In schools we need to keep student data secure; however, we equally need the flexibility to use different learning platforms and tools in the search for effective learning experiences. There is a clear tension between these two requirements, and it would be fair to consider them the opposite ends of a continuum. On one end you could have a very secure system, similar to those in highly regulated industries such as banking, but in doing so you would lose some of the flexibility needed by teachers. Alternatively you could have a very open and flexible setup, but in doing so you would likely expose your school to increased cyber risk. So how do we navigate the continuum?
The security paradigm
In my view, part of the challenge here is the security paradigm itself: the idea that the goal is simply to keep systems and data secure. The reality is that we can only measure this after the event, so for every day we don't suffer an incident we have met the requirement, and we need to keep meeting it indefinitely. A single incident would therefore represent total failure. In the complex world of IT, with ever-changing threats, this model doesn't work.
I think we need to accept that if we look far enough ahead there is a certainty of an incident. As such, we need to make sure this is understood at the senior levels of the school, and then seek to do everything reasonably possible to keep that incident in the future or, failing that, to limit the damage it causes. In considering the probability of an incident it is almost like the doomsday clock, ever moving slightly closer to or further away from global catastrophe.
Risk Appetite
One of the first things a school needs to decide is its risk appetite. The more risk you are willing to tolerate, the closer the doomsday clock's hands are to midnight, but the more flexibility you have available. The less risk you are willing to tolerate, the further from midnight the doomsday clock's hands are, but the less flexibility you will have. All schools will have a risk appetite somewhere between the two extremes; the question is where on this continuum it sits, and how much closer it is to cyber security or to flexibility and learning.
Risk Assessment
The next thing to consider is risk assessment. How can you seek to manage and mitigate risks if you don't know what they are? The more flexibility you need, the more risks you will likely need to document. One of the benefits of risk assessment is that it forces you to spend time considering what the risks might be, their likelihood and their potential impact. This then gives an opportunity to prioritise resources towards those risks deemed most important to the school. It is also worth noting that any risk assessment should be a working, living document, as the nature of schools is one of constant change.
Documenting decisions
It is important that senior staff are aware of the decision-making processes, the decisions themselves and the associated risks, so it is critical that the risk appetite and risk details are shared with those staff to ensure they are appropriately informed. This can help with identifying where there is a need for additional resourcing, but also with identifying where risks remain because the mitigation measures are too costly or otherwise resource-intensive. If your focus is on learning, you need to clearly document the resultant risks which the added flexibility will have opened up.
It is also important to remember that we will only be able to identify failure in the future, after an incident. When this happens, we will want to look back to see whether the incident was the result of a decision and, if so, why we took that decision. Or was the incident simply something we didn't consider in our examination of the likely risks? This requires the decisions around risks to be clearly documented.
Near Misses
I am also going to mention near misses, something I frequently forget to mention. There is a lot to be gained, in terms of knowledge and experience, from those "almost" incidents where we come close to a cyber incident. We therefore need to find ways to capture such events and to encourage users to report near misses, as otherwise we lose valuable intelligence and are left with only actual incidents to learn from.
Conclusion
There isn't one answer or solution for all schools in relation to navigating between cyber security and learning/flexibility; each school will need to consider and make its own decision in this respect. It needs to be based on context, needs, resources and a variety of other factors, and it should be a conscious decision rather than something that simply happens.
On the cyber security side of things, I believe the focus has for too long been on prevention. Schools don't have significant cyber security resources but are an enticing target for cyber criminals, so prevention on its own isn't enough. We need to accept that an incident will happen and therefore shift our focus to minimisation or delay: mitigating risks to push the incident further into the future, or mitigating risks to reduce the damage when the incident finally does occur. For this reason I increasingly prefer the term "cyber resilience" to "cyber security", as it hints at the need to be ready to respond to and recover from the inevitable cyber incident.
Maybe we should all start including a cyber doomsday clock in regular communication with senior staff. Is this the way forward?