Welcome to National Cybersecurity Awareness month!

Every October, The National Cybersecurity Alliance collaborates with government and private industry to raise awareness about digital security and empower everyone to protect their data from digital forms of crime. With so many cybersecurity news stories about massive data breaches, destructive ransomware attacks, and international hackers, it can seem overwhelming and feel like we are powerless. Cybersecurity Awareness Month reminds everyone that there are all kinds of ways to keep our data protected. It can make a massive difference by practicing the basics of cybersecurity. nca

This year, The Alliance is focused on four critical, basic behaviors:

    • Enabling multi-factor authentication
    • Using strong, unique passwords and a password manager
    • Updating software on a regular and timely basis
    • Recognizing and reporting phishing attempts

The basics are an essential foundation for a robust cybersecurity program. There is, however, much more involved in keeping our networks, data, and users safe. As technology leaders, we often face the assumption that responsibility for all cybersecurity decisions and outcomes rests solely with us. Some assume that managing cybersecurity risk is too technical for any district leadership involvement. Nothing could be further from the truth!

I am fortunate to work for a Superintendent who understands technology and cybersecurity plus trusts me to do what is necessary for the district. And our leadership team, with ongoing discussion and education, follows suit. Unfortunately, not all technology leaders are blessed with highly informed, supportive leadership regarding cybersecurity in their districts. 

Here are a few things I’d like all Superintendents to know about cybersecurity:

Managing cybersecurity is all about managing risk

  • Senior leadership determines a district’s risk tolerance.
  • Based on risk tolerance and budget considerations, leadership decisions are made around risk mitigation strategies that meet the district’s threshold criteria.

It’s not “If we get attacked”; it’s “When we get attacked.”

  • Risk cannot be eliminated, no matter how sophisticated or expensive the cybersecurity protection strategies are. 
  • Planning and preparation are essential, involving all levels of the organization.
  • All school districts, big or small, are data-rich environments; criminal hackers are increasing their malicious attempts to target us and our data networks.
  • We must always be ready to respond by regularly assessing our environment, risks, vulnerabilities, and practices.

Accountability: Grab your district’s organization chart. Find the person/people at the top of the chart; This is the correct answer for accountability; Always!org

  • No matter how or where an incident occurs, whether it’s a cybersecurity incident or anything else negatively impactful to the district, the Superintendent will be the accountable one on the news, answering for it.
  • The deliberations and decisions of school system leaders must reflect an understanding of data privacy and security. Senior leadership must be committed and involved in cybersecurity decisions, not simply endorse them.
  • Only once the accountability of senior leadership is
    realized and demonstrated in this mission-critical area can we effectively begin to make sound decisions and determine all
    responsibilities around cybersecurity.

Chief Technology Officers (CTO) and Chief Information Security Officers (CISO) have two core responsibilities around cybersecurity:  

  • Serve as a consultant on information security risk and mitigation options, enabling district leadership to make sound risk decisions in alignment with their tolerance.
  • Implement district leadership’s risk decisions in the best manner possible.

Foster a dialogue around cybersecurity with your Chief Technology Officer, Chief Information Security Officer, Business Manager, and your entire leadership team.

  • Shared focus, knowledge, and regular conversations are essential to establishing a culture where information security and data privacy are embedded in all conversations and decisions.
  • Consider CoSN’s Trusted Learning Environment Seal (TLE) program a great place to start having those leadership-level conversations about where you stand and what gaps need to be addressed. The self-reflective conversations around the TLE self-assessment are valuable even if you do not pursue earning the actual seal.

Cybersecurity readiness is a learning management issue, not solely a technology issue.

  • District leaders are accountable for ensuring all systems and data usage effectively manage digital risks introduced by the widespread use of technology, just as they are accountable for managing risks to students’ physical safety and well-being.
  • Cybersecurity management is primarily about setting up organizational structures and processes that ensure your organization’s critical assets and associated risks are appropriately identified, prioritized, protected, and managed; the human stuff.

District leaders must ensure adequate resources are available to meet data privacy and cybersecurity needs, including funding, staff, technology, and outside expert resources.

  • Cybersecurity must be treated the same as other mandatory district expenses. It’s reached a mission-critical state, and we must invest in it accordingly.
  • Price tags for some cybersecurity controls might seem steep. Still, district risk assessments must weigh the costs of prevention, and mitigation, against the potentially significant and costly damage caused by security incidents or data breaches. Reputational harm must also be considered.
  • Investments in time and focused, sustained professional development are essential resources that must also be developed and maintained.

Chairperson, CoSN Cybersecurity Initiative
Director, Technology & Information Services, Community High School District 99, Downers Grove, IL
CoSN Trusted Learning Environment Seal Recipient

Published on: Oct 4th, 2022

CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.