Live from New Hampshire this is the K-12 Tech Talk podcast uh I am Josh and with me in New Hampshire is Chris in person in person and Mark in person this is the first time we've ever recorded in person together awkward direct eye contact no no I'm not gonna look at me look at me Josh um so yeah we're here in New Hampshire it is cold and rainy but that is not taking away from the content that is being talked about here at the New Hampshire CTO Clinic um and we got to meet Mark in person for
the first time and stay at his cabin and he didn't kill us we're still alive yeah yeah please um what I didn't kill you yet yet yes yeah yeah so Mark Chris shipped Mark the mixer ahead of time and Mark has done a bunch of uh shall we say enhancing the in the yeah I'm not happy about it the mixer nice uh I didn't I didn't say that to Mark put a bunch of Chris audio on here oh come on uh come on guys oh come on so yeah this is this is hilarious um so what's the couple days been like guys
well cold and rainy uh yeah but really fun to be able to get to know you we had a we started off with a car ride yeah that took forever because there was so much traffic awesome I introduced them to Boston traffic yeah Josh and I got here Mark showed us a dumpster like a truck well it's called a trash truck trash truck we were just we were behind it in traffic like he showed us a trash truck like we don't have those in Missouri and then he's like and here's a tunnel ah come on
he showed us some tunnels well then okay so then we describe the paint we took a visit some some people on my team wanted oh yeah wanted to meet you guys yes they did so we popped into my office real quick yeah that was awesome after we got pizza and um we walked in and my team had prepared a surprise yeah for us so the mark on the Buffalo picture was blown up into what two foot by three foot photos and pasted all over the walls everywhere everywhere the entire
office was decorated with photos of me of memes from various episodes of the podcast nice um and the thing that drives me the crazy part is they clearly did this outside of work because we don't have a printer that big so I couldn't nail them on like you use District technology to do this nope they had clearly gone out of their way to print out giant pictures of me on a buffalo [Music] you're hanging all around the office it was it was hilarious can I tell you
that we've received a listener email oh no from someone in the tech department go easy on Mark now next question do I need to update my resume after decorating his office and if so any openings in Missouri [Laughter] there are several openings in Missouri right now um do you have any guesses we can unpack this do you think you know who did it unpack uh yeah yeah I know exactly who it's going to be and uh I think he'll do well in Missouri do you have a first name
I think he's been on the podcast before yeah yeah
yeah he was on episode 100. who would that be Joseph you could be right he says with this Dane yeah in the office his name is Joe it's now Joseph ah it'll all be by the book now I felt like because you never laughed or smiled oh no that no and then you actually ripped the papers off the walls yeah yeah yeah was that for a show towards us to try to show that you do have dominance in the office my my face was blown up two by two feet by two feet and put everywhere even the the
help desk dashboard instead of looking at like Network outages they're looking at my face instead so well you were off that day they had to have your face somewhere right yeah yeah and the best part of it were the representatives from the uh superintendent's office that came down and yeah no no it did not just stay within the tech department the soup's office came down I was like what why are you on a buffalo which is a great question it is a great question I went to Yellowstone last year
that's what we did yeah so anyways yeah so trash truck two tunnels yeah Mark's Cabin in the Woods yep in the White Mountains in New Hampshire and now this beautiful Resort yes on the coast of Winnipesaukee which apparently Jimmy Fallon spends time here in the summer and Drew Barrymore and Mitt Romney has a place up here yeah I feel very npr-ish with this microphone yeah yeah we're not used to recording like this no um so what do we got coming up on this episode we interviewed several people
right Josh and Pam uh hear from New Hampshire they're two of the big drivers behind some of the student data privacy alliances here in New Hampshire I almost said Missouri um and then we talk with Neil who everybody everybody at this conference we had dinner last night everybody talks about Neil as the Cyber guy apparently Neil is like the go-to tech director here in New Hampshire that knows a lot about cyber and helps out other districts around the state with cyber stuff so
um we hope you enjoy this this episode and thanks to New Hampshire CTO clinic for having us up we really enjoyed our time and hopefully we can come back so we are here at the New Hampshire CTO clinic and I we have with us well Mark this is the first time Mark and I are in the same room together which is pretty fantastic we just uh I did not hear you oh sorry can you hear me now yeah um so we just wrapped up our keynote address and we have two uh people from two attendees from the event here that
