Case Study

Advice for Overwhelmed School IT Staff from a Cybersecurity Pro: Progress, Not Perfection

• By Kristal Kuykendall
• 01/18/22

“Really good cybersecurity management at school districts has very little to do with technology and everything to do with human behavior and leadership,” said Rod Russeau, director of technology and information services for Community High School District 99 in the Chicago suburb of Downers Grove, Ill.

A frequent instructor at cybersecurity and IT workshops around the country, Russeau also serves as chairperson for the Consortium for School Networking’s Cybersecurity Educator Advisory Panel, working with CoSN member schools’ technology personnel and district leaders to improve their network protections and reduce exposure to cyber threats.

During his 45-year career, he’s seen a lot of changes; in his first role, he managed mainframe computers. Then for about 20 years, Russeau worked in software development, managing support, training, and implementations for student information systems and financial information systems for schools.

He joined CSD99 25 years ago, when “email and the internet barely existed,” Russeau said. “We’ve come a long way.”

Nowadays, it seems like the IT cybersecurity landscape is constantly expanding, and school IT departments are overwhelmed, he told THEjournal recently.

“The significance of growth in bad actors — the increase in the attacks and the frequency of the attacks — against schools is alarming,” he said.

Also overwhelming: The “feeding frenzy” of remote-learning solutions marketed to schools at the start of the pandemic, and more recently the cybersecurity solutions being offered, Russeau said.

“Since the pandemic began, vendors have been ramping up their offerings and solutions” far more than ever before, he said. “They’re pitching us this or that whiz-bang software or product, like ‘install this and you’ll be secure.’ It’s hard to know which ones are really efficient.”

Nevertheless, Russeau maintains that the biggest hurdle to an effective K–12 cybersecurity strategy isn’t technical know-how; it’s getting district leaders and decision-makers on board and ensuring communication about cybersecurity goals and best practices permeates every level and every group within the district.

“During my career I’d never emphasized getting certifications but just learned what I needed to do my job,” he said. “Then a few years ago I took a cybersecurity class with CoSN andearned my certification as a Certified Information Security Manager; next I pursued a (Certified Information Systems Security Professional) certification to learn a little more.”

Russeau was “astounded” during the certification coursework by how much emphasis was placed on human behavior and district leadership, he recalled.

“For the CISM certification, I figured that would be the case, but the CISSP is far more technical — and yet it still very much emphasized the critical importance of the district leadership and organizational buy-in,” he said.

After those certifications were completed, Russeau said, he began focusing more within his own district on working with leadership to develop good policies, procedures, and plans for various scenarios, such as an Incident Response Plan, detailing steps for detecting and responding to a cyberattack; a Disaster Response Plan, with steps for resuming normal operations after any kind of incident affecting the network, hardware, or backups; and a Learning Impact Analysis, the education sector’s version of a Business Impact Analysis, wherein leadership decides how long a particular app or IT service can be down before it has a disastrous impact on the district’s operations.

“The first thing cybersecurity efforts should focus on is identifying your risks and determining how you’re going to manage those risks,” he said. “One of the ways we involve senior leadership – and the last thing we need is another committee – is that I formed a committee for this, with senior leaders in our district office participating.”

Bottom line: The more involved district leaders are in deciding the cybersecurity policies, the more they share the accountability for cybersecurity, Russeau said.

“Sure, the technology staff deploys the security controls and solutions — but we do that according to what the district has outlined as ‘here’s level of risk we’re willing to accept,’” he explained. “It’s the organizational leadership that I like to say has accountability for security; they’re not responsible for whether a firewall works, but they set the policies.”

Anyone who touches technology has to own responsibility for a school’s cybersecurity, but “it’s up to us to educate senior leadership on our critical systems and our critical resources, and it’s up to them to tell us the level of risk they’re willing to take. Then we must come up with a solution and a cost to fulfill their policies,” Russeau said.

Advice for the Overwhelmed School IT Staff

For school IT staff who haven’t yet spent much time or resources upgrading their cybersecurity protocols, Russeau has a list of tips:

• Perform a risk assessment and establish a roadmap, and remember to go after the “low-hanging fruit.”
• Aim for progress, not perfect; the IT to-do list can be overwhelming, and “complexity is the enemy of security,” he said.
• Remember the primary goal is managing risk.
• Ensure your leaders understand they, too, are accountable; involve leaders in policy-making and include them in security decisions.
• Identify your critical assets.
• Understand and assess your risks, and evaluate all your resources. Many of the software solutions that schools have in place frequently introduce new features and functions, and many schools have solutions they don’t even know about already accessible to them, Russeau said.
• Work with district leadership to finalize updated policies and plans related to risk management and cybersecurity.
• Educate employees in every department through awareness campaigns and phishing drills, and involve personnel in vetting potential new apps.
• Make sure all data is backed up in multiple locations, including an air-gap copy and a backup that is stored on a separate server with separate credentials and that is off-site.
• Enact top-tier controls, including log management and visibility, multi-factor authentication, hardened configurations, and endpoint detection and response.
• Secure outside expertise such as from a virtual Chief Information Security Officer, or from IT security experts at nonprofits like CoSN, K12SIX, and Center for Internet Security.