May 8, 2024 • 29 mins

In today's episode of Breakfast Bytes, hosted by Felicia King, we delve into the pressing issue of cybersecurity in K-12 education with special guest, Chris Rule, a Technology Director with 25 years of experience. We discuss the urgent need for tangible action in this area and explore operational maturity practices like third-party information security risk management, vendor risk management, vulnerability management, and password management.

A focus of the episode is the need to translate cybersecurity concerns into strategic actions at the executive level. We also discuss the impact of cyber insurance programs and the severe disconnect between cybersecurity compliance requirements and their implementation at the school level. We dive into the critical necessity of creating operational structures that prioritize cybersecurity, incorporating crucial regulatory compliance requirements such as CIPA, FERPA, and COPPA.

A poignant part of our discourse is managing the 'human element' of cybersecurity as cyber-attacks are increasingly centered on social engineering. This necessitates not just a technical solution, but a cultural shift in organizations, making cybersecurity training a mandatory part of human resource management.

This episode also touches on the challenges of implementing IT security measures in small school districts. It emphasizes the importance of an institutionalized onboarding program that includes both technology aspects and basic legal knowledge. We highlight the need for better collaboration between board professional organizations and security companies, and discuss parental demands and voluntary programs that schools can utilize to assure their commitment to student data protection.

In conclusion, we explore the practice of hiring fractional CISOs and CTOs to help IT directors manage their various responsibilities within limited resources. Tune in to this comprehensive episode to learn more about the challenges of and solutions for implementing cybersecurity in K-12 education.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Yeah, good morning. You're listening to Breakfast Bytes, and I'm Felicia King,
and today joining me is special guest, Chris Rule.
He's been a technology director for the last 25 years across a wide variety of school
districts, K-12, and they're in the small and rural school districts.
However, these techniques and challenges are also applicable to larger schools.

(00:25):
And he's going to talk to us today about these technology challenges.
And Chris was just bringing up this whole point with me about how cybersecurity
has been a hot topic for the last decade in schools. And I don't believe you.
You said the needle hasn't moved. And I agree. I totally agree.

(00:52):
And, and, you know, when you say it's a
hot topic, I don't believe you, because I haven't
seen the needle move. We did...
Well, you know, schools, we do a lot of talking, a lot of talking, not necessarily
a lot of doing. So, uh, yeah. But thanks for having me. I'm happy to be here. Yeah,
we know, we were just talking that for the past... Oh, go ahead. Well, I, I wonder if

(01:17):
you would, when you talk about these
things, if you would kind of infuse concepts of operational maturity in there,
because I sense that what you're going to tell us about the challenges as to
why that needle hasn't moved has a lot to do with operational maturity practices,
such as, like, you know, third-party information security risk management,
vendor risk management, vulnerability management,

(01:39):
password management. Yeah.
Yeah, it's all of that. Yeah. And yeah, so what we were talking about before
we came on is there are surveys that show that cybersecurity has been the number
one topic for the past 10 years.
Do you know who they're surveying when they do that?
It's tech directors. So this is a survey that's done annually by CoSN,

(02:01):
which is the Consortium for School Networks, which is a professional organization
specifically for K-12 technology directors.
And they've been around for more than 30 years, and they offer resources like
this yearly survey to see what the hot topics are in schools.
And cybersecurity has been the number one from all the tech directors that responded.

(02:24):
Who's the audience of the survey?
Like, does it help you as a technology director or is it intended for somebody else?
No, it's intended for education.
They try to put the data together in a format that would be applicable to help
technology directors talk to the board about things that they may need.

(02:45):
Yeah. So they really try to do it at that executive level. So,
it's less, this is what Chris says, and more like, this is what the entire industry
is saying. Correct. Yes, correct.
Yeah, so you can't disseminate the data and say, look, in Virginia,
they said the top topic is this.
It's more like, across the nation, these are the things that schools are trying to prioritize.

