Cybersecurity: Prioritizing What Matters for Ed Tech Leaders

Don Ringelestein, Executive Director of Technology, Yorkville CUSD #115

Cybersecurity has long been a crucial issue for educational technology leaders. CoSN’s State of Ed Tech Leadership reports have consistently highlighted it as one of their top concerns. In response, a robust market of ed tech vendors offers tools—both hardware and software—to ease these concerns. However, the real question lies in how districts prioritize cybersecurity investments and whether these tools address the actual security needs of the district. Are districts investing in solutions that ultimately don't protect what’s important, or are they safeguarding assets that don’t need protection?

Let me share a personal experience to illustrate this. In a previous district where I worked, although I wasn’t the ed tech leader, I observed that cable locks were installed on all the classroom projectors to prevent theft after a few had been stolen. However, when reflecting on the cost-benefit of this decision, it became apparent that the district had invested a significant sum to secure all projectors, even though only a handful had been stolen. The cost of securing all projectors far outweighed the expense of replacing the few that had been stolen. In the end, the district was protecting projectors simply for the sake of it, rather than evaluating whether the expense was justified.

“The key takeaway for technology leaders is to ensure that the risks are properly understood and prioritized before making investments”

While this may be an extreme example, it underscores a key point: not all assets need to be protected just for the sake of protection. Assets that require safeguarding directly support the district’s mission of educating students and supporting staff and families. This leads to the next question: How do districts identify critical systems, and once they do, what steps should be taken to protect them?

Certain cybersecurity measures are non-negotiable. Every district must ensure that their computers—from servers to student devices—are equipped with endpoint protection. There are several effective software and hardware solutions for this, and these investments are essential. Similarly, firewalls that separate district systems from the internet are another mandatory expense. These are the basic requirements—what we might call "table stakes" in the cybersecurity game—and districts must make these investments.

Beyond the basics, more advanced systems and methods can further enhance a district’s security. However, these must be weighed carefully on a cost-benefit basis. The key issue here goes beyond the technology department. Before purchasing a new high-tech system or investing in an offsite disaster recovery center that promises 99.9 percent uptime, the district should assess its risks and determine its risk tolerance.

This assessment must involve the entire leadership team, not just the tech department. Decisions about risks—and how to manage them—belong to the district’s leadership, including the superintendent. The role of the tech leader is to help identify risks, and only then can the team decide on mitigation strategies, whether through technology, process changes, risk transfer (such as insurance), or simply accepting the risk. These decisions must involve all stakeholders, as everyone has a stake in the outcomes and must support the final choices.

Only at this point should decisions be made about specific tools—whether it's cybersecurity hardware, software, or staff training systems. The key takeaway for technology leaders is to ensure that the risks are properly understood and prioritized before making investments. This prevents us from making the mistake of buying 300 projector locks because five projectors were stolen and ensures that our security decisions align with the district’s true needs.

AI

Storage

Predictive Analytics

Learning Management

Test

Marketing

Educational Technology

Disaster Recovery