are uh I guess you could say rock stars in in this space with data privacy and I.T leadership in New Hampshire so I will let them introduce themselves we'll start with Josh all right thanks for having me and thanks for coming all the way out here guys yeah uh my name is Josh I'm the I.T director in the Oyster River Cooperative School District uh we're about just over 2100 students and I've been there about 11 years now wow okay and I'm Pam McLeod I'm with the Concord
School District in New Hampshire it's about the third largest District in New Hampshire okay give us an idea how many students that we have about um 4 100 students plus a CTE Center so we're up over 4 500 students okay as well this is my 19th year in education wow nine years in Concord and before that I was 10 years at one of those small K-8 500 students okay I'm also a school board member at New Hampshire we heard last night we were talking to you that that a lot of school districts in
New Hampshire excuse me are very small rural it's almost like a very decentralized uh Live Free or Die Live Free or Die local control yes yeah so Missouri's local control but I think you guys you're from our discussions last night it seems like New Hampshire is taking that up a notch or two uh from a local control standpoint for sure so uh tell us about what your guys what your efforts have been around student data privacy here in New Hampshire and what but um like again last night at dinner you
were talking about the commissioner you know there's new there's new things coming from the Department of Education so uh give us a little bit of that um it's it's uh a little complicated I'll start with a little bit of a timeline okay um in New Hampshire uh they passed the data Privacy Law in
2018. we call it HB 1612 it's now an RSA um and even as they were working on the bill cousin notified us about it at the national level and so we actually got involved with talking with the sponsors of the bill as it was going through the process and we're able to kind of water it down a little bit make it more palatable for schools it was pretty intense as it passed it was one of the few pieces of legislation around the country I think at the time it was the first one that had minimum security
standards so um it passed it had this reference to this department of Ed needs to create these minimum security standards it's the standards by which school districts need to operate as well as we need to hold our vendors accountable to those standards so it passed and then we all sort of panicked um we weren't quite sure you know the smaller school districts especially nobody kind of knew how to handle all of especially the vendor vetting part of it um so Josh uh was friendly with Steve
Smith down in Cambridge who does so much work on the national level with sdpc and a4l yeah I was going to say we're kind of lucky we have this guy who started the sdpc very close he's presented at this conference before so we had already known him pretty well and said well this might be a good way to start meeting some of these privacy standards because these small school districts in New Hampshire are going to have a really hard time reaching out to these vendors
and actually getting a response please sign this data privacy agreement and so I think at that time there was 24 think about 24 State alliances with Texas California being big ones and obviously Massachusetts so we felt that seemed to be really a good Avenue um to start the work because the way the law is written is there's these security standards and then that wonderful language that um at least in New Hampshire it's everywhere it's meet or exceed the minimum standards right and
it was the vendors had to provide an assurance that they would meet or exceed the minimum standards and so how do you get a vendor to do that and so the DPA seemed like a really good vehicle to do that so was the original intent of the bill that each district would write its own DPA or is that the state would come out with uh no they didn't provide any funding to the state to do anything okay we did reach out to the state very first thing and uh and they basically said you know
we have to deal with this too um they had to develop those minimum security standards we don't have any funding to help you we were hoping they would kind of take the that was our first uh check we were hoping they would take the ball and organize all of us and sort of help lead us through this but uh Live Free or Die that's not how it works um so we spent the next six months just trying to figure out what to do how to organize this um we worked so we had a we have a state
CSO and um the person at the time came from a federal background and he developed the minimum security standards based on nist 800-171 so it's a subset of 42 of those standards so it's a smaller bite but he was great because he brought those to us he let us take a look at him we had some discussions about them before they went to the state and were adopted and finalized and after that we've even gone through a couple of rounds during the pandemic we went through a couple of
rounds of how do we make it so that these more commercial companies Panda doc was one it's an e-signature company they have soc2 certification so we thought we developed an addendum so that vendors with these Nationwide certifications could just sort of get a pass because their their certifications exceed our standards sure sure so they didn't have to go through our checklist to sign the data privacy agreement and um the gentleman that came up with the standards if you look across the
