- Many K-12 schools struggle to decide how best to prioritize their scarce information security resources and lean budgets.
- The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.
- It can be difficult to strike a balance between academic freedom and a reasonable amount of control over IT resources.
Our Advice
Critical Insight
The most successful information security strategies are:
- Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
- Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
- Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the school or district.
Impact and Result
- Gain knowledge of organizational pressures and the drivers behind them.
- Achieve insight into stakeholder goals and obligations.
- Determine security risk tolerance and baseline.
- Develop a comprehensive knowledge of security current state and summary initiatives required to achieve security objectives.
Build an Information Security Strategy for K-12 Schools
Create value by aligning your strategy to your school's or district's goals and risks.
Analyst Perspective
Set your security strategy up for success.
Today's rapid pace of change in business innovation and digital transformation is a call to action for information security leaders.
Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.
While easy to develop, security plans premised on the need to blindly follow "best practices" are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.
Kate Wood
Practice Lead, Security & Privacy
Info-Tech Research Group
Executive Summary
Your Challenge
Many K-12 schools struggle to decide how best to prioritize their scarce information security resources and lean budgets. The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear. It can be difficult to strike a balance between academic freedom and a reasonable amount of control over IT resources.
Common Obstacles
Developing a security strategy can be challenging. Complications include the following:
Info-Tech's Approach
Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for 7+ years with hundreds of organizations. This unique approach includes tools for:
Info-Tech Insight
The most successful information security strategies are:
- Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
- Risk-aware. They were developed with an understanding that security decisions should be made based on the security risks facing the educational organization, not just on best practice.
- Business-aligned. They show an understanding of the goals and strategies of the organization, and how the security program can support the school or district.
It's not a matter of if you have a security incident, but when
K-12 schools need to expect and prepare for the inevitable security breach.
- 1,331: the number of publicly disclosed incidents affecting public education organizations between 2016 and 2021, with anecdotal evidence indicating that nondisclosed incidents may be 10 to 20 times greater. [1]
- 62: the number of ransomware incidents publicly disclosed by K-12 education organizations in 2021. [1]
- 155: the number of public education organizations that experienced two or more cyber incidents. [1]
Source: [1] K12 SIX, "State of K-12 Cybersecurity: Year in Review 2022"
Info-Tech Insight
Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.
An information security strategy can help protect your students and institution
Schools will be impacted by the inevitable security breach.
- 2.6 million: the number of students impacted by ransomware between 2019 and 2021. [1]
- Up to 21 days: the number of teaching days lost as a result of a cyberattack. [1]
- 2 to 9 months: the range of recovery time after a cyberattack. [1]
Sources: [1] GAO, "CRITICAL INFRASTRUCTURE PROTECTION Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity"; [2] IBM Security, "Cost of a Data Breach 2022"
Persistent Security Concerns
Lack of Funding
On average, no more than about 8% of the total IT budget is set aside for cybersecurity. Nearly one-fifth of K-12 schools spent less than 1% of their IT budget on cybersecurity. [1]
Threat Evolution
According to a report by the Multi-State Information Sharing and Analysis Center (MS-ISAC), approximately 29% of its K-12 members reported being the victim of a cyberattack. [1]
Lack of Process
Of the MS-ISAC's members that are K-12 schools, only 37% reported having an incident response plan. [1]
Inadequate Skills
Only 21% of K-12 schools have an employee who is dedicated to cybersecurity; 33% of schools assign cybersecurity duties as responsibilities for other IT positions. [2]
Emerging Trends
1-to-1 Computing
With COVID-19, many schools and districts have moved to a 1-to-1 computing model, greatly increasing the number of endpoints that schools must manage. About 90% of middle and high schools have at least one device per student. [3]
Sources: [1] Center for Internet Security, "K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year"; [2] CoSN, "Cybersecurity Staffing Resource for K-12"; [3] Klein, "During COVID-19, Schools Have Made a Mad Dash to 1-to-1 Computing. What Happens Next?"
