Security Analyst III

Johnson County Government is seeking a skilled and experienced Security Analyst III to join our team. In this role, you will play a critical part in maintaining and enhancing our security posture and ensuring compliance with legal and regulatory requirements. You will lead major security initiatives, drive continuous improvement in our security practices, and safeguard our information assets by developing and enforcing robust security architecture, policies, and procedures. A strong commitment to professional growth is essential, demonstrated through active participation in Johnson County's training opportunities, including specialized programs such as SANS cybersecurity courses and other professional development resources.

This position is currently eligible to work in a hybrid work environment with both onsite and remote work. Residency within the Kansas City-Overland Park-Kansas City, MO-KS Combined Statistical Area, which generally includes the Kansas counties of Johnson, Wyandotte, Leavenworth, Miami, and Linn, and the Missouri counties of Jackson, Clay, Platte, Cass, and Ray, is required. We offer wonderful benefits, retirement plans, wellness incentives, a great organizational culture, and much more! If you're searching for something more than just a job, something akin to a calling, then consider the challenge and opportunity of being a member of Johnson County Government! First review of applications will begin on Tuesday, November 6, 2025.

Key Responsibilities:

Strengthen the county's security posture through technology evaluation, process improvement, and penetration testing.
• Lead and execute web application penetration tests, identifying vulnerabilities in custom and third-party applications, and working with development teams to remediate findings.
• Conduct and analyze vulnerability scans and penetration tests across infrastructure and applications.
• Collaborate with other teams within the Department of Technology and Innovation to standardize and improve security processes across all business units.
• Conduct reporting and auditing of Identity and Access Management.
• Identify and analyze current and evolving threats and vulnerabilities, especially those targeting web applications.
• Ensure compliance of enterprise IT architecture with federal health, privacy, and financial regulations.
• Conduct comprehensive risk assessments of the current environment and proposed changes to the hardware and software stack to identify potential security vulnerabilities and ensure alignment with organizational security standards.
• Develop and document security policies and procedures aligned with industry best practices and emerging threats.
• Lead security projects, including the deployment of new technologies and tools for application security testing.
• Analyze and respond to security incidents, advisories, and alerts.
• Promote secure development practices and provide guidance to developers on secure coding.
• Work with end users to address business functionality needs while ensuring secure methodologies.
• Train end users and promote security awareness for improved system security and efficiency.
• Monitor and manage security-related contracts and tools.
• Utilize forensic tools for data collection and incident response.
• Participate in on-call rotation.

Special Knowledge and Skills Needed:

• Analytical skills, including the ability to research, interpret data, conceptualize data, analyze information, and write formal recommendations based on findings.
• Experience in threat hunt using SIEM and EDR tools on Windows and Unix systems.
• Comprehensive understanding and substantive experience in network systems engineering, computing systems and software applications.
• Demonstrated expertise in web application penetration testing, including manual and automated testing techniques, OWASP Top 10, and secure development lifecycle practices.
• Experience with tools such as Burp Suite, OWASP ZAP, Metasploit, and custom scripts for web app testing.
• Comprehensive understanding and substantive experience in network systems engineering, computing systems and software applications.
• Experience working in a change-controlled environment.
• Experience working with:
  • Network and security management software
  • Network analysis tools
  • Scripting languages including UNIX command line utilities
  • Vulnerability Management tools
  • Layer7 firewalls (NGFW)
  • Vendor access systems
  • Active Directory
  • Log management tools
  • Network Security monitor tools

Required Experience

• Bachelor's degree in Information Technology or relevant field*
• 8+ years of experience in information technology.
• 5+ years of experience in information security, including risk analysis and management.

*Experience may be substituted for education. Education may be substituted for experience.

Preferred Qualifications

• 3+ years of experience in project management.

• Familiarity with IT security standards (ISO, NIST) and regulatory frameworks (CJIS, HIPAA, PCI).

• Experience implementing security control frameworks such as the Center for Internet Security (CIS) Benchmarks and/or Security Technical Implementation Guides (STIGs) to ensure system hardening and compliance.

• Experience supporting Microsoft business applications (Active Directory, Exchange, Azure, Entra, Purview, Defender for Office).

• Experience working with SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems).

• Experience using network analysis tools, scripting languages including UNIX command line utilities, software vulnerabilities, exploits and malware.

• CISSP certification.

Soft Skills

• Strong interpersonal and collaboration skills.
• Curiosity and a proactive approach to problem-solving.
• Written communication skills, including business writing, report writing, summarizing, and editing skills.
• Oral communication skills, including presentations to: individuals, small groups, and large groups.
• Facilitation skills, including ability to use group decision making to gain commitment and/or ability to encourage participation.