The Cost of Inaction – A CISOs Guide to Securing Investments From School Boards

Nobody understands a school’s security risks better than a Chief Information Security Officer (CISO). CISOs are on the frontline, managing threats, identifying vulnerabilities, and working tirelessly to secure critical systems and data. But many CISOs are not just battling external threats – they are also navigating internal challenges, especially when making the case for funding to the school’s board of directors. What many don’t realise is how much common ground there is between a CISO and a school board when it comes to IT budgets and the need for cybersecurity. However, bridging this gap requires a measured and well-thought-out strategy. This article serves to assist every CISO in understanding how to better approach a board by identifying the many shared goals and priorities between both parties, and putting this information forward in a practical and effective way. 

Silver lining  

For many CISOs, getting buy-in from the board can feel like an uphill battle due to economic uncertainty, shrinking budgets, and the expectation to do more with less. There is also the fact that many board members don’t have relevant, recent experience in cybersecurity. That knowledge gap means it’s up to you to connect the dots between cybersecurity risks, business priorities, and the school’s long-term health.

The good news is that you have a shared objective – as most boards are now discussing cybersecurity fairly regularly. However, in the context of investments, it is essential to speak within the context of the cost of inaction, using real-world examples that paint an accurate picture of your school’s risk profile. 

Thinking like a board member

Winning over your board requires a deep understanding of the context in which they operate. Board members are laser-focused on protecting the school’s reputation, ensuring financial stability, and managing risk. While cybersecurity might not be their comfort zone, risk management certainly is. Your goal is to show them how investing in cybersecurity aligns directly with those priorities.

This can be achieved by building consensus around the school’s current state. These key questions are excellent conversation starters –

  • What do the board members consider as the school’s most important assets? Is it student data, operational continuity, or the school’s reputation?
  • What do they view as the biggest risks? A ransomware attack that shuts down the school’s systems for days? A data breach that compromises sensitive information?
  • What are the school’s top priorities? Whether it’s expanding digital learning tools, improving IT infrastructure, or maintaining compliance.

Grounding the conversation in these fundamentals will enable your board to see cybersecurity as a critical component of risk management and operational success, instead of an overly-technical maze they need to navigate. 

Speaking like a board member

The way you frame your message can make or break your pitch. Board members aren’t looking for technical jargon. Clear, concise information that ties back to the big picture will be more effective. Ultimately, your goal is to talk business, not technology.

Using relatable examples –

Real-life incidents resonate far more than warnings. Instead of overwhelming the board with technical details, focus on examples that show the reality of risks. Here are two examples that make risks feel tangible and help board members understand why proactive investment in cybersecurity matters –

Ransomware attacks – Share an example of a ransomware attack on a similar sized school and explain the damage caused (lost school days, reputational damage, and significant recovery costs.)

Insider threats – Highlight a case where an internal actor, whether malicious or careless, led to a breach of sensitive student or staff information, and what the subsequent consequences were. 

Focus on ROI

Board members want to know how every dollar spent will contribute to the school’s success. When presenting your case, emphasise return on investment (ROI) in terms of the school’s current needs, as well as its future goals. Below are a few examples of questions to pose to the board to help you frame cybersecurity as a business enabler, not just a necessary expense –

  • Enabling growth: How will cybersecurity investments support the school’s move toward more digital tools and online learning?
  • Protecting operations: How can improved security prevent costly downtime and ensure the school runs smoothly day-to-day?
  • Maintaining trust: Highlight how a secure environment helps build trust with parents, students, and staff.
  • Educational outcomes: How will cybersecurity investments drive the school towards achieving its educational goals? 

Make risks relatable

Talking about risks without exaggeration or fear-mongering is key to building trust with your board. When you describe potential risks, make them specific, realistic, and relevant to your school’s operations.

By tying risks to concrete scenarios and outcomes, you help board members grasp the potential consequences of inaction, and allow the opportunity to mitigate those risks before they happen. Start the conversation by introducing a scenario similar to the one below, and then introduce the potential impact –

Scenario – If we experienced a ransomware attack like (school example), we could lose access to all digital learning tools and student records for weeks. Recovery costs could exceed thousands, in addition to the reputational damage we would experience.

Impact – 

This could mean: 

  • Cancelled classes.
  • Frustrated parents who pay school fees and expect a high level of delivery from the school.
  • Teachers being forced to devise new teaching methods to work around technology failures.
  • Students losing trust in the school’s ability to protect their personal information, facing disrupted learning outcomes and potentially falling behind on schoolwork due to a lack of effective tools.

Turning inaction into opportunity 

Showing an understanding of the board’s priorities and offering them clear, practical solutions is likely to shift their mindset, and allow them to see that the school’s operations, reputation, and financial health are too significant to ignore. By following the strategies above, you’ll be able to prove to your school board that you share their goals and priorities, and that an investment in IT is not a nice-to-have, but a necessity. 

NetStrategy is not only an expert in cybersecurity and IT solutions, but exist as a supporting partner to schools, offering guidance and expertise at every point of a project. Contact us today and experience why more schools choose us for our support in everything from securing budgets, to ensuring your school gets the most out of the investment.

Get in touch

Talk to an expert

Get in touch with us today to find out how we can deliver competitive edge to your asset intensive operations.
This field is for validation purposes and should be left unchanged.
35+ Years Experience
380+ Schools
Proven Processes
Strategic Solutions