Partner Talks: Mark Orchison Unpacks Cybersecurity Challenges in Independent Schools

Narrator 0:02
welcome to Talking technology with ATLIS, the show that plugs you into the important topics and trends for technology leaders all through a unique Independent School lens. We'll hear stories from technology directors and other special guests from the Independent School community and provide you with focused learning and deep dive topics. And now please welcome your host, Christina Lewellen.

Christina Lewellen 0:25
Hello everyone and welcome back to talking technology with ATLIS. I'm Christina Llewellyn, the executive director of ATLIS,

Hiram Cuevas 0:32
hiring Cuevas from St. Christopher's school in Richmond, Virginia.

Bill Stites 0:35
And I am Bill Stites, Director of Technology at Montclair Kimberley Academy in Montclair, New Jersey.

Christina Lewellen 0:41
Gentlemen, welcome back. My co host, we're getting the hang of this, aren't we guys? I mean, like other than Bill's got a little bit of the fall cold situation going on. So you're sounding kind of bassy. But are we getting this under our belts? Are we getting better? I

Speaker 1 0:55
think so. I've got like the Barry, white thing going on right now. Which is, you know,

Christina Lewellen 0:59
do not saying do not sing I will edit you? I will pull it out?

Unknown Speaker 1:04
No, there is no singing. There is no singing that I can guarantee.

Christina Lewellen 1:09
Hiram, are you going to sing for us today? I don't think it would Barry White. If you did,

Hiram Cuevas 1:12
I think it will just say let's get it on.

Christina Lewellen 1:17
Okay, that I can handle. But I have editing power on this thing. So I'm excited to be back. I think that there's been a lot of attention lately around AI. We've had a lot of those conversations even on this podcast. But what's really critical is because that's the bright and shiny that a lot of schools are talking about, and hey, I'm never gonna complain when administrators at independent schools are talking technology, right? Like if they're paying attention to some kind of technology issue. That's never a bad thing. But AI is getting a lot of attention. It's in the spotlight right now. And we're talking a little bit less about cybersecurity. And yet, cybersecurity continues to be such a massive part of the work that we're all doing and the demons that we wrestle at our schools. Before we welcome our guest today. This person has a ton of expertise in this area, Bill and Hiram, what's in your all's world in terms of cybersecurity right now? What are you guys talking about and thinking about it your schools, it

Hiram Cuevas 2:15
There isn't a day that goes by where we're not discussing cybersecurity issues. It may not be something that goes out on a daily email, but it is certainly something that our school within our department and within the business office, when we're talking about cyber renewals and other subscription services, we are constantly discussing, you know, what are the ramifications to cybersecurity and the safety of our constituents?

Speaker 1 2:36
I think the one thing I would add to that is we're talking about it, even though we're not talking about it in that you're always addressing things that relate in terms of, you know, what new service are we bringing on? Who's going to have access to it? What type of data are we storing in it? What is it connecting with? How is it connecting with these things? All of these things are the pieces that get talked about, but might not necessarily be known as the types of things that are getting labeled as cybersecurity. But they all fall into that category. And that's one of the things we're trying to get people more familiar with and accustomed to here in terms of the conversations.

Christina Lewellen 3:11
That's awesome. I think it leads us really well into our guest today. So let's bring on our guest today is talking technology with that list. Mark orchardson Welcome and hello, how are you? I'm going to let you introduce yourself. But you are kind of our cyber guru so far on the podcast. So welcome.

Mark 3:29
Thank you. I'm very good. It's a pleasure to be here today talking a bit about cybersecurity a bit about the changes in law a bit about the risks that are facing our schools globally. You know, we work with schools, not only in North America, but in most countries around the world. So we have a very good footprint of intelligence about what's really happening in the

Christina Lewellen 3:48
world. So tell us a little bit about who you are and where the heck you came from. Because in the Independent School, we tend to kind of know each other, right? And the same names and the same companies. But here comes Mark and I met you about, I guess a year ago, a little somewhere in there at like a gathering of leaders in the Independent School Associations and accreditation body community. And so that's how you and I met, but at first even I was like, and I'm fairly new to the sea. But for me to go who's this guy?

Mark 4:18
He's Brett, right?

Christina Lewellen 4:20
Who's this? Brett? So can you tell our audience who in the heck this Brit is on

Mark 4:25
base near London, and I grew up in the countryside around England, you know, as you can imagine, when's a Hogwarts that sort of thing.

Christina Lewellen 4:33
Whoa, wait a minute. Hold on. If you're gonna drop that in the podcast, everyone's gonna need to know your house. So what house are you then if you want to talk words?

Mark 4:43
I'm definitely Griffin door. Okay.

Christina Lewellen 4:45
I think we all want to be Griffin door. So well. We all want to be Gryffindor thrown through. All right, excellent. You may continue Gryffindor really?

Mark 4:54
So I started my career within a company called Sun Microsystems. You know a lot of you will will be familiar We've that organization or that business that's now was acquired by Oracle. And within sun, I worked in one of two r&d units that are outside of North America. So we had one in Grenoble in France, and one in Brackenfell in the UK, near near Redding, which is maybe 20 minutes from Heathrow, so it's quite central as a hub. And essentially, my role in that organization was a product manager on what's called one in two U servers. So we were in high volume servers that were competing with the HP dl 360, HP dl 380, if you're familiar with those products, and actually Simon came up with the first rack mounted servers, and I was working for Sunfire V 100, if you want to NT net your suite of servers, and in my role within that organization was to work with the engineering side of the business also with customers to then develop and bring to market, more technically capable servers that actually, we're competing with Wintel Wintel units from HP and Dell. Now going back into the late 90s. Sun, as an organization was flying when it came to servers, they brought to market leading edge servers. But then essentially, when I joined, you had Dell and HP who had commoditized, the product offering with a Wintel Windows Intel, offering that essentially were far more competitive on price than the Sun box, but a sun box itself, engineering wise, based on Unix, far more secure than a Windows based machine. So from having that expertise, I then went into management consultant, supporting a whole range of different organizations from education, and schools to universities, to becoming the program leader for technology on terminal five. If any of you fly into Heathrow, terminal five, then think about that, as a piece of an infrastructure project, I was responsible for 300 people implementing the technology from from the 54 server rooms in that building, to the flight information, display screens. And also I then worked on a with a global data center business to streamline the operations around how they datacenters would work before then deciding to start online. I know that sounds like a long winded introduction to me, but from a technology background, very much r&d, engineering, and then sort of the business application in the three to starting nine, which is my business and how we support schools now with technology.

