April 26, 2023 • 30 mins
We must invest in effective cybersecurity to mitigate these risks and increase the health of our K12 schools.
In the third part of this three-part series on K-12 Education and Cybersecurity, our guests share backgrounds, standards, and strategies for cybersecurity success. Overall this conversation highlights the multitude of factors that add up to increase the health and security of K12 data systems and cybersecurity. There is no doubt that the work of our guests and IT professionals across the education sector is essential.
Today’s guests are Mayank Agarwal and Scott Gilhousen.
Mayank Agarwal is the Head of the Cybersecurity business in North America for Infosys. He is responsible for customer engagements, sales, analyst engagement, GTM strategies with tech partners and start-ups in North America. In addition, Maynak is proficient in managing strategic relationships with CIOs, CISO’s, Head of Cloud and Infrastructure, etc. Mayank is an accomplished and astute professional with the perfect mix of sales acumen and technology expertise.
Scott Gilhousen is the Chief Information Technology Officer for the Houston Independent School District (HISD), where he leads all aspects of information technology, data and analytics, and information security. With over two decades of experience in strategic and operational leadership roles, Scott brings a wealth of expertise to his current position as CITO.
This episode of The CoSN Podcast is supported by Infosys.
Engage further in the discussion on Twitter.
Follow: @CoSN, @edCircuit, @Infosys
The CoSN Podcast is produced in partnership with edCircuit. To learn more about CoSN, visit www.cosn.org, and to learn more about at edCircuit, visit www.edcircuit.com.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to the coast and podcast.
Produced in partnership with Ed circuit media.
In organization focused entirelyon the K20, Ed tech industry and
empowering. The voices that can provide
guidance and expertise in facilitating.
The appropriate usage of digital, technology in
education, Ed circuit Elevate, the voices of today's Innovative
(00:25):
thought, leaders and experts koston represents over 13
million. It's in districts and
educational institutions, Nationwide and continues to grow
as a powerful and influential voice in K-12 education.
This high-profile series showcases industry, thought
leaders and Executives who provide timely Market insights
(00:47):
and critical guidance on variouseducational technology
strategies. Alright, welcome to the kosan
podcast series. My name is Jeff angle and on
behalf of kosan and today's sponsor Infosys We're excited to
bring you part 3 of a 3 part series on K-12 education and
cyber security. Joining me today are Mike, I'll
(01:08):
go Wally and Scott gelnhausen Mike has been associated with
emphasis for more than 17 years.And his current role Mike, is it
have a cyber security business in North America?
He's responsible for customer engagement sales and analyst
engagement go to market strategies with tech partners
and startups in North America. Mike is proficient in managing
(01:28):
strategic relationships with Cios sizzles.
Head of cloud and infrastructure.
Mike is it accomplished and astute professional with the
perfect mix of sales, Acumen, and Technology, expertise.
Welcome to the podcast make timefor having me here, Jeff.
Thank you. And also joining us is Scott
Gill housing. Scott is the Chief Information
(01:50):
Technology officer for the Houston Independent School
District, where he leads all aspects of Information
Technology data and analytics and information security is
Archie mission is to ensure Equitable access to Advanced
learning Technologies. Modernize the existing
application software portfolio and bolster cybersecurity data.
Privacy to safeguard the interest of students teachers
(02:13):
and employees across the organization.
Scott has over two decades of experience in strategic and
operational. Leadership roles brings a wealth
of expertise to its current position as the CIT.
Oh, and prior to assuming this role, he served as the Director
of it. Sure.
Engineering operations at Houston is D where he led the
(02:34):
delivery operation maintenance of Technology, infrastructure,
telecommunications, and Computing Services.
That were aligned with the organization's educational and
business programs throughout hiscareer.
Mr. Gil housing has been involved in the educational
community and IT professional organizations such as the
Council of great City Schools Center for digital education,
(02:55):
Consortium for school networking, Texas Education,
technology leaders, And Gardner Scott received his Bachelors of
Science in management information systems from the
University of Houston. Clear Lake, welcome to the
podcast, Scott, thank you Chad. I'm glad to be here.
So let's kick off today's discussion by identifying some
challenges in K-12 schools, and Scott, this is the directors,
(03:17):
first question to you, you know.So from your Vantage Point,
we're running a very, very largeDistrict, substantial technology
infrastructure. What are the current challenges
for K-12 schools? In the areas of it and
cybersecurity, I can speak on behalf of Eric Houston.
I stay just in the challenges that we face on a day-to-day
(03:39):
basis. One of them, I think most of the
industry here in K-12 is pretty pretty knowledgeable about the
increased number of threats targeting education.
And so we are continuing continuing to be attacked both
internally and externally with in the environment, through
phishing scams ransomware attacks and other type of Our in
(04:00):
the environment. In addition to that we're faced
with limited budgets, and k12. And so outside of having to
support the core infrastructure,application Service delivery
Computing devices cyber securityis not necessarily an area that
there's a lot of investment in and that's one of the areas that
we're looking to bring us more investment in the areas.
(04:22):
The other part is the, you know,balancing security and
accessibility, and the environment.
So we know that it's real We start to tighten the the
controls within the environment.We may be impacting some
instructional applications for instructional content, delivery.
And that happens for most Educators and students, in our
environments, another area that's Rising for us is being
(04:45):
able to protect our student employee data.
So, as a district, we've got to comply with FERPA and Coppa
regulations to protect that personal information of our
students, and it can be somewhatchallenging and given the large
size of our district. Because we're not only looking,
For record student population orexisting employee population.
(05:05):
But we have literally Decades ofStudent Records or student
information employee informationwithin the district.
So overall you know there's there quite a bit of challenges
that were faced and one more I'll just kind of refer back to
is the human Talent aspect of it.
(05:25):
So with it being a pretty competitive environment today.
The industry. One of the forms that have the
privilege to be a part of was a garter CIO formed.
