Gotta Have Grace

By Melissa Tebbenkamp, Director of Instructional Technology, Raytown Quality Schools


Leadership is hard. There are days that it comes with great reward, and others where it stretches you beyond what you thought were your limits . . . and sometimes, leadership helps you find yourself. 

 

COVID, however, took leadership to a whole new level. This pandemic has affected us all personally in some way. There are new struggles with our own virtual learners at home, sickness in our families, growing debate amongst those closest to us, and the impact of a sudden change to how we live our lives. Sometimes we get so wrapped up in our own world that it’s hard to remember that everyone around us has also been impacted by the pandemic. 

 

As leaders, we are called upon to be the rock and guiding light in times of crisis. It can feel like those around us forget that we are also personally impacted. My team feels this as well, as IT is expected to work without flaw so that teaching and learning, and business operations, can happen. Our community and staff forget that there are humans behind every support provided by the IT team. 

 

When things get rough, it feels like we are expected to be perfect. But, that is far from realistic. When people are in crisis, when they are overwhelmed, overburdened and unsure of their world, they make mistakes. We all make mistakes, even on our good days, but particularly when our world is abruptly disrupted. 

 

So how do we, as leaders, support our team and district during these times of uncertainty? How do we balance the district’s need for the IT team to come to the rescue, while realizing that our team consists of people who are experiencing all the emotion and personal stress of the crisis while striving to meet all the new challenges? . . . . Grace

 

Grace . . . for your team and for each individual person on your team as they strive to support technology in a way that is so far removed from what they knew before. Grace for your team who in many cases are supporting way more than before, who are drowning with no light to be seen. Grace for your team who feel guilty that they cannot accomplish all that is needed from them. Grace for your team who are facing new challenges in a world that is frequently changing, in some cases daily.

 

Grace . . . for your district’s staff and leadership as they strive to provide the best education possible for students in this time of crisis. Grace for administrators who are trying to create a new way of learning that they had never considered before. Grace for administrators who are taking the daily calls from parents and so desperately trying to serve the disengaged students. Grace for the administrators who feel the burden of making big decisions that have tremendous impact on students and knowing that no matter what they decide, some will be upset and many will question the choice.

 

Grace . . . for the teachers who are trying their best to learn so many new tools and strategies so that they can provide some sense of normalcy for their students. Grace for the teachers who are torn between being scared for their health (and the health of their family) and their desire to comfort their students. Grace for the teacher who struggles to engage every student and worries about those they are not reaching. Grace for the teachers who really want to do their best, but are stretched thin as well.

 

Grace . . . for your vendors and partners who are trying to provide what their districts need in a time where the supply chain is disrupted. Grace for your vendors who are also human and dealing with this very real crisis. Grace for your vendors who have so much outside of their control and are just doing the best they can to meet your needs.

 

And most importantly . . . 

 

Grace . . . for yourself as a person, for yourself as a leader and for yourself as a member of the team as you lead your team and district through the ever-changing unknown. Grace for yourself, who wears so many hats and tries to keep it all together. Grace for yourself, who sacrificed so much of your personal and family time to make remote learning a success. Grace for yourself as you try to take it all on and be wildly successful. Grace for yourself when you fail, when you have to start over and when plans change. Grace for yourself when you reach your breaking point and feel like you just . can’t . go . any . further. 

 

We so often set such high expectations of ourselves and take the criticism, veiled cries for help, and new emergencies (like we didn’t already have enough) personally. We internalize all that is going on and make it our personal mission for everything to be successful. We look outside our area of control and take the failures of others as our own. We are leaders and we care so deeply.

 

But, at what cost? It doesn’t matter how much we care if we have nothing left to give. We must focus on our own personal wellbeing before we can take care of others. It’s like flight attendants say; in the event of a crisis, put on your mask first before helping others. We must first give ourselves grace before we can extend it to others. We must first allow ourselves to feel and react and fail and be ok with where we are at and where we are going. We must accept ourselves as imperfect before we can be the leaders our team and students need us to be.

