At Johnson County Government, success starts with engaging employees

With over 4,000 employees and an obligation to protect the sensitive data of its 600,000 residents, Johnson County knows it takes more than traditional, compliance-based training to stay secure. Learn what made Johnson County an Infosec Inspire award finalist and how they continue to push the boundaries of security awareness training.

At Johnson County Government, success starts with engaging employees

Turning cybersecurity into a celebration

Led by Donna Gomez, security risk and compliance analyst, Johnson County is always seeking better ways to prepare employees and protect the community’s sensitive data.

“We deliver training from the Need to Know series, run routine phishing simulations and supplement training with events throughout the year,” explained Gomez.

Each July, Gomez launches Phish Week, an internal event built to bring awareness to phishing, reinforce secure behaviors and have some fun in the process. “This year, we introduced the Choose Your Own Adventure® Security Awareness Game focused on social engineering,” explained Gomez. “We plan on launching the next game, Zombie Invasion, in October to tie in with Halloween and Cybersecurity Awareness Month.”

During Phish Week, Gomez also organized games of Security Feud — a take on the popular Family Feud game show — which tests employee knowledge in a fun and (sometimes) competitive environment.

“It was fun to have different groups of people participating and taking a break from work to learn,” said Gomez. “We made it a no-judgment zone where everyone could take a break from work and have a little fun. The CIO even attended!”

While Security Feud provided a fun alternative to traditional training, it also came in handy for specific training purposes. “We even played Security Feud with our HIPAA compliance group. We covered healthcare compliance, which can otherwise be fairly dull,” explained Gomez.

We’ve maintained the back and forth communication between employees and the security team. Even though we've been in a remote world, we haven’t lost that connection with people.

Training starts with listening

Training employees is an important step, but for Gomez, building cybersecurity into the culture of Johnson County is about people. That’s why a core component of Johnson County’s security awareness efforts is employee feedback. This includes routine surveys to measure satisfaction with specific training resources and themes.

This year Gomez took another step in measuring employee sentiments towards cybersecurity by sending a Cybersecurity Culture Survey. “I have been in meetings where I hear ‘security is just going to tell us no,’” explained Gomez. “When in reality, my job is not to say ‘No.’ My job is to say, ‘Hey, have you considered?’”

Measuring the organization’s cybersecurity culture gave Gomez data around employee feelings and perceptions towards cybersecurity and clear direction on how to measure success and make improvements.

“The good thing about it is that we’ve maintained the back and forth communication between employees and the security team,” explained Gomez. “Even though we've been in a remote world, we haven’t lost that connection with people.”

Turning engagement into lasting change

While most organizations are still trying to regain their security footing and develop a plan to mitigate their cyber risks, Johnson County is pushing their awareness and engagement numbers higher while seeing real behavior change.

Last year, Johnson County increased its email reporting rate by 10%. But for Gomez, perhaps a more powerful sign is the response from employees.

“What I’m really happy about is employees don’t fear being made an example of,” Gomez notes, “Employees tell me when they've done something — like click a phishing email — versus trying to sweep it under the rug. They're telling us and, to me, that is a huge change in culture.”

Johnson County Government is an Engagement Award finalist in the 2021 Infosec Inspire Security Awareness Awards. The Engagement Award is a salute to the most engaging and influential security awareness training programs. These are the programs that go “outside of the box” to harness the power of creativity, learner engagement or gamification to drive lasting behavioral change.