When a cybersecurity breach happens at a K-12 district, who ultimately must answer for it?
Answer: It’s almost always the superintendent of schools.
No matter how that incident occurred, no matter what may have happened to trigger an event, the person in charge is often responsible. That is why it is so important, Lenny Schad says, for superintendents to communicate well with their technology team, to understand the risk factors in making decisions on cybersecurity and to put in place strategies to help them respond in a crisis.
“Because, when we have incidents, they are very expensive to remediate,” says Schad, the chief information officer for District Administration and former chief technology officer for the Houston Independent School District.
This year has offered a larger-than-normal sample size of breaches that show the impact of even the slightest missteps. When clear need is not presented on the tech side or when superintendents aren’t really listening, the results can be catastrophic, both financially and operationally.
However, districts can make change happen quickly and Schad plans to offer some strategies on improving cybersecurity measures and bridging those gaps in a keynote session at the Future of Education Technology Conference® 2021 on Jan. 26-29.
“What superintendents have to realize is when there is an incident, they’re the ones who are front page of the paper getting asked the question, ‘why did you allow this to happen?’ ” Schad says. “They need to understand what their risk profile is. You’re either comfortable with that risk profile, or you’re not.”
On the flip side, Schad says CIOs need to be more succinct in pointing out the consequences of not addressing certain areas or withholding funds to protect data.
“What tends to happen is CIOs go into their superintendent’s office and start talking about cybersecurity, and they go ‘propellerhead’ on them – we’ve got to add these systems, these routers and these filters and the dollar amount is $500,000. And superintendents say heck no, I would rather spend this on instruction. But what they’re not doing is articulating, ‘here is our risk.’
“If we start from the perspective of what is our risk profile, the conversation changes. It becomes real easy: you’re either comfortable with that or you’re not. And if you’re not, here’s how we can stair-step remediation.”
That then takes out of the equation the response often given by leaders fumbling to address reporters when a crisis strikes: “Well, if we would have known, we would have actually made the investment.” Instead, now it becomes a shared responsibility.
For superintendents, keeping dialogue open and promoting transparency is key when working with CIOs and other tech staff. They understand what it takes to make a school system’s networks function and remain safe, as well as the costs involved. Though a mention of price tags for initial investments might seem steep, the cost savings on the back end might be worth it if they help prevent major breaches from happening.
Schad says either way, there should be an open dialogue about spending and feels strongly that it needs to be a mandatory line item each year.
“Cybersecurity needs to be put in the same category as insurance and fuel for buses,” he says. “It’s a non-negotiable, and it’s money we’re going to have to invest every single year.”
Of course, some might not have that luxury or feel comfortable with it, but they should still be prepared with definitive answers should an event occur.
“So then when an incident happens, a superintendent can say, yes, we knew this was a risk financially, we accepted it, and now we’re moving forward.”
Schad says regardless of the size of the district, cybersecurity should be top priority.
“Some school systems think, I’m this little rural school district. I’ve only got 2,000 students. I’m not going to get attacked,” Schad says. “They’re actually more at risk than the big ones because the hackers know this is an easy target. The ransomware attacks, they’re hitting big, small, it doesn’t matter. It’s spread out all over the country. If you think for any second that you are immune to this, you’re missing the boat. You shouldn’t be asking the question, if it happens, you should be asking the question, when it happens, what is our course of action?”