CISA Provides Resources for Securing K-12 Education System


The US Cybersecurity and Infrastructure Security Agency (CISA) this week published a report detailing the cybersecurity risks the K-12 education system faces, along with recommendations on how to secure it.

Over the past four years, there have been thousands of cyber incidents involving K-12 institutions, where threat actors targeted school computer systems to deploy ransomware, disrupt access, render systems unusable, and steal sensitive information on students and employees, including financial and medical information, and employee Social Security numbers.

The K-12 Cybersecurity Act of 2021 instructed CISA to review the cyber risks to elementary and secondary schools, evaluate the challenges schools and school districts face in securing their information systems, provide recommendations on improving the protection of those systems, and develop an online training toolkit for school officials.

Discussions with stakeholder groups relevant to the K-12 education community revealed that the majority of them do not have the time or resources to secure information systems and sensitive student and employee records, or to implement cybersecurity protocols.

“Most reported that the breadth of available cybersecurity information—news coverage, conference panels, webinars, and more—only made matters more complicated. Nearly all reported that they needed simplicity, prioritization, and resources targeted to the unique needs and context of K-12 organizations,” CISA’s report reads (PDF).

According to CISA, “with finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risk,” such as deploying multi-factor authentication (MFA), patching known vulnerabilities, creating backups, and implementing cyber incident response plans and cybersecurity training programs.

The agency’s review of the K-12 education system’s cybersecurity posture found that many school districts struggle with insufficient IT resources and cybersecurity capacity. CISA says this can be addressed by using free or low-cost services, asking technology providers for strong security controls at no additional cost, migrating IT services to more secure cloud versions, and taking advantage of the State and Local Cybersecurity Grant Program (SLCGP).

CISA also notes that K-12 entities cannot singlehandedly identify and prioritize emerging threats, risks, and vulnerabilities, recommending that they join relevant collaboration groups, work with other information-sharing organizations, and collaborate with CISA and FBI regional cybersecurity personnel.

The agency recommends that all K-12 institutions start by investing in the most impactful security measures and build from there toward a mature cybersecurity plan, prioritizing investments in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

CISA’s Digital Toolkit contains resources and materials in line with these recommendations, as well as guidance on how stakeholders can implement each recommendation. The toolkit also includes additional resources to help stakeholders build, operate, and maintain a resilient cybersecurity program at their institution.

Related: CISA Updates Infrastructure Resilience Planning Framework

Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching

Related: CISA Urges Organizations to Implement Phishing-Resistant MFA

The post CISA Provides Resources for Securing K-12 Education System appeared first on SecurityWeek.

Why CISOs Make Great Board Members


As I discussed previously, the past three years created a perfect storm with lasting consequences for how we think about cybersecurity:

  • Digital transformation accelerated significantly. Projects took off due to the pandemic and remote everything—work, manufacturing, healthcare, you name it—became imperative for business survival.
  • Ransomware went for the jugular. Critical infrastructure organizations had to navigate an escalating threat landscape, especially a surge in ransomware attacks, as threat actors understood that the value of operational technology (OT) networks and the availability of crypto payment infrastructure improved their chances of a pay-out.
  • Cybersecurity became critical to business. Under siege, businesses prioritized building resilience, for which cybersecurity is essential and which, when done well, can drive competitive advantage.

The impact of this perfect storm on boardroom conversations has been that cybersecurity technologies and teams have shifted from being viewed as a cost center to a business enabler. The shift is so crucial to business outcomes that Gartner expects that by 2025, 70% of CEOs will mandate a culture of resilience and recommends risk leaders recognize resilience as a strategic imperative to survive a confluence of threats. The mission is no longer just to protect, but to build trust that the business can operate even under strenuous conditions and to accelerate innovation within business units. That is very different from how security teams operated for the last two decades.

Businesses that invest in cybersecurity as a competitive advantage are transforming their business models. Every company is or will become a technology company, and those doing it faster are winning. Accenture refers to companies that have doubled down on technology and innovation as “leap froggers”, growing five times faster than laggards in the past three years.

Geopolitics contributes to this storm and need for board change

Geopolitical conflict has raised the stakes even further and is here to stay, whether in its aggressive form, as in the Ukraine conflict, or in a more subtle one, as in the competition between the U.S. and China. That means companies that are a meaningful part of their countries’ economies, or that hold strategic importance because of the sector they operate in, will increasingly find themselves targets in those conflicts.

In addition to significantly increasing their collective understanding of technology innovation risk and objectives, CEOs and board members need to understand how the current geopolitical situation could be affecting the organization’s risk posture and adversaries’ motivations, and how best to dedicate resources.

Many CEOs and board members are finding it exceedingly complex in the current climate to accurately identify, much less reduce, risk, which is why shifting the makeup of boards is needed. A vast majority of board members are former CEOs and CFOs, and those two backgrounds still account for the largest shares of new directors (26% and 23%, respectively). The good news is that 17% of new directors now come from the technology sector, which is beginning to fill the gap in hands-on experience of navigating technology-led businesses.

CISOs as board members

One natural solution to infuse more technology and security expertise into boards is to recruit CISOs and CIOs for those positions. While just a few years ago that was mostly unthinkable, today an increasing number of boards are seeking out those experts, even if it means bringing on board members with no prior board experience. That in itself is helping address another shortcoming of boards: a lack of diversity and of the fresh perspectives and experience needed to handle emerging oversight challenges such as digital transformation and cyber and operational resilience. While we aren’t where we need to be, progress is happening, and 14% of CISOs now say they sit on a corporate board or on both a board and an advisory committee.

Even as first-timers, successful CISOs make successful board members. In the last few years, the best CISOs have pushed their organizations outside their comfort zones, resulting in high-ROI projects that contribute significantly to the digital transformation of the organization. That relentless drive to transform is highly impactful at the board level, and the practical knowledge those CISOs bring is very valuable.

In another encouraging trend, Gartner predicts that by 2025, 40% of companies will have a dedicated cybersecurity committee. Who is better suited than a CISO to lead that conversation? Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. CISOs can advise on moving forward with digital change initiatives and help companies prepare for the future. They can explain the organization’s risk posture, including exposure related to geopolitical conflict as well as to new business initiatives and emerging threats, and what can be done to mitigate that risk.

Lastly, the role of the CISO has evolved from presenter of risk metrics to translator of risk to the business. The expertise CISOs have developed in recent years in explaining risk to the board therefore makes them valuable contributors to these conversations. They can elevate the discussion to ensure a deep understanding of the tradeoffs between growth and risk, enable more informed decision-making, and serve as guardrails for business alignment.

The future belongs to the companies that are fastest and boldest in adopting technology as a competitive advantage. To best protect that future, we need technology and cybersecurity leaders on boards who understand the risk side of the equation and can translate it into successful business outcomes.

The post Why CISOs Make Great Board Members appeared first on SecurityWeek.