Industry Coverage icon

Build an Information Security Strategy for K-12 Schools

Create value by aligning your strategy to your school’s or district’s goals and risks.

Unlock a Free Sample
  • Many K-12 schools struggle to decide how best to prioritize their scarce information security resources and lean budgets.
  • The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.
  • It can be difficult to strike a balance between academic freedom and a reasonable amount of control over IT resources.

Our Advice

Critical Insight

The most successful information security strategies are:

  • Holistic. They consider the full spectrum of information security,
    including people, processes, and technologies.
  • Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
  • Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the school or district.

Impact and Result

  • Gain knowledge of organizational pressures and the drivers behind them.
  • Achieve insight into stakeholder goals and obligations.
  • Determine security risk tolerance and baseline.
  • Develop a comprehensive knowledge of security current state and summary initiatives required to achieve security objectives.

Build an Information Security Strategy for K-12 Schools Research & Tools

1. Build an Information Security Strategy for K-12 – A step-by-step document that helps you build a holistic, risk-based, and business-aligned IS strategy.

Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context. Use this storyboard to augment your security strategy by ensuring alignment with business objectives, assessing your organization's risk and stakeholder expectations, understanding your current security state, and prioritizing initiatives and a security roadmap.

2. Information Security Requirements Gathering Tool for K-12 – A tool to make informed security risk decisions to support business needs.

Use this tool to formally identify goals and stakeholder and compliance obligations and make explicit links to how security initiatives propose to support these interests. Then define the scope and boundaries for the security strategy and the risk tolerance definitions that will guide future security risk decisions.

3. Information Security Pressure Analysis Tool – An evaluation tool to invest in the right security functions using a pressure analysis approach.

Security pressure posture analysis helps your organization assess your real security context and enables you to invest in the right security functions while balancing the cost and value in alignment with business strategies. Security pressure sets the baseline that will help you avoid over-investing or under-investing in your security functions.

4. Information Security Program Gap Analysis Tool – A structured tool to systematically understand your current security state.

Effective security planning should not be one size fits all – it must consider business alignment, security benefit, and resource cost. To enable an effective security program, all areas of security need to be evaluated closely to determine where the organization sits currently and where it needs to go in the future.

5. Information Security Strategy Communication Deck for K-12 – A best-of-breed presentation document to build a clear, concise, and compelling strategy document.

Use this communication deck template to present the results of the security strategy to stakeholders, demonstrate the progression from the current state to the future state, and establish the roadmap of the security initiatives that will be implemented. This information security communication deck will help ensure that you’re communicating effectively for your cause.

6. Information Security Charter – An essential document for defining the scope and purpose of a security project or program.

A charter is an essential document for defining the scope and purpose of security. Without a charter to control and set clear objectives for this committee, the responsibility of security governance initiatives will likely be undefined within the enterprise, preventing the security governance program from operating efficiently. This template can act as the foundation for a security charter to provide guidance to the governance of information security.

Unlock a Free Sample

Build an Information Security Strategy for K-12 Schools

Create value by aligning your strategy to your school's or district's goals and risks.

Analyst Perspective

Set your security strategy up for success.

Today's rapid pace of change in business innovation and digital transformation is a call to action for information security leaders.

Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

While easy to develop, security plans premised on the need to blindly follow "best practices" are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.

Photo of Kate Wood
Kate Wood
Practice Lead, Security & Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

Many K-12 schools struggle to decide how best to prioritize their scarce information security resources and lean budgets.

The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.

It can be difficult to strike a balance between academic freedom and a reasonable amount of control over IT resources.

Common Obstacles

Developing a security strategy can be challenging. Complications include the following:

  • Accurately assessing your current security program can be extremely difficult when you do not know what to assess or how.
  • Determining the appropriate target state for security can be even more challenging.
  • A strategy built around following best practices is unlikely to garner significant support from teachers and administrators.

Info-Tech's Approach

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for 7+ years with hundreds of organizations.

This unique approach includes tools for:

  • Ensuring alignment with business objectives.
  • Assessing organizational risk and stakeholder expectations.
  • Enabling a comprehensive current state assessment.
  • Prioritizing initiatives and building out a security roadmap.