 

Give yourself a break, you are human. And, when it all seems too much, take a break. I know it sounds counterproductive, but it was the best advice I have been given as a leader. You will continue to spin out of control if you do not stop to regroup and approach your situation refreshed. It could be as simple as making sure you take a completely detached lunch, or a day off, or even just a fun evening with the family. When you feel the stress the most, take a break, give yourself grace and then be the leader you are driven to be.

 

‘Cause I gotta have grace

I gotta’ have grace

Because I gotta have grace, grace, grace

I got to have grace, grace, grace 

Evolution of Physical and Cyber Security in My District

by Kevin Richmiller – Director of Technology – City of St. Charles School District

This is a brief recount of how physical and cyber security has evolved in the City of St. Charles School District over the last eight years, and how physical security moved from being managed by the Facilities Department to mostly managed by the Technology Department. 

I started as Director of Technology for the City of St. Charles School District in July of 2012.  At that time all physical security was handled by the Facilities Department and cyber security by the Technology Department.  The district firewall was a very basic stateful inspection firewall that only actively looked at traffic on ports 80 and 8080.  We had two vlans, voice and data. We had five security cameras per building, and the exterior doors were left unlocked all day.  

That year we began talks of making our buildings more secure.  On December 13th, 2012, the board approved adding an Aiphone door buzzer system to every building so we could lock our exterior doors during the school day.  That next morning Sandy Hook happened which shook the entire school community.  The Aiphone project was fast tracked from a two month timeframe to a two week timeframe for installation.  Because this system involved cabling and wires, physical security slowly started shifting from being Facilities managed to Technology managed. 

That spring (2013) we began planning a bond issue for the following spring.  On the bond we added door access control and expanded our camera system from 75 cameras district-wide to 550 cameras.  Door access control and added cameras put physical security almost completely into the hands of the Technology Department.  The main thing the Facilities Department continued to manage was physical keys which most staff no longer required because of the access badges.  

During the last five or six years, we upgraded our firewall to a next-generation firewall, and we now monitor all ports, not just basic internet ports.  We also segmented as much out into separate vlans as possible.  This was a necessity as we discovered our outdated firewall could not keep up with growing demand, and outside entities were attempting to flood our network with DDoS attacks.  

As more and more products became web-based and the education field became apparent low hanging fruit for hackers, our district began yearly mandatory security awareness training for all staff and simulated phishing attacks to help staff identify phishing emails. The simulated phishing attack in our district that is most talked about, even three years later, is a phish around November appearing to be from Costco telling everyone they received a free turkey from the district for being such outstanding employees.  All they had to do was simply click the link below to claim their free turkey coupon.  That phishing attempt resulted in a 25% fail; apparently, our staff didn’t know our CFO as well as I do. 

With so many products now online and a need to ensure student and data privacy, two years ago our district began using a product called Education Frameworks.  This program does an initial review of a site’s privacy policy and provides a data privacy score.  We then review the score and make final determinations on if the site is safe for teachers and students to use in our district.  We were spending a tremendous amount of time going through privacy policies trying to determine if a site is safe for student usage.  Education Frameworks helps reduce our man hours spent on going through online privacy policies.    

Technology has changed rapidly these past eight years.  We have to be able to adapt and change with it or risk being left behind, both from a physical and cyber security standpoint.  Our district has made tremendous changes in the last eight years and more and more things keep falling into the responsibility of our Technology Department.  I believe most technology departments in education have seen the same or similar transformations over the last 10 years.

Increase Technology Integration in a Pandemic

by Rich Wilson – Director of Technology – Francis Howell School District

School districts across the U.S. quickly shifted gears from in-person face-to-face learning to a remote learning environment during the COVID-19 pandemic. We all became very familiar with new terms, such as social distancing, community spread, droplets, flattening the curve, and alternate methods of instruction (AMI). In addition, terms such as Zooming, Google Hangouts, e-learning, digital citizenship that are familiar to us, as technology leaders became common vernacular for our administrators, teachers, students, and families. Along with these new terms for our districts and communities came a quick learning curve around such digital tools.

