Is There Really Such a Thing as a Free Lunch?

One of the challenges in Higher Education is making sure we protect our digital information. We are the stewards of personal records, health records, information on intellectual property and a myriad of other types of sensitive information. Sometimes this information is stored in enterprise systems that are well protected behind firewalls and/or physical security, but at other times we share this information with 3rd parties in order to better enable us to do what we do. In these cases we have to ensure due diligence, as do the companies we share the information with. We should never relinquish ownership of our digital information, but if we do, then we need to be well aware of the risks and benefits and make an informed decision.

In Higher Education, individuals within our organizations are frequently afforded incredible autonomy when it comes to the technology they use. That is not to suggest that this autonomy doesn’t exist in other sectors, maybe just not to the same scale. I am continually surprised when I talk to my peers in the private sector and they tell me about “shadow” systems that they simply weren’t aware of until they were well established and dependencies had been built. We don’t really mind that these systems exist and at times they can drive innovation. As long as they are efficient and effective, don’t compromise other things that we do, and protect our digital information then we should be fine.

The challenge is that I am increasingly seeing a number of technology solutions being developed and marketed directly to individuals on our campus. These include applications or services that specifically address real needs in the community and would be enticing for anyone. Many of them are focused on our students and some of them come with no cost. That is where the kicker is – why are these things free – what is the business model that will sustain the company that has developed this solution? Many times when we look at the fine print, we find out that the value for the business is getting access to our digital information. This is not unlike the business model of many well-known social media platforms that we use every day. The difference is one is a personal decision and the other is an institutional (enterprise) decision and they come with different levels of accountability. These businesses are either using this information internally or worse, selling it to someone else. As stewards of this information we have a responsibility to ensure that the information is used in the execution of our core ‘business’ (teaching, learning and research), it is not shared further, and that we notify individuals how and why the information is to be used. This is also a good point to note that we need to treat student information differently than we do faculty and staff information. There are far more sensitivities on the former.

At an enterprise level we do an assessment of new technology solutions, in order to fully understand the risks to our information. The assessment is about awareness and being deliberate in what we do. Among other things, we look at contractual obligations that would limit the re-purposing or resale of information; we look to ensure that we maintain ownership of our information and we look at what sorts of security measures 3rd parties have in place to protect the information. The Information Security and Enterprise Architecture group within ITS helps units do these assessments and better understand any residual risk. When we do these assessments, we sometimes get pushback from the vendors and sometimes that tells us all we need to know.

People frequently ask me what keeps me up at night as a CIO and this is something I think about a lot.   I encourage the community to consider 3rd party solutions because it can facilitate innovation, but I also  hope individuals realise the implications of their decisions.  This is one of those places where the CIO has accountability, but little authority to limit actions.  Remember if someone comes to you with an offer that sounds too good to be true …. then it probably is and there really is no free lunch.

 

 

 

Information Security is Everyone’s Responsibility

It’s October, and that means it is Cyber Security Awareness Month. This is a time to reflect on the issues, and to think about what role you play in ensuring that your own, and the University’s information resources, are secure. In my previous roles I wrote a number of blog posts that revolved around cyber-security, and especially the role the individual plays. I don’t think much has changed since I wrote those. The individual plays a significant role, and still seems to be the weak link in our overall strategy. Whether it is responding to a phishing email, not patching a machine or losing an unencrypted device, human error, or lack of knowledge around best practices, underlie most of the issues.

Recently, there have been a number of high profile incidents in the Canadian Higher Education Sector, as well as many prominent private sector incidents, the most talked about one being Equifax. Although the root causes of these issues may not be changing much, the public’s tolerance for them is quickly waning. From the media and public perspective, it seems to be the same problem over and over again, and to the layperson it seems like these incidents could’ve been prevented with appropriate education and resourcing. Nothing is ever that simple, and we do need to acknowledge that the threat landscape has grown significantly and is ever changing. Often we simply can’t keep up with the bad agents. That being said we can certainly mitigate the impact of these incidents with more awareness and resources. Various levels of government and watchdog organizations have started to ask some hard questions and we need to respond along with our governments.

