Feb 01 2024

Q&A: How to Protect Your K–12 Schools from Cybercrime Using the Zero-Trust Model

The security approach can be a powerful deterrent in K–12, says CIO Marlon Shears.

Marlon Shears has spent more than 20 years working on the IT teams for some of the biggest K–12 districts in the nation. He started out as a software engineer at Los Angeles Unified School District and then moved on to Dallas Independent School District, where he soon became deputy CTO. After three years, he went on to Fort Worth ISD as CIO and now serves as CIO at IDEA Public Schools, headquartered in Texas. Before he transitioned to IDEA, he led his Fort Worth team in starting the zero-trust process.

Zero trust can be challenging and is not common in K–12. However, as cybersecurity breaches continue to rise, Shears is spreading the message that more schools need to add this security layer to their networks. Below, he shares some tips for starting the zero-trust process in K–12 schools.

EDTECH: What makes K–12 an appealing target for cybercriminals?

SHEARS: Cybersecurity for K–12, to be honest, wasn’t a priority until some of the bigger districts got hit. When you’re a school district, people think, “Why do they want to hack me?” But we have tons of data.

School districts are normally one of the largest employers in their cities, even rural cities. So, you have a lot of employees. You have students with clean credit profiles. The data is rich, and cybercriminals know that. And over the past three years or so, it’s become clear that we have skill set gaps, which add to our vulnerability.

Click the banner to learn more about implementing zero trust in your school.

EDTECH: Why is it important for K–12 schools to implement more robust cybersecurity practices?

SHEARS: I think student privacy has to be at the top of everyone’s agenda. I view it as a privacy issue for any individual, not just students. You should have the ability to protect that privacy at all costs. And so, cybersecurity is a privacy issue. No one wants their data on the black web. Nobody wants their data to be stolen.

EDTECH: K–12 is notorious for its funding challenges. What’s the impact of not getting cybersecurity funding?

SHEARS: Urban school districts and rural school districts struggle with per-pupil funding and how we spend money. Most of the money should be in the classroom, supporting teachers. Unfunded cybersecurity is just taking away from them. So, many just cross their fingers and hope they don’t end up a target.

DIG DEEPER: One student data privacy pioneer says that K–12 schools must do better.

EDTECH: What is zero trust?

SHEARS: Zero trust means that you don’t trust anything that’s on your network. You don't trust anybody. You don’t trust any device. And you track everything that’s done and you monitor everything that’s done, and when something looks suspicious, it's captured, and you put it in an isolated browser.

That browser can’t touch anything on the network. It’s the next layer of security.

Zero trust is something you can do as you become a more mature organization. It’s not something you would start with; you do it after you add other security components.

EDTECH: How did your team at Fort Worth Independent School District get involved in zero trust?

SHEARS: We started with the federal government’s NIST Cybersecurity Framework. We started to implement that, while looking at zero trust as a tool in that journey.

Marlon Shears
If you go down for two weeks and you can't recover, who cares if you have MFA? Make sure that you run your simulations and that you can recover your systems effectively in a manageable time frame.”

Marlon Shears CIO, IDEA Public Schools

EDTECH: We know you can’t just buy zero trust. Tell us more about it.

SHEARS: It’s a service. It’s in the cloud. Not all are in the cloud. Some are on-premises, but it’s more of a service that you buy, and that service tracks every transaction to make sure that it’s secure. It doesn't trust any transaction.

If you go to your bank and you log in, they use a form of zero trust that triggers suspicion if you are using a new computer. So, with zero trust, the response would be, ‘Hey, I haven't seen that computer before. Let me send you a code to confirm your identity.’

EDTECH: It sounds like multifactor authentication and identity and access management are at play here.

SHEARS: Yes, they’re using MFA and identity management and access control logic to make sure that there isn’t suspicious activity. And then, it’s going to restrict access. It checks access to make sure that you're not on a computer that has a virus. It does a lot.