The "new" threat trends in information security are not actually new. Today's attacks are an evolution of earlier ones, not a revolution. Most organizations have historically not done a good enough job with security fundamentals, which is why attackers have been able to keep using the same old tricks. Information security has, however, finally caught the attention of organizational leaders, presenting an opportunity to implement a comprehensive security program.
Info-Tech's approach
Maturing from reactive to strategic information security
The Info-Tech difference:
- A proven, structured approach to mature your information security program from reactive to strategic
- A comprehensive set of tools [1] to take the pain out of each phase in the strategy-building exercise
- Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders
[1] Icon indicates Info-Tech tools included in this blueprint
Info-Tech's Security Strategy Model
The Info-Tech difference
An information security strategy model that is:
- Business-aligned – Determines business context and cascades educational goals into security alignment goals
- Risk-aware – Understands the security risks of the business and how these risks intersect with the overall organizational risk tolerance
- Holistic – Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities
Info-Tech's best-of-breed security framework
Info-Tech's approach
Creating an information security strategy
The Info-Tech difference
Evolve the security program to be more proactive by leveraging Info-Tech's approach to building a security strategy.
- Dive deep into security obligations and security pressures to define the business context.
- Conduct a thorough current-state and future-state analysis that is aligned with a best-of-breed framework.
- Prioritize gap-closing initiatives to create a living security strategy roadmap.
Use Info-Tech's blueprint to save one to three months
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
- Key deliverable: Information Security Strategy Communication Deck. Present your findings in a prepopulated document that summarizes all key findings of the blueprint.
- Information Security Requirements Gathering Tool. Define the institution, students, and compliance alignment for your security program.
- Information Security Pressure Analysis Tool. Determine your organization's security pressures and ability to tolerate risk.
- Information Security Program Gap Analysis Tool. Use our best-of-breed security framework to perform a gap analysis between your current and target states.
- Information Security Charter. Ensure the development and management of your security policies meet the broader program vision.
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all four options.
Guided Implementation
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical Guided Implementation is between 2 and 12 calls over the course of 4 to 6 months.
What does a typical GI on this topic look like?
Workshop overview
Day 1: Assess Security Requirements
Activities
1.1 Understand business and IT strategy and plans
1.2 Define business and compliance requirements
1.3 Establish the security program scope
1.4 Analyze the organization's risks and stakeholder pressures
1.5 Identify the organizational risk tolerance level
Deliverables
1. Security obligations statement
2. Security scope and boundaries statement
3. Defined risk tolerance level
4. Risk assessment and pressure analysis
Day 2: Perform a Gap Analysis
Activities
2.1 Define the information security target state
2.2 Assess current security capabilities
2.3 Identify security gaps
2.4 Build initiatives to bridge the gaps
Deliverables
1. Information security target state
2. Security current state assessment
3. Initiatives to address gaps
Day 3: Complete the Gap Analysis
Activities
3.1 Continue assessing current security capabilities
3.2 Identify security gaps
3.3 Build initiatives to bridge the maturity gaps
3.4 Identify initiative list and task list
3.5 Define criteria to be used to prioritize initiatives
Deliverables
1. Completed security current state assessment
2. Task list to address gaps
3. Initiative list to address gaps
4. Prioritization criteria
Day 4: Develop Roadmap
Activities
4.1 Conduct cost/benefit analysis on initiatives
4.2 Prioritize gap initiatives based on cost, time, and alignment with the business
4.3 Build effort map
4.4 Determine start times and accountability
4.5 Finalize security roadmap and action plan
4.6 Create communication plan
Deliverables
1. Information security roadmap
2. Draft communication deck
Day 5: Communicate and Implement
Activities
5.1 Finalize deliverables
5.2 Support communication efforts
5.3 Identify resources in support of priority initiatives
Deliverables
1. Security strategy roadmap documentation
2. Detailed cost and effort estimates
3. Mapping of Info-Tech resources against individual initiatives
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
Executive Brief Case Study
Kamehameha Schools
- INDUSTRY: Education (K-12)
- SOURCE: Info-Tech Research Group
Kamehameha Schools was founded on October 16, 1884, as a charitable educational trust, through the Last Will of Princess Bernice Pauahi Bishop. Today, Kamehameha Schools provides services to more than 7000 students across three K-12 campuses and 30 preschools in the State of Hawaii.
