This Framework in Focus interview was featured in the Summer 2022 NICE eNewsletter.
Title/Organization: Director of Technology & Information Services, Community High School District 99 (Downers Grove, Illinois)
NICE Framework Categories: Oversee & Govern
NICE Framework Work Roles: Executive Cyber Leadership
Academic Degrees: B.A.
Certifications: CISSP, CISM, CETL, CDPSE
This issue’s interview is with Rod Russeau, Director of Technology & Information Services at Community High School District 99 in Downers Grove, Illinois. Mr. Russeau shares his path into cybersecurity, and how he helps people understand that everybody has a responsibility to do things that promote security. Below is a summary of his conversation with Karen A. Wetzel, Manager of the NICE Framework
KAREN WETZEL: Hello. My name is Karen Wetzel, and I am Manager of the NICE Framework at the National Initiative for Cybersecurity Education (NICE) at NIST. The NICE Workforce Framework for Cybersecurity, published as NIST Special Publication 800-181, establishes a taxonomy and common language used to describe cybersecurity work. The NICE framework is intended to be applied in the private, public, and academic sectors. In this edition of the NICE e-newsletter series Framework in Focus, it is my pleasure to speak with Rod Russeau, Director of Technology and Information Services at Community High School District 99 in Downers Grove, Illinois.
Rod, thank you for letting us learn more about your career pathway and understand the NICE Framework from your perspective. Let’s start by hearing about your role and responsibilities as Director of Technology and Information Services at District 99.
ROD RUSSEAU: District 99 is located about an hour west of Chicago. The entirety of our district is two large, comprehensive high schools totaling about 5,000 students. Six K-through-8 separate, independent school districts feed kids into us. I am currently Technology and Information Services Director, a cabinet-level position. I report to the superintendent and am responsible for managing all of the technology within the district, which includes budgeting, planning, and maintaining the data systems and overall network infrastructure.
I’ve been with the district 26 years and my role has changed exponentially over that time, especially in the last 5 years or so. You can see the difference when we look at things like bandwidth allocation—when I started in ‘96, we had a T1 line. That was all we had; Internet was there, but not too many people used it and not much changed in the 15 years that followed. In the last few years, though, it’s just an astronomical increase. That example can be used as an analogy for the growth in complexity and reliance upon technology overall.
And, as part of that acceleration of technology, we’ve seen a commensurate growth in the need for cybersecurity and data privacy. To me, those two things go hand-in-hand and a lot of states, including Illinois, have really ramped up the data privacy requirements.
KAREN WETZEL: What kinds of folks are on your team, and what kinds of roles do they fill?
ROD RUSSEAU: When I started with the district, it was me and a computer operator and a couple teachers in the buildings that liked to dabble in technology. We’ve definitely grown since then. We have about 17 IT staff across the district now, and we’re very blessed that the board of education has recognized that supporting technology is important. More specifically, there are three people at the district office who work directly with me: a network infrastructure manager, a network systems administrator, and an information systems manager. And the first two roles I mentioned, just as their titles would suggest, take care of the overall network infrastructure and all of the connectivity and security and things that go along with that, and our infrastructure systems manager works with all of our data and information system needs—including the student information system, finance and HR systems, and a myriad of other systems in which we house data and upon which people rely.
In each of the two high schools there are about half a dozen additional people, such as a network supervisor, IT support technicians, and some higher-level technicians who troubleshoot issues and deploy new technologies. In addition, supporting teachers and what they do with technology is extremely important. We have a full-time instructional technology coordinator in each building in addition to about six curricular technology consultants—teachers who are released from one teaching assignment, so they have an extra period free during the day to act as additional support for the instructional technology coordinators.
When it comes to information security, it’s our team here at the district office and we share that responsibility. One of the things we do to try to fill that void is use a virtual chief information security officer (vCISO). For instance, he really helped us focus on risk management. But I’ve been talking with the superintendent and other leaders here and I wouldn’t be surprised if in the relatively near future school districts like ours will need a full-time cybersecurity position on staff.
KAREN WETZEL: The NICE Workforce Framework for Cybersecurity is a tool that can be used for people to understand different kinds of cybersecurity work. Have you been able to use it to guide your own career and do you see it as useful for students who are interested in learning more about cybersecurity?
ROD RUSSEAU: Although I’ve been in the technology field since 1977, it wasn’t until 2018 that I earned my CISM and CISSP. It’s really opened my eyes to the world, paying attention to the organizational objectives that are just so critical to manage risk in an organization and especially in a school district. I like how the NICE Framework is built around that, and the three buckets of knowledge, skills, and tasks, and how it embraces agility and flexibility. Our field has so much change coming at us rapidly. It’s critical that those concepts be first on the mind.
KAREN WETZEL: Can you share about your career path and how you came to your current position?
ROD RUSSEAU: I started out in 1977 as a computer operator at a high school district about an hour north of us here. The entirety of the student information, financial HR information systems was run on a minicomputer with 96K of memory and a 40-megabyte disk drive—my watch has 100 times more power and capacity than that now! I taught myself how to program in COBOL, got to know the software developers, and in a little less than a year they offered me a job in their small group. That started my career in software development, developing, maintaining, supporting, and programming student information systems and financial information systems for school districts all around the country.
After some mergers and acquisitions, I went to work for a school district as their data processing director in 1994, when technology in schools was data processing. In my second year there, I shifted into a newly created technology director role for a year before the superintendent for my current district created the role I’m in today.
In 2018, I took a cybersecurity class taught by Amy McLaughlin with the Consortium for School Network (CoSN). She had earned her Certified Information Security Manager certificate, and I was curious about that. It really spoke to me because it covers the governance and management side of security much more than the technical side, which, as a leader of technology in the school district, really applied to me.
