Johnson County is a local government located in northeast Kansas. More than 4,000 public servants are dedicated to helping Johnson County remain a safe, vibrant community, and that includes protecting the sensitive data of its 600,000 residents. Donna Gomez, Security Risk and Compliance Analyst at Johnson County, manages the County's security awareness and training program with Infosec IQ. In its first year, Donna's program earned an 87% satisfaction rating among learners. Read on to learn what Donna attributes this success to, and how she plans to keep the momentum going in coming months and years.
Inspire Award winner moves the security needle with Infosec IQ
“We want our people to feel empowered by knowledge instead of being afraid they will be disciplined if they make a phishing training mistake,” says Donna Gomez, a Security Risk and Compliance Analyst for Johnson County Government in Kansas.
Johnson County’s successful security awareness training program was recently recognized by the 2019 Infosec Inspire Security Awareness Awards with the Impact Award. The award celebrates the most innovative and inspiring programs that deliver high-impact security awareness and training initiatives to empower employees and motivate effective security habits.
The program, which enjoys an 87% satisfaction rate among Johnson County Government learners, is managed by Gomez, who credits its successful implementation to those at the top of the organization, including CIO Bill Nixon.
“Having the full support and encouragement of the leadership team is foundational for anyone implementing a security awareness program. It’s the first thing I encourage colleagues to lock down before they start because the support is fundamental to driving the needed employee behavior change,” said Gomez.
A career in security awareness & training
Gomez has managed security awareness training programs for 20 years — even before there was a specific name for it.
“Back in 1999, it was included as part of new hire orientation. There weren’t nearly the security risks like we face today. Managing training programs was always part of my early career, so taking on the security awareness sort of naturally became part of what I did and still enjoy,” Gomez said. Her training philosophy is built on the idea of discovering what her audiences don’t know and then working to fill those knowledge gaps.
Employee training at Johnson County
Johnson County is a local government located in northeast Kansas organized in 1857. The county’s five agencies and 34 departments serve a diverse and expanding population of more than 600,000 residents. More than 4,000 public servants are dedicated to helping Johnson County remain a safe, vibrant community, with a mix of healthcare, financial services, agriculture, aviation and the auto industry. Barbecue is king in the region and if you ask the locals, they will point you toward Joe’s Kansas City Bar-B-Que. Try the pulled pork.
Johnson County’s cybersecurity risks are no different from those faced by county governments across the country. The county has to fiercely protect the personal and private information of thousands of citizens, and it takes the responsibility seriously. Gomez is excited about her program to educate Johnson County employees and hopes to share her lessons learned with other county HR, information security and compliance officers charged with securing their citizens’ private information.
“We scrapped the program that was previously used and rolled out Infosec IQ in 2019,” Gomez says. “We’re headed in the right direction because the program received an 87% learner satisfaction rating in the first year’s survey.”
For the new program, Gomez chose Infosec IQ learning modules on phishing, social engineering, password security, safe web browsing and malware because those topics are of high concern for her government administration and its employees. Gomez found using elements of the humor-based “WORKed” series a popular option to reinforce the modules and lessons.
A welcomed twist on security awareness
Gomez recommends using clever program ties to holidays, national security recognition days and seasonal events as a good way to build employee engagement.
“We started off with our fun version of ‘Phish Week’ as a spin on Discovery Channel’s ‘Shark Week’ which is always buzzing on social media,” Gomez said. “We hung the phishing posters and used that week to launch PhishNotify. We also started using Infosec’s Catch of the Week email as a conversation starter and a way to get people thinking about the cyber threats around us.”
Other seasonal events to use include privacy issues in January, changing passwords on World Password Day in May, National Cyber Security Awareness Month in October and Black Friday with holiday shopping and credit card security awareness in November and December.
Empowering security champions
Gomez gets help from “security champions” who strengthen lessons and serve as ambassadors throughout the organization.
“Our security champions help reinforce the idea that security is everyone’s responsibility,” Gomez explained. “We have one champion in every department. They do a great job building awareness with our 4,000+ employees. They can answer questions about the phishing campaigns and alert their groups to breaking news in the cybersecurity world. They are an extremely valuable tool to get the entire organization rowing the security awareness boat in the same direction!”
Gomez raised the fun bar with a surprise certificate and traveling Captain America trophy for the department that completed its program first — creating a friendly bragging rights rivalry for next year.
Gomez points to short “Cyber Chats” — a quick coffee or lunch gathering — to help keep communication flowing and security front-of-mind as another successful tactic. Longer lunch-and-learn sessions were also well-attended.
One of the bigger wins with employees during the 2019 program was replacing a disliked and dreaded test at the end with a simple 10-question survey to measure learner engagement.
“I replaced the old test with a survey because I am more interested in collecting data on learner satisfaction with the program and to assess if we needed to make changes for the next year. For example, some people expressed they’d like a deeper learning dive in one area, so we’ll adjust for that in 2020,” Gomez said.
An empowered workforce — A secure organization
Focusing on education and training that engages and empowers learners, while removing hurdles to learning and the fear of retribution and discipline for security awareness errors, has proven to be a strong motivator at Johnson County Government. Motivating with the idea that security awareness is everyone’s responsibility has won the organization the first Impact Award from Infosec, while also serving as a top example of an effective security awareness training program.