In my district, we have a variety of subscriptions to software and online resources. Yet we did not universally utilize many of those resources we paid for or promoted. The reasons varied from lack of interest to learn, hesitancy or no desire to learn, and not having time to learn. Many in my district lamented the fact there was not time to learn, nor felt as though they needed to be trained first before using. As “tech people”, we have learned many of our skills by doing. I like to say, contrary to popular belief, I did not have a college course to learn Adobe Acrobat, Excel, or pick any software package. We have learned through our experiences by exploring and out of necessity to learn a system as part of our desire to learn more and our work responsibilities.

During our school closures, hundreds of our faculty and staff learned not only what Zoom was, but also how to use it. As we allowed Zoom and other resources, our teachers rose to the occasion with some guidance and learned in a very short period of time how to effectively use Zoom and other online resources. The need and desire of our teachers to serve and connect with their students and classes was the driving force. Most learned on the fly (with some instructional videos and guides) how to video conference with their students and classes to continue teaching and learning during the pandemic closure. One day during the closure, I was at a school for device and hotspot distribution. I listened in as a group of teachers, paras, and staff were trading Zoom tips and tricks. Most said they had not ever heard of this Zoom thing just until a couple of weeks ago.” I was ecstatic to hear about their successes in learning and the collaboration around their new learning.

Through this experience, folks in my district and community have a deeper desire to learn more about technology and how it can be leveraged to enhance both teaching and learning. Moreover, with the increased level of implementing digital resources during AMI, I have witnessed a higher confidence level around learning new technology skills in our faculty and staff. No longer can we see technology as a tool to implement if one wants to, but many more see technology resources as an integral part of teaching and learning of our students. Through the years, we have preached this message. Now more members our districts and community are seeing this need and are more receptive than ever to the message. Now is our time to shine even brighter to further advance technology integration in our districts for the betterment of our staff and students.

IoT is Everywhere

by Melissa Tebbenkamp – Director of Instructional Technology – Raytown Quality Schools

As I ponder recent conversations I’ve had around data and cybersecurity, I can’t help but recall several energy-driven discussions on the Internet of Things (IoT). These discussions revolve around several key questions: What really is IoT? Why does it matter? How is IoT used in education? And, is IoT really a risk?

When schools think about the Internet of Things (IoT), many think about a teacher using a digital assistant, laptops or maybe even cell phones.  It is true that IoT includes personal devices and items around our homes, such as video doorbells, home automation, networked thermostats, smart televisions, and now even my blender, but it is so much more than these personal devices. 

In school, IoT devices are everywhere and can include student learning and assistive devices, glucose monitoring devices, security cameras, access control doors, networked HVAC and lighting control, vending machines, freezer/refrigerator monitors, and projectors, just to name a few. When overlooked, they can lead to network and data privacy vulnerabilities. If not managed properly, these networked devices can open a door to your network that may allow a malicious person to leverage them for a DDOS attack or mine your network and servers for valuable data. An example can be found in the EdScoop article Ransomware used HVAC to infect Michigan K-12 district.

The requests for IoT on our networks are not slowing down. Advances in technology make these devices easier to deploy, which at times, makes them harder to manage. There is hope, by following a few best practices, you can minimize your risk and begin embracing the devices that help to make the business of education more effective and impactful.

 

