
Securing Florida's K-12 Schools Against Cyber Threats

Introduction: Overlooked Vulnerabilities

When cyber analysts think about the security of critical infrastructure, they most often focus on high-profile facilities such as pipelines, power grids, hospitals, and financial systems. Events like the Colonial Pipeline attack evoke images of cascading failures and national security consequences. Far less attention is paid to K–12 school districts, which are rarely thought of as part of the nation’s critical infrastructure. Yet across the United States, and increasingly in Florida, public schools now operate as large, data-intensive organizations whose systems and networks hold extensive troves of student and employee data. In recent years, cyberattacks against America’s public schools have become increasingly common, and Florida’s K–12 system has not been immune.

School districts across the state have faced a wide range of cyber threats, from targeted network intrusions to large-scale data breaches involving student and employee information. For example, the Hillsborough County School District experienced a significant cybersecurity breach that disrupted systems for several days and prompted a multi-agency investigation, including the FBI and state law enforcement. In another high-profile incident, St. Johns County Schools publicly acknowledged that a third-party student information system (PowerSchool) was compromised, resulting in malicious actors gaining unauthorized access to customer. Together, these incidents underscore that school districts are vulnerable cyber targets not only through their local infrastructure, but also through third-party supply chain risks that extend beyond district boundaries.

According to threat tracking data, dozens of cyber events have struck Florida schools since 2016, including breaches linked to overseas actors who view school districts as “soft targets”, rich in sensitive personal data. Florida is not unique in this regard. National data show that cyberattacks on U.S. schools and universities have more than tripled in recent years, and analysts warn that these attacks are becoming increasingly sophisticated. The consequences of these threats are profound. Beyond immediate operational disruption, cyberattacks can expose sensitive student and staff information (such as names, contact details, dates of birth, and in some cases Social Security numbers), leading to long-term privacy and identity risks for families. For districts themselves, these intrusions can result in significant financial costs, diverted staff time, and disruptive engagement with outside forensic experts and law enforcement. Even when direct harm to data has not been confirmed, the mere possibility of unauthorized access can erode trust and require costly remediation and notification efforts.

In light of these trends and concerns, the Florida Center for Cybersecurity (hereafter “Cyber Florida”) undertook an extensive research effort in 2025 to better understand the challenges to cyber readiness faced by Florida’s K–12 school districts. This analysis focused on operational readiness: how district IT professionals perceive their vulnerabilities, what practices and policies they have in place, where gaps persist, and what barriers stand between current practice and an ideal defensive posture. Drawing on semi-structured interviews with IT and cybersecurity leaders from 17 Florida school districts, this report summarizes the experiences and perspectives of frontline professionals on the cyber readiness of the state’s K–12 schools. By grounding our findings in both practitioner experience and documented threat activity, this study seeks to provide a clear, evidence-based snapshot of where Florida stands today and what strategic actions are needed to strengthen the cyber resilience of its public education system.

Frontline Perspectives: Data Collection

This study draws on semi-structured interviews with information technology and cybersecurity leaders from 17 Florida K–12 school districts. The interviews were conducted in 2025 by researchers from Cyber Florida, typically by one or two members of the research team. Interviews followed a semi-organized protocol designed to elicit participants’ perspectives on district vulnerabilities, threat environments, defensive practices, organizational constraints, and policy needs. All interviews were conducted remotely and recorded with participant consent. Recordings were transcribed using Microsoft Teams’ automated transcription service and then reviewed by the research team for clarity and accuracy prior to analysis.

Participants were selected using a combination of direct recruitment and snowball sampling. Initial participants were recruited through Cyber Florida’s professional networks and direct outreach to district IT leaders across rural, suburban, and urban districts. In several cases, interviewees then referred the research team to peers in other districts within their professional networks, creating a snowball sampling process that expanded the sample across a broader range of district sizes, geographic contexts, and organizational structures. All participants were de-identified prior to analysis to protect confidentiality and encourage candid discussion. The resulting sample reflects a diverse cross-section of Florida’s K–12 cybersecurity leadership, including chief information officers, directors of technology, cybersecurity managers, and senior IT administrators.

The participants represented a highly experienced and professionally credible group of practitioners. Nearly all held senior operational responsibility for cybersecurity within their districts, and many reported decades of combined experience in K–12 information technology, network administration, and security operations. Several participants had previously worked in higher education, government, or private-sector cybersecurity roles before entering K–12 education. The analysis therefore reflects the judgments of individuals who are directly responsible for defending large, complex, and mission-critical public-sector networks, and whose daily work places them at the frontline of cyber risk management in education.

