We all know education is relying more and more on vendors and outside partners and this is especial true of edtech. It makes sense, let professional educators educate, and let businesses bring solutions that enable education. I know, sounds good, but in practice, it can be a mess. Can you trust vendors/partners to provide the right solution or are they in it to make a buck?
As usual, the truth is somewhere in between. Many industries have gone through the same lifecycle as education. In financial services, retail and healthcare, the initial response was, “can you fill out this security questionnaire?” We are seeing the same thing being done by education organizations, and it didn’t work for other industries……and guess what won’t work for education either.
Sure, it may help buttress what was already in a SaaS contract if you end up in a complex lawsuit, but how did that protect student and personnel data? How did it protect the district or university’s reputation? How did you really reduce your risk of a data breach at all? Think about it…..you are most likely working with a start-up or high-growth tech company. Now you are asking them to complete a survey that requires no validation or inspection to determine veracity of the answers. These companies need the deal and they are going to find every possible way to justify the best responses. Dishonest? Maybe, maybe not, but that is inherent weakness of a questionnaire.
So if surveys, simple conversations, legalese in contracts and questionnaires aren’t the answer, what is? Let me propose two options which I will touch on here, but go into more depth in upcoming blog posts.
- An independent audit – this can come in a few forms, but most popular are SOC2, PCI DSS (when dealing with credit cards), ISO27001 and Cloud Security Alliance STAR (https://cloudsecurityalliance.org/star/certification/#_overview)
- Understand your data, and only provide what is needed – This takes more time and effort, but can be the most important step you can take. SaaS providers want you to provide them with as much data as possible. The more data, the more you are reliant on that application (“stickiness factor” increases). But in many cases, you can limit what you provide and the less sensitive data your provider has, the more a breach becomes less harmful.