Frankie Jackson, project director for a group of ed-tech organizations called the Cybersecurity Coalition for Education (CCE) and a former technology administrator for large districts in Texas, challenged audience members at the International Society for Technology in Education’s ISTELive 23 conference in Philadelphia to “defend your school like a pro.” Then, through her presentation about a new K-12 cybersecurity framework that draws from the National Institute of Standards and Technology and other sources, Jackson showed them how to do it.
The framework, listed on cybersecurityrubric.org, has been in place for about three months now, but presumably some school administrators across the nation are not aware of it. The project was prompted by feedback from ed-tech professionals who annually list cybersecurity as their most serious concern and highest priority. They also complained about the skyrocketing costs of cybersecurity insurance.
“You can throw good money after bad money at the problem, but the reality is … we need a road map of improvement starting from where we are,” Jackson said.
In addition to the rubric, CCE also published free self-assessment training and scoring guidelines, plus a certified cybersecurity evaluator program consisting of an online training module and a test to obtain credentials for $99.
CCE’s rubric outlines five function levels at which schools can assess their progress, or lack of it, in being ready for cyber attacks: (1) Initial, with little to no efforts made yet; (2) Repeatable, in which a plan is in place, but only in the early stages; (3) Defined, with a standard process in place; (4) Managed, with a well-established defense system that is proactively monitored; and (5) Optimal, indicating no improvements needed. The rubric uses 23 categories to score districts and determine their function level.
Since the rubric was released in March, 600 school districts completed the self-assessment trainings, and 500 more are in the process, Jackson said. So far, the average district score is 1.7, meaning schools need significant improvements in cybersecurity, she said, adding that she is optimistic that schools will approach level 3 (Defined) within the next year.
“But we would love to see some leaders that are at level 4 or level 5,” she said. “This goes on in business and industry. Why wouldn’t we do it in education?”
Keith Price, technology director for Vestavia Hills City Schools in Alabama, is among the 600 school leaders who completed the training and is using the rubric to improve school cybersecurity. His district scored a 2.5 in the self-assessments and is working toward reaching level 3. He also took the cybersecurity evaluator training and earned the credential, which will allow him to help with other evaluations at other districts. CCE encourages schools to work together in this process.
“What educator doesn’t love a rubric? What educator doesn’t love the thought of continuous improvement?” Price said. “This really gives you a model, so you know what to do to get to the next level.”