The interviews were guided by six research questions that structured both data collection and analysis:

1. Do K–12 districts in the state understand their core vulnerabilities, and the potential ramifications of cyber intrusion?

2. What are the primary threat vectors that K–12 school districts face, including internal and external threats?

3. What steps are K–12 school districts taking to ensure their cybersecurity?

4. What are the most significant areas where K–12 school districts are not able to confront the threats they face?

5. What are the primary impediments to cyber readiness for K–12 school districts?

6. What policy changes are needed at the state level to support the cyber readiness of K–12 schools?

The interview transcripts were analyzed using a thematic content analysis with emergent coding. Rather than applying a fixed coding scheme in advance, the research team first conducted an open reading of the transcripts to identify recurring concepts, practices, risks, and constraints. From this process, a set of thematic codes was developed inductively to capture patterns related to the six guiding research questions. Each interview was then systematically reviewed and coded using this emergent codebook. Codes were applied at the interview level when a theme was substantively present in a participant’s responses.

After initial coding, the research team conducted a cross-case synthesis to identify dominant themes, code frequencies, and patterns of convergence and divergence across districts. This process produced the emergent thematic framework reported in the Findings and summarized in the Appendix. The final analysis integrates both within-interview interpretation and across-interview pattern analysis, allowing the findings to reflect not only individual district experiences but also statewide trends in cyber readiness.

Findings

This section presents findings from 17 semi-structured interviews with IT and cybersecurity leaders from Florida’s K–12 school districts. Organized around six research questions, the findings summarize how districts understand their vulnerabilities, the threats they face, the steps they have taken to defend themselves, and the barriers that continue to limit their readiness. For each research question, we first describe the patterns that emerged across the interviews and then summarize their implications for cyber readiness in practice. Together, these findings provide a structured, evidence-based account of where Florida’s K–12 districts are strongest, where they remain most constrained, and how those conditions shape the state’s overall cyber risk posture.

Research Question 1

Do Florida’s K-12 districts understand their cyber vulnerabilities?

Across all 17 interviews, there was nearly universal evidence that Florida K–12 districts understand both their core vulnerabilities and the potential consequences of cyber intrusion. In each case, participants articulated a clear sense of cyber risk, typically framing compromise as plausible rather than hypothetical and emphasizing that perfect security is unattainable in an open educational environment. Several participants explicitly rejected the idea of “being safe,” instead adopting a risk-management framing:

Interview 15: With cybersecurity… you can never feel 100% safe.

Interview 2: It’s not if it’s when.

This level of situational awareness suggests that those tasked with defending Florida’s K-12 districts against cyber threats have a clear-eyed and sober understanding of the threat landscape, even if they lack some of the material resources and support needed to effectively execute that mission.

The most frequently identified vulnerability across the interviews was “human error”, which appeared explicitly as a core risk theme in a majority of the interviews. Participants repeatedly emphasized that technical controls are often bypassed by staff behavior, credential compromise, or simple errors. As one urban district leader stated, “All those tools and appliances and alerts go out the window if somebody gives up their credentials through a phishing e-mail” (Interview 6). A rural district described the same phenomenon more bluntly: “Most of the times when things happen, it’s usually somebody outside of IT that clicks on a link” (Interview 4). These insights are consistent with what we understand about the broader threat landscape: current ransomware, business email compromise, and identity-based attacks overwhelmingly rely on social engineering rather than technical exploitation. In this respect, district perceptions are well aligned with national threat patterns.

Beyond recognizing the centrality of human error to their cyber vulnerabilities, several districts demonstrated a sophisticated understanding of data sensitivity and regulatory ramifications, particularly around student and employee data. Although this theme appeared less frequently in explicit coding, when it did appear it was framed in concrete regulatory and operational terms:

Interview 1: We certainly have very valuable information… Social Security numbers… academic history… extremely valuable unfortunately to bad actors.

Interview 11: We have probably some of the most valuable data… student health data… Social Security numbers.

A smaller number of districts also framed vulnerability in terms of governance and organizational structure, noting that cybersecurity risks are amplified when security leaders lack direct access to executive decision-making (Interview 3) or when legacy systems and instructional priorities prevent timely patching and maintenance (Interview 2). These governance-related vulnerabilities, while less frequent, are high-impact in the real-world threat environment because they directly constrain response speed and control effectiveness.

Research Question 2

What are the primary cyber threats facing Florida’s K-12 school districts?

Across the interviews, there was an overwhelming consensus that the most common tools leveraged against Florida’s K–12 districts are phishing and social engineering schemes rather than attempts at highly technical exploitation. Phishing appeared as a primary threat vector in all 17 interviews, and broader social engineering concerns appeared in approximately 11 of 17. District leaders consistently described a threat landscape in which attackers were “not hacking in so much as they were logging in” (Interview 2), and where successful intrusions most often began with deception rather than with technical compromise. A rural district summarized this pattern succinctly:

Interview 4: Without a doubt the biggest issues right now… phishing attempts… primarily through teachers.

