Does anyone have advice on how to build an IT security strategy for an EdTech organization?


1.1k views3 Comments

President and National Managing Principal in Software, 501 - 1,000 employees
So EdTech and not Education right?  That latter would certainly come with a broader set of risk.  That said, if you are providing software or technology to schools or university - its not small feat. 

I would start by thinking about the following from a context perspective:
1.  Size and scope of the organization

2. What type of sensitive data are you handling (course content, student PII, anything financial?)

3. Based on that data, what regulations might your customers need to comply with (and then you by extension).  FERPA, COPPA, are some that come to mind as does HIPAA if handling health related data. 

4. What does your technology footprint look like?  E.g. are you 100% cloud-based, on-premise, hybrid? 

5.  What third parties do you connect to and/or rely on to provide the solution?

From there I recommend a formal risk assessment.  The goal of a risk assessment is to identify the potential risks and threats to the data and/or your applications.

From there you would build strategy and program around addressing those risks.  There are a variety of standards that you can look to like NIST CSF or ISO 27001.  Also recommend you look at consulting firms to help -  and no, I'm not one of those so now selling here :-)
1
Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees
Creating an IT security strategy for an EdTech organization involves several steps to ensure the protection of sensitive information, prevent data breaches, and safeguard against cyberattacks. Below are some detailed steps and recommended frameworks to follow:

1) Conduct a risk assessment: Start by identifying the risks your organization faces, such as potential data breaches or cyber attacks, and conduct a comprehensive risk assessment. This assessment should help you understand the current state of your IT security and identify areas of vulnerability.

2) Define security goals: After identifying potential risks, define security goals that align with your organization's overall objectives. These goals could include protecting student data, safeguarding research or intellectual property, and ensuring regulatory compliance.

3) Develop a security framework: Once you have identified your goals, you should develop a security framework based on industry standards such as ISO 27001 or NIST Cybersecurity Framework. These frameworks provide guidance on best practices and offer a systematic approach to managing IT security risks.

4) Establish policies and procedures: Develop policies and procedures that outline how your organization will respond to potential security incidents. Ensure that all employees are aware of these policies and procedures and that they are regularly updated to reflect changes in security threats and regulatory requirements.

5) Implement security controls: Implement security controls such as firewalls, antivirus software, intrusion detection systems, and encryption technologies to protect your organization's network and data. Consider cloud security solutions that provide a secure environment for your data and offer backup and disaster recovery options.

6) Train employees: Provide regular security training to all employees to help them understand their role in maintaining IT security. Educate employees on how to identify and report security incidents and emphasize the importance of strong password management.

7) Conduct regular audits and assessments: Conduct regular audits and assessments to ensure that your security measures are effective and that they align with regulatory requirements.

By following these steps and using frameworks such as ISO 27001 and NIST Cybersecurity Framework, you can develop an IT security strategy that aligns with your organization's objectives and protects sensitive information from potential threats.

I would say that the type of organization doesn't matter as much, but you should right size the approach commensurate to the risk and appetite of the leadership. You don't want to overdo it, especially if you don't have the right buy in at the moment. You can always start small and mature along the way.

Oh, and consider a subscription to ChatGPT ūüôą
1
CISO in Insurance (except health), 5,001 - 10,000 employees
The design of a strategy is key. Here are a few threads to review that have good information to help you get started. 

https://www.gartner.com/peer-community/post/do-you-have-any-thoughts-best-practices-to-share-on-developing-cybersecurity-architecture-582229 

https://www.gartner.com/peer-community/post/what-is-a-zero-trust-architecture-535832

Also, use the Gartner security and risk score to help as well. 
1

Content you might like

Slow recovery response times35%

Data availability is limited48%

Too expensive to scale effectively52%

Difficult to manage for widespread use38%

Prone to misconfiguration12%

No - There are no drawbacks7%


524 PARTICIPANTS

1.3k views3 Upvotes

Messages or documents must be encrypted/secure as they travel over the Internet51%

Messages or documents must be encrypted internally (at-rest) when stored in my organization28%

Both are equally important22%


282 PARTICIPANTS

1.1k views2 Upvotes

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
39.9k views130 Upvotes318 Comments