We don’t need to boil the ocean here. Taking some small, well orchestrated steps can completely change our security posture and significantly mitigate risks.   We need to remember that cyber security prevention is everyone’s responsibility and we are only as good as our weakest link. This understanding doesn’t always come naturally. If your neighbour decides to leave their doors unlocked it won’t really affect you; but in terms of cyber security, if the person next to you,  or across campus leaves their systems unpatched or responds to a phish, then it could impact you significantly.    Sometimes culture in Higher Education can be a significant barrier to taking even the smallest of steps, and we need to think about that.   I wrote a blog a few years back on how culture impedes our ability to tackle the issues around information security and I might bring that up for discussion in a  future post.

Here at ITS, we will be running various awareness events across the university over the next month.  I encourage you to check out our website and see what you know, or don’t know, and find out what your role could be.   Remember, you are your own best defence when it comes to protecting your information resources, and what you do, or don’t do, can  significantly impact others.  Small steps can generate big returns.

 

 

 

Alignment and Cultural Change

In the spirit of the next 180 days, let’s delve a little more into Team Alignment and Cultural change. What is really meant here and what am I thinking? I am almost certain many people are looking to the new CIO to make some changes and even “rip and replace” huge parts of the organization. This can be unsettling for individuals, but may not be necessary. The pieces may be here, but we just haven’t arranged or enabled them in the most effective way. There is a great piece in CIO Canada by Clint Boulton on How Adobe’s CIO redefined her IT org’s identity. At this point I could just send you there with the word “ditto”, but let’s dig into a few of these things.

The first quote that struck me was: “With so many IT organizations mired in an identity crisis, the first step in Stoddard’s plan was creating an “identity for IT” that sought answers to key questions. Why does the department exist? What is its secret sauce? How should it treat employees?” One of the first things I noticed here was that we had no visual identity for ITS and it seems like that translates into a larger issue around a lack of purpose. What is our vision and what are the values we live by – I think we struggle to answer that, but I think it is there. It is just not top of mind and I certainly don’t think the broader campus community knows what it is and that is critical. We just did an engagement survey with staff and it shows people have a desire to answer some of the questions from above. I have heard people talk about a desired state for ITS, but that not everyone had the same view, or they certainly were not delivering in that way. I suspect there is simply a lack of awareness across the silos. If we engage and tease it out, I could see a lot of this coming down to the creation of a service focused organization that has client service at its core. I don’t think many people would disagree, I am just not sure we fully understand what that looks like, how to get there and if we even have a shared desire.

In terms of the client focus and service culture, a bold statement was made when Stoddard says “staff … needed to define the organization by imbuing IT with cloud-like characteristics,”. As the author notes, this is “essentially delivering IT on-demand” and I think that is where we are going. That being said, I also appreciate that this is going to be hard. This is where the culture piece comes into play and I think an intentional change in culture is going to be needed. That is going to take time and effort and will require an engaged organization. In the article they talk about the company’s new vision around deliverables and how their internal workplace experience needs to change in order to deliver on this. The whole notion of creating a personalized experience for the employee within the organization is something I find fascinating and really hadn’t considered… at least not to this extent, and in this context. I certainly appreciated ‘clients’ in philosophy were different from clients in engineering, but I hadn’t fully translated that into my own team.

So for me this really just boils down to getting the whole organization together, defining why we exist, what we do and the rules of engagement around that. This is going to need to be intentional and when it happens the pieces will start to align and culture will change. We need to clearly communicate this out to the broader organization and we need to be prepared to live by it.

 

 

 

A new year begins

Now that a new academic year is underway it is time to open up this blog. I am going to use this forum to talk about information technology at the University of Toronto. Given that almost all we do in Higher Education seems to be enabled by technology, I think that will leave things broad enough. I will use this blog to signal direction to the University community, affirm direction within the team in ITS and hopefully stimulate broader discussion on various issues.

I was recently appointed as the Chief Information Officer at the University of Toronto. I am thrilled to be working at an institution as prestigious as this. You certainly can feel it when you arrive on campus. And what a gorgeous campus it is, right in the heart of Canada’s largest city.   I have been spending the last few months exploring campus, talking to people and gaining insight into what their needs are. I have really appreciated how open and forthcoming people have been. There is lots of work to do and lots of opportunities.