This near-universal emphasis closely mirrored the contemporary K–12 threat landscape, in which ransomware, business email compromise, and data theft were typically preceded by credential harvesting or user manipulation.

A closely related area, credential compromise and identity-based intrusion, emerged as a second primary threat vector. Multiple districts reported that attackers were explicitly targeting usernames, passwords, and account recovery processes rather than attempting to defeat perimeter defenses. One district warned that “all those tools and appliances and alerts go out the window if somebody gives up their credentials through a phishing e-mail” (Interview 6), while another noted that “phishing for credentials” was “easier… than brute force” (Interview 17). Several districts described these attacks as multi-stage intrusion chains: once an account was compromised, attackers sought lateral movement, i.e. “the next hop… domain controller… firewall” (Interview 17). In this sense, the interviews portrayed Florida districts as operating in an identity-led threat environment, where the protection of authentication systems, help desk workflows, and privileged accounts was as critical as any network control.

Internal threats were also a persistent and operationally significant part of the threat landscape. To our surprise, student-driven circumvention and insider misuse appeared as a meaningful theme in several interviews, particularly in districts managing large Chromebook fleets and open instructional networks. Participants reported students “finding proxies… ways to bypass some of this stuff” (Interview 12) and “trying to find a way to get around the system” on a continual basis (Interview 17). In several districts, this behavior was framed not as isolated misconduct but as a constant adversarial pressure that consumed staff time and exposed latent weaknesses in filtering, segmentation, and identity controls (Interviews 8, 12, 16). While these activities were not always aimed at data theft, they materially increased risk by normalizing bypass behavior, weakening admission controls, and creating opportunities for lateral movement once an endpoint was compromised.

A growing number of districts also reported that artificial intelligence was actively transforming this threat landscape, primarily by making existing threat vectors more sophisticated rather than by introducing entirely new categories of attack. AI-enabled phishing was identified as a central concern in approximately 7 of 17 interviews, with participants reporting that messages were becoming more realistic, better written, and more targeted. One district observed that “phishing emails have become much better… less spelling errors” (Interview 2), while another noted that “everything looks (more) authentic” (Interview 13). Several districts raised emerging concerns about deepfake and impersonation risk, particularly for executive and emergency scenarios:

Interview 9: Deep fakes… very, very difficult to discern from reality.

Interview 17: … it is actually harder for the district police to identify if the threat is actually legitimate.

Across these interviews, AI was consistently framed not as a separate threat domain, but as a threat amplifier that increased the realism, scale, and success rate of phishing, impersonation, and social engineering attacks that districts already struggled to contain.

Implications

Taken together, these findings indicated that Florida’s K–12 threat environment is best characterized as deception-driven, identity-centered, and increasingly AI-accelerated. The dominant risks are not advanced zero-day exploits, but phishing, credential theft, impersonation, and internal circumvention (increasingly operating in an environment where AI lowers attacker skill thresholds and raises the difficulty of human detection). From a readiness perspective, this suggests that the most consequential defensive investments are those that strengthen identity security, verification workflows, phishing resilience, and monitoring of account misuse, rather than those focused narrowly on perimeter defenses alone. The interviews collectively imply that without sustained attention to identity governance and human-process controls, technical investments alone will provide insufficient defense against the threat vectors districts most frequently face.

Research Question 3

What steps are Florida’s K–12 districts taking to ensure their cybersecurity?

Throughout the state, school districts report a wide range of cybersecurity strategies. The most frequently cited practices in our interviews included phishing simulations and awareness training, endpoint protection, and identity controls such as multi-factor authentication. Several participants described a deliberate shift away from relying solely on perimeter defenses toward a more comprehensive model of layered security. As one district leader explained, “We take a very multifaceted in-depth approach… far beyond just… antivirus… firewalls” (Interview 1). In general, districts described cybersecurity as an ongoing operational function rather than a one-time investment.

One of the clearest areas of strength across districts was the widespread use of phishing simulations and structured awareness programs. Multiple districts reported running recurring phishing campaigns, often paired with remediation and governance reporting. One district described quarterly exercises with formal board reporting:

Interview 6: We do quarterly phishing campaigns… and we provide our results to the school board every quarter.

Another emphasized immediate follow-up training after failures:

Interview 13: We have a campaign for training like right after… follow-ups with all of the individuals who had those hiccups.