Christina Lewellen 7:24
So it's interesting because you it sounds like you have had through your career, that very interesting mix of being able to speak technology, but also speak and user. And that's something that I know is sometimes tough even in the independent school setting for our technology leaders to talk tech, but also make sure that you're doing so in a way that makes sense to people who are not tech people. Yeah,

Mark 7:47
very much. So like, I think I've got a strong discipline in how technology goes together, you know, at an architectural level. And because of my early career, or within consultancy, you know, consultancy is a people business. To be successful. As a management consultant, you have to be likable, you have got to communicate well in terms of understanding the client's problem, but also solving that client's problem. And solving that client's problem means we're dealing with now inherently technical individuals that essentially need things in a more binary need to be articulated a more binary way, so that they can go and do the engineering and that middle guy in between to make that work as an individual not only have a built a tech consultancy business, but we have 65 developers and a cybersecurity team. So in the past three or four years, I've had to learn not only the infrastructure, but also how software comes together, which is far more complex than actually whenever infrastructure, I want to talk about switches, servers, and clouds. So yeah, all those are the skills are repackaged together. And that's sort of what I do in who I am now. That's really great.

Christina Lewellen 8:51
And to help everyone understand the groundwork of this conversation are the foundation of this conversation. It's worth mentioning that ATLIS has recently partnered with you, with your company nine. And the idea that we were looking for the problem that we were trying to solve when you dropped into our world a year or so ago, is that we had been offering for some time, sort of, well, we refer to it as cybersecurity one on one, it's like kind of starting the conversation around putting together a team at your school, making sure that you're addressing the correct questions pertaining to cyber and student data privacy. The workshop is really useful, and it's a great place for schools to start if they just literally are kind of like the head in the sand, you know, they just really are attacking this proactively or if there's been an issue at their school if there's been some kind of a breach. And so what we needed next is we needed a deeper dive. And yet each school is a little bit different. Each set of systems is a little bit different. So we were really struggling with how to provide our members and our community with a deeper dive in comes mark. Right. So then you come along and we start to get to know your product, I don't want to go too deep into it, I think that that leaves a little air of mystery because your company is I've come to understand it is that there's a consulting side, there's also a software side that helps schools manage all of this. But if you could tell us a little bit about the Cybertech Academy program, you know, you're already doing this program, ATLIS teamed up with you to offer it to our members. And by time this podcast hits the street, we'll have you know, a good number of our ATLIS community schools in the mix of this program. So can you tell us just a little bit about that cohort style approach? And why you stood it up to begin with like it pre-existed us knowing you? So where did it come from?

Mark 10:49
What are the things that we found with working with hundreds of schools globally, is that like tech directors have a problem when it comes to finding professional learning opportunities, also, professional learning opportunities that solve real world problems in education. So you can go on an MCSE, you can go on as their CCNA, you can go on various engineering driven training courses. But actually, the application back into the real world of schools is missing. And the training programs are very much theoretical, so very theoretical, built around specific equipment or specific solutions. And quite often, when a school invites us in to help them now we are generally doing the same thing, but with a consultant leading the way in communicating a process that we have delivered in house to solve specific technical problems. And what we thought is that whilst that's very useful for schools that can afford to buy a consultant to help them with those specific problems, it's not really advancing the wider community of tech leadership within schools, it's not really helping the wider community of schools that actually can't afford to have that expertise delivered through a consultant. So we came up with the idea of really packaging up what we would typically deliver as a consultant going into a score on specific areas, and specifically the Tech Academy, it's focused on implementing a zero trust architecture, which is all around cybersecurity and cyber defenses. And we have therefore packaged up our intellectual property of how we do things based around specific engineering challenges when it comes to zero trust architecture, and turn that into a workshop and a workshop that covers off the theory. So what is the theory behind specific technical components of a zero trust architecture, then goes into a small teams working together virtually. So if we've got 50 people, as part of the Tech Academy, you will be split up into 10 teams of five, for example, who we then solve, or do games based learning around that specific topic. So the theory is then brought to live through some sort of gains based learning activity for 20 minutes, and then maybe two of those 20 minute activities to really help embed the learning within a real life example within a school. And then you've got actually the next step is okay, if I want to take this theory, and this concept that I just learned about that actually, really, I understand now, because I've listened to it, I've sort of gamified it, and I had a workshop for four or five people. And then you have a task driven exercise of okay, well, to put this into my school, we need to do 1-234-567-8910 1112, all the tasks that need to be completed, also supported with a design documents, and the design architecture that you can then easily follow to plan and implement a zero trust architecture within your school. So essentially, where it came from was, well, first of all, there isn't any properly accessible, affordable, relevant, professional development and education that we've seen in specifically in the UK, or British and American curriculum schools around the world. And we sort of have the answer to it, because we are selling that on a one to one basis all the time. So let's just package it up and deliver it in a way that's far more accessible at any school. And essentially, with ATLIS, I think it's a great vehicle to really support your community with PD. I

Christina Lewellen 14:19
love this. So you're saying the idea of like, okay, so we know what we need to do in theory, but the practical application is really what the Tech Academy offers. Let me turn to Bill and Hiram, I mean, does that seem to resonate with you like, you go, you learn something, and you get it conceptually, but then actually, like boots on the ground, getting it done at your schools, that can't always be very easy. So having the solution seems pretty interesting. Let me talk to you guys. Do you have any questions?

Speaker 1 14:53
One of the things that we focused on here is what we refer to as like the low hanging fruit, what are the things that you can pick off pretty easy really, you know, whether that's MFA, you know, enabling that in the school, we're running your phishing exercises, so on and so forth. And when you start talking about things like zero trust, you know, I'm not sure everyone understands, actually, even with zero trust means and how that might look in a school. But you know, Hiram, and I and others that may have heard that term are involved with that term, going that step beyond, you know, like climbing higher up the tree to get you know, those pieces that are a little bit harder. How do you see the work that you're doing helping people like myself, you mentioned, you know, you've got the sun background, my background is in early childhood education, I thought I was going to be a third grade school teacher my entire life. So the low hanging fruit was really easy. How do you see getting people to that next step to implementing zero trust, understanding zero trust and getting through those things in those programs? How does that look?