(03:11):
And cybersecurity has been on the top of that list for a long time, and it really
is listed as cybersecurity, not information security. Do you think that that has
any correlation with, like, insurance requirements? I think that has definitely
kicked it up in the past few years because,

(03:31):
while most schools don't have to have cyber insurance, a lot of schools, it's
kind of bundled in their package.
Like, like they almost have to have it.
And so that has definitely brought it to light because, you know,
just like we were saying before these maturity models, schools don't really
have a compliance that they have to meet.
Right. And so this, this insurance requirement almost became a non-standard compliance.

(03:56):
Like you have to have MFA if you want this insurance. And so then schools had
to scramble to figure out how to.
How to even become mature enough to get cyber insurance.
So, you know, the sad thing about what you said is that from my perspective,
I've always thought that schools had compliance.
They are loaded with personally identifiable information, which puts them under, you know, FTC regs.

(04:23):
They also, I thought it was the
Children's Internet Protection Act at a minimum that they had to comply with.
So there's that, that you
don't actually, don't have to even meet CIPA compliance.
So there is a
CIPA compliance level, but the only
thing that you get by meeting CIPA

(04:45):
compliance is that you can then qualify for E-Rate, which is a discount on your
internet connection, is essentially what it is. Oh, sure. But everybody is using
that. You know, every school is using that. So that inherently, what you're
saying is, now they need to be CIPA compliant.
But CIPA compliance is super easy. It's just simply, we're going to have a filtering

(05:08):
solution in place that will protect our kids from the bad stuff.
That's pretty much as loose as it is. Right.
So we put a filter in place that monitors Internet traffic and it blocks,
you know, malware and some malicious things.
But mostly it blocks, you know, the real bad stuff on the Internet, that violence and porn.

(05:29):
Okay, so that's where I was like, how
do you take CIPA and turn it into an organizational acceptable use policy?
Because I have yet to actually see a school do that.
There seems to be a very severe disconnect between what CIPA,
just kind of like, I'm going to call it common sense best practices about like

(05:51):
bad stuff, as you articulated, versus nobody really at the management level
wants to be inconvenienced.
That's very true.
So how do you make that leap then, especially with schools that don't have the
time for it and probably lack the operational maturity to get there?

(06:15):
Well, there's probably three things that are the closest to compliance.
One would be CIPA, which is a compliance in order to receive some federal funding.
Then you have FERPA, which is like a child data privacy act.
Right. And then you have COPPA, which is, COPPA is to protect kids under age 13.

(06:37):
And all of those kind of get taken into consideration when you're creating policies for a school.
Usually those policies in a school boil down to how much permission do we have
to have from parents in order to provide our kids with the tools that we want to use.
And schools rarely, even though COPPA was designed to protect kids that are young,

(07:00):
schools rarely even think about what's happening with that data when they give it to a third party.
Right. They might think about, well, we have kids and they're more concerned
about kids are going to be turning age 13 sometime in middle school.
So how do we put an Internet policy in place that can let an eighth grader that

(07:21):
may have started the year at 12 years old that's now turning 13?
What do we do for that individual? I mean, those are the things that schools are thinking about.
They're not thinking about, OK, we're handing over all this information to X,
Y, Z application for all of our rostering data.
And we've not even vetted that vendor to find out what they're doing.

(07:43):
Well, OK, I have to pivot off of that because that's a fantastic point.
And it isn't just about the third party information security risk management
and that vendor risk management, which absolutely needs to be done.
And I've never, I mean, frankly, most large companies don't do that well.
But the other piece is, I still, even in large organizations, not just in schools,

(08:08):
but even in large organizations, I run into this thing where they're like, well,
the data's in Salesforce. So therefore it's secure.
And it's like, no, that doesn't inherently make it secure.
I'm like, okay, so really when I'm looking at like a cyber insurance questionnaire,
or I'm looking at a vendor risk assessment that one of my clients is going through

(08:31):
for one of their customers.
These sorts of questions come up, which is like, what
about your employee onboarding policy, right? How are
you ensuring that your staff are trained
with regards to this private data handling? So
this whole concept that says that it's in some sort of
a secure, and I'm air quoting "secure", SaaS platform, that doesn't address any of

(08:55):
the needs of, I have a computing platform that I have relative assurance is not
compromised, and therefore the data is getting... that way,
but also that I have trained my people so that they're doing secure processes.
And it's like, how do we deal with people?

