Cybersecurity Roles & Responsibilities in Schools: Who Does What?

Cybersecurity is a shared responsibility — especially in K–12 public schools, where resources are limited and teams wear many hats.

This guide breaks down who typically handles what, what gaps to look out for, and how to build clarity around roles, even in small or rural districts. It also highlights how clearly defined roles help schools meet state and federal compliance requirements like FERPA, AB 1584, and CIPA.

🏫 Core Roles & Their Responsibilities

πŸ‘¨β€πŸ’» IT Director / Technology Coordinator

  • Implements technical safeguards (MFA, firewalls, endpoint protection)
  • Leads incident response and recovery
  • Maintains backup systems
  • Manages vendor security reviews
  • Tracks compliance with FERPA, AB 1584, and CIPA technical requirements

πŸ§‘β€πŸ« Principals & Site Admins

  • Enforce staff training participation
  • Coordinate site-level response during outages or breaches
  • Support phishing awareness and reporting campaigns
  • Ensure staff follow acceptable use policies
  • Help ensure site compliance with district data privacy protocols

πŸ‘¨β€βš–οΈ Superintendent / Cabinet-Level Leadership

  • Oversee funding decisions and risk management priorities
  • Approve cyber insurance coverage and vendor contracts
  • Communicate with community and board in the event of an incident
  • Ensure overall district compliance with student data privacy laws

💰 Chief Business Official (CBO)

  • Ensures insurance requirements are met
  • Coordinates with IT on vendor agreements and compliance documents
  • Reviews costs for cybersecurity tools and services

πŸ‘©β€πŸ« Teachers & Classroom Staff

  • Complete phishing and data privacy training
  • Follow district-approved edtech guidelines
  • Report suspicious emails, behavior, or system errors

πŸ” What’s Missing in Many Schools

  • No one officially owns incident response planning
  • Vendors onboarded without security review or contracts
  • Training tracked loosely (or not at all)
  • Superintendent not briefed on cyber risk or insurance status
  • No one designated to handle compliance with AB 1584/FERPA

✅ Tips for Building Clarity — Even Without a Full-Time IT Team

  • Assign a cyber lead at both district and site level (even if it’s part-time)
  • Create a shared checklist of responsibilities by role
  • Leverage COE or MSP support for audits, planning, and vendor vetting
  • Add cybersecurity goals to LCAP or board-level priorities
  • Make compliance tracking a recurring agenda item for leadership

Final Word

Clear roles reduce chaos — and improve compliance.

When everyone knows their part — from classroom teachers to cabinet — your school system becomes more resilient, more secure, and better prepared to handle cyber threats.

Use this guide as a conversation starter for building internal clarity, even if your district is just getting started.

Cybersecure California is here to help schools stay secure, compliant, and ready — together.