Build an Information Security Strategy for K-12 Schools

Create value by aligning your strategy to your school's or district's goals and risks.

Analyst Perspective

Set your security strategy up for success.

Today's rapid pace of change in business innovation and digital transformation is a call to action for information security leaders.

Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

While easy to develop, security plans premised on the need to blindly follow "best practices" are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.

Kate Wood
Practice Lead, Security & Privacy
Info-Tech Research Group

Executive Summary

Info-Tech Insight

The most successful information security strategies are:

• Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
• Risk-aware. They were developed with an understanding that security decisions should be made based on the security risks facing the educational organization, not just on best practice.
• Business-aligned. They show an understanding of the goals and strategies of the organization, and how the security program can support the school or district.

It's not a matter of if you have a security incident, but when

K-12 schools need to expect and prepare for the inevitable security breach.

— Source: [1] K12 SIX, "State of K-12 Cybersecurity: Year in Review 2022"

Info-Tech Insight

Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

An information security strategy can help protect your students and institution

Schools will be impacted by the inevitable security breach.

2.6 million Number of students impacted by ransomware between 2019 and 2021 [1]

Up to 21 days Number of teaching days lost as a result of a cyberattack [1]

2 to 9 months Range of recovery time after a cyberattack [1]

Sources: [1] GAO, "CRITICAL INFRASTRUCTURE PROTECTION Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity"; [2] IBM Security, "Cost of a Data Breach 2022"

Persistent Security Concerns

Lack of Funding
On average, only about 8% or less of the total IT budget is set aside for cybersecurity. Nearly one-fifth of K-12 schools used less than 1% of their IT budget on cybersecurity. [1]

Threat Evolution
According to a report by the Multi-State Information Sharing and Analysis Center (MS-ISAC), approximately 29% of their K-12 members reported being a victim of a cyber attack. [1]

Lack of Process
Of the MS-ISAC's members that are K-12 schools, only 37% reported having an incident response plan. [1]

Inadequate Skills
Only 21% of K-12 schools have an employee who is dedicated to cybersecurity; 33% of schools assign cybersecurity duties as responsibilities for other IT positions. [2]

Emerging Trends

1-to-1 Computing
With Covid 19, many schools and districts have moved to a 1-to-1 computing model, greatly increasing the number of endpoints that schools must manage. About 90% of middle and high schools have at least one device per student. [3]

Sources: [1] Center for Internet Security, "K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year"; [2],CoSN, "Cybersecurity Staffing Resource for K-12", [3] Klein, "During COVID-19, Schools Have Made a Mad Dash to 1-to-1 Computing. What Happens Next?"

Info-Tech's approach

Maturing from reactive to strategic information security

The Info-Tech difference:

1. A proven, structured approach to mature your information security program from reactive to strategic
2. A comprehensive set of tools [1] to take the pain out of each phase in the strategy-building exercise
3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders

[1] Icon indicates Info-Tech tools included in this blueprint

Info-Tech's Security Strategy Model

The Info-Tech difference
An information security strategy model that is:

• Business-aligned – Determines business context and cascades educational goals into security alignment goals
• Risk-aware – Understands the security risks of the business and how these risks intersect with the overall organizational risk tolerance
• Holistic – Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities

Info-Tech's best-of-breed security framework

Info-Tech's approach

Creating an information security strategy

The Info-Tech difference
Evolve the security program to be more proactive by leveraging Info-Tech's approach to building a security strategy.

• Dive deep into security obligations and security pressures to define the business context.
• Conduct a thorough current-state and future-state analysis that is aligned with a best-of-breed framework.
• Prioritize gap-closing initiatives to create a living security strategy roadmap.

Use Info-Tech's blueprint to save one to three months

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical Guided Implementation is between 2 to 12 calls over the course of 4 to 6 months.

What does a typical GI on this topic look like?

Executive Brief Case Study

Kamehameha Schools

• INDUSTRY: Education (K-12)
• SOURCE: Info-Tech Research Group

Kamehameha Schools was founded on October 16, 1884, as a charitable educational trust, through the Last Will of Princess Bernice Pauahi Bishop. Today, Kamehameha Schools provides services to more than 7000 students across three K-12 campuses and 30 preschools in the State of Hawaii.

