School districts across the country are struggling to meet the challenge of cybersecurity threats. Ransomware attacks continue to plague K-12 schools, threatening lost teaching time and the theft of sensitive personal information belonging to students, teachers and administrators. Along with having a strong cybersecurity plan in place to protect their districts, schools should also have someone on their IT team who is dedicated to cybersecurity.
According to a risk assessment survey of 120 school systems carried out in 2020-2021 by the Consortium for School Networking and SecurityStudio, over 75% of those surveyed had someone responsible for cybersecurity; however, more than half of the respondents did not have a formal cybersecurity program supported by management.
Hiring a dedicated cybersecurity expert could help in both cases. But hiring can be difficult for schools, which must compete with well-funded tech companies, financial institutions, and other industries for scarce cybersecurity talent. Administrators might find it difficult to protect their districts from a critical threat simply because they can’t afford to hire the talent needed to solve the problem.
Close the cybersecurity gap for K-12 IT teams
Other industries have already addressed this challenge by outsourcing components of their cybersecurity infrastructure. In fact, a 2019 Deloitte survey of 500 senior executives found that 99% of organizations outsource some cybersecurity operations. School districts have been slower to adopt this approach, but outsourcing could gain traction in K-12 districts and may be the answer to the lack of cybersecurity talent plaguing educational institutions.
A particular problem for districts is the lack of a senior manager who is knowledgeable in cybersecurity and has the skills to provide the district with sound, risk-based advice. Large organizations typically hire a chief information security officer for this role, but qualified CISOs command salaries in the hundreds of thousands of dollars – beyond the reach of most school districts. There is simply no room in the budget to hire a qualified person to fill this role full time, and there is not much demand for part-time roles, as qualified people tend to look for full-time jobs.
The virtual CISO model allows districts to outsource the leadership and strategy components of their cybersecurity programs. By contracting with a security service provider, the district has access to a trained CISO who gets to know the district and its needs but simultaneously serves multiple clients, allowing each client to pay the provider less than the cost of hiring a full-time CISO. These services can also evolve with the needs of the district, adding more time as needed.
The number of schools in 2001 that posted student personal information online after falling victim to ransomware attacks
Source: nbcnews.com, “Hackers leak children’s data – and there’s not much parents can do,” September 10, 2021
Ask the right questions during an interview with a vCISO
Districts that choose to hire a vCISO will find themselves evaluating a range of service providers and should ask these essential questions throughout the process:
- How many other clients will the vCISO serve, and what percentage of their time should you expect to receive?
- How will the service operate when the district experiences a cybersecurity emergency?
- What types of services are included in the vCISO scope and what would prompt the service to bring in additional resources?
- If additional resources are required, are they available at negotiated rates? Is it possible to use certain vCISO hours to cover other subject matter experts?
The vCISO relationship is not just between the district and the service provider – the person chosen for the vCISO role must also work well with district leaders and staff. Directors should insist on interviewing candidates to ensure they are a good match and consider asking some of the following questions:
- What experience do you have in cybersecurity?
- What experience have you had working with – and within – school districts?
- How well will you manage communication with different stakeholders including senior managers, school board members, teachers, parents, media and law enforcement?
- What is your view on creating a secure operating environment in a setting where free access to educational resources is the ideal?
- What is your knowledge of the district’s cloud and on-premises technologies?
It’s important to remember that just like employee relationships, vCISO relationships will also end. Be sure to discuss the terms of any changes in advance. Districts should understand the conditions under which the provider will change the person assigned to the account, the procedure for changing staff at the district’s request, and the selection process when a new candidate is to be identified.
Set reasonable schedule expectations for vCISOs
After hiring a virtual CISO, district administrators should set reasonable expectations for that person’s performance. Realistically, the vCISO is not going to come in and solve all of the district’s cybersecurity issues on day one. Engagement should begin with a cybersecurity program assessment that evaluates the current state of the program, compares it to the desired state, and identifies gaps requiring correction. The vCISO and district leadership can then work together to prioritize filling these gaps and develop an action plan to advance the status of the district’s cybersecurity program.
Although districts should not expect an immediate response to all of their problems, they should expect the vCISO to meet clearly defined and agreed performance standards. It is reasonable to define a set of goals for each month, quarter, and year, and then regularly assess the performance of the vCISO against those goals. Although the vCISO is not technically an employee of the district, he or she should still receive regular performance reviews to ensure that the district is achieving a return on its investment.
Outsourcing cybersecurity operations and leadership can help school districts punch above their weight class. Districts have access to talent they could not otherwise afford by sharing access to a senior cybersecurity manager. They also benefit by continuing to develop a relationship with a cybersecurity service provider who can bring other resources to the table.