(09:17):
And how do you deal with in the education space, trying to get the right people
to make those policies to actually address really, I'm gonna call it the three legs of the stool.
One is your, we do have to know what the vendors are doing, but we have to be
training our people properly and we have to secure the endpoints that they're

(09:38):
accessing that data properly. Yeah.
I think we're seeing a trend in education, kind of a shift in the attack vector,
definitely toward social engineering,
because while we say the needle hasn't moved, there have been more technical
solutions that have been applied at schools. Schools know they need to do something.

(09:59):
And usually it's coming from an insurance compliance, right?
They need to implement MFA.
They have to have endpoint detection and response. You know,
these things that they may have never even thought about before,
suddenly they are becoming a little more hardened.
And so now the attack vector has shifted to social engineering,

(10:20):
and it is attacking the weakest point, right, the people.
And so, you know, a lot of schools, we use KnowBe4, there are different
platforms that aren't just phishing awareness, but that will do some, some sort of training.
And I would say probably good cyber insurance programs will require that, and some even offer it.
But what I've seen, it's not very good. Well, so we have an excellent cyber

(10:45):
awareness training platform.
However, as a CISO, I and my SOWs to clients say, you need to change these HR policies.
You need to change these onboarding policies.
You need to change the culture of your company to make it completely not only
acceptable to do training, but mandatory to do training.

(11:07):
Right. So it's like, I feel like that's the big piece that's missing in the
vast majority of the time, is that the technical controls are really kind of
a minority of the solution.
And it's like 80% of it is HR management.
It is. Well, and it's like you said, it's a culture thing.
It's an awareness thing.
And it's a prioritizing that, because if the board and your main leadership

(11:34):
team, your cabinet, whatever you want to call that in a school district,
if they're not bought into the concept that cybersecurity or information security
is not just I.T., then you're not going to, as we said, move that needle.
You're not going anywhere because, oh my gosh, yeah, you just hit on one of
my hot buttons of all time. I call it the grenade over the wall.

(11:55):
It's like, no, we'll shoot it over to IT. Yeah,
they'll, they'll take care of it. Well, I see it
all the time. Even so recently, we put
in an emergency response solution, which
is basically a tool that everybody has on their phone
that if you have a lockdown, it alerts, or if you're doing a
drill, it'll alert that. And suddenly that

(12:16):
became an IT thing because it handles incidents.
Well, you know, a fire or
an earthquake or an active shooter is
not an IT incident. And well, and
even if it were, it's, it still involves everybody.
And so, I'm sorry, I see this
all the time. Hilarious. Yeah, well, I don't know, why am I setting up fire drills

(12:40):
now all of a sudden? You know what, if IT is in charge of active shooter, I totally
got a solution to that problem. It's called the Terminator. Yeah, perfect. Problem: AI. Yes.
Most of the time I actually would prefer it,
if they would just say, yes, you know what, you, IT, you are the resource owner,

(13:05):
because if they would just make me the resource owner, oh, I would write the
policy, you know, and that's the problem, too, is right.
It is. It is a flip side of the coin because they're like, oh,
yep, it's an IT thing here.
You do it. But then when we try to do it, you have no authority to do it. Right.
Yeah. There's no authority. Right. Even if we write a policy.
I have board members right now that they won't use a district provided email.

