“Something that is now understood in schools is that technology is a foundational, essential portion of the learning that happens in schools. And because it now so deeply impacts the learning process, it is has to be considered safe for people to use,” Dascoli adds.
Using the term “safety” when talking about the importance of cybersecurity helps a wider range of stakeholders appreciate the need to prioritize it, he says.
Now that CISA is speaking with districts and examining the cyberthreats facing K–12 schools, more administrators and board members can be brought into the conversation about the potential impacts of cybersecurity.
Guidelines Will Create Actionable Steps for K–12 IT Teams
IT leaders can expect actionable and manageable guidelines in the wake of CISA’s review as part of the K–12 Cybersecurity Act. While there are many frameworks that school IT staff can use as a resource — such as those from the Consortium for School Networking and the National Institute of Standards and Technology — frequently missing are the steps for how to meet those goals.
“One of the things that happens often with great frameworks developed for cybersecurity is that they have to be robust, they have to be deep. But they become so robust and deep that they become paralyzing for schools,” Dascoli says. “Something really beneficial to come from this would be some very simple guidelines of prevention and detection, resilience and response, that can be easily interpreted by people who may not be equipped to do this.”
While more schools are implementing cybersecurity in the form of penetration testing, professional development and phishing awareness, most districts — especially small and medium-sized districts — don’t have the resources to hire a CISO.
The CISA review process and subsequent guidelines could help IT teams understand “the different areas that you need to consider, from endpoint to network to dashboards to incident response,” Garry says.
“The hope is that they will bring order to some of this chaos with frameworks and resources and money,” he adds.
Schools Will Need IT Funding to Follow CISA’s Guidelines
Because many of CISA’s recommendations will likely require a cybersecurity budget schools don’t currently have, IT admins can expect some type of funding to follow the creation of the guidelines — but shouldn’t count on it.
“Schools don’t have the resources to pay for a senior-level leader,” Dascoli says. “One of the things that we would have to do is help school systems find the right funding to be applied for these types of positions.”