And it was very interesting to see roughly about 1,500 cios out
there looking at what their tellthem to pull was and most of
(05:46):
their vacancies were sitting at a 6 to 9 month had a window
before their field. So sometimes just having the
lack of human Talent OR expertise in the environment.
Tends to be a challenge for us because the teleporter always
that comes up quite frequently. Like some of the statistics I've
seen in terms of the number of roles that are open.
They are looking to be filled right now just with in the US as
(06:08):
over 500,000 in the cyber security space, my anything.
You would like to add to that. The four points that looked off
the boat, I think they look pretty but prevalent, that we
have seen across the board as well attacks.
Obviously have become lot, more complicated.
The budgets are constrained. Talent is the challenge as well
(06:28):
as Privacy is a big issue as well.
I think just two additional points, which I like to kind of
add to this particular makes is one which is around around the
Advent of say things, things like the OT technology which has
been there and how attackers areleveraging, not just the it
(06:52):
landscape but also OT systems. And we know there are lots and
lots of OT devices which are there Any casual schools so it
could be a tendon systems. It could be small dispensers and
so on and so forth. So OD devices and the kind of
challenges that they bring in, that's interesting pieces, which
(07:15):
are there. And the second piece that we
have seen out here is while someof the school districts are
larger. They have Manpower budget which
are there. We also work with Some of the
school districts which are much smaller in in nature, which are
there, or maybe Central organization that supports maybe
(07:40):
100 or schools and each of theseschools are very, very small
schools in remote locations. So how do we support those kind
of schools and that's where it'sa very different Paradigm.
We're at a overall level. We have to set up certain basic
cyber security controls and Beeper V8 them to all the
(08:02):
organizations, which are there so that everyone gets a
protected and they are part of the larger ecosystem and they're
not just trying to solve this complex cybersecurity problem,
only by themselves, that's a great point that we quickly talk
about the large districts in thechallenges that they have.
But is that if you start moving out from into a Json in schools,
(08:27):
into the rural areas, how do they support that?
That they have the same challenges.
Do you know, Infosys, cybernetics can defend you
against lethal cyber attacks andkeep you hyper connected at the
same time. Our platform provides a
comprehensive cybersecurity solution to Enterprises that
otherwise need to invest in dozens of security Technologies,
(08:48):
to attain Swift security maturity.
This is provided by highly skilled security analysts in our
specialized globally. Distributed network of cyber
Defence Centre. For more information, please,
visit www.is fo sys.com or rightto a mighty r.
(09:10):
A n, KU r, m @i. N fo sys.com Scott.
There are several trends that are unique to K12 people.
You mentioned some of them protecting the pii information
of students of teachers of Staff.
You've got content, moderation. But at the same time, you have
(09:31):
to provide this technology, it infrastructure to Educators what
are some of the trends that you're seeing in this area?
I can speak on behalf of our district and one of the ones
that were really focusing on is around data privacy within our
own district and it's not necessarily something that I T
is taking on but it's a collaborative group of our
(09:52):
academics or research group as well as it.
So, with increased Focus around multiple vendors that are
Lasting data out of our systems and whether that's Pi or non pii
information, we need to have better policies in place and
procedures in order to be able to access the data.
And we've got good board policies that are implies to
(10:14):
help reject things around, FERPAand HIPAA Copa regulations that
are there. So we're putting an emphasis on
data privacy. Another area for Us is around
the digital citizenship, so we're really trying to focus on
working with our teachers. Hers and our students to really
Implement and operate our digital Citizen and to be able
(10:37):
to teach our students and teachers about the
responsibilities of Hawaiian Behavior.
Anything that may be inappropriate for content
sharing respecting other people's privacy.
We're also implementing entire content filtering, and
moderation controls within our environment through some of our
providers about today. So we're trying to make sure
(10:57):
that their students are exposed to the Sent and that whether
they're on the network or off the network.
In addition to some of those tools using some, some of the
artificial intelligence to be able to start looking at
information that may be sitting low quality device.
And that may, you know, move into things like bullying or
(11:18):
harmful Behavior to to the self or any other acts.
That could be deemed that gives a little bit more visibility
into that cyber security. Awareness training is a Chris
for us as well. And it's not one of those things
that we're looking to do one time of year, but we're looking
to do repetitive video sessions,email articles as well as
(11:41):
testing through efficient campaigns for, for our staff,
inner our teachers, in our employees, inside the district.
And then another Trend that we are starting to see that we have
not necessarily embarked. On ourselves is really in that
artificial in machine, learning environments, so being able to
use that In a better manner to improve our security defenses
(12:03):
and being able to respond to threats in a much quicker and
timely manner so that we're focusing on the threats that we
need to focus on and then also ensuring that we're able to
continue to provide a learning environment for students through
and my t-shirts and trends that you are seeing it.
Houston is D. Yeah, in fact, say I was telling
(12:25):
this earlier too scarred, I livein the Houston, mayor.
Complex area. So my my daughter's they
actually went to HISD and thank you Scott and rest of the HISD
staff it's been a great pleasure.
Being a parent with the kids aregoing to H is T and the kind of
(12:46):
work that is being done out there.
Some of the things Scott kind ofalluded to earlier and if I look
at it from 3 perspective one as a parent S as a Student and
third as as the function that the IT team has to provide as a
(13:06):
parent. It's really heartening to see
one that the kids have access toInternet while they are in the
school premises and obviously, the content is getting governed
moderated, which is there. So that is extremely good thing.
And that's where Scott talked about the fact that we are using
(13:27):
AI machine learning to really Filter, the content not just
from from the content requirements, which is looking
at the offensive content versus others but also provide calcium
providing an inclusive environment, which is their
second important. Diary Dimension is as a parent
(13:49):
when I really look at it. Things as a parent we have to
interact a lot with the school districts.