Mark 15:53
It's very much designed for, you know, tech directors, because for each of the individual modules, you've not only got the framework of from an engineering perspective, what you do, you've then got the directional learning of actually how you do it. But also, we provide a timeline of actually the amount of time it's going to take to implement each of those projects. So for example, on network switching, audit, and best practice, for every tasks associated with that specific module, we have estimated the amount of project and engineering time it takes to implement each of those individual steps. So from your perspective, as a tech director, looking at that program of work has actually is broken down on a task by task basis. Within the nine governance software, it says, you know, to deliver this project, these are the tasks that need to be completed, you go into a task, there's a description, there's a checklist, and then there's a resource and an estimated amount of time. So for you, as a tech director, you can review every single task and you can then conceptually through going all the tasks understand that complete program of work, what is the engineering going to be required to improve our security on a network switching? And also, what is the benefit of doing so? So what is the organizational benefit? What is the amount of time that is required? Do we have the skills in house yes or no to do this. And generally speaking, you should have the skills in house to do that, because the team who are on the training course, would have learned those skills on the module, we even go down to the level of when you're implementing, for example, access control lists, that's the second one, we give you the scripts that typically you would write where you are coding a switch, for example, on the control prompts you going into that level of detail of the theory, all the way through to the design, or the through to the technical implementation. So for you as a tech director, it should give you confidence in a actually, what are the steps that we need to be taking to secure our network from a successful cyber attack? Be? Oh, actually, I understand the scope of each of those projects, I understand what it means. And I understand its relationships to zero trust architecture. See, I can evaluate whether we actually do have the engineering skills in house to deliver this. And then D Do we have the amount of time available to deliver this module and an engineering perspective within our school, and we don't have it during the academic year? Do we have it in the holiday periods when the kids are out. So it gives you that intelligence. And furthermore, it gives you the ability, again, at a project and task level to review that with leadership. Now, if leadership wants a more secure school, and typically, to do that you need to have resources in time to implement those technical projects, you need to turn things off to update them and to do certain things. And I think what we've delivered and for those going on at Tech Academy, it actually gives you a lot of levers and a lot of discussion points to have with leadership about what are the consequences of we want our school to be more secure from cyber attack. Okay, well, there's these nine projects that we have to do. And this is how we're going to do it. This is how much time it's going to take. These are the skills we need, or that we either have we need or either require work.

Hiram Cuevas 19:08
I love the fact that you actually talked about the levels because Bill mentioned the low hanging fruit. And then you intentionally talked about these levels and talking about peeling back the onion essentially, of getting more secure. I do have a question because I know Bill, and I've had this conversation between us and also with other tech directors, I find that within the industry for cyber insurance, not all of the cyber insurance recommendations are created equal. And do you have a sense for where these policies are going with the K 12? Industry? I still feel like they have a very corporate slant to them. I'm curious if they're really understanding what the K 12 environment is all about.

Mark 19:51
So if we look at the insurance industry, when it comes to cyber, there's a story to tell. So prior to that pandemic, It was very interesting that the premiums that you pay for cyber insurance were really low, like incredibly low. cyber insurance was a booming industry, and certainly a booming product amongst many insurance. And we were working with Hiscox. They're one of the lead global group based providers about the pricing of cyber risk when it comes to education, and actually how they could use the data that we have to better price, the price risk for cyber insurance when it comes to education. With the pandemic, you had a significant increase in the number of cyber attacks affecting education. And if we look at our data prior to the pandemic, and you can use the Microsoft Malware threat tracker is a good point of reference for this. Prior to the pandemic. Education was like in the low teens as an industry that was affected by malware. about September 2020, education was 60% of total malware encounters across all industries. And then about January, February 2021. We're talking 80%. And education has been consistently 80% of malware encounters since that point in time. Now, on the risk profile side, what you saw with insurers is that they totally underpriced the volume of cyber attacks that were facing education. And they've had a huge amount of money that they've had to pay out because they essentially said, Look, you have a cyber attack, we'll pay for everything. And we'll bring in a PR agency to manage the communications with your community will pay for tech specialists to come and rebuild your systems will pay for forensics to understand the root in and will pay for damages in terms of loss income associated with that. So with that happening, you suddenly saw a complete change of tactic from insurance, where it was, how many blockers can we put into play to actually reduce our liability when it comes to the risks that we've sold to sort of the cyber packages, but actually, that won't cover their liability into those risks. So the easiest thing for them to jump on is actually no, let's jump on a corporate approach to IT systems and services, when it comes to actually what our expectations are. Because if we have that as the expectation, and it's a belt and braces approach, that actually we are protecting our liability, we are protecting our margins, and we're reducing our risk profile. And that is what you have seen specifically within the industry. And more than that, there is then the you know, we are now seeing within policies, that whilst they may, you know, underwrite your risk for cyber at this moment in time subject to you evidencing that you have certain protections in place, that you actually have to have some form of evidence and accountability about how you are continuing to manage your cyber risk. So it's not just a point of time of care, yes, we can demonstrate our level of risk is and we have the cyber protections, but how are you testing as an organization that those protections remain in place during the course of the 12 months of that insurance policy? Now, one of the reasons for that is that, let's say when you first installed all of your IT systems, so your devices, your network, you have your cloud systems, and when you first install them, they are all joined together, so they're all joined together. And from a security perspective, they all touch each other at a single point. So you know, end to end, that actually, there are no air gaps in our systems, because they're all joint from a through to Zed, and all the way through, we can see the security. Now over time, over the course of 12 months period, each of those systems has an update, laptops get updates all the time within Microsoft, Mac, get updates, iPads, get updates, your network switches get updates, your firewall gets an update, even Google will get an update and office 365. And over the course of the year, air gaps are generated between each of those individual systems. So a security air gap is created. And that is a vulnerability. And essentially, what the expectation is when it comes to insurance, is that you as a school, as your systems get updated throughout the course of the year, you can manage those air gaps, you can manage those vulnerabilities, because it's those vulnerabilities those air gaps that are created that allow an attacker to circumnavigate, or through Snakes and Ladders, their way through your IT systems and services. And that's how, in many cases, a successful attack occurs. So going back to your point here, and hopefully there's a long winded explanation of actually the context behind insurers, how they've seen their their their reduction in profit, and also in their specific losses when it comes to underwriting insurance. Also, the expectations now, underwriting at this moment in time, but how an insurance that you get ready to go gotta get out of paying cyber claim is by asking for the evidence of how you've continually managed your systems. And if you can't provide the evidence, then it's likely that the insurance policy would allow them to not pay out on that claim.

