EDTECH: Do you recommend investing in cybersecurity insurance?
Bourgeois: Yes. Our cybersecurity liability policy just came up for renewal. Insurers are taking a deeper look at their ability to recover their investment and are more diligent about knowing the security status of their customers. We’re under much deeper scrutiny. K–12 needs to be ready for insurers to ask hard questions.
Just: Yes. Our insurance company is coming to us with an increasing number of requirements. We do a pretty good job — we get complimented on what we do —but eventually we might not be good enough for cybersecurity insurers.
Larsen: Yes. This is an area where we’re seeing a dramatic shift. A few years ago, getting the insurance was as simple as answering a couple of questions. Now, not only is the insurance more expensive, but we also have to answer several pages of in-depth questions about our controls, and the insurance company follows up on our answers.
EXPLORE: Grade your cybersecurity preparedness with this downloadable checklist.
EDTECH: What are your top cybersecurity priorities for the near future?
Bryan: Continuing to educate users. We have some good security appliances in place, like Sophos and cloud-based security, and we do frequent backups in multiple locations. But educating everyone — from the superintendent to the youngest students — is the most important.
Bourgeois: We just adopted Cisco’s security suite, and as an IT organization, we’ve prioritized learning about cybersecurity. It isn’t just one person’s role, it’s every person’s role. Cybersecurity has to be part of the culture. One person will never make a dent with all of our cybersecurity needs.
Just: We’ve started to network with local businesses, not necessarily in K–12. For example, Indiana’s state CISO leads a community of CTOs, which is critical for helping us network. A multinational pharmaceutical company doesn’t have the same security needs as a K–12 school, but their CTO can help us with enterprise-level security solutions.
Krueger: There is so much more vulnerability than there used to be. Everything runs on the network — the HVAC system, security cameras, lights and more. And as major local employers, schools store Social Security numbers, so they are at risk for identity theft. What’s most important is for schools, districts and our federal government to recognize the importance of continuous investment in cybersecurity.
Jackson: Through the Texas Education Technology Leaders association, we are working on getting more schools certified as a Trusted Learning Environment. While the National Institute of Standards and Technology provides a framework of choice for many states, including Texas, TLE is tailored for K–12 school districts, and I’m working with school cybersecurity experts to map NIST requirements to TLE. When I was a CTO for a large district, it took us about two years to earn our TLE seal, which is about average.
DIVE DEEPER: Rockingham County Public Schools shares how it earned its TLE seal this year.
EDTECH: How do you handle budget and cybersecurity funding concerns with district administrators and the public?
Bourgeois: A big part of it is trust. The public trusts us, and that trust is invaluable. Part of the justification for our budget is what would happen if we lost that trust. It would be detrimental to every other opportunity we have as a district. The less time we have in reactive mode gets us in a better position for what we want to be doing.
Bryan: There’s a balance, for sure, with security on one side and budget on another. We’re blessed in that respect. Our district has made a significant investment in cybersecurity. We haven’t hit a wall in funding yet.
Just: Many organizations have cybersecurity information that’s specifically geared toward administrators. Nationally, there’s CoSN, the Association of School Business Officials International and The School Superintendents Association. The Indiana K–12 Cybersecurity Task Force has made presentations locally to the Indiana ASBO. When we’re speaking with other non-IT administrators, we try to keep it very high level, but help them understand their part.
Larsen: Our administration and the public support ongoing funding for cybersecurity. Our funding stream is part of a tax levy passed seven years ago. Initially, the funding was primarily for physical security — things like building locks, access and cameras. However, over time, the funding has shifted from physical security to cybersecurity.
Click the banner below to find additional information on keeping your district safe from cyber threats.