The latest high-profile cyberattacks targeting Tucson Unified School District in Arizona and Nantucket Public Schools in Massachusetts are just two more examples in a sprawling list reminding districts of their networks’ vulnerabilities and of the need for qualified staff to help.
Finding resources and staff to focus on a school district’s cybersecurity “is so needed because it’s really not a matter of if you will have a cyberattack, it’s a matter of when you will have a cyberattack,” said Clar Rosso, CEO of the International Information System Security Certification Consortium, or (ISC)2, an international nonprofit organization that focuses on cybersecurity on a global scale.
The education sector ranked among the bottom five industries in confidence levels for mitigating cybersecurity risks, according to a recent (ISC)2 cybersecurity workforce study.
Education sector lags in its confidence to mitigate cybersecurity risks
Yet only 21% of districts have a full-time-equivalent employee dedicated to network security, according to the Consortium for School Networking, an association for school technology leaders. Districts often struggle to find resources to boost cybersecurity personnel considering the median salary of a cybersecurity professional in the U.S. is $135,000, the (ISC)2 study found. That compares to the average $65,293 salary for a teacher, according to the National Education Association.
“First of all, K-12 probably pays less, so they have a problem of recruiting and they have a problem of retaining,” said Keith Krueger, CEO of CoSN.
And salary isn't the only stumbling block. “Even if you wanted to hire someone, it’s very difficult to find them,” Krueger said.
Despite these hurdles, cybersecurity experts shared the following approaches to alleviate workforce shortages and address the pressing need for stronger K-12 network security.
Consider training interested teachers
To overcome the difficulty of providing competitive salaries for cybersecurity positions in comparison to the private sector, Rosso said districts can hire entry-level candidates and offer training instead.
And interested teachers could be a good fit for this recruiting strategy, she said.
When Rosso thinks of the skills required of cybersecurity professionals — like teamwork, presentation, problem solving, desire to learn, project management and communication — that describes the abilities of most teachers she knows. This could also give educators a chance to get a decent salary boost, she said.
“There is something to be said for nontraditional sources,” Rosso said. One solution could be people who split their time between the classroom and cybersecurity work, she said.
Still, Krueger said, once a district hires and trains an entry-level cybersecurity professional, it’s rare that they’ll even stay for three years.
For Rosso, three years is plenty.
“If you can get three really good years out of an individual, and that is securing the information and systems for your school and school district — take that,” Rosso said. “It’s OK to rotate them through, because, again, entry-level individuals have shown over and over that they can do the jobs that need to be done that would protect 80% of your information and systems within your school district.”
Outsource to a managed service provider
At Maine Township High School District 207 in Illinois, the school system uses a managed service provider for day-to-day cybersecurity operations like surveillance and mitigation work, said Don Ringelestein, the district’s chief technology officer.
The district relies on a third party, he said, because the job market for cybersecurity professionals is so competitive. For Ringelestein, it doesn’t feel practical to hire for the position at the K-12 level, unless the district that’s hiring is a large one like Los Angeles Unified School District or Chicago Public Schools.
“If we hire entry-level people, we’re not going to be protected to the extent that we’d like to be,” Ringelestein said. “They’ll be with us for two years, gain some skills, and then go make money in the private sector.”
Managed service providers can also offer 24/7 coverage, which one full-time person could not do, he said. This move also makes more sense financially, Ringelestein said, adding that a district could expect to pay between $90,000 and $110,000 annually for a top-tier provider.
Share a CISO among districts
Another option is for districts to pool resources and hire a chief information security officer, or CISO, together, Ringelestein said. This could be a solid alternative if “districts could get on the same page,” he said.
This is also a cost-effective approach, said Amy McLaughlin, a subject matter expert at CoSN and the executive director of Technical and Solutions Architecture at Oregon State University.
Or districts can hire a virtual CISO — someone who can consult with them online — to advise on how to address risks and business impacts of a cybersecurity attack, according to Ringelestein and McLaughlin.
Most important, districts should ensure that backup services are available when working with a shared or virtual CISO, McLaughlin said. This will be crucial if, for example, all five districts need the CISO’s help at the same time, she said.
Be realistic when advertising positions
As districts advertise for cybersecurity positions, they should be careful not to require unattainable experience — like five years — to meet the job qualifications, McLaughlin said. That is especially true for a position with an entry-level salary, she said.
“This is an area where there are hundreds of thousands of unfilled positions, so if you want to get somebody into those roles, you have to stop setting the bar so high that it makes your position undesirable,” McLaughlin said.
Instead, districts should look at what they can offer beyond salary, such as training and benefits, she said. They should also keep an eye out for candidates who are recent college graduates and have lots of training but perhaps little experience.
Tap into higher ed
School leaders can reach out to local vocational schools and colleges that offer IT degrees to offer students studying cybersecurity the opportunity to work for the district, Krueger said. Such a partnership could provide college students with credits, internships or even a part-time job, he said.
Krueger has heard that some districts are already beginning to take this approach. These districts often pitch to higher ed institutions the idea that the opportunity for students to work with K-12 can provide solid cybersecurity experience to help them in their future careers.
“People are going to have to be really creative, because they are vastly understaffed,” Krueger said.