Christina Lewellen 24:55
We've been saying for a while that cyber insurance is like the Wild West of insurance because of all these issues that you're bringing up, Mark. So that's really interesting. Let me put a finer point on it. And let's move a little bit into student data privacy, because in the States, as you all know, we're coming along on our obligations in terms of protecting privacy, but we're certainly not, you know, where some other countries are in terms of the global scene, I'd love you to just reflect on that, given that you have this international perspective and experience. If we haven't gotten there, we're getting there, maybe or we're about to get there. But in any event, there's even if not a legislative or a law based reason for us to protect data for our students and our communities. Certainly, there's an ethical, maybe a moral obligation for us to do it. And if nothing else, is a PR nightmare if these things happen. So I'd love to you to touch on that. Because I think that many of our schools are just ignoring this altogether, depending on what state they live in. But as I talk to different audiences, I refer to the student data privacy issue as a tsunami that is sneaking up on us, tell us a little bit about what you're seeing and what schools need to be thinking about.

Mark 26:11
So if we think in the moment where the US is so us as an outlier when it comes to the protection of personal data, now we're looking against most other countries, globally around the world. And the reason for this is a regulation called the GDPR, the general data protection regulation that was brought into play in Europe in 2018. And it was actually announced in 2016. So it was announced in 2016. With, you know, by 2018, you have to be compliant with all these things when it comes to data protection. And if you're not compliant, then there are fines, there are fines of 4% of turnover, or 20 million euros, whatever is highest, right. So I think tick tock have recently been fined 300 million Euros by the EU for non compliance with data protection law. Now, prior to 2018, as an organization, you still had to protect personal data, there is a moral obligation. But generally speaking, in most countries, there is some form of data protection law, specifically within the EU. And beyond 2018, who is the stick, there's now a stick, if you do not do this, you're going to be fined. And then you've got other countries like Singapore, and in Saudi and in China, that go a step further and go, Well, you're not only gonna get fined, but we'll throw you in jail. So like in Singapore, if you're like the head of admissions of an international school, or an American International School, and you're not protecting personal data in your area, you yourself can go to jail. That is how many countries have been dealing with this. And the motivations for this is because in many instances, the law when it comes down to technology, and specifically when it comes down to data hasn't been catching up with actually how technology is developing. So the EU, specifically, if we look at the geopolitics of where this law came about, was looking at us tech firms and going hang on a sec, you gotta have all these us tech firms harvesting all this personal data about Europeans making tons of cash off the back of it. And that is not competitive in allowing EU tech firms to flourish. Therefore, we're gonna bring anyone on a level playing field, it's as simple as that. And then what the EU then smartly said, if they said, Well, if your country outside of the EU, and you want to trade with us, yeah, you want some all consumer business, you want to sell us cars, then you're gonna have to have a data protection law, that is as adequate as our data protection law. Otherwise, when you know, you're not coming in, not into the room. So you've had this tidal wave around the world of the changes in data protection law. Now, in the US, there is no federal law around data protection. And at the state level, you have had specific states going well, this is really, really important. Yeah, actually, we completely agree with the Europeans and everyone else that actually, we want to, we want to understand that if a company is taking our data online, and then using that to influence our behavior by showing us ads, yeah, we want to have a say. So we want to say we want to either do accept that we want to be influenced by that, or we want to reject it. Likewise, for our children. We want to understand that if our kids go to school, and they are using all these edtech apps that in many cases are free. That actually there are protections in place around how that data was used to influence our child when they log on to their Xbox in the evening and play a game. And then adverts come up to try to influence their behavior. Because in many cases, that is what has been happening. Technology is generated on students whilst they're at school that is aggregated through their browser and through specific identity and identifiers around who they are. They then log on from an IP address at home in many cases, the same device or with similar accounts because they may have an app account on their iPad that's also associated with it. X Xbox. And consequently all that data can be aggregated by an algorithm to then seeking to influence their behavior.

Christina Lewellen 30:06
So free is never free, free is

Mark 30:09
never free free is always to harvest your data to sell it to someone else. And in many cases, you don't know where it's going. Right. But you know, that you're being influenced.

Speaker 1 30:19
That's one of the hardest things I think that we deal with in schools, because one of the things that came out of COVID was this wild west of these proliferation of free apps and you know, teachers needing to be nimble, and being able to meet students where they are, and to address the hardships that COVID put upon first trying to teach. But I think it was that free nature that is now where we, as schools are trying to rein all of that back in, and kind of get things under control. Because I don't think we understand that, you know, those that are listening to the podcast, those, you know, that are in this, we understand that exactly nothing is free in this world, what you're giving up is that data, the data is the commodity that you're using to pay for this, but trying to get and communicate that clearly, to our faculties, who are working with the students and making the students understand these things is the hurdle that we have to overcome. And one of the things I'm curious about from your perspective is, how do you see helping with that? Is there anything in what you're doing or what you're seeing or how you're talking to schools, about the education that needs to happen around that idea of free is not free, this all comes at a cost. And these are the things that you need to look out for and be aware of,