  • Adopt a data security framework that includes these five steps: Identify, Protect, Detect, Respond, Recover. For risk mitigation, your focus should be on the first 3 steps. 
    • Have a procurement process in place that requires someone to evaluate all devices that attach to the network prior to purchase and installation. Knowing what is on your network is critical, evaluating the devices before purchase is even better.
    • Protecting your network from IoT devices can be as much of an art as it is process-related. Know your network and determine the best path for your system.
      • Segment IoT devices on their own virtual network so they cannot communicate in your production (computing, servers, etc) environments.
      • Ensure that new or stray devices cannot connect to your production environments. 
      • Change the password on all IoT devices from the manufacturer default. If the device does not allow a root password, do not allow it on your network or isolate it so that it cannot be reached from other devices.
      • Stay current on software and firmware updates. If the manufacturer does not release firmware updates, you may want to question their security practices and how the device is connected to the network to determine your level of risk. 
    • Ensure you have the correct tools to detect “rogue” devices or services on your network. This may include network monitoring to alert to new traffic as well as reviewing log files. If you know your “normal” network traffic, it is much easier to identify a new device and/or abnormal traffic.
  • Explore Cyber Malpractice insurance and ask your vendors what coverage they offer if their device is compromised on your network.
  • Note that consumer devices are just that, intended for consumers, not institutions. Check the terms of service and privacy policy to see if commercial/educational use is allowed and what protections they offer.
  • Check for privacy concerns. Determine what data a device is collecting and if it could potentially cause an exposure of biometric, PII or FERPA data.
  • If the device allows or requires a vendor to connect to your network, be sure to secure that connection and ensure that they can only access the necessary equipment/systems to manage the device.
  • Manage staff, student and vendor personal devices separately. These may include smart/fitness watches, voice assistants on phones and glucose monitoring devices. School systems should have a policy and procedure around these devices and limit the level of access they have on the network.

To help educational leaders navigate this complex challenge, the Consortium for School Networking (CoSN) recently released a guide on Securing IoT Devices on School Networks that discusses these practices as part of their cybersecurity initiative. More information can be found at https://cosn.org/cybersecurity

 

About the author: Melissa Tebbenkamp has served as the director of Instructional Technology for Raytown Quality Schools since 2006.  Raytown Quality Schools is a tier one suburb of Kansas City, Mo. and educates 9,000 students a year. Melissa is a CoSN national Board member, a founding member and chair-elect of CoSN’s Missouri state chapter and was one of the first people in the U.S. to attain certification as a Certified Education Technology Leader. She also led the Raytown Quality Schools (Missouri) to becoming one of the first cohort to receive the CoSN Trusted Learning Environment Seal.

Things That Keep Me Up At Night

by Rob Landers, Director of Technology – School District of Washington

As I thought about what to do for my editorials, the most obvious things I could think of were topics that bugged me. Things that I had problems with. Things that don’t work the way they should, etc… But I didn’t want this to devolve into a complaint-fueled tirade every time it was my turn to speak. However, from an Ed Tech leadership position, there are numerous things that I deal with on a regular basis that cause me a great deal of concern, and I’m not necessarily sure how to address them. For my part, I’ll be discussing a few of these concerns with you all as we move forward. My goal is not to add to your headaches or worries but instead to spark conversations about how we can address these issues that we, likely, all have in common.

Having said all that, this month’s topic doesn’t really keep me up at night. It does, however, cause me a great deal of concern about how well we are preparing our students for the future. You see, in Washington, we have gone 1:1 in grades 3-12 with Chromebooks. Students are quite adept with these devices and have mastered the use of Google Drive, and, by most accounts, these devices serve our purposes quite well. But something happened a while back: our Network Administrator, whose daughter is in high school, was using one of the Windows PC’s in the library and couldn’t figure out how to save something so that she could get to it later. When her dad suggested using her H:\ drive, he was met with silence on the other end. Turns out, she had no idea what a Home drive was (or what any other network drive was, for that matter). And that’s coming from a child whose father is a “computer guy.” So I started asking my daughter (also a high schooler) what she knew about network drives and use of a Windows-based PC in general. The answers were pretty much the same. This is what got me thinking. If kids whose parents are very tech savvy, or work in the technology field, have little to no understanding of Windows PC’s then what do other kids know? Intuition tells me that they would know even less. And what happens when we send our “21st Century Learners” (a term which I despise, by the way….) out into the workforce and they are put in front of a Windows PC to do their work? Will they know what to do? The employer is certainly expecting them to know. I mean, this young person has just spent the last decade using a “computer” for most of their work on a daily basis. How could they not know what to do when faced with one of Mr. Gates’ finest creations?

