How Summit Public Schools Is Protecting Students, Staff and Data With Smart Digital Security Investments
Here in the age of digitally connected classrooms, computer-driven learning and Big Data, an educational organization’s security responsibilities extend well beyond protecting the physical well-being of its students, staff and structures.
No one knows that better than Bryant Wong, who as Chief Technology Officer at Summit Public Schools leads the effort to protect 11 schools (eight in Northern California and three in Washington State), their staffs, students and data, from potentially damaging and costly breaches. In a recent conversation with BuyQ, Wong explained what it takes for charter school organizations to build and run an effective digital security program in the face of ever-lurking threats, ever-changing technology and ever-present budget constraints.
BuyQ: Keeping students and data safe and secure in today’s digital environment is a major challenge. How do you balance budget constraints with the very real threats that schools such as Summit face?
Bryant Wong: It’s easy to say, “We need security for x, security for y.” But from a superintendent’s perspective, they need to understand the goals, objectives and outcomes in digital security, while measuring effectiveness and assuring the organization’s decision-makers can make actual decisions that move the needle managing risk.
It’s really easy to be an alarmist about security. It’s really hard to be disciplined, do the strategic security design work, communicate the outcomes, maintain accountability and get lasting buy-in from the organization stakeholders.
When it comes to an organization’s security investments, it’s really easy to procure the best. It’s harder to procure the right-tool-at-the-right-time solution. But that has to be the priority. It is more fiscally responsible, it’s more thoughtful and it’s more aligned to the evolving needs of the organization.
BuyQ: Describe the strategic approach you and Summit take with your digital security program and investments.
BW: Solutions should be selected that align to the organization’s culture and risk. I think security is most effective if it’s implemented with 100% adoption.
From a strategic perspective, it’s important to design a security program that aligns to the organization’s identified risk and the outcomes you want. We have adopted a security framework that’s backwards-compatible with National Institute of Standards and Technology, and with ISO, to show we’re following and implementing best practices to secure data, but also provide us with the knowledge to design a larger security fabric to address larger technology-associated risks involving the organization, systems, people, training, and, yes, data.
It’s important to focus on what we’re trying to accomplish and getting the tools for solutions to address that need. It’s really easy to lead by the tool, but it’s not as easy to lead by understanding the concerns, measuring those concerns, puzzling and running that through a security framework to ensure those issues are resolved by solving for all sides of the Rubik’s Cube. I mention the Rubik’s Cube because a solution is only as good as its ability to solve for all sides of a problem. If you solve only for one side, then you’re just creating a larger challenge for yourself. So strategy is critical to designing and implementing effective security.
BuyQ: Who at your organization is involved in digital security procurement decisions, and what does the decision-making process look like, generally?
BW: There needs to be a shared ownership of digital security across an organization. Far too often it is one team, kind of a black-box solution of how you look at security. That may not be effective because the people aspect is the heart of it all. When you consider how to address the people aspect, you start to bring in a better way of approaching security. How do you ensure there’s a level of ownership across the organization instead of just leaving it to one person or one team to really solve it? At Summit, we have a security committee made up of cross-functional team members.
Security systems decisions are typically left with the CTO, but although I may make the final decision on security tools, there is oversight on purchasing, and those purchases need to fit within the approved budgeted line item and be aligned to defined organizational needs.
Since Summit established its security committee and security governance about a year ago, organization leads drive and make decisions about what we should be doing from a security standpoint by aligning to our security framework. This allows our digital safety working group stakeholders to ensure the security part is aligned. Buy-in becomes the norm versus the exception. I think our process provides transparency, but equally important, it builds a culture of security inclusion versus a black-box approach. All of the 10-plus team leads are decision-makers and have a responsibility to ensure our practices are sound. They have a voice in decisions and carry the torch of security awareness throughout the organization.
BuyQ: What’s your preferred procurement pathway for digital safety purchases — RFP, bid solicitation, group purchasing organization/co-op, or another option?
BW: It’s really difficult to find it all in one stop, but I find that if our vendor partners don’t have a solution, they work to establish one. I think trust in strategic vendor relations is critical.
RFP-based solicitations can be really good avenues for security purchases. I think these avenues are more effective when the school district security model is more mature than in its infancy. In its infancy, there can be a lot of bouncing off the walls trying to figure out what makes sense. As you mature through that process, you start to home in on where your needs are and the tools that meet those needs. That’s when your RFPs, your bid solicitations, become more concrete instead of this kind of shotgun approach of everything under the sun.
Instead of issuing an RFP that says, “I want these 50 things under the sun,” where probably half of them have no real relevance to you at the time, you start to figure out what you need. Maybe it’s not 50 but 30 top things you actually need. Then the vendor can say, “Okay, now I know what system they want and I can bring them the right solution.”
BuyQ: What tech partner does Summit work with for its digital security procurement?
BW: We use CDW-G (an Illinois-based technology provider that serves schools, healthcare organizations, government entities and businesses). For our relationship to work well, I think it takes two sides of the coin: Summit having a really good, high-trust relationship, to share what we need, and also for CDW-G to be able to come to the table with solutions that are aligned to our priorities and the risks we’re trying to address. When you have that, you start to build this really strong relationship of bringing in the tools that actually meet the defined needs that the organization has.
Far too often, it doesn’t happen that way. There’s a mismatch and the organization ends up not getting the right kind of tools to address its long-term security needs.
BuyQ: What relevant federal requirements and compliance issues do organizations need to consider in the context of their digital security investments and strategy?
BW: Well, FERPA (the Family Educational Rights and Privacy Act, a federal law that protects the privacy of student education records) is the big one. I think it all depends on the kinds of records. Especially when you’re talking about special education, there can be sensitive data. You have to consider what applications HIPAA plays into. And of course CIPA, the Children’s Internet Protection Act. Depending on how much information is actually being stored, there may be other relevant federal laws. And each state has its own laws.
BuyQ: As a larger organization, to what extent are you looking at enterprise-level digital security solutions?
BW: At our stage, we’re actively looking at more enterprise solutions. Enterprise tools are not always the right solution for every situation, though. Instead I would blend open-source and free tools that make the most sense for an organization’s goals and objectives.
Generally, I think managed solutions are more effective than unmanaged solutions. A strategic vendor partner can help strategize effectively on those solutions.
BuyQ: You mentioned that Summit has established a digital security committee and a digital security framework. What was the impetus behind those initiatives?
BW: It started with some core stakeholders, from legal and HR to people on the academic side. We needed people in the group that actually could make decisions — directors and above. The goal of the committee was to understand, “What are we trying to do with security, and what are we trying to understand about the larger risks around the organization?”
It has really helped us to look at security across an organization due to this cross-functional leadership team. Technology is just the facilitator of it all.
The goal is to be able to make sure everyone knows what’s going on. But also a level of responsibility is shared now. That’s the power of the committee: to make sure that everyone who owns a piece of technology, whatever the system is, or who is a steward of the data, is responsible for making sure security is also there. But we agree collectively on how security is done through consensus-building, through this work that we do.
Then governance comes in. There’s myself and a couple other people who make sure we are sharing technology the right way, and to give guidance to the committee about how to think about security.
We meet every three weeks to do this work. If we’re thinking about encryption or we’re thinking about multi-factor authentication, or we’re working to get consensus on implementing a part of our security framework, it requires everyone to say “Yes” to this work so that everyone is a stakeholder on all those outcomes. It’s a very powerful guiding coalition of security across an entire organization.