(13:29):
Email, they want to use either a work email or a
home email, which is, is
kind of a legal nightmare anyway, because if there's a FOIA request,
they're, they're opening up their own private data right there.
And, and we can't get... Right, see it. Yeah, I
mean, that's exactly right. I mean, that, that's one of those things where
it's like, a lot of times I get behavioral change by articulating how

(13:50):
it's going to benefit them. Like, no, no, you don't want
that nightmare in your personal, right, bucket. It... Yes, yep.
Yeah, but sometimes they still don't see it. Schools are
very unique in that they're run
by the school board. Oftentimes those are
not educated people, for one. Not, not educated as much as their staff is, anyway.

(14:12):
They have varying roles within the community. Oftentimes they're being a board
member just because they have an agenda. They want to, you know, I have a problem
with the dress code. And that's why they decided to be a board member.
So you suddenly have this group of very diverse individuals running your school

(14:33):
with strong opinions that maybe don't even align to what your school culture is.
Are these mostly volunteer positions as well?
Almost always. I think some school board positions are paid in maybe some of
the larger districts, but in smaller districts, and I think 85% of the school

(14:53):
districts in the country are 2,500 students or less.
So the majority of the school districts are small, but the majority of students
are in, of course, the larger school districts.
But yeah, in those small school districts, the board is just a volunteer position.
Well, it's got to be difficult to get them to make time to elevate their own

(15:16):
knowledge to the point where they can be an informed risk decision maker when
it's volunteer time. It is.
Yeah. And they have other things going on.
And so, for a tech director, to try to get some time during the board meeting,
if you get five minutes during the board meeting, that's not enough time to

(15:37):
convey a solid message of, you know, even awareness of a training program.
It is a unique challenge. Have you ever tried a curriculum for new board members
and have that as an instituted policy?
Because this isn't just a technology thing, right? This is about the legal things

(15:58):
that board members need to know. Yes.
It would seem to me there would need to be a specific onboarding program just for directors.
There should be. But, I mean, there's no
official onboarding program, even for a teacher, right? It's, and it varies from district to district,
and so it does become tough there. You know,

(16:21):
the board has professional organizations that
they go to. That, that, you know, that's what
they try to do. They try to, to educate the board of what
their job is. They're not there to micromanage, they're there to govern,
to oversee, and, you know, to manage. And, and you
will get board members that definitely improve. You know, if you have
a board member that's been on your board for 15, 20 years,

(16:42):
they're, they're far more educated and experienced, of course, than the younger
ones. I think there needs to be more collaboration with that board professional
organization and with security companies to find out what that need is, to try to,
to try to raise that awareness. And, and

(17:03):
it's, we keep saying the needle's not moving. It is
slowly moving. There's, there's becoming more awareness, and it is slowly changing,
but it's partly driven by the events that are happening. You know, the schools
are getting hit with ransomware, and everyone knows of a school that's fairly close
that's been hit by something. And unfortunately,

(17:24):
schools are more likely to react than to be proactive. But when it happens to
someone that you know, or someone that...
someone you know, who you know through someone else, it becomes a little bit
more personal, and that helps.
I feel like there's an aspect of this that needs to be on the demand side as well.

(17:45):
Like, let me tell you what I mean by that. I'm always...
A big proponent of, you know, free choice and fixing issues on the demand side, right?
So, like, if I'm a parent and I have my three kids and I want to decide what
school I'm going to put them in,
one of the factors that I should be evaluating is how well is that school going

(18:11):
to protect my child's information?
Absolutely. And I feel like there's no mechanism for them to do that at this point in time.
And I don't have a lot of warm fuzzies. I don't even have 50% warm fuzzies about
most of the schools that are out there.