The fact of the matter is that all “computers” are not created equal. There are major differences between systems and differences in how the user interacts with the device. For example, one of the biggest issues I’ve run across when a Chromebook user is on a Windows device is the concept of saving your work. Chromebook kids just don’t do it. They don’t know to do it. They haven’t been conditioned to do it like we were. Google just does it for them. It seems like a small thing, but when a student is standing in front of you, tears welling in their eyes, because they lost half of the paper they just spent an hour typing, it’s no longer just a small thing. In fact, it’s a pretty big thing to them. Now imagine if that was the sales projection data that the CEO wanted on her desk five minutes ago…definitely not a small thing at that point. And I’m sure that Mac districts have struggled with this, to a certain degree, for years. Sorry, but it’s a new situation to me, and I truly believe the difference between Mac and PC is less than the difference between Chromebook and PC. So I feel like we’re in a bigger hole now than in the past.

So what do we do?

Seriously, I’m asking you the question.

I don’t think there is an easy answer. If you’re like us, you’ve probably removed all of your computer labs from your buildings, and removed Computer Classes from your elective rotations. So now we’re really in a pickle.

We are just now starting to formulate a plan to attack this situation. Fortunately, we do have a very robust VDI system here in Washington. We believe we can leverage that system to help mitigate the situation. The idea is that we will develop a list of “Windows Competencies” (™ and © pending…) and then will work with our curriculum coordinators to embed these competencies into our existing curriculum where it makes sense. Then, in the course of those curricular lessons, teachers will have their students access the VDI (which presents as a Windows 10 desktop) so that they can learn to master those skills. Will it work? That is yet to be seen.

As I mentioned, we are early in the process and are still trying to identify the Windows Competencies on which we will be focusing. It’s not much at this point, but it is a plan. And having a plan is a great start. Maybe that’s why it doesn’t keep me up at night. Or maybe it’s all the bourbon.

 

The Pursuit of Certifications

Over the years, I’ve pursued a number of certifications, some successfully and some not. They have all been beneficial to me in varying degrees depending on the current challenges I’m facing. For me, obtaining a certification was not just to add a few more letters behind my title but was an endpoint to a journey of professional development. Even if I didn’t reach the goal of obtaining the official certification, I learned very valuable information along the way that made me a better IT leader. In the following, I’ll talk a little about a few of the certifications I an successfully and unsuccessfully pursued.

CISSP – Certified Information Systems Security ProfessionalISC2

This was one of the first certifications that I completed. It is often described as “an inch deep and a mile wide.” It is a great starting point for someone interested in information security. The knowledge base for the CISSP covers everything from types of encryption to physical security. 

I’ve found the CISSP to be very helpful. In K-12 we wear a large number of hats and support a variety of needs. The broad scope of the CISSP provides the foundation knowledge to help you with those various needs. I spent one year studying for the old, written version of the test which was 6 hours and 250 questions. They now have a shorter, computer adaptive test.

The CISSP is offered through ISC2. To qualify for the CISSP, you must have at least five years of cumulative, paid full-time work experience in two or more of the eight domains. To pass the test, you are given a maximum of three hours to complete the 100 to 150 items in the CISSP computer adaptive exam. After passing the test, you must get endorsed by a current CISSP. Feel free to reach out to me if you are in need of an endorsement. Similar to most of the certifications below, you must complete 120 CPEs over 3 years to remain in good standing. There is a fee for taking the test and an annual maintenance fee every year after passing the exam. 

There are a large number of resources available you can use to prepare for the CISSP. You will find plenty of books on Amazon. The actual ISC2 CBK for the CISSP is an extremely dry read and challenging to get through. SANS has some boot camps periodically in the region. MOREnet has also recently rolled out their “Professionally Evil CISSP Mentorship Program.”

