Over the last twenty years or so as an Educational Technologist, I’ve visited literally thousands of schools and many Multi-Academy Trusts. When I first started, my point of contact was the ICT (Information and Communication Technology) Network Manager. Nowadays, it’s almost always a member of senior leadership. I don’t flatter myself that I’m more important than I used to be. It’s simply that technology in most schools is now integrated into teaching, learning and operations from top to bottom. It’s strategically important.

Of course, with strategic importance comes a sharpened focus, not only on the benefits of technology but on the issues and threats it introduces. Barely a week goes by without a story about the effects of screen time on children or the destruction wreaked by the latest malware. Where once upon a time I could guarantee I’d find an administrator password on a sticky note in the office, initiatives such as Safeguarding and Prevent have ramped up the focus on safety and security in schools.

And yes, senior leaders are nervous. Apart from an unwelcome appearance in the media, if a school’s Safeguarding or Prevent arrangements do not meet requirements, then Ofsted is likely to place it in special measures.

As if that wasn’t enough, against a background of growing threat, hardening sanctions and shrinking budgets, the replacement of the Data Protection Act (DPA) with the EU’s General Data Protection Regulation (GDPR) has in itself created the need for a new role (Data Protection Officer) and widened security horizons that have to be addressed holistically.

Whilst it’s true that the GDPR is bringing more clarity and rigour to the discipline of information security, schools and Trusts may well have more of a mountain to climb than most because they are Data Controllers with sensitive personal data on minors.

However, the main purpose of this post is not to bemoan the plight of schools and Trusts but rather to point out an emergent weakness in this layered process of security hardening. It’s mandatory for schools to designate a member of senior management as a Safeguarding Lead. It’s also mandatory to appoint a Prevent Lead. With the advent of the GDPR, there’s now a DPO as well. To perform these roles effectively requires:

  • An understanding of the relevant regulatory environment
  • Experience of its practical application in schools and Trusts
  • A grasp of the technology landscape across their supply chains

In the good old days (ahem), when I used to roll up to meet the Network Manager, usually I wouldn’t need to speak to anyone else. They were the Kings and Queens of their ICT domains. Perhaps they lacked a strategic perspective on occasion, but at least there was one person who understood every piece of technology in the organisation and the implications of every change that was made.

I’m certainly not advocating a return to the past, but, going forward, I think the increasing regulatory load is already leading to fragmentation in the security chain. In a world where one IoT device can become a gateway for a serious network incursion, it’s easy for knowledge to exist in silos, which lead to Donald Rumsfeld’s infamous unknown unknowns.

My conclusion is that people are usually the weakest link in the security chain and, in this case, the weakness is exacerbated by an approach to safety and security in schools and Trusts that is evolving in silos. I’d simply advocate that domain experts with overlapping interests come together on a regular basis to educate each other and review their mutual challenges. Every school – every organisation – should have a Safety & Security Working Group that aligns and coordinates the work of all stakeholders.