces timely and relevant mini-modules to help people navigate the existing threats in everyday life: what to look out for while online shopping, for example, or the most common holiday scams. When people understand how cybersecurity training impacts their daily lives, they’re more likely to pay attention.

I know employees are interested and engaged because they continue to complete more than their mandatory training. They complete the modules Infosec suggests and get additional value from that information, too.

 

Raising the bar for agencies across the state

Infosec’s model ensures uniform training across all state government agencies, eliminating the disparities that arise from budget differences. State employees at small agencies or those with a low profile get the same training as employees at larger, more prominent agencies, just as it should be. The more agencies use these tools, the more consistent we can be in our approach and develop a more cohesive and unified defense strategy.

We recently underwent an RFP process and ultimately renewed our partnership with Infosec because of the platform’s adaptability and their ongoing commitment to our security. The State of Kansas’s experience with Infosec is a powerful example of how a dedicated cybersecurity partner can transform a government organization’s approach to security. With Infosec, Kansas strengthened its overall security framework, protecting the state — and its citizens — from a cybersecurity crisis.

Customer

By Gary Scott, Security Analyst, State of Kansas

Industry

State and Local Government

Products

  • Infosec IQ