School districts around the country are struggling to rise to the challenge of cybersecurity threats. Ransomware attacks continue to plague K–12 schools, threatening instructional time and the theft of sensitive, personal information belonging to students, teachers and administrators. In addition to having a robust cybersecurity plan in place to protect their districts, schools should also have someone on their IT team who is dedicated to cybersecurity.
According to a risk assessment survey of 120 school systems conducted in 2020-2021 by the Consortium for School Networking and Security Studio, more than 75 percent of respondents had a person responsible for cybersecurity; however, more than half of those responding didn’t have a formal cybersecurity program supported by leadership.
Recruiting a dedicated cybersecurity expert could help in both instances. But hiring can be tough for schools, which must compete with technology firms, financial institutions and other well-funded industries for scarce cybersecurity talent. Administrators could find themselves struggling to protect their districts against a critical threat simply because they can’t afford to hire the talent required to address the problem.
Click the banner to learn more about cybersecurity measures to protect your district.
Fill the Cybersecurity Gap for K–12 IT Teams
Other industries have already addressed this challenge by outsourcing components of their cybersecurity infrastructure. In fact, a 2019 Deloitte survey of 500 C-suite executives found that 99 percent of organizations outsourced some portion of cybersecurity operations. School districts have been slower to adopt this approach, but outsourcing could gain traction in K–12 districts and may be the answer to the cybersecurity talent gap plaguing educational institutions.
One particular pain point for districts is the lack of a senior leader proficient in cybersecurity matters and with the skill set to provide the district with well-reasoned, risk-based advice. Large organizations typically hire a chief information security officer for this role, but qualified CISOs command salaries in the hundreds of thousands of dollars –– outside the reach of most school districts. There’s simply no room in the budget to bring on someone qualified to fill this role on a full-time basis, and there’s not much demand out there for part-time roles, as qualified individuals tend to seek full-time employment.
The virtual CISO model allows districts to outsource the leadership and strategy components of their cybersecurity programs. By contracting with a security service provider, the district gains access to a qualified CISO who gets to know the district and its needs but simultaneously serves multiple clients, allowing each client to pay the provider less than the cost of hiring a full-time CISO. These services can also scale with the needs of the district, adding more time when required.
1,200
The number of schools in 2001 that had student personal information posted online after falling victim to ransomware attacks
Source: nbcnews.com, “Hackers are leaking children’s data — and there’s little parents can do,” Sept. 10, 2021
Ask the Right Questions When Interviewing a vCISO
Districts that choose to hire a vCISO will find themselves evaluating a range of service providers and should ask these critical questions as they walk through the process:
- How many other clients will the vCISO serve, and what percentage of their time should you expect to receive?
- How will the service work when the district experiences a cybersecurity emergency?
- What type of services are included in the vCISO scope, and what would prompt the service to bring in additional resources?
- If additional resources are required, are they available at negotiated rates? Is it possible to use some vCISO hours to cover other subject matter experts?
The vCISO relationship isn’t just between the district and the service provider — the individual chosen for the vCISO role must also work well with district leaders and staff. Administrators should insist on interviewing candidates to ensure a good fit and consider asking some of the following questions:
- What experience do you have in cybersecurity?
- What experience do you have working with — and within — school districts?
- How well will you handle communication with different stakeholders, including senior administrators, school board members, teachers, parents, the media and law enforcement?
- What are your thoughts about creating a secure operating environment where open access to educational resources is idealized?
- What is your familiarity with the district’s cloud and on-premises technologies?
It’s important to remember that, just like employee relationships, vCISO relationships will also come to an end. Be sure to discuss the terms of any changes in advance. Districts should understand the conditions under which the provider will change the individual assigned to the account, the procedure for changing personnel at the district’s request, and the selection process when a new candidate must be identified.
Set Reasonable Timeline Expectations for vCISOs
After hiring a virtual CISO, district administrators should set reasonable expectations for that individual’s performance. Realistically speaking, the vCISO is not going to come in and solve all of the district’s cybersecurity woes on day one. The engagement should begin with a cybersecurity program assessment that evaluates the current state of the program, compares that with the desired state and identifies any gaps that require remediation. The vCISO and district leadership may then work together to prioritize filling those gaps and develop an action plan for advancing the state of the district’s cybersecurity program.
DIVE DEEPER: Learn how a vCISO can help a K–12 school meet its cybersecurity goals.
While districts shouldn’t expect an immediate answer to all of their problems, they should expect that the vCISO will meet clearly defined and agreed-upon performance standards. It’s reasonable to outline a set of goals for each month, quarter and year, and then evaluate the vCISO’s performance against those goals on a regular basis. While the vCISO isn’t technically an employee of the district, he or she should still receive regular performance evaluations to ensure that the district realizes a return on its investment.
Outsourcing cybersecurity operations and leadership can help school districts punch above their weight class. Districts gain access to talent that they would not otherwise be able to afford by sharing access to a senior cybersecurity leader. They also benefit by continuing to develop a relationship with a cybersecurity services provider that may bring other resources to the table.
