Sponsored by PowerSchool

The Power of Proactive Cybersecurity: An Interview with Mishka McCowan, CISO at PowerSchool


In a recent interview with Tech & Learning, Mishka McCowan, the Chief Information Security Officer at PowerSchool, outlined the company’s comprehensive and proactive approach to cybersecurity.

McCowan’s perspective emphasizes that security is not a separate function but an integrated part of the company's culture and operations. He describes his journey to becoming a CISO as one filled with diverse experiences, including roles in application security, security engineering, and security operations. This broad background has given him a holistic understanding of the challenges and solutions in the cybersecurity landscape.

A Culture of Collective Responsibility

[Image: Mishka McCowan, Chief Information Security Officer, PowerSchool (Image credit: PowerSchool)]

According to McCowan, cybersecurity at PowerSchool is considered "Job One," and is a fundamental part of every employee's day-to-day work. This isn't just a top-down mandate; it's a deeply ingrained cultural value. As he explains, "You have to have security be a part of all of those activities. So for us here at PowerSchool, it's really about making security part of everyone's day-to-day."

This principle is championed by leadership, with the CEO frequently reminding staff that "security is everyone's responsibility." This phrase, McCowan notes, is echoed throughout the organization, ensuring that everyone from engineers to support staff understands their role in protecting customer data. This collective ownership transforms security from a niche concern into a core company-wide mission.

Validation and Certification: An Objective Approach

To ensure its security measures are robust, PowerSchool uses a two-pronged validation strategy. First, it engages external auditors for certification against industry-standard frameworks such as SOC 2 and ISO 27001. This practice, McCowan notes, is crucial for avoiding "blind spots" because it forces the organization to be measured against a "widely vetted and widely understood" framework.

The second part of the strategy involves a more hands-on approach: hiring ethical, or "white hat," hackers. These third-party testers are tasked with finding vulnerabilities in PowerSchool’s systems by simulating real-world attacks. McCowan highlights the value of this practice, stating that the point is "to make sure that where the rubber meets the road and the security has been applied to these systems that it works as designed."

This process ensures that PowerSchool’s defenses remain effective against evolving threats, as these testers are dedicated to staying current with the latest attack techniques.

Industry Collaboration and Strategic Investment

PowerSchool also actively collaborates with the broader cybersecurity community, including industry-specific groups such as K12 SIX and CoSN, which focus on cybersecurity in K–12 education. These partnerships allow for the sharing of best practices and intelligence about emerging threats.

McCowan also points out that direct engagement with customers is a key part of the strategy. By sharing information with its customers' security teams, PowerSchool gains a broader view of the threat landscape while also helping those customers improve their own security posture.

The company backs up its security commitment with substantial financial and operational investments. PowerSchool maintains a suite of industry-standard tools, including endpoint detection and response (EDR) systems and web application firewalls. Additionally, the company operates a 24/7/365 Security Operations Center (SOC) to monitor for and respond to alerts. It also invests significant time and effort in hardening products and performing frequent penetration tests.

As McCowan puts it, "There's all these sorts of areas that we invest in to make sure that we have as secure a posture as we possibly can."

Advice for K–12 Leaders

When asked for advice for K–12 technology leaders, McCowan's message is straightforward: focus on the basics. He warns against getting caught up in chasing "the new shiny thing" and instead emphasizes the importance of mastering fundamental security practices.

"The best thing that you can do is make sure that you've got the fundamentals down because they're a fundamental thing for a reason," he says.

These fundamentals include employee training on how to spot phishing emails, ensuring systems are patched regularly, and protecting all devices with EDR.

While this advice might seem simple or "dated," McCowan says that focusing on these core elements will put you "ahead of the pack" and protect against the majority of common attacks.
