Elizabeth “Betsy” Corcoran, Co-founder and CEO | EdSurge Research
School districts across the United States are shifting their approach to cybersecurity, moving from a reactive stance to building resilient systems that can withstand and recover from cyber threats. This evolution is partly driven by advances in artificial intelligence (AI), which is being used both to launch sophisticated attacks and to bolster defenses.
A recent demonstration by William Stein, director of information systems at Metropolitan School District of Mt. Vernon in Indiana, highlighted the power of AI-based threats. In just five minutes and for $5, he used his phone to clone his assistant superintendent’s voice and played a convincing fake message canceling school for the day. The ease with which such disruptions can be created has prompted schools to reconsider their security strategies.
Districts like Pasadena Independent School District (ISD) in Texas are adopting comprehensive frameworks such as the Cybersecurity Rubric from the Cybersecurity Coalition for Education. This tool evaluates factors including leadership, culture, governance, and practice. “The rubric evaluation showed us clear opportunities for improvement,” said Melissa McCalla, chief technology officer at Pasadena ISD. “We identified areas of focus, and I was able to hire a dedicated cybersecurity administrator.” Following this assessment, Pasadena ISD prioritized impactful changes that qualified it for cyber insurance and grants; its cyber insurance costs have dropped by 40 percent.
Doug Levin, co-founder and national director of the K12 Security Information eXchange, noted: “Similar to auto insurance discounts for buying a car with anti-lock brakes and airbags, when districts take meaningful steps to reduce cyber risk insurers are more likely to reward them with better coverage and pricing. Indeed, districts that have not taken these steps may be hard pressed to find any coverage available to them at all.”
Many technology leaders now view data governance as fundamental. Jenn Judkins, technology director for Wayland Public Schools in Massachusetts, emphasized proactive measures: “A lot of us are shifting our attention to what to do beyond the incident response plan, which is reactionary,” she said. “Instead, we’re asking how we can get in front of this and mitigate proactively.” She added: “We have to classify the data we have. Who are the data stewards? Who decides who gets access? Those conversations cost nothing, but they change everything.”
Purging outdated data and aligning permissions with job roles help reduce risk significantly while framing cybersecurity as a shared responsibility rather than solely an IT issue.
Developing internal expertise remains a challenge due to a shortage of trained professionals in K-12 education. Berj Akian, CEO of ClassLink and founder of the cybersecurity coalition explained that over 500 educators have become peer evaluators through Certified Cybersecurity Rubric Evaluator training programs. Next spring will see the launch of Cyber Rubric Sidekick—an AI-enabled chatbot designed to guide districts through assessments free of charge—as described by project lead Frankie Jackson.
Some districts invest directly in workforce development; Mt. Vernon MSD recently opened the Keller Schroeder Cybersecurity Academy where high school students gain hands-on experience managing simulated data centers.
Smaller districts often rely on external providers for managed detection and response services powered by AI that quickly isolate threats. Collaboration also extends into infrastructure sharing among neighboring schools or advocating for local businesses benefiting from community resources—like water or power—to support educational initiatives financially.
AI tools play roles on both sides: attackers use them for crafting personalized phishing campaigns or voice clones while defenders deploy AI-driven solutions capable of detecting abnormal behavior or isolating compromised devices automatically.
Tim Tillman from Identity Automation observed: “Right now, most of what we do is defense; it’s easier to break than to build,” adding: “But when AI is doing both sides, we may reach parity. That changes the economics of cybercrime.”
Emerging technologies such as passkeys—which use biometric authentication instead of passwords—and zero trust models are beginning implementation across some schools’ networks and platforms.
The future trajectory depends on integrating governance practices, ongoing training efforts, automation technologies like AI-powered monitoring tools and collaborative partnerships into routine operations so schools can remain prepared against evolving threats.
Alerts Sign-up