Info-Tech Insight

The most successful information security strategies are:

  • Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
  • Risk-aware. They were developed with an understanding that security decisions should be made based on the security risks facing the educational organization, not just on best practice.
  • Business-aligned. They show an understanding of the goals and strategies of the organization, and how the security program can support the school or district.

It's not a matter of if you have a security incident, but when

K-12 schools need to expect and prepare for the inevitable security breach.


The number of publicly disclosed incidents affecting public education organizations between 2016 and 2021, with anecdotal evidence indicating that nondisclosed incidents may be 10 to 20 times greater [1]


The number of ransomware incidents publicly disclosed by K-12 education organizations in 2021 [1]


The number of public education organizations that experienced two or more cyber incidents [1]

A diagram that shows Causes of Data Breach Between 2016 and 2021
— Source: [1] K12 SIX, "State of K-12 Cybersecurity: Year in Review 2022"

Info-Tech Insight

Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

An information security strategy can help protect your students and institution

Schools will be impacted by the inevitable security breach.

2.6 million Number of students impacted by ransomware between 2019 and 2021 [1]

Up to 21 days Number of teaching days lost as a result of a cyberattack [1]

2 to 9 months Range of recovery time after a cyberattack [1]

A diagram that shows Average Cost of a Data Breach for Education

Sources: [1] GAO, "CRITICAL INFRASTRUCTURE PROTECTION Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity"; [2] IBM Security, "Cost of a Data Breach 2022"

Persistent Security Concerns

Lack of Funding
On average, only about 8% or less of the total IT budget is set aside for cybersecurity. Nearly one-fifth of K-12 schools used less than 1% of their IT budget on cybersecurity. [1]

Threat Evolution
According to a report by the Multi-State Information Sharing and Analysis Center (MS-ISAC), approximately 29% of their K-12 members reported being a victim of a cyber attack. [1]

Lack of Process
Of the MS-ISAC's members that are K-12 schools, only 37% reported having an incident response plan. [1]

Inadequate Skills
Only 21% of K-12 schools have an employee who is dedicated to cybersecurity; 33% of schools assign cybersecurity duties as responsibilities for other IT positions. [2]

Emerging Trends

1-to-1 Computing
With Covid 19, many schools and districts have moved to a 1-to-1 computing model, greatly increasing the number of endpoints that schools must manage. About 90% of middle and high schools have at least one device per student. [3]

Sources: [1] Center for Internet Security, "K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year"; [2],CoSN, "Cybersecurity Staffing Resource for K-12", [3] Klein, "During COVID-19, Schools Have Made a Mad Dash to 1-to-1 Computing. What Happens Next?"

New threat trends in information security are not new.

Previously understood attacks are simply an evolution of prior implementations, not a revolution.

Traditionally, most organizations are not doing a good enough job with security fundamentals, which is why attackers have been able to use the same old tricks.

However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.

Info-Tech's approach

Maturing from reactive to strategic information security

A diagram that shows Reactive Security and Strategic Security

The Info-Tech difference:

  1. A proven, structured approach to mature your information security program from reactive to strategic
  2. A comprehensive set of tools [1] to take the pain out of each phase in the strategy-building exercise
  3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders

[1] Icon indicates Info-Tech tools included in this blueprint
A tool icon

Info-Tech's Security Strategy Model

A diagram that shows Info-Tech's Security Strategy Model

The Info-Tech difference
An information security strategy model that is:

  • Business-aligned – Determines business context and cascades educational goals into security alignment goals
  • Risk-aware – Understands the security risks of the business and how these risks intersect with the overall organizational risk tolerance
  • Holistic – Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities

Info-Tech's best-of-breed security framework

A diagram that shows Info-Tech's best-of-breed security framework

Info-Tech's approach

Creating an information security strategy

A diagram that shows security strategy

The Info-Tech difference
Evolve the security program to be more proactive by leveraging Info-Tech's approach to building a security strategy.

  • Dive deep into security obligations and security pressures to define the business context.
  • Conduct a thorough current-state and future-state analysis that is aligned with a best-of-breed framework.
  • Prioritize gap-closing initiatives to create a living security strategy roadmap.

Use Info-Tech's blueprint to save one to three months

A diagram that shows how Info-Tech's blueprint save time and effort

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Photo of Information Security Strategy Communication Deck

Key deliverable: Information Security Strategy Communication Deck

Present your findings in a prepopulated document that can summarizes all key findings of the blueprint.