In several districts, participants explicitly linked these programs to measurable improvements in staff behavior and reduced click rates over time. This pattern suggested that many Florida districts had correctly aligned a significant portion of their defensive effort with the dominant threat vector identified in Research Question 2.

Districts also reported substantial investment in technical controls, particularly in endpoint detection and response, email security, content filtering, and managed detection services. Several districts described deploying modern EDR/MDR platforms and 24/7 monitoring capabilities. One rural district noted, “We have multiple layers of security… EDR… firewall… IPS… block listing” (Interview 12), while a larger district described having “24/7 eyes on our devices” through managed services (Interview 17). In smaller districts, federal grant funding and vendor partnerships were often cited as enabling access to tools that would otherwise be unaffordable (Interviews 7, 15, 16). These investments indicated that many districts had assembled control stacks broadly consistent with contemporary best practices.

At the same time, the interviews consistently suggested that these steps were not sufficient on their own, primarily because of limits on staffing, governance, and operational capacity. A recurring pattern was the presence of strong tools paired with limited ability to fully operationalize them. One district captured this gap directly:

Interview 9: We have quite a deep bench of really good tools, but we’re probably using 10% of each one.

Others noted that monitoring focused more on servers than on end-user devices (Interview 15), that network access control remained incomplete (Interview 13), or that after-hours coverage was limited to a “nine to five shop” (Interview 16). Even in more mature programs, cost ceilings constrained visibility:

Interview 17: We’re limited by cost on how many logs that we can process.

In effect, many districts were taking the right categories of action but lacked the sustained capacity to use those actions as continuously effective defenses.

Implications

Taken together, these findings suggest that Florida’s K–12 districts have largely identified and begun implementing the appropriate categories of cybersecurity controls, particularly around phishing resilience, endpoint protection, and identity security. However, the interviews also indicate that the sufficiency of these measures is constrained less by technology selection than by staffing, monitoring capacity, and governance bandwidth. From a readiness perspective, this implies that future improvements will depend not only on acquiring additional tools, but on strengthening the human and organizational capacity to fully deploy, monitor, and govern those tools over time. Without sustained investment in operational capacity, many districts will continue to possess strong technical controls that they are structurally unable to use to their full defensive potential.

Research Question 4

Where are Florida’s K–12 districts most limited in their ability to confront cyber threats?

Across the 17 interviews, districts consistently reported that their most significant limitations were not technological, but organizational and capacity-related. The most frequently cited areas of weakness included insufficient staffing and depth of expertise, limited monitoring and after-hours coverage, and incomplete visibility across endpoints and networks. In approximately 10 of 17 interviews, participants explicitly described capacity constraints as their primary vulnerability, even in districts that had deployed modern security tools. This pattern suggested that many districts faced a structural gap between the complexity of the threat environment and the human resources available to manage it.

Another common theme was the lack of continuous monitoring and 24/7 response capacity. Several districts described environments in which sophisticated attacks could persist undetected outside of business hours. One participant explained the limitation directly:

Interview 16: We’re a nine to five shop and if something’s afterwards, we’re trying to get a hold of folks, pulling them in, that kind of thing.

Others noted that although they collected logs and alerts, they lacked the staffing or budget to fully analyze them in real time (Interviews 9, 15, 17). Even districts with managed services described tradeoffs between cost and visibility. In effect, many districts were operating with temporal blind spots that left them vulnerable to prolonged dwell time once an intrusion occurred.

Another major limitation involved incomplete identity governance and access control. While most districts reported deploying multi-factor authentication in some form, several acknowledged that coverage remained partial, particularly for legacy systems, service accounts, and privileged users. One district described the challenge bluntly:

Interview 3: No matter how much we spend on firewalls and… technical controls, all it takes is for someone with privileged access to fall for one of these phishing emails and it bypasses all that.

These weaknesses were especially consequential given the identity-centered threat environment described above, where a single compromised account could enable broad lateral movement.

Several districts also reported limitations in their ability to manage student devices and internal circumvention at scale. In multiple interviews, participants described constant efforts to block proxies, VPNs, and bypass tools, often in an endless cycle of adaptation. One district described this dynamic as:

Interview 16: No matter how much we spend on firewalls and… technical controls, all it takes is for someone with privileged access to fall for one of these phishing emails and it bypasses all that.

Additionally, several districts emphasized that this internal adversarial pressure consumed staff time that could otherwise be devoted to other efforts (Interviews 8, 12, 17). While not always catastrophic in isolation, these gaps collectively increased the probability that external attacks could gain persistence once inside the environment.

