At Johnson County Government, success starts with engaging employees

November 3, 2021 by Patrick Mallory

Security awareness isn’t new to the Johnson County Government in the state of Kansas. And with over 4,000 employees and an obligation to protect the sensitive data of its 600,000 residents, they know it takes more than traditional, compliance-based training to stay secure.

Learn what made Johnson County an Infosec Inspire award finalist and how they continue to push the boundaries of security awareness training.

Turning cybersecurity into a celebration

Led by Donna Gomez, security risk and compliance analyst, Johnson County is always seeking better ways to prepare employees and protect the community’s sensitive data.

“We deliver training from the Need to Know series, run routine phishing simulations and supplement training with events throughout the year,” explained Gomez.

Each July, Gomez launches Phish Week, an internal event built to bring awareness to phishing, reinforce secure behaviors and have some fun in the process. “This year, we introduced the Choose Your Own Adventure® Security Awareness Game focused on social engineering,” explained Gomez. “We plan on launching the next game, Zombie Invasion, in October to tie in with Halloween and Cybersecurity Awareness Month.”

During Phish Week, Gomez also organized games of Security Feud — a take on the popular Family Feud game show — which tests employee knowledge in a fun and (sometimes) competitive environment.

“It was fun to have different groups of people participating and taking a break from work to learn,” said Gomez. “We made it a no-judgment zone where everyone could take a break from work and have a little fun. The CIO even attended!”

While Security Feud provided a fun alternative to traditional training, it also came in handy for specific training purposes. “We even played Security Feud with our HIPAA compliance group. We covered healthcare compliance, which can otherwise be fairly dull,” explained Gomez.

Training starts with listening

Training employees is an important step, but for Gomez, building cybersecurity into the culture of Johnson County is about people. That’s why a core component of Johnson County’s security awareness efforts is employee feedback. This includes routine surveys to measure satisfaction with specific training resources and themes.

This year Gomez took another step in measuring employee sentiments towards cybersecurity by sending a Cybersecurity Culture Survey. “I have been in meetings where I hear ‘security is just going to tell us no,’” explained Gomez. “When in reality, my job is not to say ‘No.’ My job is to say, ‘Hey, have you considered?’” 

Measuring the organization’s cybersecurity culture gave Gomez data around employee feelings and perceptions towards cybersecurity and clear direction on how to measure success and make improvements.

“The good thing about it is that we’ve maintained the back and forth communication between employees and the security team,” explained Gomez. “Even though we've been in a remote world, we haven’t lost that connection with people.”

Turning engagement into lasting change

While most organizations are still trying to regain their security footing and develop a plan to mitigate their cyber risks, Johnson County is pushing their awareness and engagement numbers higher while seeing real behavior change.

Last year, Johnson County increased its email reporting rate by 10%. But for Gomez, perhaps a more powerful sign is the response from employees.

“What I’m really happy about is employees don’t fear being made an example of,” Gomez notes. “Employees tell me when they've done something — like click a phishing email — versus trying to sweep it under the rug. They're telling us and, to me, that is a huge change in culture.”

Johnson County Government is an Engagement Award finalist in the 2021 Infosec Inspire Security Awareness Awards. The Engagement Award is a salute to the most engaging and influential security awareness training programs. These are the programs that go “outside of the box” to harness the power of creativity, learner engagement or gamification to drive lasting behavioral change.

Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.