Situation
Spurred on by the COVID-19 pandemic, Kamehameha Schools started to work toward an IT strategy that put mobility and cloud first, in order to support working from home permanently. They wanted to limit dependency on core infrastructure to protect remote workers, and they wanted to facilitate collaboration with external entities. While shifting to working from home, Kamehameha Schools also wanted to ensure the security of their financial assets and education functions.
Solution
Kamehameha Schools undertook a Guided Implementation of Info-Tech's Build an Information Security Strategy blueprint. This effort took them through activities to determine the appropriate maturity level for their Information Security program, assess the current state of their security program, and plan steps to close the gaps between the program's current maturity and desired maturity.
Results
When Kamehameha Schools completed their Guided Implementation, they had:
- Assessed 199 security controls for the current and target maturity levels of their security program and developed 21 initiatives to close gaps between their current and target maturity state.
- Prioritized initiatives into a security roadmap that clearly articulated the necessary steps to evolve their current security program. The first wave included initiatives to refine the security governance structure, evaluate Secure Access Service Edge solutions, and improve data classification awareness and data handling standards.
*Some details have been changed for client privacy.
Phase 1
Assess Security Requirements
This phase will walk you through the following activities:
- 1.1 Define goals and scope of the security strategy.
- 1.2 Assess your organization's current inherent security risks.
- 1.3 Determine your organization's stakeholder pressures for security.
- 1.4 Determine your organization's risk tolerance.
- 1.5 Establish your security target state.
1.1 Define the goals of your security strategy
Input: Educational and IT strategies
Output: Your goals for the security strategy; High-level understanding of recent threats and incidents
Materials: Laptop; Projector
Participants: Security Team; IT Leadership; Stakeholders; Risk Management; Compliance; Legal
Estimated Time: 1-2 hours
- As a group, brainstorm the primary and secondary goals of the organization.
- Review relevant educational and IT strategies.
- Review the business goal definitions in the Information Security Requirements Gathering Tool, including the key goal indicator metrics.
- Record the most important business goals in the Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than two primary goals and no more than three secondary goals. This limitation will be critical to helping prioritize your security roadmap later.
- For each business goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified business goals.
Download the Information Security Requirements Gathering Tool
Analyze your goals
Identifying goals is the first step in aligning your strategy with your organization's vision.
- Security leaders need to understand the direction of the educational organization.
- Wise security investments depend on aligning your security initiatives to the educational objectives.
- Information security should contribute to your organization's objectives by supporting operational performance, upholding the reputation of the school or district, and meeting the expectations of stakeholders.
- For example, if your organization is working on a new initiative that requires handling credit-card payments, the security organization needs to know as soon as possible to ensure that the security strategy will enable your organization to be PCI compliant.
- If a well-defined business strategy exists, use this to describe existing goals.
- If organizational goals cannot be identified, use educational goals instead.
- If a well-defined business strategy does not exist, these questions can help you pinpoint objectives:
- What is the message being delivered by the Board of Directors, superintendents, or other senior leadership?
- What are the main themes of investments and projects?
- What criteria are the senior leaders measured on?
Info-Tech Insight
Developing a security strategy is a proactive activity that enables you to get in front of any upcoming projects or industry trends, rather than having to respond reactively later. Make sure you consider as many foreseeable variables as possible.
1.1.1 Record your business goals
Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.
A common challenge for security leaders is how to express their initiatives in terms that are meaningful to non-security executives. This exercise helps make an explicit link between what the school cares about and what security is trying to accomplish.