Edtech Security: From Shared Responsibility to Shared Practice
By Curtiss Barnes, CEO, 1EdTech
The last eighteen months have asked a lot of our edtech community. Multiple major incidents have affected tens of millions of students, faculty, and staff across K–12 and higher education. Consequently, data privacy and security are moving from a procurement footnote to a front-page operational reality. Institutions are spending weekends rebuilding access. Technology provider teams are spending months in remediation. Students and families are spending years anxiously watching their data move through systems they cannot control.
June marks my second full year as CEO of 1EdTech. I have heard from members and non-members alike, technology leaders, institutional leaders like registrars, and other major stakeholders in nearly every state and several countries. I never hear complaints about any single vendor. It is a quieter, more difficult question: who is responsible for what?
We owe one another a clearer answer.
The frame matters
A cyber-security incident is almost always treated, in the moment, as a failure of one company. That framing is comforting. It localizes blame, it points at a fixable target, and it lets everyone else feel that they are doing the right things. It is also, increasingly, wrong. As AI lowers the cost of attack and accelerates its cadence, the single-vendor responsibility or blame frame will mislead us more often than it informs us.
Reputable certifications such as the 1EdTech Data Privacy Certification, SOC 2, and ISO 27001, along with agreement frameworks like 1EdTech's and A4L’s DPSAs, are designed to attest to the presence of specific controls and to encourage strong security and data privacy practices. They are not, and cannot be, guarantees of complete invulnerability, nor are they intended to be. No widely recognized certification makes that claim.
It can be tempting to interpret a hack as evidence that a certification or framework has failed, but that perspective reflects a misunderstanding of their role. Certifications and agreements are one part of a broader risk management approach, not a standalone assurance of security.
A more effective approach emphasizes complementary practices that meaningfully reduce risk: thorough due diligence that goes beyond standard checklists, contracts that align incentives and responsibilities, disciplined identity and access management, and well-practiced incident response capabilities. When these elements work together with certifications and frameworks, they provide a more realistic and resilient foundation for security.
That is what "shared responsibility" actually means. It is not a slogan. It is a working agreement among institutions, technology providers, identity providers, and standards bodies. We are all in the same soup, and we each carry obligations the others cannot discharge for us.
Where 1EdTech sits
1EdTech is the standards layer of this work. We are the organization that brought the community together to develop the current rubrics. 1EdTech unites the community for common good. And that is how we will continue to address new challenges and opportunities.
We do not build learning management systems, and we do not run school networks. We co-create and steward the standards that let edtech components trust one another, exchange data safely, and meet a shared bar of practice. 1EdTech’s TrustEd Apps program is the most mature of those efforts; thousands of applications have been vetted against a rubric developed and managed by our members, and the directory is widely used to inform real procurement decisions in schools and universities. The rubric has evolved continuously since the program began. The question now is how fast it should evolve, and toward what.
Three questions are surfacing from our members with growing consistency. They are not new questions, but the last eighteen months have made them urgent.
First, how should a certification address specific vulnerability scenarios, and not only stated policies? Stated policy is necessary, but demonstrated control under pressure is the standard the field actually needs.
Second, how should the quality of a vendor's incident response be captured? How an organization notifies, contains, remediates, and communicates after an incident tells us something material. The willingness to learn publicly is itself a security control. Encoding that into a rubric without reducing it to a checklist is the hard part.
Third, how do we achieve tighter integration with the institutional side of the equation and deeper coordination with other associations to maximize awareness and understanding? Standards bodies will not get there alone.
These are not rhetorical questions, and they are not 1EdTech's to answer in isolation. They are the agenda the community needs to take up together.
An invitation
The community has always advanced by learning together — too frequently from incidents and sometimes from successes. The same is true now. If you are an institutional leader who has spent the last weeks rebuilding services, or a supplier executive who has spent them answering hard questions, I would like to hear from you on the three questions above, and on the ones I have not surfaced.
This is not a one-time response to a single moment. It is the next phase of work that the community has been quietly asking for, and it is the right phase for this moment in the threat landscape.
The next phase of the field's security practice will be built by the people thinking carefully about it now. This is exactly what communities like ours exist for: not the easy moments, but the hard ones.
Join us. We have work to do, together.
Curtiss Barnes is CEO of 1EdTech, a non-profit standards and edtech education & research organization serving educational institutions and supplier organizations worldwide.