Also things like pudding. Amount in the lunch kit which
are there or say interacting with the teachers looking at the
course content. So there is lot of interaction
(14:10):
that happens with the school district systems which are
there. And that's where taking care of
the privacy of the information which is they're making sure the
right controls are put in place when we are accessing this
information. So, all of that is a very
important diary Dimension, whichis Is storing the data in
(14:31):
Transit making sure the data is encrypted while in transit at
rest, right? Amount of policies, which are,
which are there. And nobody is snooping in when
these kind of sessions are stablished.
And lastly, as Educators and sayand as the largest school
district, one of the things thatwe have seen is a lot of school
(14:55):
districts. They have systems which have
been little antiquated. Talk about lack of budgets.
As a, as a big area of concern and that way, if your systems
are old Antiquated, they are more susceptible to attacks
because they could be having oneherbal teas which can get
(15:16):
exploited by attackers. And right now, we are seeing a
very big Trend where attackers are coming after school
district. So, I think Scott and his team
are doing a fabulous job in protecting the Eh IH, D it
environment. Thank you Scott for that is it's
a great point that I want to emphasize to like we always
(15:36):
talked about encryption with data in transit, but from a zero
trust aspect, not a lot of people are focusing at that data
when it's at rest, so, great point there.
So, my multi-cloud adoption is becoming the new normal.
And for those of you out there multi-cloud is using more than
one cloud service provider, how can the K-12 sector secure
(15:58):
itself while? Opting for this multi-cloud
strategy, Jeff, I like to Definemulti-cloud in a little bit of a
broader context as well, becauseone obviously there are multiple
hyper scalars. Which essentially means we could
be leveraging AWS your or Googleor Oracle cloud or even IBM
(16:22):
Cloud at the same time. Second important Dimension to,
it could be the fact that maybe it's a single cloud.
Ow, but then we are leveraging multiple SAS platforms which are
there. And when you leverage multiple
SAS platform, then you are interacting with multiple
clouds, which are there. So there are three important
(16:44):
Dimensions which we have to focus on when we have to protect
a multiple Cloud environment. First and foremost retails, what
we call is, as the cultural aspect where lot of times when
we are moving Cloud. Just the whole dimension of
protecting the environment. Everyone thinks it's the cloud
(17:06):
providers or the staff providersresponsibility.
And that's where there is lot ofEducation that needs to go in
with the application teams more so where we have to educate them
and say that the security of theenvironment, it becomes a shared
responsibility. And that what it means is there
(17:29):
are things that I have to be done by the cloud provider and
the SAS provider but there are things that the it teams or the
applications, or the infrastructure or the security
teams, they have to do. So the taxi whole dimension of
secure by design that comes intoplay sticking part 2.
It is all about putting the right native controls which are
(17:52):
there be it, the SAS product or the hyper scalar that comes into
play. So like the Wii Take the on-prem
environment. Similarly all the say of
controls along the seven layers of the OSI, they have to be put
into place from a Access Networkperspective, data, protection.
(18:13):
So all of those have to be put into place, which is the third
important Dimension to. It is more around governance and
making sure the controls are pasted on an ongoing.
Basis, which is there a cloud for example, the most important
(18:33):
pieces about Cloud are one. It's about flexibility second,
it's about Speed and Agility andthird is something where Cloud?
We know it kind of it is a formal in nature because of the
fact that certain safety requirements would be there
today and maybe we just spin up a container instance, it's not
(18:54):
there tomorrow. So how do we really do a
real-time segawa? Inch, which is there.
So that's the other three important things if I were to
kind of summarize first is more about the cultural aspects which
is embedding secured by Design. Second it's implementing.
The native control and aligning to the controls which are there
(19:15):
on on-prem environment and thirdis doing governance, which is
more real-time governance, checking in line, say policies,
which are there and doing it on an ongoing basis.
So those were the three dimensions.
That we have to cover. That's great.
Thank you, Scott question for you.
So we've got, you know, we were seeing this emergence of
(19:36):
security Platforms in the marketplace.
What do you see their role playing within your District?
So, within our district, I wouldsay that we've got a different
or, or different grouping, or plethora of different security
tools with learn moments. And one of the things that were
pressing for is tighter integration into the different
(19:59):
ecosystems, Systems that are there.
So whether they're around threatened response, whether the
Run content filtering around data protection, could be
elements of what we would be looking to integrate our
environment. There has to be some sort of
correlation that takes place, and we're spending quite a bit
of time, just logging into multiple systems, multiple
(20:19):
dashboard multiple tools to be able to correlate information
when we find a threat within environment.
So threat detection response system, so that we can better
respond in fishing. Scams and that we can respond
respond to potential ransomware.Attacks malware texture, any
threats that are coming in. The environment is something
that we definitely need. We talked a little bit about the
(20:40):
content, filtering, or about being able to detect threats,
and both off the network. And on the network, looking for
security platforms that are wrapped around data protection
so that we can understand what data is sitting there.
As my talked about, you know, data at rest, it encrypted data.
In motion data in transit. Those are pieces that we need to
(21:03):
look at. We also need a better integrated
user management Access Control within the environment, knowing
where our users are coming from as we provision and then
provision them into multiple applications and around there.
In addition to that, we use third-party risk monitoring
services. So so we, look at all our third
(21:24):
parties out there that have the highest criticality of risk in
our environment. So it's a little over.
Hundred different vendors for our financial HR System student
information system or benefit system to be able to look and
see how their posture is in the industry as well.
So not only just trusting what we're doing in the environment
in putting in tighter controls but also understanding where
(21:46):
their threats are in the environment and what's been
public after will be posted and what they're doing to address
that. So for us it's just looking for
tighter integration into the security tools that we already
have and to give us a little bit.
Invisibility or better visibility and then be able to
respond to those threats and in a timely manner.
So excellent like anything, you would like to add on that topic.
