September 15, 2025

5 Security Questions with Mike Bianco, VP of Information and Data Security

Lauren Gilchrist
Blogger, Traveler, and Video Talent

K–12 schools have become an increasingly common target of cybercrime. With limited resources and a growing reliance on digital tools, they face significant challenges fending off attacks. From ransomware attacks to data breaches, the risks are real—and growing.

We asked Mike Bianco, Skyward’s vice president of information and data security, to share Skyward's approach to security and what you can do to keep your district safe this school year.


Why is it important for districts and edtech providers to make cybersecurity a level one priority?

Mike: Ransomware and business email compromise (BEC) continue to disrupt learning and finance operations with material recovery costs when districts aren’t prepared. The basics—strong identity, MFA, least privilege, and a tested incident response plan—reduce both risk and impact.

Edtech platforms sit at the center of sensitive student and staff data and critical daily operations. Vendors have to model good security hygiene—secure development, encryption, audits, and rapid response—because our controls become our customers’ first line of defense. Our hosting and application practices are built around that reality, including annual third‑party reviews and strict controls in our hosted environment.

Security and safety are connected. When identity, access, and monitoring are strong, we reduce opportunities for data abuse, online harassment, and account takeovers that can put students at risk. We also point districts to federal K–12 cyber‑safety resources to reinforce safe practices at school and at home.


What puts Skyward ahead of the game in K-12 security?

Mike: First of all, we are a leader in security because we didn’t just add MFA as a checkbox—we built it right in, made it a must-have, and gave districts straightforward advice for rolling it out.

Second, we proactively validate our security. We added crowdsourced testing through Bugcrowd in addition to traditional application penetration testing—so we’ve got more eyes, earlier, on the places that matter most. (Editor’s note: Bugcrowd is a coordinated vulnerability disclosure and bounty program that goes way beyond traditional application penetration testing. Vetted researchers rigorously test areas like logins, MFA, and APIs, and we triage and remediate issues through a structured process. It complements app pen tests by giving us in-depth coverage from specialists with diverse techniques.)

Third, we will never stop making security improvements. This includes continuous improvements in our cloud-hosted environments, maintaining a documented incident response plan, and conducting regular exercises to ensure preparedness. We also use a multi-layered security approach, so even if one line of defense is tested, we've got backup measures ready to keep things safe.


What other steps has Skyward taken to create secure solutions?

Mike: A secure solution requires a multi-layered approach. Some examples of the layers include annual third‑party audits and pen tests, strong encryption and access controls in our hosted environments (SSAE 18/SOC practices), a coordinated vulnerability disclosure program with Bugcrowd, and mature incident response tabletop exercises.

Skyward invests heavily in security training for our teams. We conduct regular security awareness sessions for all staff to reinforce best practices and emerging threats. Our development teams also participate in secure coding workshops and follow strict coding standards, with peer code reviews and automated tooling to catch vulnerabilities early. These ongoing education efforts ensure that security is woven into every stage of product design and deployment.


What can districts do to maximize their digital security efforts?

Mike: Start where attackers start: identity. Turn on MFA for business office and privileged accounts first, then expand to staff and high‑risk roles. Pair it with SSO, least‑privilege security groups, IP address restricted security groups, EDR on endpoints, and a tested IR plan.

The security available in our Secure Cloud is best of class, so move critical Skyward data to the Secure Cloud. Then move to SSO, EDR, and routine access reviews. Those moves stop the most common attacks cold.

Finally, lock down email (BEC is still rampant) and don’t forget the human layer—continuous phishing awareness wins. We’ve published top recommendations articles and checklists districts can follow.


You are speaking at the EdProtect Symposium in Washington, D.C., this month. Tell us about this event.

Mike: I’m excited to showcase our EdTech Security leadership at EdProtect. This is a hybrid security research initiative led by UC Berkeley’s Center for Long‑Term Cybersecurity with Bugcrowd—culminating in a one‑day, invite‑only symposium in D.C. where participating edtech teams review findings, remediation progress, and next steps with researchers and program partners.

Security is a team sport. We value our customers’ feedback and collaborative spirit—your guidance shapes our approach and enhances our security. Together, we’re setting the standard and leading the edtech industry forward in security excellence.


Stay tuned for more practical tips and security best practices!



Follow-up resource: Turn on Essential Security Features Before It’s Too Late

Let’s look at four security measures you can take to defend your district against business email compromise attacks.

 


About the author
Lauren Gilchrist
Blogger, Traveler, and Video Talent

Lauren enjoys visiting school districts and spreading the word about creative, non-traditional approaches to universal challenges. Follow her for on-the-scene reporting (with a little fun sprinkled in) and tips on how to enjoy a better Skyward experience. 