Finally, a smaller but important set of interviews highlighted limitations in incident response maturity and recovery planning. Some districts described limited tabletop exercises, incomplete playbooks, or reliance on informal processes during incidents (Interviews 5, 11, 14). Others noted uncertainty around coordination with legal counsel, communications staff, and law enforcement during a major breach. These gaps suggested that even when detection occurred, districts were not always fully prepared for the organizational complexity of a large-scale incident.

Implications

Taken together, these findings indicate that Florida’s K–12 districts are most constrained not by the absence of security tools, but by gaps in staffing, continuous monitoring, identity governance, and operational resilience. The interviews suggest that improving cyber readiness will depend less on adding new technologies and more on strengthening the organizational infrastructure of cybersecurity: sustained staffing models, after-hours coverage, identity lifecycle management, and mature incident response planning. Without addressing these structural constraints, many districts will remain vulnerable even as their technical control environments continue to improve.

Research Question 5

What are the primary impediments to cyber readiness for Florida’s K–12 school districts?

Across the 17 interviews, districts consistently identified a small set of structural impediments that limited their ability to achieve higher levels of cyber readiness, even when technical solutions were available. The most frequently cited barriers included insufficient funding, hiring constraints, and competition with the private sector for skilled personnel. In approximately 12 of 17 interviews, participants explicitly described resource constraints as the dominant impediment shaping their cybersecurity posture. As one district leader stated bluntly, “… we don’t have the funding or the pay structure to be able to be competitive….” (Interview 5). This pattern suggested that cyber readiness was constrained less by awareness of best practices than by districts’ ability to sustain them financially.

A central and recurring impediment was the difficulty of recruiting and retaining qualified cybersecurity staff. Multiple districts reported losing experienced personnel to higher-paying private sector positions or being unable to fill open positions for extended periods. One district described this dynamic directly:

Interview 7: So even though I get a lot of people available, I can’t hire them because I can get outdone by private industry pretty quickly.

Another noted that even when funding was available, hiring pipelines were slow and restrictive:

Interview 11: We had four applicants in two years because we just can’t compete.

Several districts emphasized that small teams were responsible for extraordinarily large and complex environments, often spanning tens of thousands of endpoints and users (Interviews 3, 9, 16). These staffing constraints limit not only detection and response, but also the ability to maintain documentation, conduct proactive assessments, and continuously improve controls.

Funding limitations were also described as a direct impediment to visibility, monitoring, and modernization. Even districts with relatively mature programs reported that budget ceilings constrained their ability to collect logs, retain data, or expand managed detection coverage. One district explained:

Interview 17: We’re limited by cost on how many logs that we can process.

Others noted that federal grants provided episodic relief, but did not support long-term sustainability (Interviews 7, 15). In several interviews, participants described being forced to choose among competing priorities (i.e., staffing, tools, training, or infrastructure) rather than being able to invest comprehensively across all domains.

Another commonly reported impediment was organizational complexity and governance friction. Some districts described slow procurement processes, fragmented authority across departments, or limited executive understanding of cyber risk. One participant observed:

Interview 8: … it’s hard to conceptualize for leadership… It’s a challenge because unless something is broken or goes wrong, you’re not really seeing an ROI for it.

Others noted challenges coordinating across instructional technology, facilities, legal counsel, and communications during planning and incident response (Interviews 5, 14). These governance barriers often delayed implementation of controls or weakened enforcement of policies that already existed on paper.

Finally, several districts identified training saturation and change fatigue as key impediments. While most districts recognized the importance of awareness training, participants noted that staff had limited capacity to absorb repeated security messaging. One district captured this tension succinctly:

Interview 8: We’re struggling right now just because you only have a certain amount of training capital and change capital you can burn on anybody.

This dynamic was particularly important given the deception-driven threat environment, in which human behavior remains a primary threat vector.

Implications

Taken together, these findings indicate that the primary impediments to cyber readiness in Florida’s K–12 districts are structural rather than technical. Chronic funding constraints, an uncompetitive labor market, and organizational complexity limited districts’ ability to fully implement and sustain effective cybersecurity programs. From a readiness perspective, this suggests that improvements will depend not only on district-level efforts, but also on state-level strategies to stabilize funding, expand workforce pipelines, and reduce governance friction. Without addressing these systemic impediments, many districts will remain unable to translate awareness of cyber risk into operational readiness.

Research Question 6

What policy changes are needed at the state level to support the cyber readiness of Florida’s K–12 school districts?

Throughout the interview process, districts consistently articulated a need for stronger, more coordinated state-level support to address structural barriers that cannot be resolved at the district level alone. The most frequently cited policy concerns included sustained and predictable funding, state-supported workforce development, shared services/centralized resources, and clearer guidance on minimum cybersecurity standards. In approximately 11 of 17 interviews, participants explicitly argued that meaningful improvements in readiness would require policy interventions beyond local control. This pattern suggested that cyber readiness was widely viewed as a state responsibility as well as a local one, particularly given the uneven capacity across rural, suburban, and urban districts.