(22:08):
But scarf touched about this integrated threat Intel.
I think that's a very important part that we have seen in a lot
of school districts. Because today, if we look at
threat actors, each of these threat actors have a very
important or very distinct way of Working and what we call as
(22:32):
the attribution for a great actor.
And these threat actors, they work like specialized interest
rate. So there are three tasks cells
which focused on K12 as school K12 school districts which are
they, they are quite actors which focus on healthcare
industry. So that's that's a very, very
important piece that we have to look at and we have to think
(22:56):
from their perspectives and thencome back and defend.
Of system which are there. I think that's a trend that I'm
seeing that. It's this whole thing is getting
so much specialized and that's where integrated monitoring
threat, Intel threat hunting andvulnerability management.
That becomes a key concern is the Premier membership.
(23:16):
Organization designed to meet the needs of K-12 education,
technology leaders their resources, support the entire it
infrastructure of the school system kosan offers members,
access to their thought, leadersacross the country.
Tree. And the ability to actively
participate in local coast and chapters.
Join the network today, by visiting cosom dot-org, and
become another influential voicein K-12 education.
(23:40):
That's great. And actually, the build off that
one. Next question, I have for you is
with the Advent of covid and having would take all those
devices outside of the Ring fence and people logging and
students logging in through their own, you know, own
networks to be in a unsecured VPN or Unsecured Network.
(24:01):
How do you see challenges like BYOD?
We talked a little bit about OT devices.
How do you see those challenges impact in K-12?
Yeah, I think that's a very important piece for BYOD,
especially when we look at high schools or maybe even middle
schools where kids are carrying their own devices to the
(24:24):
schools, it's a very, very important thing because these
devices are BYOD devices. They are based in, say, in a
school district, a connect with the school district, they are
physically in the location whichare there and they may not be as
secure as the devices which are provided by the school district.
(24:45):
So how do we ensure that? Maybe if some of these devices
they themselves could be infected with malware could be
infected with viruses they don'tcome and they don't infect the
larger. Systems.
And that's where the zero trust based approach that has been
implemented by most of the school districts.
(25:06):
Its kind of helps quite a lot, where one obviously, it's the
secure connection apart to it. And earlier, the whole Paradigm
of connecting to a network was there?
And that's where, what what has happened is now with the whole
Advent of zero trust, rather than connecting to a network of
(25:27):
what we are talking about is Owing to an application so that
you directly connect to an application and you are not
connected to the network. It's like when I get into a
school district at the front desk, I get say escorted into
the classroom where I have to goand that's and then I come out.
(25:47):
I don't have a permission to go in any other place within the
school, which are there. And that's the whole concept
that that schools are kind of working on and that also enables
Advanced protection capabilitieslike data protection, see
capabilities, content filtering,and so on and so forth.
(26:07):
The second point, just like you talked about was around OT.
I think this is still a pretty nascent space in most of the
school districts. And the first and foremost, the
most important thing, which is out there is just to go out and
discover the OT systems, which are there and it does take some
(26:31):
amount of effort because becauseof the fact that say, a lot of
times would be systems, are not within even the purview of the
IT team. So just starting with the
program where we can discover the OT assets, that's a great
picnic that's great insight and Skype from your standpoint and
(26:52):
we kind of touched on it with the BYOD devices or BYOD and my
he brought up the Fact, you have, you know, that middle
schoolers you could have elementary students bringing in
those devices and we know socialengineering is just constantly
evolving. So, it's got a question for you.
How important is it getting thatSavage security awareness to
(27:17):
help mitigate risk from those devices being brought in or
those students who may access devices within the district.
And going to places that you maynot want to go.
You know, my belief is that cybersecurity Earnest and
education and K12 is critical that providing the students and
with this Knowledge and Skills to be able to protect themselves
(27:38):
and their personal information from cyber threats.
They're not necessarily thinkingabout this.
At the age of, you know, six, seven, eight, nine years old,
yet alone, we do 12. There are 16 17 year olds that
are thinking. They're so one of the things
that I want to be able to reiterate is that, you know, not
only, is it not K12 problem. But it's more about Humanity
(28:01):
issue when it comes to service security.
Because when they start to grow up in and start applying for
credit cards or credit checks, and this will be information
that could have potentially beenused drawer or been leaked or
disseminated out there on the, on the dark web.
So being able to protect our students from cyber security
(28:22):
threats. And you know, this is about
teaching them online safety fromour standpoint.
It's also protecting them from those.
Cyber threats of identity theft.Cyberbullying any online
predators that may be out there.Lurking, we saw that during the
pandemic when we opened up the team's environment that was kind
of our first exposure into possibly outside people looking
(28:44):
in into our environment. Second area, I would say, is
around, you know, the digital citizenship that I talked about
a little bit earlier. So that's really helping those
students, develop the skills andthe knowledge to become
responsible students out there. On the web and also the
importance of protecting their privacy.
Another part in that education aspect, and we've got a couple
(29:06):
snares what that we've done on the application side.
But we're looking to develop ourstudents on the cyber security
or the security side, information security size,
giving them the chance to becomeemployable, right after, you
know, the graduate from high school or college.
So, being able to provide them with the skills, you need to
(29:27):
become the part. Of that, that forensic or
separate security staff that theinterest that Workforce, and
then the other part is just making sure that there were
meeting the compliance of Copa, cipa in any purple requirements,
that may we have to ensure that we have compliance within our
environment. Let's do that a lot.
(29:49):
These days with school starting to bring in more training around
cybersecurity and those different areas to build up the
students knowledge skills. Abilities to make them
employable, but also is a way tohelp educate them around the
risks that are that are out there in that, in that
environment. Well gentlemen, I'd like to
(30:09):
thank you for your time consideration and insight.
Today I think was a great conversation and once again,
we'd like to thank our sponsor of Infosys for supporting this
series on K-12 education and cybersecurity and we look
forward to having future conversations down the road.
