Schools and #ZeroTrust

This isn’t a sales pitch…and this is not a rhetorical question. For years, much of what schools use isn’t housed inside their network. Why haven’t zero trust networks already caught on? Why are school IT departments so concerned about purchasing high-end firewalls, like putting a new Benz in the MDF?

How long before schools adopt Zero Trust Networks?

If you’re not down with zero trust, here’s a 60-second breakdown.

It makes a ton of sense for a school, with collaboration, email, SIS and every app for learning in the cloud, to move toward this model. Why hasn’t it happened yet?

What size is the right size for a District IT team?

I’ve been in all sorts of districts in my career – big (for WI), little, rural, urban. Each, down to the building, has specific needs and cultures. There are no templates, because, like people, each school is unique. IT support varies as well. Some outsource everything to a cooperative or private business. Others have their own department. I’ve seen technology professionals pulling their hair out because they’re so busy. Others have told me they’re bored and using their time to apply for other jobs. This is simple honesty; I’m not trying to shock anyone, these are simply experiences that have been shared with me.

So what is a “right sized” situation? Depends. Does your district buy professional grade devices from reputable companies? Do you have a process for creating high-functioning images? Do you manage updates (as much as you can) through central management or group policies? Is the infrastructure purchased from a reputable company and installed by experienced network engineers who know best practices? Is there a continuous improvement cycle in place to stay on top of upkeep?

If your answer is no to all or half of these questions, you’ll never have enough. Techno-fires will be burning non-stop throughout your schools. No one will be able to keep up. I’ve seen and lived that sort of environment. It’s no fun for anyone and the students’ learning suffers.

If your answer is yes to the vast majority of those questions, there will no doubt be staffing efficiencies to be found. If your network is updated, monitored and follows best practices, your network admin is going to get bored. How else can that person’s talent be used? It’s been my experience that districts feel good having a network admin onsite “just in case.” If things are managed well, you’ll be able to share that network admin with another district and perhaps pay her or him what they’re worth on the open market. Make no mistake, schools are where your average network professional goes to cut her/his teeth and moves on to be paid what the market values her/him at.

Sorry, no answers here. It depends…the ultimate cop out answer. Stop and think about the questions above…it will help you figure out where IT support is at in your district without doing a survey.

The pendulum swings for school technology leaders

It wasn’t that long ago that networking came into schools – about 15 years ago. Networks brought trepidation from some, excitement from others. The one thing it brought to most everyone I was working with at the time was a bad technology experience. From my vantage point what got in the way of creating a good experience was fear and lack of understanding (even from the technologists). Roaming profiles were one tool that made login processes slow and needlessly bloated. Annoying, but not the core of the problem. Fear led to locking down the network. Remember when wireless connections were heresy? Funny for me to think about that.

Networks were built to check a box. Yup, we have this technology thing. Often they were slapped together by the lowest bidder and locked down to a point of near uselessness. People tend to fear what they don’t understand and federal regulations didn’t help. The connection to the web was over-filtered in the name of CIPA.

Then the iPads showed up. In typical education/Apple fandom the potential between the use of wireless devices and learning was hypothesized from that first introduction in 2010. Wireless networks here we come! The smart districts invested in robust solutions for wireless access. Filters were peeled back as the learning side of the technology equation got a seat at the table, and in some cases a louder voice in the debate.

Some of this was great. Great for learning, innovative options for teachers, the use of relevant, flexible devices for students. Along the way, a few things were sidestepped. There was a rush to access for networks. A rush to access for tools. Agreements were signed without reading them like they were shrink wrap licenses. Security best practices weren’t followed.

Thankfully we’ve woken up from this and are thinking about security and privacy. InBloom helped move this conversation to the forefront in 2014. Today, Facebook has made it a national conversation. Cybersecurity awareness is on the forefront with many school technology leaders. Internal audits are happening. Encryption is in the lexicon of many folks. Thank goodness the pendulum has swung back. Hopefully this time it’ll be in – as Doug Johnson would call it – the Radical Middle.

When it becomes about the process and not the events

In the not too distant past I was all about attending conferences. I was all about being on professional association boards. To me at that time it was all about being seen, it was all about getting name recognition around my state in ed tech. Then I started noticing something. There were a lot of folks who had done that for 20ish years and don’t have a darn thing to show for it in their districts. No major achievements to speak of. No depth of knowledge to bring to a discussion on the state of ed tech leadership. Just lines, buzz words and saying hi to several hundred people you don’t really know.

In the words of Frank Costanza in “The Strike” (the Festivus episode), “There had to be another way!”

There is. Good, deep work with your team in your district. I realize now I was using my addiction to conferences and boards as an escape from my day to day struggles as a leader, specifically some of the day to day struggles I was having with staff under my supervision…I thought, enough of this rigmarole, I want to go pretend I’m a budding thought leader for 2.5 days.

Part of the change has been bringing in people who are great team members. Now I’m enjoying the daily process of providing good service and an environment that allows for innovation to happen daily.

Don’t get me wrong, there is nothing wrong with conferences and boards. Those are needful pieces to help move people’s learning from where it is, to where it needs to be. It’s necessary infrastructure. My point of view on it now is, everything in moderation. I was way too into it and it was a coping mechanism. I’m glad I’ve left that behind. The real work is at home in your school. The real prizes are in making it work for teachers and students.

I’m very happy I’m enjoying the process again.

#Cybersecurity Isn’t Just a Firewall #infosec

I’m disappointed when I hear leaders speak about security and they mention a firewall first. Is it essential to your infrastructure? Of course! But you don’t throw in a Palo Alto or FortiGate and call that your security initiative for the year. Security is about diligence. It’s about connections and empowering people to make better choices.

To me the diligence comes in on the technical side. Patching and updating are essential to keeping your infrastructure and endpoints secure. If you have 30 updates waiting to be run on your database server, someone isn’t doing their job. If firmware on your switches hasn’t been touched in some time, again someone isn’t doing their job. In multiple organizations I’ve seen users grumble about the updates pushed out to their computers, but it’s another essential piece to the puzzle.

That brings me to connections. Users squawk about updates because they likely simply see it as an impediment to getting their work done. Education is key, because the security aspect of running updates is likely the furthest from their mind…and there’s nothing wrong with that. It’s our role to educate.

Educating your colleagues on other aspects – identifying phishing schemes, building good passwords and the advantages of two-step authentication – are all things that help both the organization and the person. Those pieces are part of helping to secure the human, as SANS calls it. The human is the most important part of the equation because they make choices every day that we have no control over, and we shouldn’t want to lock things down to exact our control. Empowerment with knowledge is THE target for those of us in charge of IT in organizations. Without knowledge in people’s hands, the best cyber appliances in the world won’t do us a lick of good.