Photo of Information Security Requirements Gathering Tool

Information Security Requirements Gathering Tool

Define the institution, students, and compliance alignment for your security program.

Photo of Information Security Pressure Analysis Tool

Information Security Pressure Analysis Tool

Determine your organization's security pressures and ability to tolerate risk.

Photo of Information Security Program Gap Analysis Tool

Information Security Program Gap Analysis Tool

Use our best-of-breed security framework to perform a gap analysis between your current and target states.

Photo of Information Security Charter

Information Security Charter

Ensure the development and management of your security policies meet the broader program vision.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical Guided Implementation is between 2 to 12 calls over the course of 4 to 6 months.

What does a typical GI on this topic look like?

A diagram that shows Guided Implementation in 4 phases.

Workshop overview

Day 1: Assess Security Requirements

1.1 Understand business and IT strategy and plans
1.2 Define business and compliance requirements
1.3 Establish the security program scope
1.4 Analyze the organization's risks and stakeholder pressures
1.5 Identify the organizational risk tolerance level

1. Security obligations statement
2. Security scope and boundaries statement
3. Defined risk tolerance level
4. Risk assessment and pressure analysis

Day 2: Perform a Gap Analysis

2.1 Define the information security target state
2.2 Assess current security capabilities
2.3 Identify security gaps
2.4 Build initiatives to bridge the gaps

1. Information security target state
2. Security current state assessment
3. Initiatives to address gaps

Day 3: Complete the Gap Analysis

3.1 Continue assessing current security capabilities
3.2 Identify security gaps
3.3 Build initiatives to bridge the maturity gaps
3.4 Identify initiative list and task list
3.5 Define criteria to be used to prioritize initiatives

1. Completed security current state assessment
2. Task list to address gaps
3. Initiative list to address gaps
4. Prioritization criteria

Day 4: Develop Roadmap

4.1 Conduct cost/benefit analysis on initiatives
4.2 Prioritize gap initiatives based on cost, time, and alignment with the business
4.3 Build effort map
4.4 Determine start times and accountability
4.5 Finalize security roadmap and action plan
4.6 Create communication plan

1. Information security roadmap
2. Draft communication deck

Day 5: Communicate and Implement

5.1 Finalize deliverables
5.2 Support communication efforts
5.3 Identify resources in support of priority initiatives

1. Security strategy roadmap documentation
2. Detailed cost and effort estimates
3. Mapping of Info-Tech resources against individual initiatives

Contact your account representative for more information.

Executive Brief Case Study

Kamehameha Schools

Logo of Kamehameha Schools

  • INDUSTRY: Education (K-12)
  • SOURCE: Info-Tech Research Group

Kamehameha Schools was founded on October 16, 1884, as a charitable educational trust, through the Last Will of Princess Bernice Pauahi Bishop. Today, Kamehameha Schools provides services to more than 7000 students across three K-12 campuses and 30 preschools in the State of Hawaii.

Spurred on by the Covid-19 pandemic, Kamehameha Schools started to work toward an IT strategy that put mobility and cloud first, in order to support working from home permanently. They wanted to limit dependency on core infrastructure to protect remote workers and they wanted to facilitate collaboration with external entities. While shifting to working from home, Kamehameha Schools also wanted to ensure security of their financial assets and education functions.

Kamehameha Schools undertook a Guided Implementation of Info-Tech's Build an Information Security Strategy blueprint. This effort took them through activities to determine the appropriate maturity level for their Information Security program, assess the current state of their security program, and plan steps to close the gaps between the program's current maturity and desired maturity.

When Kamehameha Schools completed their Guided Implementation, they had:

  • Assessed 199 security controls for the current and target maturity levels of their security program and developed 21 initiatives to close gaps between their current and target maturity state.
  • Prioritized initiatives into a security roadmap that clearly articulated the necessary steps to evolve their current security program. The first wave of initiatives included initiatives to refine security governance structure, evaluate Secure Access Service Edge solutions, and improve data classification awareness and data handling standards.

*Some details have been changed for client privacy.

Phase 1

Assess Security Requirements

A diagram that shows phase 1 to 4.

