Why won’t you change your password?

In higher education we sometimes struggle to get people to practice good password hygiene. Why is this the case, and what can we do to change it?

Don’t read too much into that first statement – we have a significant number of people who change their passwords at regular intervals, and it is just part of their routine. We actually enforce that for accounts that access our most precious assets. We also have rules on the ‘complexity’ of the password, but we have yet to fully embrace the notion that length trumps the diversity of characters.

I am regularly in meetings where the conversation turns to compromised accounts and password hygiene. Inevitably someone sheepishly admits they haven’t changed their password since they first got their account. Some of these probably date back to NetNorth and the beginning of the internet (anyone remember those days?). I am of course stretching it a bit, but the point is that these passwords are old. Individuals know it, and they jokingly admit they should change it, but don’t. It is almost like a badge of honour – “I have a really old password because I was around when this all began and I have seen it all.” I might suggest that if they had been watching it “all” they would be changing their password.

I remember a faculty mentor I had way back when I provided research computing support in an academic unit. Her office was the stereotypical absent-minded professor mess, with old journals and half-finished manuscripts everywhere. The funny thing was her monitor always had a bunch of sticky notes on the bezel with passwords to various systems. I used to tell her frequently that she should be more careful with her passwords, as I picked up old sticky notes that had fallen to the floor. That being said, she did change her passwords, and then simply crossed out the old ones on the sticky notes and wrote in the new one.

In that example it comes down to physical security. Anyone who had access to her locked office had access to her passwords. That was very few people, and likely there wasn’t someone in there with criminal intent. Today, that is completely different. This article shows that anyone who has access to the dark web can access the credentials of over 1.4 billion accounts. I hypothesize that the number of people who can access the dark web, and this list, is significantly higher than the number who can physically access your space; the world has changed.

So, what do you do? The simplest thing is to change your password. If your name is on this list and you change your password, your credential information will no longer be valid. It is that easy. So, that brings me back to the first question of why some people don’t change their passwords… I can’t really answer that except to say maybe they just don’t think it can happen to them. The excuse that I am too busy, or that it is too hard to remember a new password, doesn’t cut it anymore. Maybe we just need to talk about this more and point to the other schools who have had incidents and subsequently done across-the-board password changes… let us learn from each other’s experiences and not wait until we feel the pain of a widespread incident.


Next up, why should I use multi-factor authentication…





Is There Really Such a Thing as a Free Lunch?

One of the challenges in Higher Education is making sure we protect our digital information. We are the stewards of personal records, health records, information on intellectual property and a myriad of other types of sensitive information. Sometimes this information is stored in enterprise systems that are well protected behind firewalls and/or physical security, but at other times we share this information with 3rd parties in order to better enable us to do what we do. In these cases we have to ensure due diligence, as do the companies we share the information with. We should never relinquish ownership of our digital information, but if we do, then we need to be well aware of the risks and benefits and make an informed decision.

In Higher Education, individuals within our organizations are frequently afforded incredible autonomy when it comes to the technology they use. That is not to suggest that this autonomy doesn’t exist in other sectors, maybe just not to the same scale. I am continually surprised when I talk to my peers in the private sector and they tell me about “shadow” systems that they simply weren’t aware of until they were well established and dependencies had been built. We don’t really mind that these systems exist, and at times they can drive innovation. As long as they are efficient and effective, don’t compromise other things that we do, and protect our digital information, then we should be fine.

The challenge is that I am increasingly seeing a number of technology solutions being developed and marketed directly to individuals on our campus. These include applications or services that specifically address real needs in the community and would be enticing for anyone. Many of them are focused on our students, and some of them come with no cost. That is where the kicker is – why are these things free? What is the business model that will sustain the company that has developed this solution? Many times, when we look at the fine print, we find out that the value for the business is getting access to our digital information. This is not unlike the business model of many well-known social media platforms that we use every day. The difference is that one is a personal decision and the other is an institutional (enterprise) decision, and they come with different levels of accountability. These businesses are either using this information internally or, worse, selling it to someone else. As stewards of this information we have a responsibility to ensure that the information is used in the execution of our core ‘business’ (teaching, learning and research), that it is not shared further, and that we notify individuals how and why the information is to be used. This is also a good point to note that we need to treat student information differently than we do faculty and staff information. There are far more sensitivities on the former.

At an enterprise level we do an assessment of new technology solutions, in order to fully understand the risks to our information. The assessment is about awareness and being deliberate in what we do. Among other things, we look at contractual obligations that would limit the re-purposing or resale of information; we look to ensure that we maintain ownership of our information; and we look at what sorts of security measures 3rd parties have in place to protect the information. The Information Security and Enterprise Architecture group within ITS helps units do these assessments and better understand any residual risk. When we do these assessments, we sometimes get pushback from the vendors, and sometimes that tells us all we need to know.

People frequently ask me what keeps me up at night as a CIO, and this is something I think about a lot. I encourage the community to consider 3rd party solutions because it can facilitate innovation, but I also hope individuals realise the implications of their decisions. This is one of those places where the CIO has accountability, but little authority to limit actions. Remember, if someone comes to you with an offer that sounds too good to be true… then it probably is, and there really is no free lunch.




Information Security is Everyone’s Responsibility

It’s October, and that means it is Cyber Security Awareness Month. This is a time to reflect on the issues, and to think about what role you play in ensuring that your own, and the University’s, information resources are secure. In my previous roles I wrote a number of blog posts that revolved around cyber-security, and especially the role the individual plays. I don’t think much has changed since I wrote those. The individual plays a significant role, and still seems to be the weak link in our overall strategy. Whether it is responding to a phishing email, not patching a machine or losing an unencrypted device, human error, or lack of knowledge around best practices, underlies most of the issues.

