Network Security and the Struggle to Protect Data

Written by MicroK12 | Mar 26, 2025 7:00:00 AM

From Checklists to Cyber Strategy: Jeff Wheat on Building K–12 Security That Actually Works

“We don’t rise to the level of our expectations—we fall to the level of our preparation.”
Jeff Wheat, Center for Threat-Informed Defense

In today’s digital landscape, where K–12 schools face increasing cyber threats—from ransomware to phishing to supply chain vulnerabilities—basic security isn’t enough. And as Jeff Wheat puts it in this episode of Vetted by Mark Vetter, “We can’t checklist our way out of risk.”

Jeff is a Senior Fellow at the MITRE Engenuity-backed Center for Threat-Informed Defense, a global nonprofit that helps organizations align their security efforts to actual adversary behavior. His mission? Help schools shift from theory to action by using threat-informed frameworks like MITRE ATT&CK.

The Limits of Traditional Cyber Plans

Many school districts are adopting cybersecurity frameworks like NIST or CIS—which Jeff fully supports. But his warning is clear: if your framework lives in a binder on the shelf, it’s not helping anyone.

“A framework is a starting point,” Jeff explains. “But what matters is how you implement it. Threat-informed defense is about validating your controls against real-world tactics—not theoretical risks.”

He compares it to building a house: “It’s great to say you have locks on every door. But if no one checks whether they’re locked, or if the back window’s open, you’re still vulnerable.”

From Security to Resilience

Jeff challenges the idea of chasing "perfect security." Instead, he encourages school IT teams to focus on resilience—the ability to detect, respond, and recover quickly when something (inevitably) goes wrong.

“Resilience isn’t about avoiding every breach. It’s about minimizing impact when it happens.”

He shares examples of K–12 ransomware incidents where delayed detection turned minor breaches into multi-million-dollar disasters. The takeaway? Invest in network visibility, regular testing, and incident response plans that involve more than just the tech team.

MITRE ATT&CK: Your Real-World Playbook

One of Jeff’s biggest takeaways is that school leaders don’t have to guess what threats look like. The MITRE ATT&CK framework maps the actual tactics and techniques used by adversaries—and it’s freely available.

He explains how districts can use ATT&CK to:

  • Simulate real-world threats
  • Prioritize investments that match their risk
  • Test whether their controls are working as expected

“It’s not about adding more tools. It’s about understanding how the ones you already have actually perform against known threats.”

Communication is Everything

Jeff emphasizes that non-technical communication is often the missing piece in school cybersecurity plans.

“If your superintendent or board doesn’t understand your risk, they won’t fund your fix.”

That’s why he advocates for tech directors to regularly brief leadership using plain language, real-world examples, and a focus on business impact. Because at the end of the day, cyber threats don’t just compromise data—they compromise learning.

The Future is Threat-Informed

As the episode wraps, Jeff encourages schools to move beyond fear-based thinking and toward measurable, mission-aligned defense. That means:

  • Using frameworks like ATT&CK to prioritize what matters
  • Practicing for incidents, not just planning for them
  • Focusing on resilience, not perfection

“The goal is not to be impenetrable. The goal is to be prepared, responsive, and in control.”

🎧 Listen to the full episode: Vetted by Mark Vetter with Jeff Wheat
🛡️ Topics: Threat-informed defense, MITRE ATT&CK, cyber resilience, communication with leadership