Mark 31:36
there are a number of different levels there. So we have a thing called vendor management. It's a tech solution that has pre qualified vendors around their terms and conditions and what they are doing with data. It's like the Netflix of ad tech vendors that you can have. But to want to use that then you need to be motivated to evaluate the vendors that you are using. So what you have seen from a legal structure within the US is individual states, rather than doing the whole data protection pie, and doing it all like a big GDPR. That one little slice of pie, to actually start forcing through organizations in law to undertake certain things when it comes to the evaluations of vendors when it comes to their data and cybersecurity. And Christina referenced those 11 states, California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, Virginia, all of those states have brought in specific vendor laws that require you as a school to understand where your data is going when you contract with a vendor. Now, importantly, Bill, many schools, we know these freemium vendors, right, I've downloaded the app and press to go, yeah, and teachers are now using it. That's many cases. And there's no documentation of actually what that teacher has done, or what the terms of contract are between both parties. And what these laws are saying in these 11 states as that can no longer happen. You can't just have a teacher going by a free app, and agreeing to those terms of service. Because from a risk profile, the organization is accepting the legal risk of that transaction taking place. And importantly, the organization being the school is then liable for what's happening with that data. Now, if you're ahead at school, or you're the superintendent or whoever you are, you being the head of that organization are ultimately accountable and liable for the decisions when it comes to the contracts that are being made. So you got to get a grip on that. Because in certainly within those 11 States than your organization, it has had to go through in law and evaluation of those vendors when it comes to what is the personal data that's being collected? Where is it going? What is it being used for? Who is it being shared with? How is it being secured, and legally, what protections are in place that that vendor is offering the school that that data will be protected from a cybersecurity breach? You

Christina Lewellen 34:04
just sent heads like through the roof, right? So your your point is that heads of school ultimately responsible for contracts so they can wrap their heads around this from the perspective of the new dining hall vendor or school uniform provider, like that's a contract or lease or whatever it is, but if a teacher or even a tech director is click, click clicking through the Okay. Okay, acknowledge you now have a contract where no money's being exchanged, but like we said, free not free. It's data being exchanged and the heads are ultimately responsible. That's heavy, right? So even if heads are not listening to this and tracking that, certainly tech directors like Hiram you, you're in Virginia. Are you freaking out about this? That you're basically click clicking and now your head of school is responsible for the data of the kids at your school?

Hiram Cuevas 34:56
Yeah, absolutely. And one of the things that I think Tech directors are also experiencing are the changes to the terms of service that are happening frequently. Google, for example, is updating their terms of service in a variety of their application. So photos has now been pushed to 18. And over as an example, Bard is 18. And over so there are certain areas within your workspace that you have to actually sign off and clean to Google that you have made them aware that you are an environment where it's 18, and over for certain ODU, or organizational units, within the workspace, if for those of you who are looking for a great example, to show your faculty and staff if you've ever watched, Jane is awful on Netflix, they have a terms of service components about two minutes in length. And the character essentially is saying, I never saw this. And the attorney says, Yeah, I've never done it until I printed it out. And she prints out the terms of service. And it's this huge stack. And she was like, Yeah, you just scroll through your phone, and you agree to it.

Speaker 1 35:57
One of the other things that I think comes up with this, though business, rapid clicking and, you know, having to realize all these things, where others might not, is I think you have the have the ability and feel like you can say no to certain things. And I think that's often the hard part in terms of what you're dealing with. I was recently in a discussion with a vendor, who we were trying to figure out how we could send data over to them to integrate with them. And it was going to be through an API connection. And they said, Yeah, we just need access to all of the scopes in your API. So they needed access to every piece of data via our API. And I was working with a group in our school to kind of push this through. And I said, I can't agree to this. They're asking for way too much than they actually need to do what it is that they're doing. The vendors response was, Well, we asked for it in the event that we have to pull data for other things, and I put my hands on and I said, There's no way I'm going to give you this because I don't know what you're taking. I don't know what you're doing with it. I don't know how you're storing it. I'm willing to give you x to allow you to accomplish why but I'm not giving you the whole thing. And it was good because it was an excellent exercise for us as a school to understand what our steps were going to be internally, if we weren't willing to give a company what they were asking for. And we saw a need for using the service that the company provided. What were our steps going to be to work around that? Or what direction were we then going to pivot to what was really great about it was the vendors acknowledge that you're right, you know, we're asking for too much. Let's figure out how to pare that down. But if you don't feel that you are empowered, as a tech director to say no, because you've got pressures coming at you from other other ways. It's a sticky place to be in and I think it goes back to what we were talking about before in terms of how do we educate the whole on what all of these risks are so that they understand the reasons for a no, and what you're willing to do to get to yes, but how do you work through all those things?

Christina Lewellen 38:02
Let's stop down on that for just a second. Let me play through that. This is a good example, Bill. Mark, I don't mean to put you on the spot. But like if Bill had signed that and just decided I'm not fighting this fight, the directive is coming from the head, we need this software. If Bill had agreed to just say whole hog. Sure, go ahead API the heck out of this, you can have all my data, where then does the liability and the responsibility lie? Is it the school's problem? Is that the vendor who protects the data at that point?

Mark 38:34
Yeah. So it depends what's in the contract that bill is agreed to between the particular provider ultimately, let's say the worst case happens, the supplier vendor has a cyber attack. And all this data is exposed. So you can go on the dark web Novi society, for example. And you can see when they have attacked the school or school district, who hasn't paid the ransom, they put all the data online. So let's say in this instance, the vendor that bill is agreed to download all this data, they have a cyber attack, and all that information is published online. The students in that school, certainly from a litigation perspective, and their parents in that school, if their data was published online, certainly we'd have claims against the school for damages and could sue the school. And the school in that case, would have limited defense, because they wouldn't be able to say that there was a signed contract or there was they wouldn't go and say there's a due diligence process. First of all, how would you sign contracts for sharing personal data? Oh, we don't allow anyone to do it. Yeah. Okay. Well, you're gonna be sued. You have no defense in that case. The second scenario is you have a due diligence process, but you're not checking the obligations of the vendor back to the school. So do you remember there was a I think in 2001, there was a breach with a blackboard that affected schools globally and many schools who were under the provision of the GDPR. And when these schools looked at their contracts with Blackboard and When no provisions were Blackboard needed to help the school in terms of identifying which people had lost their data to consequently, in law, those schools were in breach of their respective data protection obligations. And they had to notify the regulator in their respective country that they are in breach of the law, because they haven't checked the contract. So in all cases, it is going to come back to the school because the school is the person that's sharing the data. And the providers is going, Hey, you will give me the data. Yeah, we didn't really care about how you check us. Right? Right. A vendor is trying to make their contractual terms less onerous on them, so that the risk is owned by the school, that's part of a commercial negotiation. In Europe and in Canada. Now that changes in law make that basically illegal. If you are a vendor, you need to have these provisions in your contract that makes you as responsible, and that you have a responsibility back to the organization who's sharing that personal data. However, the school itself or the organization needs to have a due diligence process for evaluating the vendors. And they need to understand what is right and what is wrong. So they ultimately still need to make the decision. And importantly, my last point is, the organization who's sharing to the school in this case, needs to only share the minimal dataset that you're sharing more than is required. And that's a problem. And I think what you're going to see, you're going to see certainly more than the supply chain attacks in education. And you're going to have parents and children going, can you explain to me which vendors we have, who you share my personal data with? And how have you evaluated them? Simple question, and you're gonna see nine schools out of 10 going back, no, I can't give that information because we're not doing it. Right.

