Desmond opens with a budget reality that shapes everything else he says in this episode. Littleton Public Schools is funded primarily on a per-pupil basis, enrollment is declining across the state and the country, and Colorado's state deficit is creating competition for the same limited dollars between Medicaid, K12, and every other public obligation. In that environment, being a high-performing district does not guarantee resources. It just means the expectations are higher. Desmond's response to that constraint is practical and creative: he is exploring cell tower and colocation partnerships as revenue streams, building a crowdsourced internal security team across every technology domain on his staff, and pursuing a managed security service provider relationship that gives him access to a bench of specialists, including data privacy experts and penetration testers, without the cost of hiring them full time. The framing he uses throughout is the same: when the pot is limited, you get creative about what else is in the room.
The AI governance section of this episode is where Desmond is most candid about what the past year taught him. He felt at the start of his tenure that there was time to develop policy thoughtfully. Twelve months later he looked up and said they were behind. That experience produced one of the most direct and repeatable lines in the episode: we are no longer in the exploratory phase of AI. The district has moved past that point. The response was an AI task force that brought together staff, educators, non-educators, leaders, and students to build a framework organized around four pillars: cybersecurity and data privacy, teaching and learning integration, policy and ethics, and the principle that there must always be a human in the loop. The framework was presented to district leaders and the Board of Education and is being released at the start of the 2026 to 2027 school year. The principle Desmond has adopted as his north star for all of it: it is not whether you are pro AI or anti AI. It is whether you are AI literate. You may feel any way you want about it, but if you are at least informed, you can justify your thinking and your reasoning. That framing has changed how he runs every stakeholder conversation about AI in the district.
The security conversation in this episode is where Desmond and the host find the most alignment and the most productive friction. Desmond draws the machine learning versus LLM distinction as clearly as any guest this season. Machine learning is not consuming your data and running as an agent. It is asking one question on a continuous loop: is this normal? Adobe encrypting a file it does not normally encrypt. Desmond sending emails at 3:00 AM in a voice that does not sound like him. A new admin account doing things on day one that no other admin does. These are the signals machine learning catches at machine speed, stops, and escalates to a human. That is the model Desmond believes wins the security battle: not blocking everything off, not patching faster, not adding another SIEM or EDR layer, but having a system that sees abnormal behavior across every surface and calls for an adult before the damage is done. The MGM breach, he argues, is the clearest proof of what that would have meant in practice: a new admin account running behaviors no established admin ran, on day one, and no system flagging it as abnormal. Machine learning would have caught it. Nothing else would have.
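An added illustration of the "is this normal?" loop described above (not code from the episode or from any product mentioned): a per-actor frequency baseline with a same-role peer fallback, so a brand-new account with no history of its own is judged against what established peers do. The actor names, roles, action labels and the `min_seen` threshold are constructed assumptions, and a plain count stands in for a learned model.

```python
from collections import Counter, defaultdict

# Constructed history of (actor, role, action) events; not real telemetry.
HISTORY = (
    [("alice", "admin", "reset_password")] * 3
    + [("alice", "admin", "create_user")] * 2
    + [("bob", "admin", "reset_password")] * 2
    + [("bob", "admin", "create_user")] * 2
    + [("dgrant", "staff", "send_email@day")] * 3
    + [("jlee", "staff", "send_email@day")] * 2
)

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice", "admin", "reset_password"),           # established behavior
    ("newadmin", "admin", "reset_password"),        # first day, but peers do this
    ("newadmin", "admin", "bulk_export_accounts"),  # first day, no admin does this
    ("dgrant", "staff", "send_email@night"),        # known user, unusual hour
]

class Baseline:
    """Counts how often each actor, and each role as a whole, performs an action."""

    def __init__(self, min_seen=2):
        self.min_seen = min_seen  # sightings needed before an action counts as normal
        self.by_actor = defaultdict(Counter)
        self.by_role = defaultdict(Counter)

    def learn(self, actor, role, action):
        self.by_actor[actor][action] += 1
        self.by_role[role][action] += 1

    def assess(self, actor, role, action):
        own = self.by_actor[actor][action] if actor in self.by_actor else 0
        if own >= self.min_seen:
            return "normal"
        # Cold start: a new account has no baseline, so compare with same-role peers.
        peers = (self.by_role[role][action] if role in self.by_role else 0) - own
        if peers >= self.min_seen:
            return "peer-normal"
        return "escalate"

def build_baseline(history=HISTORY):
    baseline = Baseline()
    for event in history:
        baseline.learn(*event)
    return baseline

def triage(baseline, events):
    """Return the (actor, action) pairs held for human review."""
    held = []
    for actor, role, action in events:
        if baseline.assess(actor, role, action) == "escalate":
            held.append((actor, action))  # held events are not learned as normal
        else:
            baseline.learn(actor, role, action)
    return held

if __name__ == "__main__":
    for actor, action in triage(build_baseline(), NEW_EVENTS):
        print(f"hold and escalate: {actor} -> {action}")
```

Because held events are never fed back into the baseline, repeating an abnormal action does not make it normal; only a reviewer's decision should do that.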
Resources mentioned in this episode
This episode is brought to you by CyberLynx.com
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensure that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Desmond Grant, CIO at Littleton Public Schools. Desmond, welcome to the show.
Desmond Grant: Thank you. Glad to be here.
Matthew Connor: Glad to have you. Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? CyberLynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.
Desmond, for those who aren't familiar, can you tell us about Littleton Public Schools and your role there as CIO?
Desmond Grant: Sure. Littleton Public Schools is located in Littleton, CO, about fifteen minutes southwest of the Denver metro area — a suburb of the greater Denver area. I'm in my second year as CIO, and it's been a phenomenal experience. We face many of the challenges typical to K-12, but despite those, Littleton has a strong reputation across the state and nationally as a high-performing school district.
Matthew Connor: Glad to have you, and you're doing great work out there. Let's talk about one of the biggest challenges you face right off the bat — resources. A CIO in a public school district is a fundamentally different job than a CIO at a Silicon Valley startup with unlimited funding. You've got real constraints. How do you balance keeping everyone equipped and secure when the budget is genuinely finite?
Desmond Grant: It's definitely a challenge. Our primary funding mechanism is per-pupil — we receive a state allocation based on how many students are enrolled. And one of the biggest issues we're seeing now, both in Colorado and across the nation, is that enrollment is declining. Birth rates are low. School choice is increasing — which I think is a good thing, but when families choose private, charter, or home school, that reduces our per-pupil funding. Add to that a state budget deficit, and you're competing against Medicaid, other services, and other education priorities for a shrinking slice of pie.
What we've done is get creative. We look at grants, we reprioritize existing resources, and we have those hard conversations with our executive team, board, and community to make sure people understand what's at stake when funding decisions are made. I'm also actively looking at revenue stream opportunities — things like cell tower partnerships and co-location arrangements with Internet service providers, which I've done at previous districts. You can lease space on school property in ways that generate income within the rules. You have to be strategic about it, but the opportunities exist.
And when it comes to capital needs — major infrastructure and technology upgrades — we look at mill levy overrides and bond opportunities that require community votes. Those conversations are happening now and will become increasingly important over the next several years.
Matthew Connor: Now, on top of all that, you've got a real cybersecurity challenge that doesn't care about your budget constraints. Machine-speed attacks are real. The bad guys are using AI against us, and humans simply can't keep pace with that. I love what products like Darktrace are doing — using AI to see what's happening in real time, flag anomalies, and stop threats before they become incidents. But for a public school, you've also got student privacy concerns layered on top of everything. A breach isn't just a business problem — it's kids' data, their images, their activity, potentially accessible from their bedroom. How do you navigate all of that with limited resources?
Desmond Grant: It starts with education — educating our stakeholders. Last year my team and I gave a presentation to our Board of Education specifically on the state of cybersecurity in K-12 and at Littleton Public Schools. We walked them through where we are, the challenges we face, and how we're addressing them given our constraints. Because here's the reality: we're all getting breach notification letters constantly now. We've almost become immune to them because it happens so often. But in K-12, that doesn't reduce our obligation. We have to protect student and staff data. Period.
Structurally, we're part of K12 Six, which is a cybersecurity membership organization that provides a framework similar to NIST — controls and standards we can apply. Because I don't have the budget to bring cybersecurity experts in-house, I've had to crowdsource our resources internally. We've essentially built a virtual security team by telling every domain expert — networking, systems administration, endpoint — to dedicate a portion of their time to the security element within their domain. We meet regularly, discuss challenges, and attack security collectively.
I'm also actively looking at bringing in a Managed Security Service Provider. Rather than hiring for skills I don't have in-house — a data privacy expert, a penetration tester — I can access that bench through a service agreement. It gives me flexibility without the headcount cost.
Matthew Connor: Now let's talk about screen time, because I think every parent is grappling with this, and you're right in the middle of it. You want kids who are technologically capable, but there's a real question about whether we've become too technology-dependent in schools. Where do you fall on that?
Desmond Grant: I think we have to go back to COVID to understand where we are now. When the pandemic hit, we had no choice — we either gave every student a device and figured out remote learning, or we stopped educating our kids. So we became one-to-one. We increased our technology resources dramatically and built a dependency on that technology that has continued well past the need that created it.
We're still in that mindset in 2026, and part of why is that ed-tech became big business during COVID. A lot of school districts just kept running with the technology without asking whether it was actually helping or hurting students.
Dr. Jared Horwath testified before a Senate committee earlier this year and shared research indicating that technology really is having a harmful impact on kids. People are on both sides of that argument, but what it did for us was prompt us to look at the data ourselves. We're currently doing a full audit — not just hardware but software subscriptions, how teachers and principals are actually using technology day to day, what types of apps students are engaging with, and how long they're on their devices. We need data to have informed conversations about whether we need to adjust the role of technology in the classroom. You can't argue with that approach — we're doing the research, looking at the evidence, and making decisions from there.
Matthew Connor: And AI is the newest layer of that challenge. You want kids to be prepared for a world where AI is ubiquitous, but you also can't let them outsource all their thinking to it. Where do you stand on integrating AI into education?
Desmond Grant: Honestly, when I started here I thought we had a little more time before AI became urgent. I was focused on getting the lay of the land, understanding the district's priorities and challenges, and building strategy. I knew AI was here, but I felt like we had some runway. Then I looked up after a year and realized — we're behind. It moved that quickly.
We are no longer in the exploratory phase of AI. We've moved into intentional use, and we need guardrails in place to be successful with it. The framing I've adopted is: it's not whether you're pro-AI or not, it's whether you're pro-AI literacy. You may have feelings about AI — that's fine. But at minimum, if you're AI literate, you're informed. You can justify your thinking, understand the risks and the benefits, and make better decisions. I've adopted that mindset for our entire district.
To act on it, I partnered with our learning services department to build an AI task force. We brought in staff — educators and non-educators, leaders, and students — to develop a framework for evaluating, adopting, and using AI in the district. We presented to district leadership last month, to our board this month, and we're finalizing it for release at the start of the 2026-27 school year this August.
The framework is organized around pillars: cybersecurity and data privacy, teaching and learning integration, and policy and ethics. Each pillar defines how we look at AI, how we make decisions about it, and how we guide people in using it. We're also building out professional development — asynchronous, packaged training that fits within teachers' constraints, because finding time that isn't consumed by lesson planning, administrative work, and being present for students is genuinely hard.
Matthew Connor: And on the security side specifically — when people hear AI, they think ChatGPT or Claude or the emerging agent tools. That's the loud, visible part. But I get most excited about AI in security, and specifically machine learning applied correctly. Not bolting a large language model onto a security product and creating prompt injection vulnerabilities, but using machine learning to understand what normal looks like in an environment and stopping things that deviate from that. The bad guys are funding themselves with billions of dollars a year from ransomware and attacks. The only way we turn the tide is by using AI on the defensive side just as aggressively. Where does that sit for you?
Desmond Grant: It starts with data governance, honestly. One of our pillars in the AI framework is cybersecurity and data privacy, and that shapes every vendor relationship we have. Before we enter a contract with any company, we're asking: do we have a data privacy agreement? What does it say? How are they protecting our data? That's step one.
Step two is understanding our own data — data governance. Where is our data, who has access to it, how is it structured, how is it being used? This is a challenge for public sector broadly, not just K-12. And we're creating a data governance committee next year to start asking those fundamental questions across HR, finance, IT, nutrition services — every function that touches data. We have to start somewhere.
Then the third tier — AI. Once you have data privacy agreements in place and data governance established, you can start thinking about allowing AI to work with that data in a controlled, trustworthy way. That's where a lot of people, including me, get uneasy. So our approach is crawl, walk, run. We're not exposing our data to AI tools until we've got the previous elements solidified.
That said — I find machine learning in security genuinely exciting, and I think it's the unsung hero of this battle. Machine learning isn't consuming your data and training on it. It's watching for normal and flagging what's not. It doesn't know why Adobe is trying to encrypt a file it normally doesn't touch — but it stops it and flags it. It doesn't know why Desmond is sending emails at 3 AM — but that's not normal, and it doesn't sound like him, so it stops it and calls for a human to investigate. That's exactly the right model. The human comes in after AI has already identified and stopped the threat — not to monitor a wall of logs, but to validate what the AI flagged and decide next steps.
The old model — patch everything, firewall everything off — is simply antiquated. You can't patch fast enough because AI is finding vulnerabilities that have been sitting undetected for decades. You can't unplug your systems. You need something that can see exploitation happen in real time and respond at machine speed. Standard SIEM products and EDR alone don't get you there anymore. But machine learning-based security tools are doing it, and they're maturing. I think the timing is right for this category of product. This is, privacy-wise and security-wise, where I think the good guys win.
And I'm excited for things like Claude's vulnerability discovery capabilities to mature and become accessible to defenders, not just researchers — the ability to point something at your infrastructure and say, where are we exposed? Find it before the bad guys do. That's a tool we need.
Matthew Connor: And it connects to something you said earlier that I think is genuinely profound — the idea that you don't have to be pro-AI, you have to be AI literate. There's a philosophical depth to that. Being forced to become literate about something you fear or distrust is actually a forcing function for confronting your own biases. AI is interesting in that way — it's not a person, it's not an ideology, it's a technology. And that gives just enough distance for people to engage with it seriously who might not otherwise.
Desmond Grant: Exactly. When we give presentations on AI and cover hallucinations and bias right up front, detractors will say — see, this is just proof we shouldn't be using it. And we say: no, this is proof you need to understand the tool. Every tool has limitations. Understanding those limitations is what allows you to use the tool at its highest level and extract real value from it. That's true of any technology, and AI is no different.
And to your broader point about learning lessons from previous technology waves — social media, smartphones, one-to-one devices — I'm genuinely worried we haven't. I show a video in my presentations from Kai-Fu Lee, a prominent computer scientist and entrepreneur from Taiwan. In a 60 Minutes piece from 2019, he said he believed AI would be more significant to mankind than electricity. When I first shared that, one or two people in the room raised their hands in agreement. The last time I presented it, a third to almost half the room raised their hands. The shift in that response tells you everything about where we are. We're at a fork in the road, and being AI literate is how you navigate it well — for yourself, for your students, for your community.
Matthew Connor: Desmond, it has been an absolute pleasure. You brought up some genuinely thought-provoking ideas, and I hope everyone takes the time to sit with them. Before we go, can you tell everyone where they can find out more about you and Littleton Public Schools?
Desmond Grant: Absolutely. Find me on LinkedIn by searching my name — Desmond Grant. And you can learn more about the district at our website, which we completely redesigned last year. Our communications department did a phenomenal job with it. You can read about our current initiatives and what we're doing to prepare for the upcoming school year.
Matthew Connor: Sounds great. Thanks for coming on, Desmond. Until next time.
Desmond Grant: Thank you very much. I appreciate it.