Another common theme was the need for stable, recurring funding streams dedicated specifically to cybersecurity. Many districts described reliance on episodic federal grants or one-time allocations that enabled short-term tool acquisition but not long-term staffing or monitoring. One district captured this limitation directly:

Interview 7: There’s a particular rule in school finance that says when you get capital money, you can buy stuff with it, but you can’t buy services with it. We can buy a lot of equipment. I can buy tons of staff and student computers. I can buy every kind of hardware you can think of, but I can’t buy the services I need to continually maintain it.

Others emphasized that cybersecurity funding was often embedded within broader technology budgets, making it vulnerable to reallocation when other priorities emerged (Interviews 5, 11, 15). Several participants argued that without protected funding lines, districts would continue to cycle between partial modernization and operational degradation over time.

A second major concern was workforce development (coupled with shared staffing solutions). Multiple districts proposed that the state play a more active role in training, certifying, and retaining K–12 cybersecurity professionals. One district suggested “some way of funding and maybe even mandating cybersecurity awareness training so that I don’t have to go to the Superintendent and say can I get 10 minutes of the teacher’s time” (Interview 3), while another argued for regional or shared security operations centers to support smaller districts that could not staff 24/7 coverage independently (Interview 16). These comments convey a realization that the labor market constraints described earlier are unlikely to be resolved through district-level hiring alone.

A number of districts also expressed a need for centralized services and shared threat intelligence at the state level. Several participants argued that the state could provide economies of scale in monitoring, logging, incident response, and threat sharing. Others suggested that statewide contracts for managed detection, email security, or identity services could reduce cost disparities across districts (Interviews 7, 15). This theme indicated that participants viewed the state not only as a funder, but as a potential operational integrator for cyber defense.

Finally, some districts called for clearer statewide guidance and minimum cybersecurity standards to reduce variability across districts. Participants noted that while frameworks existed, enforcement and consistency were uneven.

Interview 14: since… FERPA doesn’t cover it, and there’s no other state law relevant to the district that requires it, it will never get done.

Several participants suggested that a combination of baseline standards, audits, and technical assistance would help ensure that all districts achieved a minimum level of readiness, while still allowing flexibility for local conditions.

Implications

Taken together, these findings suggest that improving cyber readiness in Florida’s K–12 system will require policy interventions that extend beyond individual districts. The interviews point to four priority areas for state action: (1) establishing stable cybersecurity funding, (2) building state-supported workforce pipelines, (3) expanding shared services and centralized capabilities, and (4) defining clear minimum standards for district readiness. From a policy perspective, the central implication is that cyber readiness in education should be treated as a statewide infrastructure responsibility, rather than as a collection of isolated local challenges. Without sustained state-level coordination and investment, existing disparities in district capacity are likely to persist, leaving the overall system vulnerable to systemic cyber risk.

Conclusion

This study set out to assess the cyber readiness of Florida’s K–12 school districts from the perspective of the professionals responsible for defending them. Drawing on in-depth interviews with IT and cybersecurity leaders from 17 diverse districts, this report documented what districts understand about their vulnerabilities, the threats they face, the steps they’ve taken, and the barriers that continue to limit their readiness. This concluding section synthesizes those findings into a set of core takeaways and translates them into concrete policy recommendations. The Key Findings highlight the most consistent and consequential patterns that emerged across the interviews, while the Recommendations outline specific, feasible actions that state leaders can take to strengthen the cyber resilience of Florida’s public education system.

Key Findings

Finding 1: Florida’s K–12 districts understand their cyber risks clearly, but they view security compromises as inevitable rather than preventable. Across all interviews, there was near-universal agreement that cyber intrusion is a matter of when, not if. District leaders consistently rejected the idea of perfect security and framed their mission in terms of risk management rather than risk elimination. This level of realism is a strength: districts are not complacent about their exposure. However, it also reflects a deeper recognition that defensive capacity currently lags behind the threat environment.

Finding 2: Human behavior and identity compromise are the primary threat vectors facing Florida’s K–12 schools. Among the participating districts, the most consistent and consequential theme was the primacy of human error, phishing, and credential compromise. Every district identified phishing as a primary threat vector, and a majority described identity-based intrusion as their most dangerous vulnerability. This suggests that improvements in cyber readiness will depend in large part on reducing human error rather than on investments in perimeter technologies alone.

