School Security Insights: Project Planning and Implementation
Note: This Q&A was coordinated and written by Preferred Technologies, LLC
Have you ever gotten “Google Overload”? Have you ever searched for a symptom and found out that you’re dying of a real disease? If you’ve ever tried searching online for advice on security planning, your experience was most similar. The best advice always comes directly from industry professionals. Two K-12 security experts were asked to give advice on starting a security plan from the ground up.
We talked to Chris Montgomery, who is the Network Services Manager for Tomball, Texas ISD and has been with the school district for more than 26 years, along with Troy Neal, currently the Executive Director of Cybersecurity and Operations for Spring Branch, Texas ISD. Neal has worked as a cybersecurity professional in the K-12 school sector for more than 13 years.
If a new school district approached you, how would you advise them on the best way to start a security program?
Chris Montgomery: “You need a scope. Realize that you are not a security professional and that you will need help to develop a comprehensive security program. Reach out to other local school districts and ask about systems and partners. Reach out to your local law enforcement as they often have resources dedicated to helping develop these programs. Reach out to the other departments and your administration to ensure cohesion and integration with the different parts and systems in the plan. A good partner will help you determine your technology needs, such as camera types, video storage, switching ports, and bandwidth requirements. A good partner will also assist with knowledge of any federal/state money that can be used to implement your plans.”
Troy Neal: “You have to have a philosophy first. Take physical security and cameras in general. What are you trying to solve? Is it just building security? Physical security, technology, academics, and operations all have to be on the same page and discuss it together versus one person making all the decisions. That’s where a lot of failures happen between academics and technology. We should be true partners. From there, then, what’s your strategy? How do you want to get there? What are your long-term costs? Can you scale it? Can you manage it? Who’s going to own it? The biggest problem we have in technology alone is, “Who owns it?” If somebody doesn’t own it, it’s always going to fail. Who’s your executive sponsor? It’s true project management from the start. All of our projects are done by a project charter. Bring in industry experts. Talk to other school districts and find out what they do. Find out what fits the organization and then plan where you want to go with it. Size means a lot. Run it like an enterprise. From a technology and security standpoint, you’re never in the way of things. And I think that’s where it starts.”
The best place to start a security program is to seek out help from others for planning. This can mean professionals from other districts, security integrators as well as academics, and IT from within the district. All parties involved should be on the same page and meet regularly to ensure the security program is meeting the needs of everyone. The next step is working within the budget. Funding for K-12 is limited, so accounting for needs versus wants also requires the help of everyone at the table.If money were no object, how would you build out your security plan and in what order would you implement it?
Montgomery: “Develop a thorough scope that will solve your security needs. Choose a partner that understands your needs and has resources available to assist you. Determine which systems you will use to solve your needs and build an infrastructure that will support them now and in the future.”
Neal: You’ve got to look at local policy and legal policy because we have to follow all of that. You have state laws and federal laws. You have to figure out those parameters first. What are your basics? Cameras, you want to be able to see who comes in and out. You want people to badge in and out. Fire alarms, all the mandatory stuff. Then, how do you start tying in other things? The problem in K-12 is that there are certain systems we have to use, whether we like them or not. And some of those are not built to an enterprise standard. They don’t develop it, they don’t have the life cycle and so you’re dealing with some of this great-looking software, but you can’t get data out of it. You can’t move data. Data drives everything; same with security. The more data points I have, the better holistic view I have of the organization. Our biggest challenge in K-12 is money. Especially with so much of this cloud-based software. We are not funded to pay for that. The subscription-based software is the hardest thing for me to pay for because that comes from general funds. In schools, 85% of your budget is spent on salaries. It’s people which are the most important piece of education. How do you find those mechanisms?”
The first step to building a security plan is to figure out the scope of your project. Then verify the legal requirements. Next, move to planning for the basics like cameras, access control and fire alarms. Make decisions now that will solve your current needs, but also continue to work in the future without compromising your philosophy.
What changes have you seen over the last few years after security upgrades and integration?
Montgomery: “The number of resources used by our security devices (storage, bandwidth) has increased greatly on a scale that we have found ourselves unprepared for.”
Neal: “A lot of security software has gone cloud-based and subscription-based. This is where schools are really struggling. The way our budget cycles and planning is, we start budget conversations in October for the next school year. The biggest problem is the cloud part of it. Second, is the complexity of the software. You need a certain level of talent to get people to be able to own it and manage it. If you don’t have a philosophy or roadmap, someone is going to want this shiny object. Then it’s this next siloed system that you've got to manage and maintain. So, you start building out these cool things, but then they become despaired again. Ideally, there would be a holistic integrated kind of system from the start. You have to have a different model for us to pay for things, especially in regard to the licensing for K-12.”
“In regard to changes in physical security, a lot has helped because a lot of it now talks together. The hurt is, they still don’t have industry standards. Just like we update standards in education and in the world, you’ve got to have very basic standards that things talk to one another. Especially in physical security, things don’t talk to each other by design, and that’s a problem. We need industry standards that force organizations and companies to say, “look you need to be able to talk based on this protocol.” So, then I can take this information and use it in another system. Going back to data and physical security, the most important part is protecting the entrance of a building and ensuring there is no unwanted person or thing coming through a building. Access control technology and simple things like badging and turning off alarms have all grown. In schools, a lot of them are not there yet. You’ve got schools built in the ’50s and up. The cost to redo all of this even from a cabling standpoint is a lot. Standards are the number one thing. Just build it to an industry standard that’s then safe and secure.”
Planning, and planning early is of the utmost importance when considering upgrades in security. Storage upgrade requirements and yearly pricing increases in subscription-based software are limited by the strict budgets of K-12 schools. Avoid getting caught up in buying software that can cost more money than originally budgeted for. Although many improvements have been made, more efforts should be made to push for industry standards in physical security that would benefit everyone.
Schools have always been the place where members of the community come together to collectively educate and protect children, and their futures. Having a plan for creating a safe school starts with designing and building out a security plan. Planning should involve communities coming together from local school districts, law enforcement agencies and security integrators alike. When these groups can have vulnerable, productive conversations, real changes can be made for everyone’s benefit. Involving voices from many spheres to share their successes, and more importantly, failures will only strengthen security in schools to protect our future generations to come. Now go, be vulnerable and reach out; build the security program your school needs.