(18:31):
And I'm not picking on schools. It's just, I would also make that statement
about most of the businesses that are out there.
And so I think it's not necessarily exclusively an education problem.
I mean, I did a couple Apple podcasts on the topic of how most people who are
getting their taxes prepared are not actually doing an appropriate vetting of

(18:54):
their selected tax preparer.
And so it's like a lot of these things I feel like need to be fixed on the demand side.
So if you're a parent, I don't think there's any resources right now that you
could go to to get that sort of evaluation criteria. Are you aware of it?
There's not from that standpoint. I mean, you've got good schools and different

(19:15):
things where people will go out and put this kind of like Yelp for schools,
right? That's, they'll go out and put just a general review.
There's nothing for data privacy and security.
There is, CoSN put out a TLE certification, which is a voluntary program that
schools can go through. That's the Trusted Learning Environment.
And in order to meet that, it's a several year process of going through and

(19:37):
meeting kind of like a certification level that just says, yes,
we're dedicated to protecting student data.
And these are the hoops that we had to jump through to do it,
more or less. Does it help a school become more competitive?
I mean, like, what's the incentive for doing that? I guess the incentive is
to build community trust.
I think it's two things. It would be to build community trust because,

(19:58):
I mean, you want to have trust from your parents and your community.
But it's also they're going to improve along the way.
So if you have a pretty insightful technology director, or maybe they're fortunate
enough to have a CISO on staff,
if they go through that process without having to hire a third-party consultant,
they can go through and use this light framework and come up with some controls

(20:22):
and put measures in place to improve.
What kind of overlap is there between that and something like CIS?
I mean, there's definitely overlap, right? Most of the control systems,
as you know, have overlap.
I think it's built partly with CIS, the 18 controls, and then some NIST framework.

(20:44):
We're seeing there's no, we talked
before, there's no compliance level at schools, but I think it's coming.
I think from the federal level, within the next five years, we'll probably be
seeing something, edu-ramp or something that'll be a compliance level for schools.
Because when schools get hit with ransomware, the money's got to come from somewhere,

(21:06):
and it's all government funding, whether it's state or federal.
And I think with the attention that schools are getting and the money that's
being lost and the education that's being interrupted, I think we're going to
see something, and I don't know what that'll look like.
And there are third-party companies and organizations that are putting things
together to try to help schools.
There was recently a consortium of security companies that put together a cybersecurity

(21:30):
rubric trying to focus it primarily on education.
And they looked at a number of different control systems from NIST and CIS.
They even looked at Security Studios platform and some different ones to try
to crosswalk and figure out what was going to be the best platform or the best controls to do that.

(21:53):
And so they kind of settled on something that's very similar to NIST,
almost kind of designed their own NIST EDU framework, and they even updated it for the new 2.0.
It's free to schools, and so that's, I think, has helped.
But the problem is, is that, I mean, there are resources out there.
You know, CIS has all these tons of resources, and it's a great platform for schools.

(22:15):
But most schools don't have the time, you know, or the education to do it,
you know. Or the focus, I guess, would be what we should say, the priority.
I think the core issue that I see is that they... And I'll put schools in the
same bucket with a bunch of businesses that I know of as well.

(22:36):
They think that...
The IT director has time to do that stuff as well as somehow has the power and
authority to do that stuff.
And I don't, I've never seen it.
Instead, the only time I've seen those efforts really be successful,
I mean, certainly, yes, there are going to be edge cases, but the times that

(22:58):
I've seen those efforts be really successful is when there is at least a fractional
CTO or a fractional CISO involved,
but on an engagement, you know, like on an ongoing engagement.
So there's like this kind of long-term relationship because I feel like it's

(23:20):
just asking too much of an IT
director to be like, well, manage the whole budget, manage the technology,
respond to support tickets, do all this, manage the staff and blah, blah, blah.
And then somehow you're supposed to manufacture some more time.
And I mean, you're very different than most IT directors.

(23:41):
I mean, most IT directors do not have your level of skill with regards to compliance
and on the CISO side, in my opinion.
And so most IT directors, I think, are just, they struggle with even articulating
the value proposition of why these other efforts actually need to happen.
And so without that kind of executive level initiative being pushed,

(24:06):
then there is no one at the executive level pushing it.
And to your point, the priorities always get overridden.
Right, right. Yeah.
We're, we're so, I hate to say the word underfunded, but the reality is,
is that if you work in technology and education, you can probably go into the

(24:27):
public sector and make twice as much just by changing jobs.
So most people who work in education, especially in technology,
they do it because they have kids in school or they're doing it because they
get great benefits or maybe they get the summer off.
There's some other thing other than, than the financial that's keeping them
there. So that tends to not bring out the best talent for an education environment.