Finding 3: Many districts have assembled modern security tool stacks, but they often lack the capacity to fully operationalize them. Across the interviews, a clear pattern emerged: many districts possess sophisticated tools but are structurally unable to use them to their full defensive potential. Underutilization of platforms, limited log analysis, partial monitoring, and weak after-hours coverage were frequently reported. This indicates that Florida’s cyber readiness gaps are less about technology selection and more about operational capacity. The presence of strong tools alongside weak utilization represents a classic “last mile” problem in public-sector cybersecurity.

Finding 4: Staffing shortages are one of the most significant constraints on cyber readiness across the state. Staffing constraints appeared as a dominant theme in the interviews. Districts consistently reported being understaffed, losing trained personnel to the private sector, and being unable to fill open positions even when funding exists. Small teams are often responsible for extraordinarily large and complex environments. This suggests that workforce scarcity is not a peripheral issue, but rather a central bottleneck limiting detection, response, training, and continuous improvement.

Finding 5: Funding patterns favor tools over people, creating structurally fragile security programs. Several districts described an environment where available funding often privileges tool acquisition rather than staffing and operations. This is driven in part by the structure of grants and procurement rules. While federal and state funds have enabled some degree of tools modernization, they often do not support long-term sustainability. This can lead to programs that appear modern but lack the human infrastructure needed to remain effective over time.

Finding 6: Artificial intelligence is already reshaping the threat environment, primarily by amplifying existing risks rather than creating new ones. Districts consistently describe AI not as a separate threat domain, but as a force multiplier for phishing, impersonation, and social engineering. This suggests that Florida’s K–12 threat environment is not static, but rapidly evolving in ways that further disadvantage human-centered defenses. As a result, investments in identity verification, training, and governance will become more (not less) important over time.

Finding 7: District-level efforts alone are insufficient; cyber readiness is a state-level problem. Participating districts note that many of their most serious constraints cannot be solved locally. Workforce pipelines, stable funding, shared services, and baseline standards were all identified as areas in need of state-level intervention. This reframes cyber readiness in education as a form of statewide infrastructure risk, rather than a collection of isolated local problems. Without coordinated state action, existing disparities in district capacity are likely to persist, leaving the overall system vulnerable even as individual districts improve incrementally.

Recommendations

Taken together, the findings of this study suggest that meaningful improvements in the cyber readiness of Florida’s K–12 school districts will require state-level interventions that address structural capacity constraints, not simply additional guidance or awareness efforts. Districts consistently demonstrate strong situational awareness and a clear understanding of best practices, but lack the stable funding, workforce pipelines, and the shared infrastructure needed to implement those practices at scale. Based on the evidence from these 17 interviews, the following recommendations represent some of the more feasible and high-impact actions available to state leaders.

Establish a stable, recurring state funding stream dedicated specifically to K–12 cybersecurity operations and staffing. The most consistent finding across the study was that cyber readiness was constrained less by technology selection than by the inability to attract and retain qualified personnel. State leaders should consider a dedicated, recurring funding stream for K–12 cybersecurity that explicitly supports staffing, monitoring, and operational sustainment, not only capital purchases.

Build a state-supported cybersecurity workforce pipeline for K–12 education. Workforce scarcity emerged as one of the most significant constraints on cyber readiness. To help address this concern, the state could invest in a formal K–12 cybersecurity workforce pipeline, including certification reimbursement, paid apprenticeships and internships, partnerships with state universities and community colleges, and clear career ladders within public education. In parallel, the state should explore regional or shared staffing models for smaller districts that cannot independently sustain 24/7 coverage. Without addressing the labor market directly, most other readiness interventions will have limited effect.

Create shared statewide or regional cybersecurity services for monitoring, detection, and incident response. Many districts lacked the capacity to provide continuous monitoring and rapid response, particularly after hours. The state should develop or subsidize shared services for core defensive functions, such as managed detection and response, centralized logging, threat intelligence sharing, and incident response support. These services could be delivered through Cyber Florida or regional consortia and would provide economies of scale that individual districts cannot achieve alone. Shared services offer a practical way to reduce readiness disparities across districts while improving statewide resilience.

Define and support a clear statewide baseline for minimum cybersecurity readiness. Districts consistently reported wide variability in controls, governance, and enforcement. The state should define a minimum cybersecurity readiness baseline for all districts, including core identity controls, phishing resilience practices, monitoring expectations, and incident response planning. Importantly, any baseline should be paired with technical assistance and funding, rather than imposed as an unfunded mandate. A clear baseline would reduce systemic risk while still allowing flexibility for districts with more advanced capabilities.