This phase will walk you through the following activities:

  • 1.1 Define goals and scope of the security strategy.
  • 1.2 Assess your organization's current inherent security risks.
  • 1.3 Determine your organization's stakeholder pressures for security.
  • 1.4 Determine your organization's risk tolerance.
  • 1.5 Establish your security target state.

1.1 Define the goals of your security strategy

Input: Educational and IT strategies
Output: Your goals for the security strategy; High-level understanding of recent threats and incidents
Materials: Laptop; Projector
Participants: Security Team; IT Leadership; Stakeholders; Risk Management; Compliance; Legal

Estimated Time: 1-2 hours

  1. As a group, brainstorm the primary and secondary goals of the organization.
    1. Review relevant educational and IT strategies.
    2. Review the business goal definitions in the Information Security Requirements Gathering Tool, including the key goal indicator metrics.
  2. Record the most important business goals in the Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than two primary goals and no more than three secondary goals. This limitation will be critical to helping prioritize your security roadmap later.
  3. For each business goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified business goals.

Download the Information Security Requirements Gathering Tool

Analyze your goals

Identifying goals is the first step in aligning your strategy with your organization's vision.

  • Security leaders need to understand the direction of the educational organization.
  • Wise security investments depend on aligning your security initiatives to the educational objectives.
  • Information security should contribute to your organization's objectives by supporting operational performance, upholding the reputation of the school or district, and meeting the expectations of stakeholders.
    • For example, if your organization is working on a new initiative that requires handling credit-card payments, the security organization needs to know as soon as possible to ensure that the security strategy will enable your organization to be PCI compliant.
  • If a well-defined business strategy exists, use this to describe existing goals.
  • If organizational goals cannot be identified, use educational goals instead.
  • If a well-defined business strategy does not exist, these questions can help you pinpoint objectives:
    • What is the message being delivered by the Board of Directors, superintendents, or other senior leadership?
    • What are the main themes of investments and projects?
    • What criteria are the senior leaders measured on?

Info-Tech Insight

Developing a security strategy is a proactive activity that enables you to get in front of any upcoming projects or industry trends, rather than having to respond reactively later. Make sure you consider as many foreseeable variables as possible.

1.1.1 Record your business goals

Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.

A diagram that shows how to record business goals

A common challenge for security leaders is how to express their initiatives in terms that are meaningful to non-security executives. This exercise helps make an explicit link between what the school cares about and what security is trying to accomplish.

Build an Information Security Strategy for K-12 Schools preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Assess security requirements
  • Call 1: Introduce project and complete pressure analysis.

Guided Implementation 2: Build a gap initiative strategy
  • Call 1: Introduce the maturity assessment.
  • Call 2: Perform gap analysis and translate into initiatives.
  • Call 3: Consolidate related gap initiatives and define, cost, effort, alignment, and security benefits.

Guided Implementation 3: Prioritize initiatives and roadmap
  • Call 1: Review cost/benefit analysis and build an effort map.
  • Call 2: Build implementation waves and introduce Gantt chart.

Guided Implementation 4: Execute and maintain
  • Call 1: Review Gantt chart and ensure budget/buy-in support.
  • Call 2: Three-month check-in: Execute and maintain.


Kate Wood

Bob Wilson


  • Peter Clay, Zeneth Tech Partners, Principal
  • Ken Towne, Zeneth Tech Partners, Security Architect
  • Luciano Siqueria, Road Track, IT Security Manager
  • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
  • Rick Vadgama, Cimpress, Head of Information Privacy and Security
  • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
  • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
  • Trevor Butler, City of Lethbridge, Information Technology General Manager
  • Shane Callahan, Tractor Supply, Director of Information Security
  • Jeff Zalusky, Chrysalis, President/CEO
  • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
  • Dan Humbert, YMCA of Central Florida, Director of Information Technology
  • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
  • Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
  • Joan Middleton, Village of Mount Prospect, IT Director
  • Jim Burns, Great America Financial Services, Vice President Information Technology
  • Ryan Breed, Hudson’s Bay, Information Security Analyst
  • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems
Bobbie Bastian, Adams 12 Five Star Schools – Bollman Technical Education Center, Computer Science Instructor
Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019