I then happened to find an annual online CISSP mentor program, totally free, offered by FRSecure and SecurityStudio. I enrolled in that program with the sole purpose of just learning more, without any intention to earn the CISSP—I thought it was too technical. I was surprised, though, as I got halfway through it that so much of it is about managing risk and governance, so I eventually pursued that as well.
It’s funny. All those years in my career I was learning on my own and then waited until the end to get some letters after my name!
KAREN WETZEL: I had a call earlier this week about how many people go into the field without knowledge of the business of cybersecurity. Your reporting line shows me you know the importance of understanding the business of technology and cybersecurity and how these help an organization to grow, to provide their services, and to safeguard systems, networks, devices, and information.
ROD RUSSEAU: It’s so important to help people understand that there’s a difference between responsibility and accountability, where everybody is responsible for security. Everybody has a responsibility to do things that promote security. Ultimately, though, the district leadership, the superintendent, and that key administrative team are accountable for information security, just like they’re accountable for everything else that happens or doesn’t happen. Part of our job is education and awareness, explaining how people fulfill an important function in keeping our district secure.
KAREN WETZEL: You mentioned the letters behind your name. What do you think is the importance of that academic degree or credential in this field?
ROD RUSSEAU: As you could tell based on my story, I built quite a lengthy career without formal certifications, and again, I use them more as a learning tool. When I’m looking at filling a role, certifications show me that someone has dedicated the time and resources. I can also tell you that our vCISO and I have the same letters after our name. But I don’t have 15 years of experience doing cybersecurity work like he does.
So the letters definitely show a commitment and a body of knowledge and awareness within someone, but alone they don’t declare that person an expert.
KAREN WETZEL: It sounds like you’re very interested in your continuous learning and making sure that that’s something that you dedicate your time to. Are there other tricks that you use to keep your skills and maybe those of your team sharp and current?
ROD RUSSEAU: I’ve mentioned our vCISO—working with him has been so helpful on many levels. Many of our interactions there are learning experiences, whether it’s to celebrate what we are doing well, fine-tune and improve areas we need to, or pull our heads out of the technical and get us more into the organizational and risk side of our work.
Another tremendous resource is the Illinois state chapter of CoSN, Illinois Education Technology Leaders (IETL). It is a tremendously interactive, openly sharing and helpful group that not only holds periodic face-to-face conferences but regular interactions and learning opportunities. The connections you make with people just can’t be understated.
KAREN WETZEL: How are you working to support a diverse workforce?
ROD RUSSEAU: District 99 is and has always been really focused on hiring a diverse staff, from the board of education down through the district leadership and in our human resources offices. For instance, we attend job fairs specifically geared toward minorities, visit selected universities in the area, and have incentive programs in place. The district is always making sure that’s always present and front of mind and that we continue to move in that direction.
KAREN WETZEL: What is it that you enjoy most with your work at District 99?
ROD RUSSEAU: First, my team is amazing. I’ve never worked with a more collaborative, supportive, or stronger group, and it makes coming to work great every day. When we’re talking about the qualities of people that you are looking to hire, I think soft skills are incredibly critical, especially communication. Strong technology people are oftentimes pigeonholed. I understand a lot of the technology parts of things, and I can work well with people and communicate. That’s helped me get to where I am today.
Also, it’s hard to find a more challenging and rapidly changing environment. With COVID, educational institutions had to just change on a dime, and there’s always something going on.
KAREN WETZEL: What's the biggest takeaway or maybe the biggest challenge that you had with COVID’s impact?
ROD RUSSEAU: We were in pretty good shape when it came to students and providing them access from home since we had been one-to-one with Chromebooks for about 6 years or so already. When it came to supporting teachers, though, we were accustomed to having them come to the district, so we had to put in place more remote options.
One of the biggest challenges we found was some of our labs for our students with more specific applications for AutoCAD classes, digital photography classes, and the like. We had to quickly come up with a concept to allow through virtual desktops so students could work on those with their Chromebooks at home.
From an applications standpoint, we initially kind of had a feeding frenzy, if you will, of requests for different online applications that teachers wanted to use to supplement instruction when everything went remote. So that put some pressure on us too. Our normal process to vet an application from a security and data privacy standpoint had to be adjusted.
Since we already had an ecosystem in place that supported and secured students and teachers periodically working from home, we were on high alert for the attacks that come along during any crisis of any kind, when you’re not necessarily paying attention because all of your energies are focused elsewhere. For instance, we have a phishing awareness and education campaign where we will phish the staff—when we went remote for COVID, we didn’t suspend that. I know some districts did, but we just felt it was so important. The real world isn’t going to stop phishing you, so we shouldn’t stop educating you.
Ultimately, we’re helping support students and their learning. So we keep that in our mind when we’re in the trenches and having to deal with some of those issues.
KAREN WETZEL: What advice would you give to someone who is looking to enter the field of cybersecurity?
ROD RUSSEAU: This is probably universal, Karen, but I’ll say it anyway—find a mentor. Find someone who is doing what you think you might want to do or who knows what you think you might want to know. Befriend them. Understand what they’re doing. And as you start to meet people, get engaged and say yes to opportunities. Sometimes you may be a little unsure of yourself, but keep saying yes.
KAREN WETZEL: Well, and you’ve shared some great places for people to start and to help with those connections, so thank you for that. And thank you, too, Rod, for your time today. This has been fascinating, and I very much appreciated getting to know more about you.
ROD RUSSEAU: Thank you, Karen. I really appreciate the opportunity and have enjoyed talking with you.
To listen to the full audio interview with Rod Russeau, click on the audio below:
Download a full transcript of the interview.