Spectrum you have the CIS top 18 you have nist CSF he did a lot of research into what education records fall under and that's how he arrived at nist 800 171 it's really interesting because it seems like there's so many different standards that people can follow it feels kind of like ceases kind of go with the top 18 for schools but I know I think New York um Texas are doing some variation of CSF so so it's pretty interesting and like Pam said I I pretty sure it was the first
legislation nationally that tied privacy um and security together you know when you guys had dug on that was kind of one of his points was yeah everyone's talking about privacy but not security right um but that was I think something unique in our law was that those two were together so how how has adoption been from districts that might be smaller districts that have a one-man shop or what what's that pinch Point bin or what's that struggle been like have they been successful in getting these
agreements obviously you know with dpas you can piggyback off of other Agreements are they primarily doing that or yeah who's having those tough conversations are you guys leading those tough conversations we're leading a lot of the tough conversations because we have more staff than some of those districts so especially during the pandemic we were really taking the lead on having those conversations with the vendors but it's really um we collect a dollar ten cents per student per year
from our member districts we have about 130 000 students in New Hampshire covered under this agreement which is about 82 percent um roughly of the students in New Hampshire I don't know what the other districts are doing yeah but I mean that would be a good yeah do they ever come to conferences and you're able to ask them that or are they are those districts that aren't adhering to that kind of they stated themselves or you know don't like to I think for for
whatever reason they're sort of flying under the radar that first year Josh and I you know we organized um so we use a non-profit in Massachusetts the tech the education Cooperative so we collect These funds or they collect These funds and we pay them to do they have an attorney on staff they call the vendors we're now in a Consortium with five other states so that's built up or four other states in New England so that's built up over time as well that's really helped our
adoption but that first year Josh and I um spent a lot of time going to every Regional superintendent's meeting in New Hampshire we got the buy-in from the superintendent's executive board Joshua superintendent Dr Morris was really instrumental in just leading us around introducing us to people we made sure we had that buy-in so that it would be more successful and I'm wondering the one meeting we missed is probably the region where we have two remote stragglers yeah
that would be interesting yeah I was going to say I think for anybody who is early on trying to build like an sdpc alliance or there's states that have them and you know maybe they're not as active as other states I really think what worked out well for us is number one our our nhcto group our coast and affiliate we're a tight group we meet monthly it's a great group of people we have a lot of fun and then from there we started building strategic Partnerships
with these other groups and specifically the superintendents Association and the school boards Association I have to give them a shout out um yeah they were they were great as well so we really worked with those other groups so the superintendents knew what we were trying to do we explained that you know this wasn't we were putting forth kind of this collaborative approach to data privacy instead of everyone trying to do it on their own we're going to pool our resources
because ver there's only a couple school districts that even have attorneys on staff most of us all share common law firms so the idea was how do we not pay our law firms multiple times for this work for the same project and so we had seen I think at the time in Massachusetts there was only maybe 10 schools kind of working with with this group Tech to collaboratively do this and so we said well do you think you could do it New Hampshire and um you know they said yeah you know
we'll see but there can't be that many people that'll jump on board and I think within the first month of kind of releasing this we had about 40 districts wow on board and so we've really leveraged them and a collaborative approach to like we're dealing with one attorney we're all funneling money into that one attorney and then we use um one of the ladies names Rhema she actually is the one that we interface with she goes out contacts vendors on our behalf starts that process helps the back and
forth so uh in some ways a lot of the districts the heavy lifting the contact the vendors is really taken care of and then you know if we run into problems with vendors you know we start talking amongst our group and we've put the pressure on a couple and there's a couple vendors that wouldn't sign that when we all said we're not going to renew that changed their mind it's just magic how that works right so and I just want to give a shout out Microsoft was