Thank you, gentlemen, on behalf of the leadership team at kosan.
Thank you for listening. Meaning to this episode of the
(30:30):
coats and podcast to access other podcasts in the series
visit kosan dot org or Ed circuit.com for complete lineup
of engaging technology, topics, Ed circuit and Powers the voices
of Education. With hundreds of trusted
contributors changemakers and Industry, leading education,
innovators. Meaning to this episode of the
coats and podcast to access other podcasts in the series
visit kosan dot org or Ed circuit.com for complete lineup
of engaging technology, topics, Ed circuit and Powers the voices
of Education. With hundreds of trusted
contributors changemakers and Industry, leading education,
innovators.
Welcome to the coast and podcast.
Produced in partnership with Ed circuit media.
In organization focused entirelyon the K20, Ed tech industry and
empowering. The voices that can provide
guidance and expertise in facilitating.
The appropriate usage of digital, technology in
education, Ed circuit Elevate, the voices of today's Innovative
(00:25):
thought, leaders and experts koston represents over 13
million. It's in districts and
educational institutions, Nationwide and continues to grow
as a powerful and influential voice in K-12 education.
This high-profile series showcases industry, thought
leaders and Executives who provide timely Market insights
(00:47):
and critical guidance on variouseducational technology
strategies. Alright, welcome to the kosan
podcast series. My name is Jeff angle and on
behalf of kosan and today's sponsor Infosys We're excited to
bring you part 3 of a 3 part series on K-12 education and
cyber security. Joining me today are Mike, I'll
(01:08):
go Wally and Scott gelnhausen Mike has been associated with
emphasis for more than 17 years.And his current role Mike, is it
have a cyber security business in North America?
He's responsible for customer engagement sales and analyst
engagement go to market strategies with tech partners
and startups in North America. Mike is proficient in managing
(01:28):
strategic relationships with Cios sizzles.
Head of cloud and infrastructure.
Mike is it accomplished and astute professional with the
perfect mix of sales, Acumen, and Technology, expertise.
Welcome to the podcast make timefor having me here, Jeff.
Thank you. And also joining us is Scott
Gill housing. Scott is the Chief Information
(01:50):
Technology officer for the Houston Independent School
District, where he leads all aspects of Information
Technology data and analytics and information security is
Archie mission is to ensure Equitable access to Advanced
learning Technologies. Modernize the existing
application software portfolio and bolster cybersecurity data.
Privacy to safeguard the interest of students teachers
(02:13):
and employees across the organization.
Scott has over two decades of experience in strategic and
operational. Leadership roles brings a wealth
of expertise to its current position as the CIT.
Oh, and prior to assuming this role, he served as the Director
of it. Sure.
Engineering operations at Houston is D where he led the
(02:34):
delivery operation maintenance of Technology, infrastructure,
telecommunications, and Computing Services.
That were aligned with the organization's educational and
business programs throughout hiscareer.
Mr. Gil housing has been involved in the educational
community and IT professional organizations such as the
Council of great City Schools Center for digital education,
(02:55):
Consortium for school networking, Texas Education,
technology leaders, And Gardner Scott received his Bachelors of
Science in management information systems from the
University of Houston. Clear Lake, welcome to the
podcast, Scott, thank you Chad. I'm glad to be here.
So let's kick off today's discussion by identifying some
challenges in K-12 schools, and Scott, this is the directors,
(03:17):
first question to you, you know.So from your Vantage Point,
we're running a very, very largeDistrict, substantial technology
infrastructure. What are the current challenges
for K-12 schools? In the areas of it and
cybersecurity, I can speak on behalf of Eric Houston.
I stay just in the challenges that we face on a day-to-day
(03:39):
basis. One of them, I think most of the
industry here in K-12 is pretty pretty knowledgeable about the
increased number of threats targeting education.
And so we are continuing continuing to be attacked both
internally and externally with in the environment, through
phishing scams ransomware attacks and other type of Our in
(04:00):
the environment. In addition to that we're faced
with limited budgets, and k12. And so outside of having to
support the core infrastructure,application Service delivery
Computing devices cyber securityis not necessarily an area that
there's a lot of investment in and that's one of the areas that
we're looking to bring us more investment in the areas.
(04:22):
The other part is the, you know,balancing security and
accessibility, and the environment.
So we know that it's real We start to tighten the the
controls within the environment.We may be impacting some
instructional applications for instructional content, delivery.
And that happens for most Educators and students, in our
environments, another area that's Rising for us is being
(04:45):
able to protect our student employee data.
So, as a district, we've got to comply with FERPA and Coppa
regulations to protect that personal information of our
students, and it can be somewhatchallenging and given the large
size of our district. Because we're not only looking,
For record student population orexisting employee population.
(05:05):
But we have literally Decades ofStudent Records or student
information employee informationwithin the district.
So overall you know there's there quite a bit of challenges
that were faced and one more I'll just kind of refer back to
is the human Talent aspect of it.
(05:25):
So with it being a pretty competitive environment today.
The industry. One of the forms that have the
privilege to be a part of was a garter CIO formed.
And it was very interesting to see roughly about 1,500 cios out
there looking at what their tellthem to pull was and most of
(05:46):
their vacancies were sitting at a 6 to 9 month had a window
before their field. So sometimes just having the
lack of human Talent OR expertise in the environment.
Tends to be a challenge for us because the teleporter always
that comes up quite frequently. Like some of the statistics I've
seen in terms of the number of roles that are open.
They are looking to be filled right now just with in the US as
(06:08):
over 500,000 in the cyber security space, my anything.
You would like to add to that. The four points that looked off
the boat, I think they look pretty but prevalent, that we
have seen across the board as well attacks.
Obviously have become lot, more complicated.
