Staffed Up: 5 tactics districts can use to navigate cybersecurity workforce shortages

The latest high-profile cyberattacks targeting Tucson Unified School District in Arizona and Nantucket Public Schools in Massachusetts are just two more examples in a sprawling list reminding districts of their networks’ vulnerabilities, and of the need for qualified staff to help.

Finding resources and staff to focus on a school district’s cybersecurity “is so needed because it’s really not a matter of if you will have a cyberattack, it’s a matter of when you will have a cyberattack,” said Clar Rosso, CEO of the International Information System Security Certification Consortium, or (ISC)2, an international nonprofit organization that looks at securing cybersecurity on a global scale.

The education sector ranked among the bottom five industries in confidence levels for mitigating cybersecurity risks, according to a recent (ISC)2 cybersecurity workforce study.

Education sector lags in its confidence to mitigate cybersecurity risks

The percentage of cybersecurity professionals, by industry, who said they agree or strongly agree they have enough tools and people to respond to cyber incidents in the near future.

Yet only 21% of districts have a full-time-equivalent employee dedicated to network security, according to the Consortium for School Networking, an association for school technology leaders. Districts often struggle to find resources to boost cybersecurity personnel considering the median salary of a cybersecurity professional in the U.S. is $135,000, the (ISC)2 study found. That compares to the average $65,293 salary for a teacher, according to the National Education Association.

“First of all, K-12 probably pays less, so they have a problem of recruiting and they have a problem of retaining,” said Keith Krueger, CEO of CoSN.

And salary isn’t the only stumbling block. “Even if you wanted to hire someone, it’s very difficult to find them,” Krueger said.

Despite these hurdles, cybersecurity experts shared the following approaches to alleviate workforce shortages and address the pressing need for stronger K-12 network security. 

Consider training interested teachers

To overcome the difficulty of providing competitive salaries for cybersecurity positions in comparison to the private sector, Rosso said districts can hire entry-level candidates and offer training instead. 

And interested teachers could be a good fit for this recruiting strategy, she said. 

When Rosso thinks of the skills required of cybersecurity professionals — like teamwork, presentation, problem solving, desire to learn, project management and communication — that describes the abilities of most teachers she knows. This could also give educators a chance to get a decent salary boost, she said. 

“There is something to be said for nontraditional sources,” Rosso said. One solution could be people who split their time between the classroom and cybersecurity work, she said.

Still, Krueger said, once a district hires and trains an entry-level cybersecurity professional, it’s rare that they’ll even stay for three years.

For Rosso, three years is plenty. 

“If you can get three really good years out of an individual, and that is securing the information and systems for your school and school district — take that,” Rosso said. “It’s OK to rotate them through, because, again, entry-level individuals have shown over and over that they can do the jobs that need to be done that would protect 80% of your information and systems within your school district.”  

Outsource to a managed service provider

At Maine Township High School District 207 in Illinois, the school system uses a managed service provider for day-to-day cybersecurity operations like surveillance and mitigation work, said Don Ringelestein, the district’s chief technology officer.

The district relies on a third party, he said, because the job market for cybersecurity professionals is so competitive. For Ringelestein, it doesn’t feel practical to hire for the position at the K-12 level, unless the district that’s hiring is a large one like Los Angeles Unified School District or Chicago Public Schools. 

“If we hire entry-level people, we’re not going to be protected to the extent that we’d like to be,” Ringelestein said. “They’ll be with us for two years, gain some skills, and then go make money in the private sector.” 

Managed service providers can also offer 24/7 coverage, which one full-time person could not do, he said. This move also makes more sense financially, Ringelestein said, adding that a district could expect to pay between $90,000 and $110,000 annually for a top-tier provider.

Share a CISO among districts

Another option is for districts to pool resources and hire a chief information security officer, or CISO, together, Ringelestein said. This could be a solid alternative if “districts could get on the same page,” he said.

This is also a cost-effective approach, said Amy McLaughlin, a subject matter expert at CoSN and the executive director of Technical and Solutions Architecture at Oregon State University.

Or districts can hire a virtual CISO — someone who can consult with them online — to advise on how to address risks and business impacts of a cybersecurity attack, according to Ringelestein and McLaughlin.

Most important, districts should ensure that backup services are available when working with a shared or virtual CISO, McLaughlin said. This will be crucial if, for example, all five districts need the CISO’s help at the same time, she said.