Prioritize identity security and human-process controls as the core of Florida’s K–12 cyber strategy. Because the dominant threat environment is deception-driven and identity-centered, state investments should prioritize identity governance, verification workflows, phishing resilience, and training effectiveness, rather than focusing primarily on perimeter technologies. This includes strengthening help desk authentication, privileged account management, executive impersonation safeguards, and role-based access controls. As artificial intelligence continues to amplify phishing and impersonation risk, identity and human-process controls will represent the most cost-effective and scalable line of defense.

Appendix: Emergent Coding

Research Question 1

• Theme 1: High situational risk awareness

• Interviews: 2, 6, 8, 9, 10, 15

• Theme 2: Human error as the primary systemic vulnerability

• Interviews: 4, 6, 9, 10, 12, 15

• Theme 3: Resource scarcity and capacity constraints as vulnerability drivers

• Interviews: 3, 8, 9, 10, 15

• Theme 4: System complexity and limited system mastery

• Interviews: 3, 9, 15

• Theme 5: Data sensitivity and regulatory exposure (student/staff data)

• Interviews: 1, 10, 11

• Theme 6: Governance and leadership access gaps

• Interviews: 2, 3, 8, 9

Research Question 2

• Theme 1: Phishing as the dominant threat vector

• Interviews: 1–17 (all interviews)

• Theme 2: Social engineering and deception-based intrusion

• Interviews: 2, 4, 6, 9, 10, 12, 13, 15, 17

• Theme 3: Credential compromise / identity-led intrusion

• Interviews: 6, 9, 10, 12, 17

• Theme 4: Student-driven circumvention and insider misuse

• Interviews: 8, 12, 16, 17

• Theme 5: AI-enabled phishing and deception amplification

• Interviews: 2, 9, 10, 13, 17

• Theme 6: Deepfake and impersonation risk

• Interviews: 9, 10, 17

Research Question 3

• Theme 1: Tool-heavy security posture

• Interviews: 2, 6, 9, 10, 15

• Theme 2: Underutilization of existing tools and platforms

• Interviews: 3, 9, 10, 15

• Theme 3: Reliance on phishing training and awareness programs

• Interviews: 2, 6, 9, 10

• Theme 4: Layered endpoint and identity protection

• Interviews: 2, 6, 9, 10

• Theme 5: Practices constrained by lack of staff and time

• Interviews: 3, 8, 9, 10, 15

Research Question 4

• Theme 1: Staffing gaps and lack of dedicated cybersecurity personnel

• Interviews: 3, 7, 8, 9, 10, 15

• Theme 2: Time constraints limiting system mastery and training

• Interviews: 3, 7, 9, 10, 15

• Theme 3: Governance and communication gaps with leadership

• Interviews: 3, 9, 15

• Theme 4: Absence of metrics, reporting, and performance measurement

• Interviews: 3, 9

• Theme 5: After-hours response and incident response fragility

• Interviews: 7, 9

Research Question 5

• Theme 1: Inability to fund personnel / staffing prohibition in grants

• Interviews: 5, 7, 8, 9, 10, 14

• Theme 2: Funding-for-tools bias and inefficient resource allocation

• Interviews: 5, 9, 10

• Theme 3: Talent retention barriers and pay differentials

• Interviews: 6, 7, 10, 14

• Theme 4: Chronic budget constraints and competing priorities

• Interviews: 5, 7, 8, 9, 15

• Theme 5: Structural misalignment between policy and operational needs

• Interviews: 5, 6, 9, 10

Research Question 6

• Theme 1: Flexible grant funding and removal of restrictive “strings”

• Interviews: 5, 6, 9, 10

• Theme 2: Creation of dedicated cybersecurity funding streams

• Interviews: 6, 9, 10

• Theme 3: Cyber E-Rate or E-Rate–like funding model

• Interviews: 5, 6, 9

• Theme 4: Centralized or state-supported training frameworks

• Interviews: 5, 9, 10

• Theme 5: Shared services / regional cybersecurity capacity

• Interviews: 7, 9

• Theme 6: State-level vendor security enforcement

• Interviews: 6, 10

• Theme 7: Warning against unfunded or unrealistic mandates

• Interviews: 7, 10

Research Question 7 (AI Question, Blended with RQ2 in Report)

• Theme 1: AI-enabled phishing and social engineering acceleration

• Interviews: 2, 6, 9, 10, 17

• Theme 2: Deepfake and impersonation risk

• Interviews: 9, 10, 17

• Theme 3: AI lowering the barrier to entry for attackers

• Interviews: 6, 10

• Theme 4: AI literacy gap and training overload

• Interviews: 9, 10

• Theme 5: AI as dual-use (defensive enhancement and threat)

• Interviews: 7, 10

• Theme 6: State-level vendor security enforcement

• Interviews: 6, 10

• Theme 7: AI data governance and ethical risk with student data

• Interview: 10