CETL – Certified Educational Technology LeaderCoSN

The CETL is a certification that I have repeatedly started but not completed. In the very early CETL days, I participated in the CETL field test. I passed the Part 1 multiple choice section of the test but did not pass the Part 2 essay section of the test. For me, the CETL remains on my to-do list. 

The CETL is important because it represents that an individual has the knowledge and mastery to lead a K-12 EdTech environment. The CETL recognizes that most of us have come from either a technical or curricular background and the need to have a balanced understanding of both sides. 

The best part of studying for the CETL is that it directly applies to the day-to-day work we do. It will make you a better K-12 EdTech leader even if you don’t take, or in my case, pass the test. There are numerous resources available to study for the CETL. Missouri and METL also have a large number of mentors available to guide someone in the journey to the CETL. Below are some currently available resources:

The METL board is working to put together a CETL Cohort. Please feel free to reach out to us if you are interested in pursuing the CETL.  

CEH – Certified Ethical HackerEC-Council 

CEH is by far the coolest sounding certification. This is probably why I have never completed the CEH. CEH is a more technical certification, covering areas outside my strengths. I’ve taken a CEH course and read a test prep book. I still haven’t reached a level of comfort with the content to give me the confidence to take the test. It is a more hands on certification covering the foundational knowledge required to be a white hat hacker. In my opinion, having experience with command line, basic programming, and networking are important when looking at the CEH. I’ve learned a lot of good information, techniques, and tools in my pursuit of the CEH.

The CEH is provided by the EC-Council. The test is 125 questions over 4 hours. Similar to the CISSP there are continuing education credits, 120 over 3 years. The test covers six tasks and seven knowledge domains.

Tasks: 

  1. System Development & Management
  2. System Analysis & Audits 
  3. Security Testing/Vulnerabilities
  4. Reporting
  5. Mitigation
  6. Ethics 

Knowledge:

  1. Background
  2. Analysis/Assessment
  3. Security
  4. Tools/Systems/Programs
  5. Procedures/Methodology
  6. Regulation/Policy
  7. Ethics

If you want to see how you might do on the CEH, the EC-Council does have an online assessment. While I don’t know if I will ever complete the CEH, I would be ecstatic to have a staff member with the CEH knowledge and skills helping protect our environment. 

ITIL – IT Infrastructure LibraryAXELOS

I am proud to say that I am a certified ITIL Expert v3. The first METL CTO Clinic I attended I met a couple of colleagues that were going to take an ITIL Foundation course. Not knowing anything about ITIL, I thought it would be a good chance to continue to collaborate with these individuals. At the end of that course, I not only understood ITIL but had a new way to look at our approach to IT. ITIL is a set of best practices built around IT Service Management (ITSM). It provides structure around the entire lifecycle of delivering a service to an end user. 

The current version of ITIL is ITIL 4. There are 4 progressive certifications for the current version: 

  • Foundation
  • ITIL 4 Managing Professional
  • ITIL 4 Strategic Leader
  • Master

I don’t recommend getting all the ITIL certifications, unless that is your professional goal. I do recommend that any person of leadership in your IT organization take an ITIL Foundation course and attempt to take the test. The Foundation course introduces you to the ITIL vocabulary and builds the basic understanding needed for an organization to start moving towards these best practices. All of my ITIL work was done through Centriq in a boot camp to certification test type structure. In case you are wondering, I did not pass ALL my ITIL certification tests the first time. 

CISM – Certified Information Security ManagerISACA

A friend of mine, in commercial IT, recently asked me if I would be interested in studying for the CISM with him. I’m just starting to learn more about the CISM. It is a certification on my roadmap for the future. As information security becomes a larger issue for school districts, I feel the knowledge gained through the CISM will help me better support our community. 

Conclusion

Certifications do not mean an individual is good at their job or as a leader. At a minimum, it means the individual acquired a scope of information long enough to pass an evaluation of some sort. I like to use certifications as a way to push my own professional learning. I’m successful if at the end of the journey I’m better able to support my community, not if I have a few more letters behind my name.

Thank you,
Jason Rooks, CIO, CISSP, ITIL, MBA…