our first vendor to sign which was great it actually aligned with the we have a Microsoft pricing purchasing Consortium as well which I started when I was in a small District so it's like gosh it was I think it was 2010 it was a while ago so it aligned with the renewal of that contract um so that was um really um helpful for us and they were really great to work with so we have as large as Microsoft that's probably our largest and a small like we have tiny little vendors there's
a company called pickup Patrol which does uh after school you know parent pickup organization they're based here in New Hampshire I think they were developed by students in New Hampshire and then became a company and um so you know organizations of all sizes but um we have 1500 different products covered under our IPA so at this point it's almost in maintenance mode um at this point and um it really has been fantastic but it's really that collaboration with the other
states that has helped us get there and you're working on Google right to get them to sign we've gotten nowhere with Google yeah California yeah progress on it yeah yeah so uh help me understand how many districts are in New Hampshire 167 ish Public Schools you can have a single Community right with two districts right right so there's kind of splits and breaks and Pam's a school board member where they just Consolidated three districts into one so it's kind of
constantly changing still still three districts we've just Consolidated SAU services so we just our Central offices so Pam you mentioned something a few minutes ago that that was really cool about the cyber security Grant yeah uh the the sltt grant tell us what New Hampshire did with that Grant yeah well I have to speak about like our Partnerships again because most of us use uh primex which is our public risk management um pool and they have really uh Corey
Casey will be here this afternoon from primex for a presentation they've really taken the lead in working directly with school districts and municipalities around the state they've been really awesome and then we have a forensic first respect under the atom group so they they're actually it's a private company but they've been tapped as like the state's first responder and cyber security incidents fantastic and we have a state um CSO we have a different one now
um the new one is Ken weeks um he's absolutely really awesome to work with as well from the state so um I'm forgetting the original question yeah sltt cyber grade the Cyber Grant so they've all been working together with representatives from the schools and the municipalities to help determine how they would spend this money obviously it's limited money right in the grand scheme of things they came up with three things I've been trying to remember them one was UB keys for every everybody who
wants them in New Hampshire um if private public organizations the second was training so they have a training uh it's like cyber training Library certifications yeah like a voucher program so anyone who wants to get like um a plus security oh wow I'll provide a voucher for that's cool so like if I I have a team of six so if they wanted to get certified we could get vouchers wow to get certified and then the last one I don't think it affects us as much but all the small
communities they're using personal email accounts and all this crazy stuff so they're doing a um a facilitated move to.gov addresses oh good so I I don't think that's going to affect us that much and I'd kind of heard that cesa was wanting to move education to.edu's that'd be great I I spent some time at higher ed and they all have edu but those are managed by educause K-12 doesn't have correct access to educause so I think it'd be great for K-12 to have edu accounts I mean that Nashville
is a edu I'm not quite sure interesting I wonder how they have been for a long time yeah so yeah we we really felt that the group and Neil was our representative from our group on the sltt grant group and um you know it felt like they did a really good job trying to identify really easy things that are you know they could write the grant quick for yeah and then Implement quickly so I think we were one of I think it was under five yeah Missouri was one approval in December and I think at this
point we're just waiting for the feds to release the money I just got an email about an hour ago saying they they released FEMA released the money so oh great so yeah hopefully we'll be able to get that in Massachusetts we've applied for a waiver on the deadline and so we're gonna think about it in a few more months so it's only jealous yeah we're really excited we we appreciate what Neil who's a fellow I.T director and in um in New Hampshire what he was able to do for
that kind of represent us on the group and yeah he's our cyber security Guru in the crowd I think we all do a lot of cyber security but he's you know he's our go-to of heads and shoulders above the rest of us yeah it's really good well we appreciate you guys joining us and taking away from time in sessions but uh you guys are definitely doing some amazing things up here in New Hampshire and we wanted to bend your ear and tell us uh how how did you do it so uh we appreciate your time thanks guys