(24:54):
But that's part of why having a fractional CTO or a fractional CISO involved is very good.
The other thing, too, is that cultures in school kind of, if someone's an outside
expert, they're almost valued better than an inside expert.
You could have someone in a school that's super qualified, and
when they make a recommendation, for some reason, when you

(25:16):
hire a consultant, the consultant may not have
even as much experience as someone in-house, but that opinion
is regarded higher. And so you're right, when you bring in someone like a fractional
CISO, or even just someone who's going to maybe do a one-time risk assessment,
it's taken with more authority than your in-house staff, which is unfortunate.

(25:40):
I, that's, so, I mean, I know you've seen that, and I definitely understand that.
You know, that, that paradigm, I've seen it in some organizations as
well. I, I do see, though,
there appears to be this sort of like budgetary pressure
that just changes people's mindset.
Instead of thinking about, how do we get a relationship

(26:03):
with a fractional CISO for, let's just say,
I don't know, twenty-six thousand dollars a year. Okay, so instead
of coming up... 24, the math would be easier. Well, okay,
but, but you get what I'm saying. Like, it's
a, it's a paradigm change of saying, let's at
least do something on a regular, ongoing
basis as part of this relationship, as opposed to, no, we can't do anything because

(26:29):
it costs too much money. It's like, well, no, you know what's really gonna cost
too much money is when you didn't plan properly. Yes. And yeah, when you, if you
succumb to that ransomware event, that's going to be expensive.
Yeah. Yeah. So I think the paradigm problem that I see most of the time,
and this isn't just education,
it's that they really have this sort of like budget block mindset and they're

(26:55):
not even willing to allocate fairly minor amounts of money to the problem.
And so then they just pile it on to the IT director. And I've seen this so many
times, you know, it's like, well, the IT director works for us full time.
She's already working for us. Yeah. Yeah. Just keep piling on, piling on.

(27:16):
And then it becomes a matter of too many priorities, always constantly competing priorities.
And this is exactly, it's not just an IT director problem,
but I see that that problem itself is exactly why a lot of internal IT departments
don't get their systems patched and that maintenance isn't done or lifecycle
asset management isn't done because really it's only the IT people that care about that stuff.

(27:41):
Right. Absolutely. It only is. And a lot of times we don't care. No, I'm just kidding.
Well, it's hard, you know, it's hard to care, right?
It's hard to prioritize that. I mean, there are some days you just walk home,
you just go home and you're like, I can't do anymore.
I'm, you know, all this stuff needs to be done, but I'm done for the day.
Well, not only that, but, you know, it's smart to walk away sometimes because

(28:04):
you know that, that if you go open that can of worms at 6 p.m.,
you don't have enough time or energy and maybe the right people at that particular
change window to be able to do a recovery if poo-poo goes the wrong way. Right.
Yep. You know, so I would call it adult to go home and go to bed.

(28:25):
I'll wrap it up with a real quick story here. Many, many, many years ago,
I worked with this gentleman who was at the time he was in his 60s.
And I mean, he would come to work at like 5 a.m., you know, some
ridiculously early hour. And, and, you know,
going out the door one day, he says to me, oh yeah, I'm gonna go home, I don't...
work on the thing. And I said, no, dude, nothing good happens after 6 p.m. Please

(28:46):
do not go home and work on the server from home. Please do not. And, and he made
a mistake in some scripting, and he basically, basically blew up the home drives for like 13,000 users.
You know, it's like super bad.
Okay. Well, we're over for today. So thank you much for your time. Thanks for having me.