January/February 2020

K-12 Cybersecurity: The Role of the School Board

Commentary by Doug Levin

Born in the 20th century, most school board members are not experts in issues of technology, much less cybersecurity. Nonetheless, they are charged with creating policy and performing oversight of schools that are growing increasingly reliant on 21st century technology for teaching, learning, assessment, and school operations.
 
In 2018, to its credit, the National School Boards Association launched an initiative, “Cyber Secure Schools,” to bring the issue of cybersecurity to the fore for its members, as well as to offer resources and strategies to help school board members fulfill their responsibilities. NSBA generously invited me to help frame the relevant issues facing school board members.
 
While I primarily focus on helping school board members understand the evolving threat landscape facing schools (based on data compiled for the K-12 Cyber Incident Map), in my presentations I always strive to offer some advice on concrete steps that people can take to reduce (or better manage) the cybersecurity risks facing the use of technology in schools.
 
To that end, I suggested that school board members might most productively engage their peers and district administrators on the topic of cybersecurity risk management by probing for answers to the following four questions:
 
(1) How many significant cyber incidents has the district experienced in the last few years?
Districts have long managed and tried to protect school communities from online scams, viruses, and other malware. Whether the result of actions of district employees, students, or school vendors, the district that has not managed the response to an incident in recent years is far and away the exception. In fact, claims of absolute security (‘we’ve never had a data breach or cybersecurity incident‘) should be met with considerable skepticism. Related questions here include how district administrators monitor the frequency and severity of these incidents (processes and metrics), what their process for responding to incidents is, and how and under what circumstances the board should be made aware of incidents when they occur.
 
(2) How do we measure the sufficiency and effectiveness of our district’s cybersecurity program?
Perhaps the most important question facing board members is how to ensure that district administrators are appropriately managing school cybersecurity risks. This is a question of liability (districts have been sued for negligent security practices), as well as legal compliance under federal and state privacy and data breach laws. Which risks should be mitigated through policy, practice, and/or technology investments? For which risks should insurance coverage be sought? Which risks can be accepted? Has the school district adopted and implemented a cybersecurity risk management framework? Does the district benchmark its practices against other districts? Does the district subject itself to regular third-party, independent security evaluations? School board members should anticipate that when their district experiences a significant data breach or cybersecurity incident, school community members, state agencies and law enforcement, insurance providers, and the media all will come seeking a public answer to this question.
 
(3) How much of our IT budget is being spent on cybersecurity-related activities and risk management? 
The point of this question is not to suggest that there is a magic dollar figure or percentage of a school IT budget that should be spent on cybersecurity-related activities as evidence of good practice. Instead, it is to suggest that — as part of their fiduciary oversight of school districts — board members should be able to crosswalk cybersecurity risk mitigation strategies to budget expenditures. Districts often seek to maximize technology budgets in ways that can obscure the total cost of ownership of initiatives within and across budget categories (hardware, software, infrastructure, maintenance, support, training/professional development, breakage/obsolescence). In order to ensure that cybersecurity risk mitigation strategies are being carried out, board members should be able to identify those expenditures (and FTEs) in the district budget and to track them over time. In this way, board members can help ensure that their district’s risk mitigation strategies are sufficient or garner the data they need to re-allocate (or seek out) additional investments.
 
(4) What metrics do we use to evaluate cybersecurity awareness across the district?
While the district’s IT department has a key role to play in providing input into district policies and implementing technical cybersecurity controls, everyone associated with the district has a role to play in keeping IT assets and sensitive data safe. In fact, board members would do well to view cybersecurity risk prevention similar to issues of school health and wellness, such as vaccinations or even hand-washing. All it takes is for one member of the school community to make a mistake — click on a phishing link, download a malicious file, or lose control of a sensitive file — and the security of the district could be placed at risk. As such, the district should have an education and awareness program in place (including by providing cybersecurity training to school board members themselves) and board members should know how the district is assessing its effectiveness over time.
 
In most cases, school board members do not need to be technology experts to perform their policy development and oversight responsibilities with respect to cybersecurity. By focusing their work around a small set of key questions, board members — working in partnership with district administrators — can help to establish a culture of risk management that will position their school districts for success over the long-term.
 
I applaud NSBA and the forward-thinking work they are doing on this issue and look forward to continuing to engage with them and others to offer practical tools and tactics to address the emerging cybersecurity issues facing schools.
 
Doug Levin is president and founder of The K-12 Cybersecurity Resource Center, which tracks school district cybersecurity events and offers resources for public school officials and administrators. Resources for the Center and others mentioned in this article are available at bit.ly/JF20-Jres.