The budgets are constrained. Talent is the challenge as well
(06:28):
as Privacy is a big issue as well.
I think just two additional points, which I like to kind of
add to this particular makes is one which is around around the
Advent of say things, things like the OT technology which has
been there and how attackers areleveraging, not just the it
(06:52):
landscape but also OT systems. And we know there are lots and
lots of OT devices which are there Any casual schools so it
could be a tendon systems. It could be small dispensers and
so on and so forth. So OD devices and the kind of
challenges that they bring in, that's interesting pieces, which
(07:15):
are there. And the second piece that we
have seen out here is while someof the school districts are
larger. They have Manpower budget which
are there. We also work with Some of the
school districts which are much smaller in in nature, which are
there, or maybe Central organization that supports maybe
(07:40):
100 or schools and each of theseschools are very, very small
schools in remote locations. So how do we support those kind
of schools and that's where it'sa very different Paradigm.
We're at a overall level. We have to set up certain basic
cyber security controls and Beeper V8 them to all the
(08:02):
organizations, which are there so that everyone gets a
protected and they are part of the larger ecosystem and they're
not just trying to solve this complex cybersecurity problem,
only by themselves, that's a great point that we quickly talk
about the large districts in thechallenges that they have.
But is that if you start moving out from into a Json in schools,
(08:27):
into the rural areas, how do they support that?
That they have the same challenges.
Do you know, Infosys, cybernetics can defend you
against lethal cyber attacks andkeep you hyper connected at the
same time. Our platform provides a
comprehensive cybersecurity solution to Enterprises that
otherwise need to invest in dozens of security Technologies,
(08:48):
to attain Swift security maturity.
This is provided by highly skilled security analysts in our
specialized globally. Distributed network of cyber
Defence Centre. For more information, please,
visit www.is fo sys.com or rightto a mighty r.
(09:10):
A n, KU r, m @i. N fo sys.com Scott.
There are several trends that are unique to K12 people.
You mentioned some of them protecting the pii information
of students of teachers of Staff.
You've got content, moderation. But at the same time, you have
(09:31):
to provide this technology, it infrastructure to Educators what
are some of the trends that you're seeing in this area?
I can speak on behalf of our district and one of the ones
that were really focusing on is around data privacy within our
own district and it's not necessarily something that I T
is taking on but it's a collaborative group of our
(09:52):
academics or research group as well as it.
So, with increased Focus around multiple vendors that are
Lasting data out of our systems and whether that's Pi or non pii
information, we need to have better policies in place and
procedures in order to be able to access the data.
And we've got good board policies that are implies to
(10:14):
help reject things around, FERPAand HIPAA Copa regulations that
are there. So we're putting an emphasis on
data privacy. Another area for Us is around
the digital citizenship, so we're really trying to focus on
working with our teachers. Hers and our students to really
Implement and operate our digital Citizen and to be able
(10:37):
to teach our students and teachers about the
responsibilities of Hawaiian Behavior.
Anything that may be inappropriate for content
sharing respecting other people's privacy.
We're also implementing entire content filtering, and
moderation controls within our environment through some of our
providers about today. So we're trying to make sure
(10:57):
that their students are exposed to the Sent and that whether
they're on the network or off the network.
In addition to some of those tools using some, some of the
artificial intelligence to be able to start looking at
information that may be sitting low quality device.
And that may, you know, move into things like bullying or
(11:18):
harmful Behavior to to the self or any other acts.
That could be deemed that gives a little bit more visibility
into that cyber security. Awareness training is a Chris
for us as well. And it's not one of those things
that we're looking to do one time of year, but we're looking
to do repetitive video sessions,email articles as well as
(11:41):
testing through efficient campaigns for, for our staff,
inner our teachers, in our employees, inside the district.
And then another Trend that we are starting to see that we have
not necessarily embarked. On ourselves is really in that
artificial in machine, learning environments, so being able to
use that In a better manner to improve our security defenses
(12:03):
and being able to respond to threats in a much quicker and
timely manner so that we're focusing on the threats that we
need to focus on and then also ensuring that we're able to
continue to provide a learning environment for students through
and my t-shirts and trends that you are seeing it.
Houston is D. Yeah, in fact, say I was telling
(12:25):
this earlier too scarred, I livein the Houston, mayor.
Complex area. So my my daughter's they
actually went to HISD and thank you Scott and rest of the HISD
staff it's been a great pleasure.
Being a parent with the kids aregoing to H is T and the kind of
(12:46):
work that is being done out there.
Some of the things Scott kind ofalluded to earlier and if I look
at it from 3 perspective one as a parent S as a Student and
third as as the function that the IT team has to provide as a
(13:06):
parent. It's really heartening to see
one that the kids have access toInternet while they are in the
school premises and obviously, the content is getting governed
moderated, which is there. So that is extremely good thing.
And that's where Scott talked about the fact that we are using
(13:27):
AI machine learning to really Filter, the content not just
from from the content requirements, which is looking
at the offensive content versus others but also provide calcium
providing an inclusive environment, which is their
second important. Diary Dimension is as a parent
(13:49):
when I really look at it. Things as a parent we have to
interact a lot with the school districts.
Also things like pudding. Amount in the lunch kit which
are there or say interacting with the teachers looking at the
course content. So there is lot of interaction
(14:10):
that happens with the school district systems which are
there. And that's where taking care of
the privacy of the information which is they're making sure the
right controls are put in place when we are accessing this
information. So, all of that is a very
important diary Dimension, whichis Is storing the data in
(14:31):
Transit making sure the data is encrypted while in transit at
rest, right? Amount of policies, which are,
which are there. And nobody is snooping in when
these kind of sessions are stablished.
And lastly, as Educators and sayand as the largest school
district, one of the things thatwe have seen is a lot of school
(14:55):
districts. They have systems which have
been little antiquated. Talk about lack of budgets.
