School tech leaders Sean Whelan, Stacy Hawthorne, Rich Boettner, Rob Dickson and Frankie Jackson discuss the K–12 applications of NIST's Cybersecurity Framework.

Jun 27 2024

ISTELive 24: Takeaways From the National Cybersecurity Framework for K–12

School leaders need a strong understanding of security risks, and IT can help.

With rising cyber insurance rates, more stringent insurance requirements, tight budgets and slim staffs, K–12 school leaders cannot afford to make any errors with their cybersecurity strategies. So, when one panelist at a packed ISTELive 24 cybersecurity session asked how many audience members had already adopted a national or international cybersecurity framework and only one hand went up, Rob Dickson, CIO at Wichita Public Schools in Kansas, said firmly, “We’ve got work to do.”

Dickson was one of several experienced technology and education panelists who discussed the new National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and how it applies to K–12. The group used the document to focus on areas where additional administrative oversight could be vital to hardening cybersecurity postures. Here are a few of the suggestions that came out of the session.

Seek a National Cybersecurity Model

Rather than reinventing the wheel, panelists said, schools can build their cybersecurity strategies on one of several frameworks that already exist.

The NIST Cybersecurity Framework 2.0 takes the original five pillars (identify, protect, detect, respond and recover) for strengthening cybersecurity and then layers in governance throughout the document.

Frankie Jackson, a former school CTO and current Cybersecurity Coalition for Education project lead, said that the governance piece is critical, as it means cybersecurity is “no longer really seen as a technology initiative, and it requires leadership commitment.”

The Cybersecurity Coalition for Education has also created a framework based on the NIST framework that more closely aligns with education.

Why K–12 Needs an Outside Cybersecurity Assessment

Panelists noted that it can be difficult to get school administrators to see the value of investing in cybersecurity, so external assessments can be extremely enlightening. And while free or paid assessment options abound, panelists pointed to the Cybersecurity Rubric 2.0, which ranks organizations from 1 to 5 on each of their cybersecurity pillars.

The tool could help technology leaders see what areas of their cybersecurity strategies need strengthening and can also make the gravity of addressing cybersecurity gaps clear to nontechnical leadership teams.

“I’ve never met a superintendent that didn't want to be up there as a Level 4 or Level 5, because in their mind, that's an A or a B,” Jackson said. “And when they come down to the multifactor authentication part of the rubric and they see that not having that means they are on Level 1, they see that as an F. They're pretty quick to get on board for critical improvements.”

Understand and Communicate Your Level of Risk

While an assessment can result in some valid security recommendations, panelists noted that most schools cannot get everything done right away.

“It takes a long time, and there are a lot of different levels of work that need to happen to get to a mature level of cybersecurity,” said Rich Boettner, CTO at Hilliard City Schools in Ohio. “Figuring out what your risk tolerance is as a district takes conversations with senior management, so you've got to bring in the people who aren't normally in the room.”

Stacy Hawthorne, chief academic officer at Learn21, said that having key performance indicators could be another strategy for communicating data showing the need for improved cybersecurity.

“I know in education, people don't want to hear about KPIs, but once you’ve done that cybersecurity risk assessment, you could create some KPIs for maintaining cybersecurity and track those and align them with your school and organizational objectives,” she said.

“The only way we’re going to solve cybersecurity is with human interaction,” she continued. “You must have a team of people with you. Your boards need to be aware of this, and KPIs give you the ability to communicate metrics to senior leadership and keep them informed.”

Know How Your Supply Chain Handles Student Data

The group then raised the subject of supply chains. School technology leaders may erroneously think they never have to worry about supply chain management, as schools are not big corporations. Boettner challenged that notion.

“The reality is that some of the keywords you’re going to see in the description for supply chain management are things like the products and the services that you are already interacting with, such as third parties, vendors, suppliers and their security practices,” he said. “Education is much more vulnerable than large corporations, because corporations aren’t working with 200 vendors like schools are. We have all kinds of data all over the place. Is every one of those vendors and suppliers treating your student data with the same care you think your data needs?”

He said that this is why schools should consider adopting the National Data Privacy Agreement from the Student Data Privacy Consortium, which folds in national student data privacy regulations. “This is an agreement that puts the control of how your data is managed by your vendors in your hands,” Boettner said. “We need to be telling them, this is what our expectations are, and this is how you handle our children’s data and what you do with that data.”

Schools can present the document to vendors to sign as a condition of doing business with them.

Update or Develop Cybersecurity Policies

Policies are the backbone of any school organization, but schools may not have policies that specifically address cybersecurity.

Sean Whelan, director of technology at Garfield Heights City Schools in Ohio, says that many school policies on issues such as information security and device use might already have some cybersecurity policies embedded in them, but they could be outdated and not meet compliance requirements.

“People don’t know what they don’t know,” Whelan said. “And we should know each person responsible for making sure the district is compliant with its policies. But a lot of times, we haven't looked at those policies in a long time.”

He noted that one way to get up to speed is to rely on partnerships with other internal teams, such as HR, that can make certain policies part of the onboarding process.

Photography by Taashi Rowe