Recently, there have been a number of high profile incidents in the Canadian Higher Education Sector, as well as many prominent private sector incidents, the most talked about one being Equifax. Although the root causes of these issues may not be changing much, the public’s tolerance for them is quickly waning. From the media and public perspective, it seems to be the same problem over and over again, and to the layperson it seems like these incidents could have been prevented with appropriate education and resourcing. Nothing is ever that simple, and we do need to acknowledge that the threat landscape has grown significantly and is ever changing. Often we simply can’t keep up with the bad actors. That being said, we can certainly mitigate the impact of these incidents with more awareness and resources. Various levels of government and watchdog organizations have started to ask some hard questions, and we need to respond along with our governments.

We don’t need to boil the ocean here. Taking some small, well-orchestrated steps can completely change our security posture and significantly mitigate risks. We need to remember that cyber security prevention is everyone’s responsibility and we are only as good as our weakest link. This understanding doesn’t always come naturally. If your neighbour decides to leave their doors unlocked it won’t really affect you; but in terms of cyber security, if the person next to you, or across campus, leaves their systems unpatched or responds to a phish, then it could impact you significantly. Sometimes culture in Higher Education can be a significant barrier to taking even the smallest of steps, and we need to think about that. I wrote a blog a few years back on how culture impedes our ability to tackle the issues around information security, and I might bring that up for discussion in a future post.

Here at ITS, we will be running various awareness events across the university over the next month. I encourage you to check out our website and see what you know, or don’t know, and find out what your role could be. Remember, you are your own best defence when it comes to protecting your information resources, and what you do, or don’t do, can significantly impact others. Small steps can generate big returns.




Alignment and Cultural Change

In the spirit of the next 180 days, let’s delve a little more into Team Alignment and Cultural Change. What is really meant here, and what am I thinking? I am almost certain many people are looking to the new CIO to make some changes and even “rip and replace” huge parts of the organization. This can be unsettling for individuals, but may not be necessary. The pieces may be here, but we just haven’t arranged or enabled them in the most effective way. There is a great piece in CIO Canada by Clint Boulton on How Adobe’s CIO redefined her IT org’s identity. At this point I could just send you there with the word “ditto”, but let’s dig into a few of these things.

The first quote that struck me was: “With so many IT organizations mired in an identity crisis, the first step in Stoddard’s plan was creating an “identity for IT” that sought answers to key questions. Why does the department exist? What is its secret sauce? How should it treat employees?” One of the first things I noticed here was that we had no visual identity for ITS, and it seems like that translates into a larger issue around a lack of purpose. What is our vision and what are the values we live by? I think we struggle to answer that, but I think it is there. It is just not top of mind, and I certainly don’t think the broader campus community knows what it is, and that is critical. We just did an engagement survey with staff, and it shows people have a desire to answer some of the questions from above. I have heard people talk about a desired state for ITS, but not everyone had the same view, or they certainly were not delivering in that way. I suspect there is simply a lack of awareness across the silos. If we engage and tease it out, I could see a lot of this coming down to the creation of a service focused organization that has client service at its core. I don’t think many people would disagree; I am just not sure we fully understand what that looks like, how to get there and if we even have a shared desire.

In terms of the client focus and service culture, a bold statement was made when Stoddard says “staff … needed to define the organization by imbuing IT with cloud-like characteristics.” As the author notes, this is “essentially delivering IT on-demand”, and I think that is where we are going. That being said, I also appreciate that this is going to be hard. This is where the culture piece comes into play, and I think an intentional change in culture is going to be needed. That is going to take time and effort and will require an engaged organization. In the article they talk about the company’s new vision around deliverables and how their internal workplace experience needs to change in order to deliver on this. The whole notion of creating a personalized experience for the employee within the organization is something I find fascinating and really hadn’t considered… at least not to this extent, and in this context. I certainly appreciated that ‘clients’ in philosophy were different from clients in engineering, but I hadn’t fully translated that into my own team.

So for me this really just boils down to getting the whole organization together, defining why we exist, what we do and the rules of engagement around that. This is going to need to be intentional, and when it happens the pieces will start to align and culture will change. We need to clearly communicate this out to the broader organization, and we need to be prepared to live by it.




A new year begins

Now that a new academic year is underway it is time to open up this blog. I am going to use this forum to talk about information technology at the University of Toronto. Given that almost all we do in Higher Education seems to be enabled by technology, I think that will leave things broad enough. I will use this blog to signal direction to the University community, affirm direction within the team in ITS and hopefully stimulate broader discussion on various issues.

I was recently appointed as the Chief Information Officer at the University of Toronto. I am thrilled to be working at an institution as prestigious as this. You certainly can feel it when you arrive on campus. And what a gorgeous campus it is, right in the heart of Canada’s largest city. I have been spending the last few months exploring campus, talking to people and gaining insight into what their needs are. I have really appreciated how open and forthcoming people have been. There is lots of work to do and lots of opportunities.

Now the term is about to start and the students are back on campus. Most of my life I have followed the academic calendar, meaning that, for me, this is a time of new beginnings. In Higher Education, it is one of my favourite times of year. I love the cooler weather, with less humidity, and I really love the energy that you feel every day you come into work. I am sure it will be harder to get a squash court, and the lines for food will be longer, but it is really nice to have the students back.

I don’t have a regular schedule for this blog. I will post when I have something interesting to say and when I have time to put down a few words. I am going to try and carve off some of my commute time to make sure the latter is not constraining.

My first “informative” post will be about my priorities over the next 180 days.