As a, as a big area of concern and that way, if your systems
are old Antiquated, they are more susceptible to attacks
because they could be having oneherbal teas which can get
(15:16):
exploited by attackers. And right now, we are seeing a
very big Trend where attackers are coming after school
district. So, I think Scott and his team
are doing a fabulous job in protecting the Eh IH, D it
environment. Thank you Scott for that is it's
a great point that I want to emphasize to like we always
(15:36):
talked about encryption with data in transit, but from a zero
trust aspect, not a lot of people are focusing at that data
when it's at rest, so, great point there.
So, my multi-cloud adoption is becoming the new normal.
And for those of you out there multi-cloud is using more than
one cloud service provider, how can the K-12 sector secure
(15:58):
itself while? Opting for this multi-cloud
strategy, Jeff, I like to Definemulti-cloud in a little bit of a
broader context as well, becauseone obviously there are multiple
hyper scalars. Which essentially means we could
be leveraging AWS your or Googleor Oracle cloud or even IBM
(16:22):
Cloud at the same time. Second important Dimension to,
it could be the fact that maybe it's a single cloud.
Ow, but then we are leveraging multiple SAS platforms which are
there. And when you leverage multiple
SAS platform, then you are interacting with multiple
clouds, which are there. So there are three important
(16:44):
Dimensions which we have to focus on when we have to protect
a multiple Cloud environment. First and foremost retails, what
we call is, as the cultural aspect where lot of times when
we are moving Cloud. Just the whole dimension of
protecting the environment. Everyone thinks it's the cloud
(17:06):
providers or the staff providersresponsibility.
And that's where there is lot ofEducation that needs to go in
with the application teams more so where we have to educate them
and say that the security of theenvironment, it becomes a shared
responsibility. And that what it means is there
(17:29):
are things that I have to be done by the cloud provider and
the SAS provider but there are things that the it teams or the
applications, or the infrastructure or the security
teams, they have to do. So the taxi whole dimension of
secure by design that comes intoplay sticking part 2.
It is all about putting the right native controls which are
(17:52):
there be it, the SAS product or the hyper scalar that comes into
play. So like the Wii Take the on-prem
environment. Similarly all the say of
controls along the seven layers of the OSI, they have to be put
into place from a Access Networkperspective, data, protection.
(18:13):
So all of those have to be put into place, which is the third
important Dimension to. It is more around governance and
making sure the controls are pasted on an ongoing.
Basis, which is there a cloud for example, the most important
(18:33):
pieces about Cloud are one. It's about flexibility second,
it's about Speed and Agility andthird is something where Cloud?
We know it kind of it is a formal in nature because of the
fact that certain safety requirements would be there
today and maybe we just spin up a container instance, it's not
(18:54):
there tomorrow. So how do we really do a
real-time segawa? Inch, which is there.
So that's the other three important things if I were to
kind of summarize first is more about the cultural aspects which
is embedding secured by Design. Second it's implementing.
The native control and aligning to the controls which are there
(19:15):
on on-prem environment and thirdis doing governance, which is
more real-time governance, checking in line, say policies,
which are there and doing it on an ongoing basis.
So those were the three dimensions.
That we have to cover. That's great.
Thank you, Scott question for you.
So we've got, you know, we were seeing this emergence of
(19:36):
security Platforms in the marketplace.
What do you see their role playing within your District?
So, within our district, I wouldsay that we've got a different
or, or different grouping, or plethora of different security
tools with learn moments. And one of the things that were
pressing for is tighter integration into the different
(19:59):
ecosystems, Systems that are there.
So whether they're around threatened response, whether the
Run content filtering around data protection, could be
elements of what we would be looking to integrate our
environment. There has to be some sort of
correlation that takes place, and we're spending quite a bit
of time, just logging into multiple systems, multiple
(20:19):
dashboard multiple tools to be able to correlate information
when we find a threat within environment.
So threat detection response system, so that we can better
respond in fishing. Scams and that we can respond
respond to potential ransomware.Attacks malware texture, any
threats that are coming in. The environment is something
that we definitely need. We talked a little bit about the
(20:40):
content, filtering, or about being able to detect threats,
and both off the network. And on the network, looking for
security platforms that are wrapped around data protection
so that we can understand what data is sitting there.
As my talked about, you know, data at rest, it encrypted data.
In motion data in transit. Those are pieces that we need to
(21:03):
look at. We also need a better integrated
user management Access Control within the environment, knowing
where our users are coming from as we provision and then
provision them into multiple applications and around there.
In addition to that, we use third-party risk monitoring
services. So so we, look at all our third
(21:24):
parties out there that have the highest criticality of risk in
our environment. So it's a little over.
Hundred different vendors for our financial HR System student
information system or benefit system to be able to look and
see how their posture is in the industry as well.
So not only just trusting what we're doing in the environment
in putting in tighter controls but also understanding where
(21:46):
their threats are in the environment and what's been
public after will be posted and what they're doing to address
that. So for us it's just looking for
tighter integration into the security tools that we already
have and to give us a little bit.
Invisibility or better visibility and then be able to
respond to those threats and in a timely manner.
So excellent like anything, you would like to add on that topic.
(22:08):
But scarf touched about this integrated threat Intel.
I think that's a very important part that we have seen in a lot
of school districts. Because today, if we look at
threat actors, each of these threat actors have a very
important or very distinct way of Working and what we call as
(22:32):
the attribution for a great actor.
And these threat actors, they work like specialized interest
rate. So there are three tasks cells
which focused on K12 as school K12 school districts which are
they, they are quite actors which focus on healthcare
industry. So that's that's a very, very
important piece that we have to look at and we have to think
(22:56):
from their perspectives and thencome back and defend.
Of system which are there. I think that's a trend that I'm
seeing that. It's this whole thing is getting
so much specialized and that's where integrated monitoring
threat, Intel threat hunting andvulnerability management.