Situation
Spurred on by the Covid-19 pandemic, Kamehameha Schools started to work toward an IT strategy that put mobility and cloud first, in order to support working from home permanently. They wanted to limit dependency on core infrastructure to protect remote workers and they wanted to facilitate collaboration with external entities. While shifting to working from home, Kamehameha Schools also wanted to ensure security of their financial assets and education functions.

Solution
Kamehameha Schools undertook a Guided Implementation of Info-Tech's Build an Information Security Strategy blueprint. This effort took them through activities to determine the appropriate maturity level for their Information Security program, assess the current state of their security program, and plan steps to close the gaps between the program's current maturity and desired maturity.

Results
When Kamehameha Schools completed their Guided Implementation, they had:

• Assessed 199 security controls for the current and target maturity levels of their security program and developed 21 initiatives to close gaps between their current and target maturity state.
• Prioritized initiatives into a security roadmap that clearly articulated the necessary steps to evolve their current security program. The first wave of initiatives included initiatives to refine security governance structure, evaluate Secure Access Service Edge solutions, and improve data classification awareness and data handling standards.

*Some details have been changed for client privacy.

Phase 1

Assess Security Requirements

This phase will walk you through the following activities:

• 1.1 Define goals and scope of the security strategy.
• 1.2 Assess your organization's current inherent security risks.
• 1.3 Determine your organization's stakeholder pressures for security.
• 1.4 Determine your organization's risk tolerance.
• 1.5 Establish your security target state.

1.1 Define the goals of your security strategy

Input: Educational and IT strategies
Output: Your goals for the security strategy; High-level understanding of recent threats and incidents
Materials: Laptop; Projector
Participants: Security Team; IT Leadership; Stakeholders; Risk Management; Compliance; Legal

Estimated Time: 1-2 hours

1. As a group, brainstorm the primary and secondary goals of the organization.
   1. Review relevant educational and IT strategies.
   2. Review the business goal definitions in the Information Security Requirements Gathering Tool, including the key goal indicator metrics.
2. Record the most important business goals in the Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than two primary goals and no more than three secondary goals. This limitation will be critical to helping prioritize your security roadmap later.
3. For each business goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified business goals.

Download the Information Security Requirements Gathering Tool

Analyze your goals

Identifying goals is the first step in aligning your strategy with your organization's vision.

• Security leaders need to understand the direction of the educational organization.
• Wise security investments depend on aligning your security initiatives to the educational objectives.
• Information security should contribute to your organization's objectives by supporting operational performance, upholding the reputation of the school or district, and meeting the expectations of stakeholders.
  • For example, if your organization is working on a new initiative that requires handling credit-card payments, the security organization needs to know as soon as possible to ensure that the security strategy will enable your organization to be PCI compliant.
• If a well-defined business strategy exists, use this to describe existing goals.
• If organizational goals cannot be identified, use educational goals instead.
• If a well-defined business strategy does not exist, these questions can help you pinpoint objectives:
  • What is the message being delivered by the Board of Directors, superintendents, or other senior leadership?
  • What are the main themes of investments and projects?
  • What criteria are the senior leaders measured on?

Info-Tech Insight

Developing a security strategy is a proactive activity that enables you to get in front of any upcoming projects or industry trends, rather than having to respond reactively later. Make sure you consider as many foreseeable variables as possible.

1.1.1 Record your business goals

Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.

A common challenge for security leaders is how to express their initiatives in terms that are meaningful to non-security executives. This exercise helps make an explicit link between what the school cares about and what security is trying to accomplish.

1.1.2 Review your goals cascade

Estimated Time: 15 minutes

1. When you have completed the goals cascade, you can review a graphic diagram that illustrates your goals. The graphic is found on the Results tab of the Information Security Requirements Gathering Tool.
   • Security must support the primary business objectives. A strong security program will enable the organization to function in new and creative ways, rather than simply acting as an obstacle.
   • Failure to meet business obligations can result in operational problems, impacting the organization's ability to function and the organization's bottom line.
2. Once you have reviewed the diagram, copy it into the Information Security Strategy Communication Deck.