Christina Lewellen 41:46
And we're seeing that some of the public schools in the States, even though there's really not that connection in that law, to support us the way that it exists in Canada, and in the UK, you know, I think that we're seeing public schools start to do this and track this and vet vendors, but it's tricky, you know, independent schools, not only are the schools smaller than these big districts, but also our community is smaller, so we just don't have as much leverage. So when it comes to I'm hearing this a lot, Bill and Hiram, I know are advocates for this issue. At the end of the day, schools still have to operate, educators have to teach in our schools have to, you know, we have a business to run. And so we're kind of stuck, you know, without the protection of some of these laws, where it does shift some of that onus to the vendors, we can do all the due diligence we want, but at the end of the day, we come back to that issue of teachers clicking okay, okay, okay, without reading, and also, we got to get stuff done, we have to keep the wheels turning. And so where's the middle ground? You know, Bill has the kind of cachet, you know, like social capital to say, I'm not going to sign this, like, we're not going to do this. But what about for a tech director that doesn't have that standing in their schools. The contract

Mark 43:01
review process to look at these vendors is really time consuming, I'm guessing you all know about that is it maybe takes three to four hours per vendor. And that's for us to do it, you know, when we're doing it, and we've got a lot more expertise. So in solving this problem, we've created this vendor management solution. It's called Nine vendor management. And it has pre qualified vendors in it, we review all the terms and conditions. And we've got we have some weight price. When we write to these vendors, we say, your contract or your proofs you notice or your information security policy, whatever it is, has weaknesses in these areas, and it needs to be strengthened. Otherwise, on our platform, every school is good to see that actually, you aren't someone that can be trusted with personal data. However, you take all these steps, and you do this couple other things they have to do, then they recognized they get a certificate from nine as taking a professional approach to data privacy, in education. And they can use that as a way of communicating that they do take a professional approach. If they're on that program, and any school has a problem with them. When it comes to privacy and cybersecurity, the school can complain directly to us, and then we'll take it up with that specific vendor to say it. Now one thing that Alice could do now we've prioritized vendors that we generally know, our schools use in North America may be slightly different in terms of the types of vendors. But if Alice, if you did a questionnaire or your top 30, edtech applications that are in your, in your member schools, right? We will do exactly the same process because each of those 30 Do the term conditions, put them in our vendor management, the ones that are good, will raise her good and the ones who are bad will go don't use these guys because they're not participating. And I think the only way that you're going to change the mentality is one through a law, which is there at a federal level and at a state level. But the primary driver is coming together and go Well actually, you know, if there's other than having independent schools around the US a lot but You can then start highlighting, Alice can start highlighting the vendors that have passed the test, which vendors online and who hasn't. And that's the motivation that you're going to get vendors to want to play ball. And, you know, take time away from the scores and do because if if a vendor can work with us to do their assessment, and that goes out to 4000 schools, 5000 schools, that's 5000 schools who aren't doing it themselves, this one person doing it

Christina Lewellen 45:24
does checking vendors and keeping up with these regulations, is it made more challenging by the fact that it's generally a state by state thing, like we have some states that are, as you mentioned, you listed they're already in the fray and trying to take care of this work and protect our especially our youth or our consumers. And then other states are just not there yet. And we're, you know, we've got some political challenges in this country. So does it make it more tricky that the legislation and the regulation is, you know, that varies pretty significantly.

Mark 45:59
I think conceptually, it's all fundamentally the same. And now what we do is we focus on the highest level, so we focus on there, which states or which country has the highest level of protection, or requirements when it comes to privacy. Because if you're a company, if you're Google, for example, and you want to compete globally, you have to compete in demonstrating that you are compliant with the gold standard. And typically, the gold standard is the GDPR. Now, in the US, when we're evaluating vendors, we work with a number of vendors in the US on their privacy programs. And generically speaking state by state, there isn't a differential and we are evaluating against the GDPR. The only additional requirements are around FERPA and HIPAA. And from experience, so long as we evaluate against our standard framework that we use within nine vendor, then that covers off all of those areas, HIPAA and FERPA are just an addition, they will climate addition, in addition to what the gold standard is, so it isn't necessarily fundamentally changed on a state by state basis, we have a standard process that you would follow. And the requirements locally don't change.

Christina Lewellen 47:14
One more question for you on this topic, if not a regulatory call to action, you actually mark turned me into a student of this idea of the ethical obligation. And you pointed me toward it's UNICEF, right, and they released a manifesto on our obligations as grown people to protect the littles. Can you tell our audience a little bit about that, because even if you're living in a state that doesn't have the regulatory nudge, I have, on occasion spoken to independent school administrators and leaders and brought up this UNICEF call to action. And there's something there because I do think that as grown people making decisions, there is something to be said about protecting our littles until they can make decisions for themselves.

