While creating a secure computing environment is a tough task in every industry, it can be herculean in a K–12 school district. Part of the difficulty arises from the diverse set of stakeholders involved in educating and protecting students.
Information security (InfoSec) team members must balance the competing priorities of teachers, administrators, parents and students. Most of these stakeholders have little knowledge of information security, and therefore, little willingness to embrace InfoSec efforts. That’s especially true when those efforts seem, on the surface, misaligned with educational priorities. In order to succeed, InfoSec leaders must counter the unique threats and challenges faced in K–12 settings, while simultaneously attracting top-notch security professionals, all in a budget-constrained organization.
Skilled Workers Will Be Drawn to a Mission
K–12 school districts have suffered many well-publicized security breaches and, consequently, are attempting to become more security focused, but a serious lack of skilled workers makes this an uphill battle.
Public K–12 educational institutions gain funding from federal and state governments, and the resulting pay scale is lower than the private sector. Lower pay makes it difficult to attract highly skilled professionals, except for those drawn to the mission of educating our country’s youth. Given this talent drought, the InfoSec team is typically made up of other IT team members who are deputized to work on security and lack formal InfoSec training.
Networking, application development or infrastructure team members are given new, security-related tasks, often with little budget available for training or direction. Policies are loosely defined or nonexistent, and reporting lines are often drawn to IT leaders that have equally little security experience. Immediately “in place,” district leadership expects that the newly formed, but novice, team will be able to secure a very complex threat environment. The school system often fails to allocate the necessary ongoing investment in skill development, countermeasure technology and strategic direction.
Breaking the vicious cycle of inability to hire or retain InfoSec talent in the K–12 environment is a difficult challenge and requires a long-term strategic vision that must have support from executive leadership.
Districts must fund training and development initiatives, secure access to state-of-the-art technology and create a modern and fulfilling working environment if they want to build a successful InfoSec team. If properly stimulated, InfoSec professionals can be retained by providing ongoing career development, progression and recognition — even in the face of tough competition for their talent from the commercial sector.
Encourage Feedback, Demonstrate Initiative with Your Team
There are an estimated two open information security positions for every trained information security professional, leading to unprecedented choice in roles for those most qualified. How does a school district compete? With training and empowerment.
Organizations should focus on staff training, beginning with foundational information security principles and concepts, strengthening their skill sets, which as previously discussed, might be in disciplines other than security. The team should be able to identify threats from patterns, making them less reliant on tools and able to react to issues or challenges using the greatest tool they have — their brains.
With basic training in place, the focus must then shift to empowerment. Leaders should allow staff to make mistakes. If they aren’t making mistakes, then they aren’t being pushed to the outer limits of their expertise. When, inevitably, mistakes are made, challenge them with two simple questions: How do we fix this? How do we make sure it does not happen again? Policies and procedures, while critical, cannot be so rigid that they limit creativity and action orientation. Additionally, encouraging open, transparent feedback will help introduce new perspectives and continue to instill in your team a sense of empowerment.
And, of course, empowerment requires leading by example. Be the leader you wish you had in your career. Do you sit in your office waiting for information to come to you, or do you get out among the people in your community to extract the data? Do you treat the school network as a business network or do you think “it’s only K–12, we just have to be good enough?” Do you exhibit a fixed mindset or a growth mindset? Changing the way you think or see your environment opens your mind as a leader. It’s important to see the possibilities of what could be with your InfoSec program and demonstrate to your team that they too can expand their horizons and demonstrate initiative with new ideas.