From Defense to Resilience: Where School Cybersecurity Goes Next

William Stein, director of information systems at Metropolitan School District of Mt. Vernon in Indiana, needed just five minutes and $5 to show a group of district administrators the future of cyber threats. He pulled out his phone and cloned his assistant superintendent’s voice, playing a fake message canceling school for the day. The message sounded authentic enough to send a district into chaos.

This demonstration captures how AI is reshaping both sides of the cybersecurity equation.

Across the country, school districts are discovering that surviving the next cyberattack isn’t enough; they need to build systems that can withstand, adapt and emerge stronger from cyber threats.

This shift from reactive management to intentional resilience-building reflects how the field is evolving. Instead of buying better firewalls or updating incident response plans, the leaders driving this change are rethinking how schools govern data, develop their people, collaborate with their communities and harness emerging technology like artificial intelligence.

The Pasadena Independent School District in Texas exemplifies this transformation. When the district used the Cybersecurity Rubric from the Cybersecurity Coalition for Education to conduct a comprehensive self-assessment in May 2023, it wasn’t checking boxes on a compliance form. The rubric measures such factors as leadership, culture, governance and practice to help schools get where they need to be.

“The rubric evaluation showed us clear opportunities for improvement,” says Melissa McCalla, chief technology officer. “We identified areas of focus, and I was able to hire a dedicated cybersecurity administrator.”

The evaluation helped the district prioritize which fixes would have the greatest impact and positioned it to qualify for cyber insurance and grants. Today, cybersecurity is a standing item in Pasadena ISD’s board reports and its cyber insurance costs are down 40 percent.

“Similar to auto insurance discounts for buying a car with anti-lock brakes and airbags, when districts take meaningful steps to reduce cyber risk insurers are more likely to reward them with better coverage and pricing,” says Doug Levin, co-founder and national director of the K12 Security Information eXchange. “Indeed, districts that have not taken these steps may be hard pressed to find any coverage available to them at all.”

Data Governance Takes Center Stage

For years, the conversation centered on firewalls, filters and passwords. But many district technology leaders now believe that the real work begins with data governance — knowing the data you have, where it lives, and when and how it should be destroyed.

“A lot of us are shifting our attention to what to do beyond the incident response plan, which is reactionary,” says Jenn Judkins, technology director for Wayland Public Schools in Massachusetts. “Instead, we’re asking how we can get in front of this and mitigate proactively.”

Judkins calls data governance the bridge between cybersecurity and everyday operations. “We have to classify the data we have,” she says. “Who are the data stewards? Who decides who gets access? Those conversations cost nothing, but they change everything.”

Districts can dramatically reduce risk by purging unnecessary data, such as old student files and outdated staff lists, and aligning access permissions with job roles. This reframes cybersecurity as a shared responsibility, not an IT problem.

Pasadena ISD’s McCalla agrees. “If you’re aware of where your data is and who you’re sharing it with, then you’re playing defense against all who want it. I’d rather have that part in place.”

Roadmap for Readiness

“We don’t have enough trained cyber professionals in K-12, so we need to grow our own,” says Berj Akian, CEO of ClassLink and founder of the cybersecurity coalition. Through Certified Cybersecurity Rubric Evaluator training, more than 500 educators have already become peer evaluators who can help other districts.

Next spring, the coalition will launch Cyber Rubric Sidekick, an AI-enabled chatbot that will coach districts through assessments, offer real-time feedback and help prioritize investments. “It’s the only tool that can do pre- and post-assessments — and it’s free,” says Frankie Jackson, project lead for the rubric.

Some districts are investing in training the next generation. In Indiana, Mt. Vernon MSD opened the Keller Schroeder Cybersecurity Academy this year. The three-year program allows high school students to work in a simulated data center and graduate with industry certifications.

“We built a mini data center that mimics our data center, so they have a safe space to spin virtual machines and attack them safely,” says Sean Grant, the district’s chief information security officer and first-time instructor. “Going forward, everything will be more dependent on cybersecurity.”

Sharing the Burden

Districts don’t have to tackle cybersecurity alone. “Most smaller districts should plan to outsource the majority of their cyber work,” says Michael Flood, an education technology strategist. Managed detection and response providers now offer comprehensive, AI-monitored solutions that can isolate threats within minutes.

Collaboration can also mean sharing infrastructure. Ryan Miles, director of technology for Community High School District 117 in Illinois, is helping feeder schools benefit from its cyber protections. “Why do we have six districts with six [different] camera systems in our neighborhood?” he asks.

Miles is also thinking creatively about funding. With AI companies expanding into his community, he argues that they should help support schools. “If they’re going to pull water and power from the community, we need them to supplement by giving back to K-12. I think we can make a new model of doing business that affects the municipality, the schools, etc.”

When AI Fights AI

As Stein at MSD of Mt. Vernon showed in his demonstration, AI is capable of severe disruption. Attackers are already using AI to create hyper-personalized phishing emails and voice clones that could fool parents, staff and students. But AI-powered defense tools are improving too, spotting unusual behavior and automatically isolating compromised devices before damage spreads.

“Right now, most of what we do is defense; it’s easier to break than to build,” says Tim Tillman, a principal cybersecurity adviser for Identity Automation. “But when AI is doing both sides, we may reach parity. That changes the economics of cybercrime.”

Emerging technologies like passkeys could fundamentally change how schools handle authentication. Instead of students and staff remembering dozens of passwords that can be stolen or guessed, passkeys use biometric data (like fingerprints) or secure device authentication (a chip in your device that proves it’s yours). For schools, this could mean a student logs into their Chromebook with a fingerprint and that same authentication works for Google Classroom, the school information system and curricular software.

Meanwhile, “zero trust” security models are becoming the new standard for school networks. The concept is simple: Trust no one and verify everything. This means a teacher accessing student records from the faculty lounge gets re-authenticated and a student trying to access administrative systems from a classroom computer gets blocked automatically. Instead of assuming everyone inside the school network is safe, zero trust grants access only when needed and monitors every interaction.
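The decision logic behind those two cases, sketched as an added example (not code from any district or vendor named in this article). The roles, resource names, re-authentication windows and managed-device flag are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: (role, resource) -> maximum age in seconds of the last
# authentication. Any pair that is not listed is denied by default.
POLICY = {
    ("teacher", "student_records"): 15 * 60,
    ("teacher", "classroom_lms"): 8 * 3600,
    ("student", "classroom_lms"): 8 * 3600,
    ("it_admin", "admin_console"): 5 * 60,
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    auth_age_s: int          # seconds since the user last proved identity
    device_managed: bool     # district-enrolled device (assumed posture signal)
    on_school_network: bool  # logged only; never used to grant access

AUDIT_LOG = []  # every decision is recorded, allowed or not

def decide(req: Request) -> str:
    """Return 'allow', 'reauthenticate' or 'deny' for a single request."""
    max_age = POLICY.get((req.role, req.resource))
    if max_age is None:
        verdict = "deny"            # role has no business with this resource
    elif not req.device_managed:
        verdict = "deny"            # unknown device, even for a valid role
    elif req.auth_age_s > max_age:
        verdict = "reauthenticate"  # valid role, but the session is stale
    else:
        verdict = "allow"
    AUDIT_LOG.append((req.user, req.resource, req.on_school_network, verdict))
    return verdict

def run_examples() -> list:
    """The article's two scenarios plus one fresh off-campus session (constructed)."""
    return [
        decide(Request("teacher01", "teacher", "student_records", 3600, True, True)),
        decide(Request("student01", "student", "admin_console", 60, True, True)),
        decide(Request("teacher01", "teacher", "student_records", 120, True, False)),
    ]

if __name__ == "__main__":
    print(run_examples())
```

Being on the school network changes nothing in the verdict: the teacher with a fresh login is allowed from off campus, while the one in the faculty lounge with an hour-old session must sign in again.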

Some districts are already piloting passkey systems for staff, and edtech providers are building zero-trust principles into their platforms. The question is how quickly districts can adapt to use them effectively.

The future of K-12 cybersecurity will depend on districts weaving governance, training, automation and collaboration into the fabric of school operations.

As Pasadena ISD shows, even modest steps can lead to lasting resilience and cost savings. The challenge now is making those practices routine, so that when the next attack comes, schools are ready.