That becomes a key concern is the Premier membership.
(23:16):
Organization designed to meet the needs of K-12 education,
technology leaders their resources, support the entire it
infrastructure of the school system kosan offers members,
access to their thought, leadersacross the country.
Tree. And the ability to actively
participate in local coast and chapters.
Join the network today, by visiting cosom dot-org, and
become another influential voicein K-12 education.
(23:40):
That's great. And actually, the build off that
one. Next question, I have for you is
with the Advent of covid and having would take all those
devices outside of the Ring fence and people logging and
students logging in through their own, you know, own
networks to be in a unsecured VPN or Unsecured Network.
(24:01):
How do you see challenges like BYOD?
We talked a little bit about OT devices.
How do you see those challenges impact in K-12?
Yeah, I think that's a very important piece for BYOD,
especially when we look at high schools or maybe even middle
schools where kids are carrying their own devices to the
(24:24):
schools, it's a very, very important thing because these
devices are BYOD devices. They are based in, say, in a
school district, a connect with the school district, they are
physically in the location whichare there and they may not be as
secure as the devices which are provided by the school district.
(24:45):
So how do we ensure that? Maybe if some of these devices
they themselves could be infected with malware could be
infected with viruses they don'tcome and they don't infect the
larger. Systems.
And that's where the zero trust based approach that has been
implemented by most of the school districts.
(25:06):
Its kind of helps quite a lot, where one obviously, it's the
secure connection apart to it. And earlier, the whole Paradigm
of connecting to a network was there?
And that's where, what what has happened is now with the whole
Advent of zero trust, rather than connecting to a network of
(25:27):
what we are talking about is Owing to an application so that
you directly connect to an application and you are not
connected to the network. It's like when I get into a
school district at the front desk, I get say escorted into
the classroom where I have to goand that's and then I come out.
(25:47):
I don't have a permission to go in any other place within the
school, which are there. And that's the whole concept
that that schools are kind of working on and that also enables
Advanced protection capabilitieslike data protection, see
capabilities, content filtering,and so on and so forth.
(26:07):
The second point, just like you talked about was around OT.
I think this is still a pretty nascent space in most of the
school districts. And the first and foremost, the
most important thing, which is out there is just to go out and
discover the OT systems, which are there and it does take some
(26:31):
amount of effort because becauseof the fact that say, a lot of
times would be systems, are not within even the purview of the
IT team. So just starting with the
program where we can discover the OT assets, that's a great
picnic that's great insight and Skype from your standpoint and
(26:52):
we kind of touched on it with the BYOD devices or BYOD and my
he brought up the Fact, you have, you know, that middle
schoolers you could have elementary students bringing in
those devices and we know socialengineering is just constantly
evolving. So, it's got a question for you.
How important is it getting thatSavage security awareness to
(27:17):
help mitigate risk from those devices being brought in or
those students who may access devices within the district.
And going to places that you maynot want to go.
You know, my belief is that cybersecurity Earnest and
education and K12 is critical that providing the students and
with this Knowledge and Skills to be able to protect themselves
(27:38):
and their personal information from cyber threats.
They're not necessarily thinkingabout this.
At the age of, you know, six, seven, eight, nine years old,
yet alone, we do 12. There are 16 17 year olds that
are thinking. They're so one of the things
that I want to be able to reiterate is that, you know, not
only, is it not K12 problem. But it's more about Humanity
(28:01):
issue when it comes to service security.
Because when they start to grow up in and start applying for
credit cards or credit checks, and this will be information
that could have potentially beenused drawer or been leaked or
disseminated out there on the, on the dark web.
So being able to protect our students from cyber security
(28:22):
threats. And you know, this is about
teaching them online safety fromour standpoint.
It's also protecting them from those.
Cyber threats of identity theft.Cyberbullying any online
predators that may be out there.Lurking, we saw that during the
pandemic when we opened up the team's environment that was kind
of our first exposure into possibly outside people looking
(28:44):
in into our environment. Second area, I would say, is
around, you know, the digital citizenship that I talked about
a little bit earlier. So that's really helping those
students, develop the skills andthe knowledge to become
responsible students out there. On the web and also the
importance of protecting their privacy.
Another part in that education aspect, and we've got a couple
(29:06):
snares what that we've done on the application side.
But we're looking to develop ourstudents on the cyber security
or the security side, information security size,
giving them the chance to becomeemployable, right after, you
know, the graduate from high school or college.
So, being able to provide them with the skills, you need to
(29:27):
become the part. Of that, that forensic or
separate security staff that theinterest that Workforce, and
then the other part is just making sure that there were
meeting the compliance of Copa, cipa in any purple requirements,
that may we have to ensure that we have compliance within our
environment. Let's do that a lot.
(29:49):
These days with school starting to bring in more training around
cybersecurity and those different areas to build up the
students knowledge skills. Abilities to make them
employable, but also is a way tohelp educate them around the
risks that are that are out there in that, in that
environment. Well gentlemen, I'd like to
(30:09):
thank you for your time consideration and insight.
Today I think was a great conversation and once again,
we'd like to thank our sponsor of Infosys for supporting this
series on K-12 education and cybersecurity and we look
forward to having future conversations down the road.
Thank you, gentlemen, on behalf of the leadership team at kosan.
Thank you for listening. Meaning to this episode of the
(30:30):
coats and podcast to access other podcasts in the series
visit kosan dot org or Ed circuit.com for complete lineup
of engaging technology, topics, Ed circuit and Powers the voices
of Education. With hundreds of trusted
contributors changemakers and Industry, leading education,
innovators. Meaning to this episode of the
coats and podcast to access other podcasts in the series
visit kosan dot org or Ed circuit.com for complete lineup
of engaging technology, topics, Ed circuit and Powers the voices
of Education. With hundreds of trusted
contributors changemakers and Industry, leading education,
innovators.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!