FETC 2026: How K–12 Districts Can Build a Mature Cybersecurity Architecture

Building an effective cybersecurity architecture in K–12 schools requires far more than simply installing tools or outsourcing technical work. Real cyber resilience comes from treating security as a shared culture that touches every part of a district. That was the message delivered by Ozzie Vargas, manager of security solutions for CDW, at FETC 2026 in Orlando, Fla.

Cybersecurity must be woven into a school district’s culture rather than existing as an IT silo, Vargas said. Students, teachers, staff and administrators all play roles in securing data and should understand the importance of recognizing phishing attempts, following access policies, reporting incidents quickly and reinforcing safe digital behavior. Training and awareness cannot be one-off events or limited to technical teams; they must be ongoing and inclusive.

“Change must be systemic,” Vargas said. “Make sure that people and technology are blended. They go hand in hand. You can have can’t have one without the other.”

Vargas said districts also need a coherent, modern security architecture rather than a patchwork of disconnected tools. Many organizations run dozens of security products, which contributes to operational fatigue.

“Schools want a frictionless solution, simple and easy to use, coupled with a great experience,” he said. Rather than implementing layers of complexity, districts should seek intuitive systems.

According to Vargas, a strong security architecture includes endpoint detection and response, email and web protection, patch management, data classification, multifactor authentication, secure backups and disciplined decommissioning of legacy systems. Identity has become the new perimeter, so identity and access management must sit at the center of a cybersecurity environment.

Progress toward cybersecurity maturity depends on a journey grounded in a clear framework. Vargas encouraged districts to adopt a rubric-driven approach aligned with recognized frameworks such as those from the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency and the Cybersecurity Coalition for Education.

The Certified Cybersecurity Rubric Evaluator (CCRE) program was developed specifically for education, designed to scale up internal capacity and knowledge and help districts to understand where they stand and how to improve. The framework is organized around six core functions: govern, identify, protect, detect, respond and recover. Governance clarifies roles, expectations and communication pathways. Identification maps assets and risks. Protection and detection define safeguards and monitoring. Response and recovery ensure there are tested, repeatable steps to manage incidents and bounce back from them.

In the cybersecurity maturity journey, self-assessment and continuous improvement are essential. Formal evaluations can help districts set concrete goals with clear deadlines. This is not a one-time project. Reassessment should happen at least annually, Vargas said, as this allows schools to track progress, adjust priorities, and respond to evolving threats and technologies.

The complexity of frameworks, tools and threat landscapes can overwhelm lean IT teams, but districts do not have to navigate this process alone, Vargas said. Partnering with experienced security integrators and certified evaluators can simplify decision-making, help rationalize portfolios, and align technology choices with educational and budget realities. According to Vargas, pairing the CCRE framework with CDW’s Cybersecurity Maturity Workshop ensures that district IT teams are prepared for cyber incidents.

“We are helping develop the strategy and the resources,” he said. “We’re helping schools navigate the cybersecurity journey to get to maturity. We’re also elevating IT professionals with knowledge, empowering them with what they need to know to have continuous improvement going forward.”