Mark 48:07
Yeah, completely. Like, as adults, we can make our own decisions around where we want our data to go. And we can make decisions around our digital footprint. The ethical argument is obviously that children don't have that choice, we are making decisions for them. So if we're taking photos of them, and posting those photos on the internet, then we are allowing that images to be met by facial recognition technology, that in future when they're an adult, and they publish a photo online of them, and their face is mapped again, that historically, they will be able to track back and see all these different photos of them that have been published on the internet. And that in itself is a privacy implication. We are making decisions around the technology that they use, and in many cases that technology is seeking to influence their behavior. So when it comes to EdTech, yes, there is technology that is designed to enhance the learning experience of that child or enhance the learning velocity of that child. But in other instances, the free ad tech out there may claim to be doing that. But actually, the ad tech out there, the free tickler is seeking to profile that child to use the data to influence their behavior in ways other than are in the educational realm. So ethically, we schools should be taking accountability and responsibility for understanding that actually, they are a key decision points in influencing how that child's digital footprint is going to grow. And actually, what there are controls that they can put in place that will minimize the detriment from a digital perspective of that, that technology now and in the future can have in the child. And that is the ethical argument now Yes, if a teacher wants to use a piece of technology, because it's really going to help their students to learn, that is fantastic. But what are the ethical? What are the safeguarding and child protection issues that is associated with that piece of technology. So if you take scratch, you guys may use Scratch to scratch can be set up two ways. I don't know whether it's changed. Now, if you set up two ways, one where you as a child, you have your like Facebook type wall, where you can put your projects on and share them with your community. Anyone who's a scratch user can get access to that and can communicate with you. Or you can set it up a different way when it's locked down. That first way also allows people who aren't necessarily children who want to communicate with children access to children within your school. Now, you may evaluate that piece of technology and go Well actually, it's really important that the children share their projects, but we're going to tell our children in our class, that if anyone communicates with them who's not in their class or their school, to raise their hand and let the teacher know, otherwise, you've got that risk of grooming associated with that piece of technology. Now, the question I pose to listeners and you guys is within your school, how many pieces of technology are there that allow individuals who aren't in your school to communicate with students in your school? And how are you managing that risk? Because if I was a parent sending my kid to school, obviously me I'm a, no I do this day in day out, I am going to ask you as a score, show me how you managing these risks, because you've got locks on the door and a gate and a security office and security guards to make sure it's not people coming into the school. But how are you digitally protecting my child from these digital risks? Do you even know what those digital risks are?

Hiram Cuevas 51:48
More mark, that's a lot to take in. And it reminds me of a conversation that Bill and I had over 10 years ago, at the laws and laptop Institute, we were discussing his school's use of Evernote, and they were deploying Evernote to his students. And Bill, do you happen to recall what my very first question was to you?

Speaker 1 52:09
It was what are you doing about COPPA compliance for your students? I looked at Hiram or I think we were probably communicating over Twitter at the time. And I was like, What are you talking about? That was the birth of our friendship, because it was really this thing, where we both were interested in using certain tools, looking at the ways in which those tools that those times were providing these level of connections that were beyond what we were currently doing in the schools. But we're going to open potentially open things up. Beyond that, not necessarily with Evernote, in particular in this case, but was going to open these things up. And it really began this journey for me, which is what set me off on this path. With what got me more connected with Hiram is how do we look at things like the Coppa laws that were in place to protect students? And how do we manage those things around those choices. And that was really our deep dive into those privacy policies, those terms of service, because again, not as stringent as what you've got with the GDPR pieces. But there were definitely some guidelines there that you needed to follow and figure those things out. So it makes for a set of guidelines to use to start but definitely needs to be expanded upon.

Mark 53:23
Another interesting area is when I speak to school leaders is a games based learning in edtech. So a lot of subjects have games, because that is a tool that allows you to increase the learning velocity of that child or children by keeping them engaged through awards and whatnot. But the design around edtech is around persuasive design. So the technology that's being used is designed to be persuasive, and to encourage addiction, so that the children use it and then progress through the learning hurdles, or whatever is in that particular game. Evidently, if a child comes into school and every lesson, or three or four lessons of a day, they are playing games or games based learning addictive design based piece of technology, then evidently the school is contributing, and if not amplifying addiction in technology. But without necessarily knowing that because someone's not necessarily looking at the aggregate use of that type of technology across the curriculum at a year group level. And specifically with countries that have brought in changes in data protection oil. And obviously within the US, you've got the American data privacy protection act that may or may not be coming down the line. And as an organization, you have to look at the aggregate impact of the decisions that you're making, when it comes to the potential detriment of the sharing of personal data and the consequences. So games based learning is like a big area that not only from a legal perspective, legal issue, but from an ethical, like a really important ethical area. Like if you're coaching too origin to be addicted to technology because you think it's going to advance their education or contribute towards their learning velocity. So you can show the results back to the parents because the pain the student fees, you're actually the you are causing or potential detriment to them is another ethical area that I think is doesn't necessarily get too much attention when it comes to the discussion around technology in schools.

Christina Lewellen 55:23
If I can, Mark, I'd like to ask you, because some of these questions that you're bringing up are intertwined, right. There's the actual privacy and protection piece. But then there's the ethical questions. Is there a role for accreditation to play? Do you think in trying to address some of these big picture technology questions and ethical questions?

Mark 55:44
Yeah, 100%. I think Independent Schools accreditation is the starting point, I think to influence the behavior of school leadership to pay attention to it because from my experience, I've worked with a lot of American Caribbean schools globally, it's probably the the the leading American Christian schools. And if it ain't an accreditation, regardless to whether it's in local law, it may not necessarily get the emphasis that is required. That's not to say that many school leaders aren't paying attention to the other things that are important. It just adds a different lens and a different spotlight Actually, its importance. So the work that nine has been doing, we work with an organization called Eye Kasia, and they essentially, Christina, how incredible they are, like, they accredit via creditors, or they accredit the leading accreditors. Right? They do. Yep. Independent Counsel or crediting independent schools.

Christina Lewellen 56:40
There you go. I Kisa is basically looking at streamlining accreditation among accrediting bodies. So I think that it's cool that you're involved in those conversations, because this is something that we're not seeing, you know, in ATLIS pushes for it to ATLIS is definitely out there, making sure that accrediting organizations understand that technology needs to be addressed. And if they're struggling with that we can help.

