Creating a Culture of Cybersecurity in Schools
Educators choose their profession because they have a passion for helping children. They don’t necessarily have that same passion for information technology (IT). But times are changing and so must schools to stay ahead of threats that might put student and family data and information at risk. Growing cybersecurity incidents are having a significant impact on education. For example, the Los Angeles Unified School District was struck by a massive cyberattack in September that shut off access to email, the district website, and lesson and attendance systems.
Increasingly, schools are hiring more IT professionals to support devices and connectivity, which are necessary to stay current on technology and to address the digital divide that’s been made worse by a global pandemic, but this often leaves out cybersecurity—a comprehensive challenge facing schools.
Only 21 percent of districts have a full-time equivalent employee dedicated to network security. Schools need to create a culture of cybersecurity to tackle this issue head on, and that involves mixing and matching strategies from the school to the district levels. This new Cybersecurity Positions Project paper from CoSN identifies and addresses four strategies for staffing cybersecurity within school systems.
Strategy 1: Develop Dedicated Cybersecurity Positions
Dedicated cybersecurity positions offer the advantages of specialized training and experience in implementing and monitoring preventative measures and managing and coordinating incident response in the event of a cyber incident. However, it’s important to acknowledge that “cybersecurity” is not a single position description with uniform duties regardless of organization; it’s an entire career field with many skills and focuses.
When selecting a person to fill a cybersecurity position, consider which of the following make most sense for your school’s capacity and needs:
- Policy and compliance leadership and management;
- Network and systems defense and security analysis;
- Security operations and incident response; and
- Training, education, and awareness.
Strategy 2: Incorporate Cybersecurity Duties in Existing Technology Positions
Cybersecurity is no longer an activity that happens in a technical silo; it’s an essential element of every technology position. All technology positions—chief technology officer or IT director; network or systems analyst; applications developer; and help desk or end user support—should have cybersecurity included as a standard statement of expectations in their position descriptions. Adding cybersecurity responsibilities to existing positions is not enough to close the risk gap, the report says, so schools must work with districts to plan for initial and ongoing training to ensure technology staff understand and can fulfill their cybersecurity responsibilities.
Strategy 3: Leverage Cross-District Collaboration
Schools and districts are pulled in many directions when it comes to resource allocation. The report suggests that pooling resources to use a centralized cybersecurity service through the district or a service provider can serve as an alternative to hiring full-time cybersecurity staff, which often is prohibitive to many schools and districts.
Collaborative cybersecurity approaches offer many benefits, including:
- Smaller organizations that can’t afford full time cybersecurity staff or highly specialized staff can access trained and experienced personnel; and
- This is a cost-effective approach that can allow school districts to leverage aggregation of equipment, licensing, and staffing to avoid having to create their own end-to-end cybersecurity monitoring and response technologies and staffing.
Strategy 4: Non-IT Positions With Cybersecurity Roles
Many positions outside of the technology department have access to either data or systems that require secure handling and knowledge of student data privacy and, by extension, cybersecurity and cyber safety practices. At the school level, this could be office staff handling student and parent information and data and faculty and staff who handle student information.
In today’s education environment, everyone is responsible for cyber safety and cybersecurity, as no employees are exempt from interfacing with or using these systems.
While each of these strategies offers opportunities to increase cybersecurity protections in schools, it is important to note that adding a single position focused on cybersecurity will help address the challenges, but it will not address all the risks facing a school or district. The field of cybersecurity is diverse with many focus areas and specializations, and it is essential to identify and leverage the right combination of skills and resources to protect the school district.