yeah we were preparing for a presentation on privacy and realizing that we're we're the ones talking to the experts about it so there's a little what do we say that they don't already know so congrats thank you thanks guys thanks we do want to thank our sponsors for this special episode at the New Hampshire CTO Clinic it's been awesome getting to hang out with Josh and with Mark for the first time in person we're not just friends via zoom we're not just friends via text uh the relationship
it's real it's a real one so again thanks to our sponsors manage methods is back manage methods make securing data and detecting students safety signals in Google Microsoft 365 and zoom easy and affordable for District technology teams check out manage methods we also want to thank ntp our newest sponsor look them up ntp check out their K-12 cyber Security Solutions they can give you some special K-12 Tech Talk podcast pricing on antivirus but you gotta mention us and
we can't forget about Fortinet email fortinetpodcast fortinet.com if you are interested in any of Fortinet services and products reach out to extreme networks that's D mayor at extremenetworks.com and I think I just said extreme.com when Josh and I were talking that's extreme networks.com get your extreme switches and your networking from them they can bring your network to the next level go extreme finally last but not least somethingcool.com a proud sponsor since the beginning email sales at
somethingcool.com so we are back here at the New Hampshire CTO Clinic the Kosen affiliate here in New Hampshire and Chris and Mark are both with me now and we also have guest uh speaker or guest attendee Neil hey Neil how's it going good how are you guys doing get a little closer to that microphone how's that that's much better um so give us an idea of what you like about this conference what what your part is in this conference and planning and all of that uh so what I like about
this conference is it's geared towards getting not just the tech directors but the superintendents and the business managers like that's the entire hope and Foundation of this this conference um to get us in that room talking together and hearing that same message from all of the presenters yeah um as far as involvement and planning and stuff I'm a past board member for the New Hampshire chapter and that's pretty much the extent of okay of that and um they did reach out to me early on
they're like hey with K-12 podcast come and talk with us of course we will let me reach out no that's cool and then you and you and I had met last summer at the MS ISAC conference in Baltimore right yes um so everybody here calls you the Cyber guy like you are you're you're it's always here it's all here Niels the Cyber guy Niels are the expert um so give us a little bit of of the help that you give school districts or the resource that you are in that cyber realm like are people calling you all
the time asking for help or what's going on there yes um so the answer to that was yes yes across the board um so I'm the only cyber certified professional okay in K-12 in New Hampshire oh wow um I also happen to be the director of Technology um but that's it I've got oh seven or eight certificate cissp the Sim cisf the data privacy and then a bunch of sand certs as well okay so that's sort of where you know that cyber security thing came from sure um but because of that the state passed
the data Privacy Law in 2019 and they were looking around and they're like uh we don't know anything about this I'm in the southwest corner of New Hampshire nobody comes to see us but nobody knows we really exist um I was like well I've been doing this from 2013 that's when I started doing cyber and K-12 and like oh and then they sucked me in in this that it's just grown from there there um really involved with the CTO group here in New Hampshire then the state reached out and said hey
uh can you help us Define these standards that the legislature said that we must develop so I helped um with Pam McLeod get those squared away then they they reached out again to me when the sltt grant came through they said you know would you be the K-12 rep so we can right get that money right going and then you know I GT government Tech magazine reached out and asked me to be on there for our conference board oh wow another conference reached out down in Florida I
don't even remember who they are right now wow that's cool yeah so Pam mentioned something earlier that the with the sltt grant cyber Grant um States buying UV keys for public employees can you like what how did that come about that's awesome Yep um so we we got together you know um all the different reps from the different sectors within within the state and we're like you know dollar for dollar this isn't a lot of money right what can we do with this to get the most
value out of it so they developed you know the governor box because that doesn't cost them much of anything to do the state will just give us a gov address and you know set business cards and letterhead to get it started um and then they're like well training if we can get anybody or everybody trained even just an intro into cyber to at least have a better understanding and we can sort of level set across the board so they've started that route and it wants to be trained reach out to the state