And some people may say, “This is all you need.” But, sometimes you need a second opinion. With cybersecurity, you need to have multiple layers to make sure that you aren’t putting all your eggs in one basket.

RELATED: Identity and access management solutions for K–12.

EDTECH: For schools that have MFA and identity and access management already installed, does this means they are one step closer to zero trust?

SHEARS: Not exactly. I would say the first step is to pick a framework, regardless of if you can go through it all or not. Then define your policies. I know everybody wants to do two-factor, but the first thing I would do is disaster recovery.

If you go down for two weeks and you can't recover, who cares if you have MFA? Make sure that you run your simulations and that you can recover your systems effectively in a manageable time frame.

Only then would I say, you can move on to MFA.

EDTECH: So, MFA is important. But is it important for everyone on a school network to have it, especially when it might be challenging to implement with students?

SHEARS: I would say that not everyone needs to have it. The individuals who need to have multifactor are the ones who have access to critical applications. That ends up being most of your staff, because teachers need access to the student information system, and your financial employees need access to payroll.

All staff members should have MFA, so they can access their self-service employee portals or other critical data.

Students, on the other hand, don't really need MFA. Students only need access to the internet. If you are on a limited budget, then MFA for every student probably isn’t the best use of that budget.


The percentage of K–12 schools that use backups for data recovery

Source: Sophos, “The State of Ransomware in Education 2023,” July 2023

EDTECH: What’s another challenge in implementing zero trust, and what’s a solution to that challenge?

SHEARS: It’s always going be funding. Zero-trust implementation takes time. But once you get past that, the solutions themselves hold the complexity. So as an end user, you don’t feel that complexity. The solutions, for the most part, handle that seamlessly.

But you do have to spend a lot of time configuring it, so that the right groups and the right folks are impacted in the manner that you expect them to be impacted. Once you do that, the rest is easy. The solutions handle themselves, but that comes at a cost.

DISCOVER: The key principles of the zero-trust model.

EDTECH: How important are the right vendor relationships to making zero trust in K–12 a reality?

SHEARS: I tend to try to stray away from saying, ‘Hey, you should use this vendor or this solution,’ because it may not fit the technology stack. It may not fit the vendor relationships in place. I think that the key to zero trust is to make sure that it’s cloud-based.

Make sure it has browser isolation. Make sure that it’s tracking every transaction and not partial transactions, and that it protects all of your resources and not a subset of resources. You also want to make sure that it can handle BYOD.

You’ll want a very robust, cloud-based platform that doesn’t rely on you to maintain it, because we’re already stretched as it is. You don’t want to put that kind of stress on your team.

EDTECH: You’re continuing the zero-trust process with IDEA Public Schools, which is a charter school operator, so there might be differences from a traditional public school. Any insights so far?

SHEARS: There is little difference in the approach. At IDEA, we have 78,000 kids in Texas and we have 140 schools so it’s the same journey.

They started the journey before I got there. You don’t want to skip steps. I went in and added some steps. It’s a recipe. You don't want to alter it unless you just want to put in a little bit of extra seasoning. The key is to never take away from the recipe, but you can add to taste.

LEARN MORE: Eight ways to diversify K–12 IT leadership.

EDTECH: What is your philosophy or goal as an IT leader of color in the K–12 space?

SHEARS: That goes beyond security. One of my goals is to ensure equity. For me, it’s about seeing more people of color and more women in IT. I want to actually open the doors to more college students looking at working in K–12 and working in the public sector.

But a lot of it is going to be about how we fund education and how we look at security and other technical aspects. A lot of learning is done on technology now, and I think we need to promote that and promote the importance of technology, innovation and creation in this space, along with the funding that needs to come along with it.

To sum it all up, I want to ensure that all kids of all abilities and from all socioeconomic backgrounds have the most innovative education for the 22nd century and that we can effectively bridge the learning gap between school and home.

Photography by Trevor Paulhus

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.