Making a cybersecurity plan without an initial assessment of the status quo is like making an airplane reservation without knowing what city you’re flying out of, said Frosty Walker, CISO for the Texas Education Agency, at the Texas Computer Education Association Convention & Exposition in San Antonio on Monday.
A common starting point with cybersecurity, Walker said, is “we know where we want to get to, but we really don’t know where we are today.”
His session, “Where Are You on the Cybersecurity Roadmap?”, gave attendees strategies to evaluate and improve data security in their K–12 districts. He also shared resources from TEA’s Texas Gateway, including a 40-item checklist that can serve as a detailed guide for IT leaders on a variety of data security strategies.
Make the Case for K–12 Cybersecurity with Visual Tools
A formalized assessment method — a map, if you will — helps leaders define their current situation, develop a budget against it and make the case to senior administrators. Walker showed one chart that depicted the current security status for a hypothetical district, mapped against the 40 items on the checklist. A bright red line showed where the district was falling behind the desired level of due diligence.
“Words don’t always paint the picture that we think we’re painting, so visual aids help us a lot when we’re talking about cybersecurity,” he said.
Images like this, Walker said, give IT leaders an effective and powerful way to convey technical issues to their administrators.
“The farther away from due diligence we are, the higher the risk,” he said. “It makes a difference when they can see your security program mapped out.”
Such maps also give IT leaders a systematic way to manage their security strategies over the long term.
“Improving your security posture is not something you fix overnight,” said Walker.
Evaluate Your District Against 6 Levels of Cybersecurity Readiness
To help IT leaders assess their district’s performance on each security measure, Walker offered a six-level framework:
- 0 – At this level, security measures for the target objective are nonexistent.
- 1 – Security strategies are ad hoc, inconsistent or reactive.
- 2 – Strategies are repeatable and generally consistent, but for the most part they are still reactive and undocumented. The organization doesn’t routinely measure or enforce compliance with security policies.
- 3 – The security approach is defined, detailed and documented. The organization regularly measures compliance.
- 4 – Data security is achieved through an established risk management framework that measures and evaluates risk and integrates improvements, going beyond the minimal regulatory requirements.
- 5 – Data security is optimized. The organization has refined standards and practices focused on ways to improve its capabilities in the most efficient and cost-effective way.
Walker also noted that while requirements such as the Texas Education Code and, more broadly, the Family Educational Rights and Privacy Act can serve as a guide to data security, they are the very least that districts should strive to achieve.
“Our objective here is to get beyond our minimal requirements, and we don’t know how close we are until we actually measure that,” Walker said.
Update Security Assessments Routinely to Measure Progress
With a baseline assessment completed, routine updates become a comparatively easy lift, said Walker, adding that he finds quarterly updates manageable because they only require leaders to document changes from the previous 90 days.
Periodic snapshots of the district’s security posture also help leaders track maturity over time and demonstrate progress to leadership, he said.
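As an added illustration (not code from the session or from TEA's Texas Gateway materials), here is a small Python model of the assessment described above: each checklist item is scored on Walker's six levels against a due-diligence target, the items that fall below the line are ordered for the chart, and two quarterly snapshots are compared to produce the 90-day delta. The item names, scores and targets are constructed sample data, not the actual 40-item checklist.

```python
# Added example (not the session's or TEA's code): gap analysis over a
# checklist scored on Walker's six levels, plus a quarter-over-quarter delta.
# Item names and scores below are constructed sample data, not the real checklist.
from dataclasses import dataclass

# Walker's six readiness levels, 0 (nonexistent) to 5 (optimized).
LEVELS = {0: "nonexistent", 1: "ad hoc / reactive",
          2: "repeatable, reactive, undocumented",
          3: "defined, documented, compliance measured",
          4: "risk-management framework beyond minimum regulation",
          5: "optimized"}

@dataclass(frozen=True)
class Item:
    name: str
    current: int  # assessed level on the 0-5 scale
    target: int   # the district's due-diligence level for this item

def gaps(snapshot: list[Item]) -> dict[str, int]:
    """Per-item shortfall below the due-diligence line (0 when at or above it)."""
    out = {}
    for it in snapshot:
        if it.current not in LEVELS or it.target not in LEVELS:
            raise ValueError(f"{it.name}: levels must be 0-5")
        out[it.name] = max(0, it.target - it.current)
    return out

def prioritized(snapshot: list[Item]) -> list[str]:
    """Items below the line, largest gap first: the chart's red line as a worklist."""
    g = gaps(snapshot)
    return sorted((n for n, d in g.items() if d > 0), key=lambda n: (-g[n], n))

def quarterly_delta(prev: list[Item], curr: list[Item]) -> dict[str, int]:
    """Level change per item since the last snapshot (+ improved, - regressed)."""
    before = {i.name: i.current for i in prev}
    return {i.name: i.current - before[i.name] for i in curr if i.name in before}

# Constructed sample: two quarterly snapshots of a hypothetical district.
Q1 = [Item("sensitive data inventory", 1, 3), Item("backup restore test", 2, 3),
      Item("admin MFA", 0, 3), Item("patch cadence", 3, 3)]
Q2 = [Item("sensitive data inventory", 2, 3), Item("backup restore test", 3, 3),
      Item("admin MFA", 0, 3), Item("patch cadence", 3, 3)]

if __name__ == "__main__":
    print("below the line:", prioritized(Q2))
    print("change this quarter:", quarterly_delta(Q1, Q2))
```

Feeding each quarter's snapshot through `prioritized` gives the ordered list behind the red-line chart, and `quarterly_delta` is the 90-day change log the update process only needs to record.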
Finally, he said, the due diligence of identifying, inventorying and prioritizing sensitive data assets will be extremely valuable if a district ever has a data breach, a natural disaster or a ransomware attack and needs to rebuild its systems.
“We do a pretty good job of tracking hardware and software, but those aren’t the only valuable assets we have,” said Walker. Districts have huge amounts of sensitive information that should be inventoried and prioritized, he said.
No matter how good the disaster recovery plan is, he said, or how many times the team has run through a tabletop exercise, when you’re doing it for real, “you find things that just don’t work when you have to build the data center from scratch from backup.”
Even so, he said, he recommends that IT leaders do take their teams through tabletops and other readiness activities.
“Every time I do a cybersecurity exercise, we find out all kinds of interesting things,” he said.