Mark 57:06
Yeah, and our role is to really help the accreditation Commission's understand the implications of changes in law, understand the ethical arguments, and also understand that they are in pole position to really support their member scores in improving standards when it comes to cybersecurity data privacy technology, but they can also bring in the expertise and the resources like working with that this to really help them member schools move forward. So our role is to enable those conversations to happen, and to increase the capability and capacity of an Accreditation Commission to understand what's important and where they can get resources to support their member schools. You know, we have a number of success stories. We have the Council of international schools that we're working with, we've worked with Canadian accredited independent schools. We've done some work with the Southern Association of Independent Schools, Connecticut, there's a whole range of different accreditation commissions that are moving down this journey, more conversations we can have with the Accreditation Commission about why this is important. I think member schools can I ask their Accreditation Commission, how can you help us with cyber and privacy because through ICAO, Asia, the accreditation Commission's have an accountability to help them is a two way relationship. So occasionally report nine in to help their accreditation Commission's but then the school is going to the Accreditation Commission to help us with privacy and cybersecurity. The accreditation committees automatically have a point of access through nine and also through Atlis to get their support to build capability and capacity at the Accreditation Commission level. So if you're listening to this and need some help speak your Accreditation Commission mentioned nine and ATLIS. And then suddenly there'll be a PD program about it.

Christina Lewellen 58:57
I knew there was a reason that we brought you on this podcast.

Hiram Cuevas 59:03
So Mark, I'm eternally grateful for that, because I know this brings it to the forefront then for particular members of our administrative bodies, you know, the heads of school and the CFOs. Once they see the level of importance of it being part of an accreditation visit, they will put this towards the forefront and actually probably pay closer attention to the tech directors that have been talking about this for quite some time. And it just hasn't gotten that traction, that data to have. And I think this is going to be really, really helpful for tech directors. So

Christina Lewellen 59:36
as we start to wrap this up, this is not going to be an easy final question. The question is this, you know, we've covered a lot of ground and it's easy to see why even in the course of this podcast, why technology leaders can feel really overwhelmed in this work, because they probably feel really alone in this work for exactly the reason that Hiram just mentioned. If a school leader is listening to this and wants to start somewhere anywhere? What are those low hanging fruit items that Bill mentioned at the top of our discussion? Where do they start? Because it seems like a really big job for just one person at a school to be responsible for. And what we advocate, of course, is that it's not one person's job. But what do you say when a school comes to you and says, I'm just really overwhelmed? Or we're just overwhelmed? Where do we even begin? Yeah,

Mark 1:00:26
so grave a very difficult question. I think, as a tech leader, and you start investigating these issues, it's like, opening up a fire hydrant right is like a massive jet of water, have loads of information, information overload of the topic. And then supporting that is you have lots of organizations with a corporate agenda, giving you their spin on where to start, because it links to selling their products and services. But it's saying that, you know, I think that a good way to start specifically on a technical so let's say, we're talking about cybersecurity, there's no better start than doing the Tech Academy and a practitioner level, because that is practical, how to do stuff and make us more secure on a data privacy side is slightly more complicated and may require a bit more investment. So we have a data privacy program designed for US schools, that is no nine projects, 86 tasks of things that you need to go and look at. And that is available on a freemium level from about October 17. So you can start on that using that program that gives you context, we also have like a level of risk, what are the common cyber risks facing education based upon the two or 300 cyber vulnerabilities assessments that we're carrying out? Every single year we identify what those risks are, gives you a snapshot of where you are, where I have seen things being successful within tech leaders, is tech leaders at a regional level with ATLIS, you may be we may be doing this, but having like a tech leaders forum, where you come together for a specific afternoon to brainstorm these issues. So we're hosting one in the UAE, with a an American school, actually. And part of that is the starting question is how do we overcome these regulatory requirements when it comes to changes in law and privacy and cybersecurity? When basically, we don't have the skills and capacity to do so. So that is the opening question. And it's, you

Christina Lewellen 1:02:28
know, just a little light starter question to get things rolling.

Mark 1:02:34
Yeah. And that has been supported by a number of case studies, schools, who will then like, get up for 20 minutes and say, This is what I'm doing. And then people going back into breakout sessions.

Christina Lewellen 1:02:44
I mean, that's really the power of the ATLIS community. Absolutely, we, we definitely are having these conversations nonstop. And it sounds like you know exactly what you're doing in your company is what we do in our organization, which is we try to tear the approach to this work being like, Okay, we know you can't do the fire hose all at once. Start with level one. So the ATLIS cybersecurity recommendations are tiered like that, to give schools a chance to just kind of buy a little bit of the apple at a time and see some meaningful progress. Yeah,

Mark 1:03:15
it's quite simply on the cyber issues. As a school, you want to have a level of confidence that you are protected from most cyber threats, you're going to fix that through engineering of your school network, on both devices, and on the physical network, get that done, you're safe and secure, generally speaking, and that's the Tech Academy. On the privacy side, evaluate your vendors view, evaluate your vendors, you'll soon understand the primary privacy risks associated with you as a school. And going, you know, using nine vendor management is one way of doing that. But by going through the exercise, you're going to be able to escalate or present the school leadership that actually these are some core risks that we are facing. And I think moving forward, Christina, and some of the things that we'll be providing outlets is, you know, these are the good vendors. These are these are the bad vendors. Right. And that's going to provoke some conversation. So I think the more that we can work together, the more in our will support tech leaders are members of ATLIS. Absolutely,

Christina Lewellen 1:04:09
Mark, we're so grateful for your time and expertise, we will absolutely let folks know in the show notes how to connect with you how to learn more about your company. And I just want to thank you for your partnership with ATLIS. I think that on rare occasions, we find someone in our vendor community that really understands the thought leadership work that we're trying to do. And while you're a relatively new kid on the block, I don't think that you're going to stay that way for very long. I know you're in very high demand as a speaker in our space and I can see why. So consider this a standing invite. We'd love to have you back to the podcast whenever you're available. And when these trends kind of when you're starting to see little hotspots that are independent school community really needs to pay attention to just consider it an open invite you can come back Back for more pain and suffering on the pod anytime. Amazing.

Mark 1:05:03
It's been an absolute pleasure and Stephanie and so thanks, Christina, Bill in here. It's been fantastic. Really enjoyed it.

Unknown Speaker 1:05:10
Yeah. Thank you so much, Mike. This is great. Thank you.

Christina Lewellen 1:05:13
Thank you, Mark. Appreciate you.

Narrator 1:05:16
This has been talking technology with ATLIS produced by the Association of technology leaders in independent schools. For more information about ATLIS and ATLIS membership, please visit the ATLIS.org If you enjoyed this discussion, please subscribe, leave a review and share this podcast with your colleagues in the independent school community. Thank you for listening.