um and tell them what cyber course you want to take and they'll figure out how to get that paid about your um and then eventually even pay for the certification if you want to go that far with it one of the things you mentioned too is the dot gov address yes so what we heard was that there are still some districts in New Hampshire that don't have district-wide email accounts is that where it is that is where it is yes [Laughter] and it's funny the real problem is down at the
municipality level right right like the small towns yeah where you know they're all running on Yahoo addresses right Chief is you know at msm.com it's crazy it's so that's the problem they're trying to address I wouldn't be surprised we haven't been in Missouri as well so to our cybers Gamers that are listening what towns are those yeah so okay so part of the plan is to get those towns that are that are running off of personal accounts onto a.gov correct um training for folks and UB Keys yep
um what's been the response from districts and towns to those kinds of things um so we're still waiting to get that first check in to get the Yuba Keys purchased yeah that was the third thing um and the thought there was how can we best facilitate 2fa Implement Implement implementation without telling everybody you got to use your personal device right because that's the one complaint we hear there's no I'm not using my personal device if the state's like well we get a huge
discount anyways so just be that purchaser you tell us how many you want add 30 because they're going to lose them yeah and we'll ship them to you that's fantastic so okay so I don't want to use my personal uh account or my personal device for for two-step but also like our our do you think you're going to get resistance from towns or schools that don't want to move off of personal email accounts move on to a statement yes absolutely absolutely because the motto of New Hampshire still
is Live Free or Die absolutely absolutely so now having the state come in and say you must use this address correct so are you gearing up for that have you heard from some districts already so the districts are torn right we've got this Longevity if we already have our established domain right a lot of us yes our four character domains rightly we don't want to just walk away from that to get some yeah oh so even if you have a domain you're still migrating over you can or you can okay you can you
don't have to okay you can I keep thinking about email addresses like police chief underscore 2004.
and then I keep thinking of some inappropriate ones yeah so does it is it police chief one and then the new police chief comes in there police chief2 yahoo.com or do they just pass the credentials that's the conversation right so fascinated if they get canned do they share the password with the next person and there are police Chiefs like or officers handing out business cards that say like yeah absolutely absolutely amazing I mean okay also amazing that that was recognized yeah
in 2023 like let's nip it yeah yeah I mean real talk let's use this money and fix this problem yeah this thing's been lingering around for a while no that makes sense but it also outlines I think it's it's very common across the United States where you have states that are very very rural with a mixture of kind of urban Suburban districts and that's exactly what New Hampshire is you've got Concord Nashville Manchester or the kind of mid-sized bigger districts but the majority of your kids go to
sub 1 000 student accounts or districts right so we've heard that quite quite a lot with with a very very kind of decentralized District by District small District approach from Tech Support to security to data privacy so um we talked earlier to to Pam and Josh who talked about how they're really trying to build this Consortium around data privacy do you feel that same thing can happen with security obviously the two are related do you think there's going to be more Consortium and kind of
group thinking or District you know groups of districts thinking about cyber security I hope so I think it will get there um you know we've got nationally we're starting to see that pickup we've got k-126 yep that's out there trying to make an effort we've got MSI Sac right with the K-12 working group there out there um so I think it will come I think it's going to be slow yeah because districts still at the end of the day don't have those resources it it's still a time
commitment yeah and if you're a two or three person Department right yeah whose time am I taking away and rightly you're not going to do what what problems are you not solving because you are focusing on this other bigger problem yeah well but but this conference this week is happening in the shadow of your second largest District in New Hampshire getting hit with ransomware so National was just hit earlier this week is that sending waves it's it's definitely sending waves around this
room do you feel it it's going to hit superintendents as well I I think it will and I think it's already started when I went into our leadership meeting on Monday that was the topic of the principles like what happened to Nashville is it going to happen here is it you know it's yeah yeah yes yes yes yeah it can absolutely yeah yeah and it will yeah yeah yeah yeah well Neil we we appreciate your time with us today uh we don't want to keep you from any other sessions here this
afternoon so uh we appreciate it and thanks for thinking of us and getting us up here thank you thank you thanks Neil