Leadership weaves the foundation of a strong cybersecurity culture into school systems. Yeah Yeah Yeah, but how?
The lofty answer is that school leaders must actively participate in cybersecurity initiatives, govern cybersecurity policies, and underscore its importance in all communications and decisions. When leadership prioritizes cybersecurity, it directs the entire organization to take responsibility for it.
The practical and honest answer is to give me some easy-to-understand guidance on how to improve my culture so I can start today.
First, what does organizational context have to do with cybersecurity culture?
In cybersecurity, organizational context refers to the specific atmosphere, characteristics, and facets within the school system that shape its approach to cybersecurity. It includes the factors that influence how school leaders manage security risks and implement cybersecurity strategies.
Put more plainly, organizational context is the sum of all of these factors.
Top 10 Tips for Governing Cybersecurity Culture
So, let’s get started! How can we improve cybersecurity culture by connecting the organizational context to conduct and change? Here are the top 10 key strategies you can implement to foster a strong cybersecurity culture.
- Leadership Buy-In and Support: Cybersecurity culture starts at the top. School leaders must demonstrate a commitment to cybersecurity by actively participating in initiatives, supporting cybersecurity policies, and emphasizing its importance in all decisions. When leadership prioritizes security, it sends a clear message to the rest of the school system.
- Regular and Engaging Training: Cybersecurity training must be frequent, interactive, and tailored to different roles within the organization. Employees should understand how cyber threats (e.g., phishing, malware) impact their specific job functions and what steps they can take to prevent them. Use real-life scenarios, simulations, and gamification to make training more engaging and relatable.
- Foster Open Communication: Encourage open communication about cybersecurity concerns. Employees should feel comfortable reporting suspicious activities or potential vulnerabilities without fear of retribution. A transparent reporting process can help detect issues early and foster a culture of trust around security.
- Promote Awareness and Accountability: Raise awareness about cybersecurity by regularly communicating about emerging threats, incidents, and best practices. Newsletters, posters, and internal communications can keep security at the forefront of people’s minds. Make cybersecurity part of every employee’s responsibility, emphasizing that everyone, not just the technology team, has a role in protecting the organization’s assets.
- Recognize and Reward Good Behavior: Recognizing staff and students who follow cybersecurity best practices can reinforce positive behavior. Incentives such as public recognition, awards, or other perks for completing security training or identifying phishing attempts can motivate everyone to be more vigilant.
- Integrate Cybersecurity into Daily Activities: Make cybersecurity integral to daily work processes. Implement simple, user-friendly security practices, such as stringent password requirements, multi-factor authentication, and regular software updates. When embedded in everyday tasks, cybersecurity becomes a natural part of the workflow.
- Tailor All Documentation to Fit the Organization: Create clear, easy-to-understand cybersecurity policies, processes, and guidelines that align with the organization’s needs and risks. Policies should be flexible enough to accommodate different departments and roles, avoiding a one-size-fits-all approach. Ensure that everyone understands these policies and the rationale behind them to increase compliance.
- Simulate Cybersecurity Threats: Use phishing simulations and other cyberattack drills to test employees’ readiness and ability to respond to threats. These exercises can highlight weaknesses and provide opportunities for real-time learning. Based on the results, follow up with feedback and additional training.
- Leverage Technology to Support Behavior: Deploy security tools that complement user behavior rather than hinder productivity. For example, implementing automatic updates, secure configurations, and password managers can help employees follow security protocols without adding extra burdens. When the secure way of working is also the efficient way, the right tools are in place to support a security-conscious culture.
- Continuous Improvement: Cybersecurity culture isn’t static; it must evolve as threats change. Regularly assess the organization’s security posture, conduct surveys to gauge employee understanding, and adapt training and policies accordingly. Keeping the culture dynamic ensures that employees remain engaged and informed.
Isn’t that simple? By connecting the organizational context to conduct and change, we can improve our cybersecurity culture and govern our school systems so they are resilient and capable of mitigating risks.
To find out more information about governing cybersecurity culture, see The NIST Cybersecurity Framework (CSF) 2.0.
AUTHOR: Frankie Jackson, CoSN Policy Committee, Cybersecurity Advisory Committee, Professional Development Committee, NIST Cybersecurity Practitioner.
Published on: October 8, 2024
CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.
Frankie Jackson is a nationally recognized Chief Technology Officer (CTO) in K-12, leading education technology initiatives for 30+ years at the state and national levels, working in medium to large districts with between 25K and 118K students. She is the project lead and senior advisor for the Cybersecurity Coalition for Education and consults independently as an education technology leader and success advocate. Her unique value proposition in the K-12 industry is her technical and leadership expertise combined with performance excellence frameworks, including the National Institute of Standards and Technology (NIST) Baldrige Education program, CoSN’s CETL program, ITIL service management, the best-practice methodologies of the APQC, and the information technology elements of the American School Business Official (ASBO) curriculum strand.
Frankie serves on the CoSN Policy Committee, Cybersecurity Advisory Committee, and Professional Development Committee. As a lifelong learner, Frankie is a NIST Cybersecurity Practitioner. Additional information about Frankie is available at www.frankiejackson.net/curriculum-vitae.html.