Now the term is about to start and the students are back on campus. Most of my life I have followed the academic calendar, meaning that, for me, this is a time of new beginnings. In Higher Education, it is one of my favourite times of year. I love the cooler weather, with less humidity, and I really love the energy that you feel every day you come into work. I am sure it will be harder to get a squash court, and the lines for food will be longer, but it is really nice to have the students back.

I don’t have a regular schedule for this blog. I will post when I have something interesting to say and when I have time to put down a few words. I am going to try and carve off some of my commute time to make sure the latter is not constraining.

My first “informative” post will be about my priorities over the  next 180 days.

Next 180 days

We have all heard the notion of the “first 100 days”. When we start a new position people often look at what we accomplish in the first 100 days and measure success or failure based on this. In leadership roles I think it is critical to think about what you want to accomplish early on, clearly articulate this, and track progress. However, in Higher Education things don’t always move at speed. Consultation is critical, it needs to be broad, and that takes time. In this post I want to talk a bit about what I want to accomplish in the first year at the University.

Early on I had a meeting with an individual from Deloitte, who I had worked with previously. They pitched an opportunity to attend their CIO Transition Lab. The lab experience was designed to help me navigate the next 180 days in my new role, focusing on three key elements: time, talent and relationships. I was intrigued by the notion of the next 180 days and the focus on time, talent and relationships. It seemed like they understood the leadership challenges in Higher Education Tech, and I decided to give it a shot.

They asked to interview 6 or 7 individuals, in senior roles at the University. In the interviews they asked about how IT was meeting their needs, where they thought we should be focusing and what challenges we would have. The interview list included VPs, Deans, and Principals. Then it was up to me to show up for a day at their office. The day was all about ‘me’. I spent about 7 hours with a team of 8 people and talked about everything from framing the day with quotes from other CIOs, to my hopes and fears, and the legacy I want to leave. My favourite quote was “It’s hard to be strategic if your pants are on fire”. I am sure many people in IT can relate to that.

We talked about the Operational and Catalyst CIO and everything in between. We evaluated where I am on that spectrum and where I want to be. These were far from being the same. We started to look at various IT disciplines, evaluating the maturity today and where I thought we should be. We looked at identifying critical success factors and finally what my goals need to be for the next 6 months. The day flew by and I will say it was fun and draining. In essence I was grilled all day – in a good way. It was a fantastic process to discover, shape and then synthesize what is already in your head into a plan that can be tracked. Throughout the process they provided lots of external perspectives and insight from others they had worked with.

As a result of the session, we drafted a 180-day plan based on six (6) priorities identified below. This certainly isn’t all that will happen, but I think these are activities that are critical to success, and something we need to be deliberate about.


Six Priorities

1. Team Alignment & Cultural Change

  • Ensure team is aligned with the vision of IT org. & ready to embrace the culture of digitization, in a federated model.
  • Plan for Leadership Team Offsite (every two months)
  • Develop an all staff event
  • Mature staff development Program
  • Act on staff engagement survey

2. Build & Launch Education & Awareness Team

  • Create communications (education and awareness) framework and integrate university communications with ITS communications
  • Secure necessary resources and recruit team

3. Cyber Security

  • Develop a short term risk based roadmap (targeting low hanging fruit)
  • Develop a long term plan for cyber security
  • Seed & build ISC
  • Obtain buy in from PAG and stakeholder community
  • Review w/ Audit & Risk
  • Secure funding for the short term plan

4. Deliver Inflight Initiatives

  • Deliver inflight initiatives: Office 365 LME, VOIP
  • Identify SPOCs and receive regular status updates for initiatives

5. Redefine / Re-orient UofT’s role in Kuali Student roadmap & Delivery Model

  • Take on EST Student Chair role

6. Manage Senior Stakeholders

  • Build relationships with key stakeholders to ensure support for key initiatives

Overall I am happy with where this landed. It is an interesting process that I would recommend for others starting a new role, at a new organization. I think it is ambitious in parts, but manageable. Parts of it will challenge the organization, and it will lay a foundation for the interesting journey ahead.