Charter & Boarding School Security: Success Academy, Hotchkiss, and Kent Share Their Playbook

At first glance, Success Academy Charter Schools - with its 57 schools and 23,000 students across New York City - might seem to have little in common with the historic boarding schools of Connecticut's northwest corner. Yet in a recent webinar, technology leaders from these vastly different educational environments revealed how they're finding common ground in their approach to data security.

The conversation, moderated by Virtru’s Andrew Lynch, brought together Bryan Thompson, CISO of Success Academy Charter Schools; Kevin Warenda, Director of IT at The Hotchkiss School; and Michael Siepmann Director of IT at Kent School, offering a rare glimpse into how different types of educational institutions are tackling similar challenges.

Keep reading for a recap of this conversation; or, watch it on demand by following the link below. 

The New Educational Security Landscape

The digital transformation accelerated by COVID-19 has fundamentally changed how schools approach data protection.

"The COVID-19 pandemic accelerated the process of digitizing a lot of things that may otherwise have taken a lot longer to become really fully digital," explained Kevin Warenda.

This rapid digitization has exposed schools to new vulnerabilities. As Warenda noted, "Schools in particular have been an increasing target largely because commercial entities largely got their act together... Threat actors really realized that schools were right because many of us were not resourced, or structured in a way. Our cultures are different from a commercial organization, so it was much lower hanging fruit."

Recommended Reading: Shenandoah County Public Schools Secures Pandemic Communications with Virtru

Different Schools, Different Stakes

The current state of American education is diverse, and will continue to morph and change in the next few years. Nowhere is this more evident than in how different types of schools approach data security. For Success Academy Charter Schools, protecting intellectual property is as crucial as protecting student data.

"Because we're a charter school, we kind of follow a different set of content and curriculum, is really what we consider our intellectual property," explained Thompson. "It can change a little bit of how our information is shared with our kids, in particular, given that we're a charter school, it's gonna be a little bit of our competitive advantage."

In contrast, private boarding schools like Hotchkiss and Kent face distinct challenges managing residential student life. Beyond academic records, they're responsible for health information, international student data, and financial records from high-net-worth families.

"You have quite a few high net worth individuals that are our customers effectively," Warenda noted. "Their information is in our systems from the application process, or for those that donate to us... there's a lot more financial information than I think I was dealing with in public space before."

These boarding schools also carry unique operational risks. As Warenda explained, "For a residential educational environment where people thrive living and learning here... anything that can interrupt that operational cycle or damage our reputation is actually more important now than ever."

Kent School faces the additional challenge of managing data across what Michael Siepmann calls "a wide variety of business processes... Anything from, you know, from start to finish, right, the admission cycle all the way to the alumni cycle."

This creates a complex litany of data protection needs that spans a student's entire journey and beyond.

Discover: Virtru for FERPA

Converging on Solutions

The stark differences between a 57-school charter network and historic New England boarding schools might suggest different security needs. Yet as cyber threats mount against educational institutions, these schools have discovered a surprising truth: effective data protection looks remarkably similar across all contexts. Here's their shared playbook:

Start with the Fundamentals

The leaders emphasized that sophisticated security tools are worthless without basic protections in place.

"Just by enabling certain things like MFA... it doesn't make sense to layer on a certain tool if you're not securing your accounts properly," Siepmann explained.

This approach extends to established security frameworks. As Warenda elaborated: "You could look at the NIST standards and CIS standards, K12 SIX standards. They give you a roadmap of exactly the types of things you need to be thinking about and considering... for the most part, most of those start with identity, secure that identity, and make sure you're training your users."

For schools with limited resources, this fundamentals-first approach is especially crucial.

"If money is the problem, look for these creative ways to actually kind of offset other expenses or consider the actual financial or reputational cost if you don't do something," Warenda advised. "Sometimes the savings on the premium for their insurance policy actually pays for the service."

Build a Culture of Security

Success Academy has taken an aggressive approach to security training. "Most organizations do it annually. We actually do it quarterly," Thompson shared. "So that helped to kind of improve a lot of the security culture that we're trying to institute."

The need for this cultural shift is particularly acute as schools face increasingly sophisticated threats.

"Email still is the thing. The social engineering aspect is where this is all going," Warenda explained. "Even with the best of tools... we've seen threat actors that are effectively able to convince someone that it's a legitimate message coming from someone inside our school… We have to really double down, educating people as to how to spot scams, how to spot phishing attacks, and educating them on how our perimeter fences do work so they can recognize things that are outside of those norms."

Prepare for Incidents

The schools have moved beyond basic incident response to comprehensive crisis management, recognizing that a data breach requires coordinating multiple stakeholders across the institution. Modern incident response isn't just about technical fixes - it's about managing communications, maintaining trust, and ensuring operational continuity during a crisis.

Each school has developed multi-layered response plans that engage both technical teams and executive leadership.

"We have an incident response plan, but not only from just a technical standpoint, but also how we handle the response for parents and other types of organizations," Thompson detailed. "We do a technical tabletop, and we do an executive tabletop. That way we incorporate the technical elements that need to take place to appropriately handle an incident, but also what do our executives need to do, how we communicate, who needs to communicate, who's handling certain types of things internal and external."

Michael Siepmann added a critical point about third-party dependencies: "You don't necessarily know the extent of the data that may have been breached... the process can take take a while and you wanna avoid having a long span of a gap in communication, but it's hard when you're relying on some of the third parties to help manage that."

Manage Vendor Risk

The increasing reliance on cloud services has made vendor management a top priority; when data flows through third parties, vetting becomes priority number one.

"We're now more and more having to actually vet and understand what are the capabilities and how are our partners, how are our vendors, handling our data," Warenda emphasized. "The last few years alone, I've seen more and more of our things go to SaaS products from on premise."

Thompson highlighted how this extends to even basic services: "We put together a whole third party risk management program just based off of one of the fundamental questions that we always ask is, will that vendor interact with student data? And that usually triggers everything. And it can be as small as a bus transportation, because they're going to have a class roster... all the way to full blown SAS or student information system."

Defense in Depth

The schools have moved away from relying on single solutions, recognizing that no one security tool or vendor can address all threats. Instead, they're implementing multiple layers of protection that work together to create comprehensive security coverage. This layered approach means that if one security measure fails, others are in place to catch potential breaches.

"Part of our strategy is a defense in-depth approach," Warenda explained. "We don't actually want to trust a single vendor for anything because there's blind spots there... If you think about pieces of Swiss cheese layered on top of each other, you don't want that hole to go all the way through."

New Frontiers in Educational Security

Looking ahead, these school leaders identify two emerging battlefronts: artificial intelligence and student mental health. While AI presents new educational opportunities, it also introduces unprecedented security challenges that demand attention.

Mental health has emerged as a critical security concern. "We're also looking at making sure more that we think about the kids' mental health... Even social media pieces are starting to become kind of a mental health concern to our younger kids," Thompson noted. The digital safety net must now extend beyond data protection to student wellbeing.

Meanwhile, social engineering remains the most persistent threat. "Email still is the thing. The social engineering aspect is where this is all going," Warenda warned. "That's where we're seeing the most targeted attacks on us... humans are fallible."

A Common Path Forward

These discussions across different school types reveal a simple truth: whether protecting charter school curriculum or boarding school health records, effective security requires the same fundamental elements. Strong foundations, rapid incident response, careful vendor management, and layered protection aren't optional - they're essential.

The message is clear: in today's threat landscape, no school can go it alone. By sharing experiences and best practices across institutional boundaries, schools are building stronger defenses for all.

Want to watch the conversation in full? Head over to the on-demand webinar by selecting the button below.