Risk Ownership and Decision-Making in K-12 Cybersecurity Programs

Don Ringelestein, Executive Director of Technology, Yorkville CUSD #115

Risk assessments are fundamental to any cybersecurity program. The reason is simple: districts need to understand their risks, identify which systems and data are most important, and determine how to address those risks. Once risks have been assessed and decisions are made about how to respond to them, cybersecurity programs can be designed to manage those risks appropriately.

Risk is typically calculated as a function of vulnerabilities and the likelihood that those vulnerabilities will be exploited. Vulnerabilities can be physical—such as the risk of flooding in a data center, unauthorized physical access to sensitive equipment, or fire. Others are technical or administrative, such as improper system configurations or users having unnecessary access to sensitive data and applications.

The likelihood of a vulnerability being exploited ranges from the highly improbable (e.g., a comet strike) to the almost inevitable (e.g., successful phishing attacks). Other risks—such as natural disasters, power outages, cyberattacks, or user error (like accidentally sharing sensitive data via Google Docs)—fall along this spectrum. Risk, then, is a combination of vulnerabilities and the likelihood that the vulnerability will be manifested.

The next critical question is: which risks need to be addressed, and how?

It's essential to distinguish between which risks a district chooses to address (a strategic decision) and how those risks are addressed (an operational decision). Only after the senior leaders in a school district decide what to prioritize can the tech team implement measures to mitigate those risks.

This leads to a fundamental governance question: who is responsible for each aspect of risk management? Should strategic leaders decide how to reduce risks? Should the operational team choose which risks to address? While both strategic and operational components are vital to a robust risk management program, clarity is needed around roles and responsibilities.

At its core, the issue is one of risk ownership. Who determines which risks to avoid, accept, mitigate, or transfer (e.g., through insurance)?

This ownership resides at the highest level of leadership. Deciding which risks to accept, which to mitigate, which to avoid, and which to transfer to insurance companies are strategic decisions that affect the entire organization. In school districts, these decisions should be made by the superintendent or board of education. However, in many cases, top leaders may not fully recognize the critical role they play in determining how cyber risks are handled.

This challenge is not unique to schools. On calls and webinars with cybersecurity leaders in the private sector—including large enterprises—I've repeatedly heard that members of the C-suite often do not understand their responsibility in cyber risk management. This appears to be a widespread problem, resulting in two common scenarios: either organizations are left unprepared for cyber incidents, or they overspend on protecting assets that aren’t critical to operations or data security.

Another problem is that technology teams and staff sometimes express their findings regarding risk in terms that can be difficult for leaders in the district to understand. As with any other communication with people outside of the arcane and confusing “technology speak,” tech leaders must take care to discuss risk in terms that non-tech people can readily understand. I’ve heard leaders in the private sector call these external conversations being phrased in terms of “puppets and crayons.” This isn’t meant to be pejorative about executive audiences, but rather to make very clear that cogent communications with non-tech stakeholders must be targeted to the audience, rather than in the natural terms that tech people might use to communicate between themselves. These are not conversations that should be laced with acronyms and arcane concepts.

So how can this gap be addressed?

First, it is the responsibility of IT and cybersecurity leaders to identify the vulnerabilities that exist in a district. This includes conducting penetration tests, vulnerability scans, physical inspections of server rooms and network closets, and assessing staff readiness to resist social engineering attacks. Then the tech team, in concert with other district stakeholders, should estimate the likelihood that threats could exploit those vulnerabilities and thus create risks. These findings should be documented in a risk register, detailing each identified risk and its severity.

Next, this risk register should be presented to senior leadership. While IT and security teams can and should provide guidance, it is the role of senior leadership to determine how each risk will be treated—whether through acceptance, mitigation, transfer, or avoidance. Only after these executive decisions are made can IT and cybersecurity teams execute their plans accordingly.
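The register-and-decide workflow described above, as an added example that is not from the article or the district: a small Python risk register in which the tech team enters findings with a likelihood and impact score, only a strategic role can record the treatment (accept, mitigate, transfer, avoid), and each entry can be summarized in plain language for leadership. The role labels, the 1..5 scales and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"   # e.g. shift to cyber insurance
    AVOID = "avoid"

STRATEGIC_ROLES = {"superintendent", "board of education"}  # assumed role labels
LIKELIHOOD = {1: "highly improbable", 2: "unlikely", 3: "possible",  # assumed scale
              4: "likely", 5: "almost inevitable"}

@dataclass
class Risk:
    name: str
    vulnerability: str       # finding from scans, pen tests or physical inspection
    likelihood: int          # 1..5 on the LIKELIHOOD scale
    impact: int              # 1 (single classroom) .. 5 (district-wide); assumed scale
    treatment: "Treatment | None" = None   # set only through decide()
    decided_by: "str | None" = None

    @property
    def severity(self) -> int:
        return self.likelihood * self.impact   # 1..25

def decide(risk: Risk, treatment: Treatment, decided_by: str) -> Risk:
    """Record a treatment decision; IT may advise but cannot own it."""
    if decided_by.lower() not in STRATEGIC_ROLES:
        raise PermissionError(f"{decided_by!r} is not a strategic decision owner")
    risk.treatment, risk.decided_by = treatment, decided_by
    return risk

def prioritized(register: list) -> list:
    return sorted(register, key=lambda r: r.severity, reverse=True)  # worst first

def undecided(register: list) -> list:
    return [r for r in register if r.treatment is None]  # IT should not act on these yet

def plain_language(risk: Risk) -> str:
    """One-line, acronym-free summary for a non-technical audience."""
    decision = (f"{risk.treatment.value} ({risk.decided_by})" if risk.treatment
                else "awaiting leadership decision")
    return (f"{risk.name}: {LIKELIHOOD[risk.likelihood]}, impact {risk.impact}/5, "
            f"severity {risk.severity}/25. Decision: {decision}.")

# Constructed sample findings (illustrative, not a real district's register)
REGISTER = [Risk("Staff phishing", "staff can be tricked into entering credentials", 5, 4),
            Risk("Server-room flooding", "data center sits below grade", 2, 5),
            Risk("Accidental student-data sharing", "overly broad Google Docs sharing", 4, 3)]
```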

In summary, risk ownership rests with the highest levels of school district leadership. IT and cybersecurity professionals play an essential advisory role, but they should not be the ones making strategic decisions about how to address risk. As with any other strategic decisions about the district, these decisions must come from the top.
