Why a K-12 CIO is always on call

CIO Ed Grassia keeps watch around-the-clock to protect Tacoma Public Schools' data and anticipate tech issues
Issue: November/December, 2019
October 31, 2019
The CIO's roles and responsibilities for Tacoma Public Schools’ Chief Information Officer Ed Grassia include being on guard against cyberattacks and making sure the district’s networks and data are protected in case of natural disaster or human error.

With the start of school just a week away, Ed Grassia was huddled around a table with a few senior members of his 60-plus staff, going over the CIO’s roles and responsibilities.

Meanwhile, Tacoma Public Schools’ 105-year-old Central Administration Building was humming with activity. New students were still registering and parents were stopping by for forms.

Grassia, whose office is just off the main hallway, is the chief information officer at the 30,000-student district, and the CIO’s roles and responsibilities are many. He jokes that if something in the district has power and the green light goes off, he gets a call.

On that day a few months ago, Grassia’s team was discussing how to avert a data disaster that could be brought on by a natural disaster: earthquake, flood, fire or an eruption of nearby Mount Rainier.

The threats are real. Aside from fires, which can happen at any district, the schools in Tacoma, Washington, sit in a high-hazard zone. The Pacific Northwest is always anxiously awaiting an earthquake, and then there is Mt. Rainier, the 14,411-foot volcano looming quietly over the landscape.

Schools and communities have regular “lahar” evacuation drills so students and staff know what to do if a mudflow oozes down the mountain.

For Grassia, all of these threats are business as usual, and the CIO’s role is to develop and maintain a plan to recover data in any worst-case scenario.

During the meeting, he showed the group his spreadsheet and calmly ticked down the checklist of what to do; any disaster will call for an all-hands-on-deck approach.




Grassia then instructed his staff to meet with the district’s many business offices to see how frequently they need to back up data. Is it once per week, once per day or every hour?

“Our motto is: ‘It’s not if we are going to need disaster backup; it’s when,’” he says. “We have a disaster plan in place, but even though we’ve made our best efforts, we may still lose data. The question is: ‘How do we come back from it?’”

Handling cybersecurity challenges

While natural disasters are worrisome, the fear of hackers keeps Grassia awake at night.

“Most organizations don’t run 24/7, but hackers do,” Grassia says. “That’s why we have tools and automation, and hardware and software in place to mind the store when we aren’t here. If nothing else, it at least records what was attempted.”

Hacking attempts are staggeringly frequent, Grassia says. The district receives a half million emails every day, and only 10% are legitimate.

Changing role of the CIO

Since the early 2000s, the school district CIO’s role has transformed from a behind-the-scenes techie to a relationship-building administrator. Ed tech used to be considered a curriculum enhancement; today, ed tech is the curriculum.

“Even in the past five years, the use of technology has grown exponentially,” says Lenny Schad, chief information and innovation officer for District Administration. “We used to be worried about keeping up the networks. For the most part, we could work in our own silo. CIOs can’t do that anymore.”

CIOs have lost a lot of control over the types of technology that are used, Schad says. “Now, the end user can do a lot on their own without involving tech departments.”

The CIO’s new roles and responsibilities demand that leaders build relationships and become visionaries who are not afraid of disrupting systems, Schad says. “This role is not for the nonrisk-takers.”

As far as technology is concerned, the public-sector CIO is about eight to 10 years behind the private-sector CIO, he says, which contributes to public schools often being targeted for ransomware attacks.

“Cybersecurity has to be at the forefront of the conversation,” Schad says.

More at DAmag.me/changingcio

A couple of years ago, the district had a scare. A hacker sent a phishing email, including a PDF, to a district employee. The employee opened the PDF, which appeared to be blank but contained malware.

Over one weekend, the virus spread through the network to other computers. On Monday morning, the IT department noticed a lot of outbound email traffic, which was the virus “trying to phone home,” Grassia says.

The network security system blocked the virus’ attempts to communicate with its source. The IT department staffers then went around the district to unplug all the computers from the network.




Though disaster was averted, the incident underscored the district’s need to beef up its security software. An emergency board meeting provided more funds to improve network protections.

It took weeks to get the situation straightened out, Grassia says, but it could have been much worse.

“You don’t have to be a security expert, but you do have to be aware,” Grassia says. “Hackers take advantage of holes in your software, so you need to keep closing those holes. If you keep up on the patches, there’s a 90% chance you’re not going to be affected.”

Grassia recommends using multifactor authentication when it’s available, as it adds an additional layer of security.

“The thought is that even if someone clicks on a malicious link in a phishing email or enters their credentials on a fraudulent site, the person who accessed the credentials still won’t be able to log in to the account without a phone number or secondary email address,” he says.

When the district sees failed login attempts, administrators can change the password, for instance, before the attacker gains access. This safety strategy can be implemented if the correct cybersecurity programs are in place.

“Security has always been important, but the threat has changed,” Grassia says, adding that there is a need for increased awareness and stronger passwords.

IT department members aren’t trying to make staffers’ lives more difficult. They are protecting everyone’s personal information.

Educating educators

Standing on stage before hundreds of employees during a late-summer training session at a local high school, Grassia explained to staff members how hackers can access the network through phishing emails that include attachments and links.

Ed Grassia continually works with his staff to keep the district's software and hardware up-to-date, train educators to use instructional ed tech, and anticipate issues, such as bandwidth need, before they become problems.


He went over the safety precautions the district has in place to prevent such schemes. For example, hackers obtain employees’ information through platforms such as Facebook, Instagram and Twitter, and they harvest emails from the school website or other websites associated with the users.

By being aware of the vulnerability of these targets, employees can guard against accidentally providing access to the district’s network.

Grassia also reminded staff about the safeguards in place to protect student information in accordance with the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act. He explained the reason for blocking certain sites and the process that is required for unblocking necessary ones.

He also told the group how personal devices fit into the overall security picture, and how and why wireless access and usage is monitored.

When Grassia became a CIO at Nevada’s Washoe County School District in 2010, students and staff didn’t access the wireless networks with their own devices.

“Now, we are in saturation mode,” he says. “Everyone has two or three devices connected, even teachers.”




Bandwidth usage is monitored to determine if—and when—an increase is needed.

“Ideally, we stay ahead and anticipate demand since once the network slows down, it takes some time to do upgrades and catch up,” Grassia says.

When Grassia first started, data used to live in the schools’ own data centers, which required buying and installing CDs. Now, all data, including student and staff information, is stored both in a cloud environment and on-site.

Constant communication

In addition to managing the IT department, Grassia serves as the technology liaison between departments. He attends school board and district administrator meetings, vets ed tech to make sure it’s safe, and oversees professional development for new ed tech initiatives.

“What it comes down to is that I spend a lot of time at my desk on my computer answering emails,” he says. “Then, I go home and sit on my couch and answer more emails.”

And if he can’t be found via electronic device, there’s always a less tech-savvy approach.

“People pop their head through my door all the time and say, ‘Hey, Ed, I have a question,’” Grassia says. “I’m always happy to help.”

Shawna De La Rosa is a freelance writer in Washington state.

 

