Reflections on my first year and vision for the future

I’ve been at U of T just over a year, so it is time for an update on how things have been going. What an incredible first year, filled with amazing people, new relationships and fascinating challenges. There has been lots of listening, some accomplishments and plenty of ideas for the future. From a technology standpoint it is an exciting time to be at the University of Toronto, as there is a lot of change happening. In general terms, I would say the community here is pushing for positive change, but is also cautious. People want to see us build partnerships and deliver, and that will lead to the trust we need to take on bigger challenges.

Back in September 2017, I wrote about the next 180 days. I outlined six initiatives that I wanted to focus on over this time period, and below is an update on these items. It certainly doesn’t tell the whole story, and I will try to share more about that in upcoming posts.

In terms of team alignment and cultural change, I believe we have accomplished a lot in a very short period of time. The leadership team has shared sessions focused on such things as leadership styles, team building, healthy conflict, character strengths and organizational culture. The Directors have one more meeting scheduled for the fall. That will complete their commitment to six full-day sessions, and I am looking forward to seeing the team develop further. We have had several all-staff meetings to work on culture, values and vision, and I think a number of new connections have been made across ITS. I have really enjoyed these events, and they have given me an opportunity to meet a wide array of incredibly talented people. It will be interesting to engage the community over the next year and hear whether they see any outcomes from the work we are doing within ITS.

Carrie Schmidt is heading up our new education and awareness group and building out the team. I am looking forward to seeing where they take this next, as this is such an important piece for any progressive IT organization. We need to keep the community informed, encourage open dialogue and build understanding of what is possible. We will be presenting a very different view of ITS over the next year and expect more transparency and engagement. Carrie has also promised to keep me focused on getting out a regular blog and that will help.

Our ability to address cyber/information security has progressed, and so have the threats. That means there is a lot more we are going to do. There is an exciting opportunity in the creation of a new Chief Information Security Officer role at the university, and the information security council has started meeting (the second meeting was June 29th) with a series of working groups. I have very high expectations for this committee, and I think the working group model will generate lots of collaboration across the university. Another exciting development we are working on is the creation of a shared Security Operations Centre, similar to OmniSOC. Stay tuned for more on that.

When I first came to U of T we had a significant number of in-flight initiatives, like Office 365, Voice over IP (VoIP) and Quercus. This is a massive amount of change for the organization (both ITS and the community), and it doesn’t even touch all the positive transformation happening in other areas such as EASI. This is all positive change and we are progressing forward. The O365 roll-out went well, but it exposed a number of issues around deprovisioning and outdated desktop environments. The next step here will be helping the organization leverage the possibilities of this new collaboration suite. We continue to roll out more VoIP phones, and divisions are actively engaged in upgrading their local network infrastructure to accommodate this. The new Learning Management Engine, Quercus, was piloted in the winter term and will be in full production by the fall.

Our work with Kuali is progressing. Curriculum management is moving ahead in some divisions and we are working closely with Kuali on enrollment management. New private sector investment for the company should move the needle forward on this file.

Building relationships with key stakeholders is an ongoing initiative, and I have met with scores of our partners and colleagues. There are a lot of people to meet at the university, and many discussions need to happen in order to build trust around common vision, shared governance and joint accountability (don’t tell anyone, but this is the best part of my job).

I am really pleased with how ITS and the rest of the community have engaged, and I think the next year will be really exciting. We have a number of new initiatives, including the new CISO, the shared SOC, an HR LME, ITSM and an ITS strategic plan. Stay tuned…

Why won’t you change your password?

In higher education we sometimes struggle to get people to practice good password hygiene. Why is this the case, and what can we do to change it?

Don’t read too much into that first statement – we have a significant number of people who change their passwords at regular intervals, and it is just part of their routine. We actually enforce that for accounts that access our most precious assets. We also have rules on the ‘complexity’ of the password, but we have yet to fully embrace the notion that length trumps the diversity of characters.

I am regularly in meetings where the conversation turns to compromised accounts and password hygiene. Inevitably someone sheepishly admits they haven’t changed their password since they first got their account. Some of these probably date back to NetNorth and the beginning of the internet (anyone remember those days?). I am of course stretching it a bit, but the point is that these passwords are old. Individuals know it, and they jokingly admit they should change it, but don’t. It is almost like a badge of honour – “I have a really old password because I was around when this all began and I have seen it all.” I might suggest that if they had been watching it “all” they would be changing their password.

I remember a faculty mentor I had way back when I provided research computing support in an academic unit. Her office was the stereotypical absent-minded professor mess, with old journals and half-finished manuscripts everywhere. The funny thing was that her monitor always had a bunch of sticky notes on the bezel with passwords to various systems. I used to tell her frequently that she should be more careful with her passwords, as I picked up old sticky notes that had fallen to the floor. That being said, she did change her passwords, and then simply crossed out the old ones on the sticky notes and wrote in the new one.

In that example it comes down to physical security. Anyone who had access to her locked office had access to her passwords. That was very few people, and likely there wasn’t someone in there with criminal intent. Today, that is completely different. This article shows that anyone who has access to the dark web can obtain the credentials of over 1.4 billion accounts. I hypothesize that the number of people who can access the dark web, and this list, is significantly higher than the number who can physically access your space. The world has changed.

So, what do you do? The simplest thing is to change your password. If your name is on this list and you change your password, your credential information will no longer be valid. It is that easy. So, that brings me back to the first question: why don’t some people change their passwords? I can’t really answer that, except to say that maybe they just don’t think it can happen to them. The excuse that “I am too busy” or “it is too hard to remember a new password” doesn’t cut it anymore. Maybe we just need to talk about this more and point to the other schools that have had incidents and subsequently done across-the-board password changes. Let us learn from each other’s experiences and not wait until we feel the pain of a widespread incident.
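To make the two points of this post concrete (length beats character diversity, and a credential that appears in a public dump is no longer a secret), here is an added example that is not part of the original post. It contrasts the classic “3 of 4 character classes” rule with a length-first policy that also refuses any password whose hash appears in a dump; the dump here is a constructed stand-in of a few well-known weak passwords, not data from any real breach.

```python
import hashlib
import math

# Constructed stand-in for a credential dump: SHA-1 hashes of a few well-known weak
# passwords. Not data from any real breach. A production check would consult a full
# breach corpus (for example via a k-anonymity range lookup) rather than a small set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "123456", "qwerty")
}


def char_classes(password: str) -> int:
    """Count the character classes present: lower, upper, digit, other."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def complexity_rule_ok(password: str) -> bool:
    """The classic rule: at least 8 characters drawn from 3 of the 4 classes."""
    return len(password) >= 8 and char_classes(password) >= 3


def estimated_entropy_bits(password: str) -> float:
    """Crude brute-force estimate: length * log2(pool size of the classes used)."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(not c.isalnum() for c in password): pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the (constructed) dump."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def length_first_policy_ok(password: str, min_length: int = 14, min_bits: int = 60) -> bool:
    """Length-first policy: long enough, enough estimated entropy, and not in a known dump."""
    return (len(password) >= min_length
            and estimated_entropy_bits(password) >= min_bits
            and not is_breached(password))


if __name__ == "__main__":
    for pw in ("Password1!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: complexity={complexity_rule_ok(pw)} "
              f"length_first={length_first_policy_ok(pw)} "
              f"bits={estimated_entropy_bits(pw):.1f} breached={is_breached(pw)}")
```

Note how “Password1!” satisfies the complexity rule yet sits in the dump, while the four-word passphrase fails the complexity rule and is the strongest of the three.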

Next up: why should I use multi-factor authentication…

Is There Really Such a Thing as a Free Lunch?

One of the challenges in higher education is making sure we protect our digital information. We are the stewards of personal records, health records, information on intellectual property and a myriad of other types of sensitive information. Sometimes this information is stored in enterprise systems that are well protected behind firewalls and/or physical security, but at other times we share this information with third parties in order to better enable us to do what we do. In these cases we have to ensure due diligence, as do the companies we share the information with. We should never relinquish ownership of our digital information, but if we do, then we need to be well aware of the risks and benefits and make an informed decision.

In higher education, individuals within our organizations are frequently afforded incredible autonomy when it comes to the technology they use. That is not to suggest that this autonomy doesn’t exist in other sectors, maybe just not to the same scale. I am continually surprised when I talk to my peers in the private sector and they tell me about “shadow” systems that they simply weren’t aware of until they were well established and dependencies had been built. We don’t really mind that these systems exist, and at times they can drive innovation. As long as they are efficient and effective, don’t compromise other things that we do, and protect our digital information, then we should be fine.

The challenge is that I am increasingly seeing a number of technology solutions being developed and marketed directly to individuals on our campus. These include applications or services that specifically address real needs in the community and would be enticing for anyone. Many of them are focused on our students, and some of them come at no cost. That is where the kicker is: why are these things free? What is the business model that will sustain the company that has developed this solution? Many times, when we look at the fine print, we find out that the value for the business is getting access to our digital information. This is not unlike the business model of many well-known social media platforms that we use every day. The difference is that one is a personal decision and the other is an institutional (enterprise) decision, and they come with different levels of accountability. These businesses are either using this information internally or, worse, selling it to someone else. As stewards of this information we have a responsibility to ensure that the information is used in the execution of our core ‘business’ (teaching, learning and research), that it is not shared further, and that we notify individuals how and why the information is to be used. This is also a good point to note that we need to treat student information differently than we do faculty and staff information. There are far more sensitivities on the former.

At an enterprise level we do an assessment of new technology solutions in order to fully understand the risks to our information. The assessment is about awareness and being deliberate in what we do. Among other things, we look at contractual obligations that would limit the re-purposing or resale of information; we look to ensure that we maintain ownership of our information; and we look at what sorts of security measures third parties have in place to protect the information. The Information Security and Enterprise Architecture group within ITS helps units do these assessments and better understand any residual risk. When we do these assessments, we sometimes get push back from the vendors, and sometimes that tells us all we need to know.

People frequently ask me what keeps me up at night as a CIO, and this is something I think about a lot. I encourage the community to consider third-party solutions because they can facilitate innovation, but I also hope individuals realise the implications of their decisions. This is one of those places where the CIO has accountability, but little authority to limit actions. Remember, if someone comes to you with an offer that sounds too good to be true… then it probably is, and there really is no free lunch.

Information Security is Everyone’s Responsibility

It’s October, and that means it is Cyber Security Awareness Month. This is a time to reflect on the issues, and to think about what role you play in ensuring that your own, and the University’s, information resources are secure. In my previous roles I wrote a number of blog posts that revolved around cyber-security, and especially the role the individual plays. I don’t think much has changed since I wrote those. The individual plays a significant role, and still seems to be the weak link in our overall strategy. Whether it is responding to a phishing email, not patching a machine or losing an unencrypted device, human error or a lack of knowledge of best practices underlies most of the issues.

Recently, there have been a number of high-profile incidents in the Canadian higher education sector, as well as many prominent private sector incidents, the most talked about being Equifax. Although the root causes of these issues may not be changing much, the public’s tolerance for them is quickly waning. From the media and public perspective, it seems to be the same problem over and over again, and to the layperson it seems like these incidents could have been prevented with appropriate education and resourcing. Nothing is ever that simple, and we do need to acknowledge that the threat landscape has grown significantly and is ever changing. Often we simply can’t keep up with the bad actors. That being said, we can certainly mitigate the impact of these incidents with more awareness and resources. Various levels of government and watchdog organizations have started to ask some hard questions, and we need to respond along with our governments.

We don’t need to boil the ocean here. Taking some small, well-orchestrated steps can completely change our security posture and significantly mitigate risks. We need to remember that cyber security prevention is everyone’s responsibility and we are only as good as our weakest link. This understanding doesn’t always come naturally. If your neighbour decides to leave their doors unlocked it won’t really affect you, but in terms of cyber security, if the person next to you, or across campus, leaves their systems unpatched or responds to a phish, then it could impact you significantly. Sometimes culture in higher education can be a significant barrier to taking even the smallest of steps, and we need to think about that. I wrote a blog a few years back on how culture impedes our ability to tackle the issues around information security, and I might bring that up for discussion in a future post.

Here at ITS, we will be running various awareness events across the university over the next month. I encourage you to check out our website, see what you know, or don’t know, and find out what your role could be. Remember, you are your own best defence when it comes to protecting your information resources, and what you do, or don’t do, can significantly impact others. Small steps can generate big returns.

Alignment and Cultural Change

In the spirit of the next 180 days, let’s delve a little more into team alignment and cultural change. What is really meant here, and what am I thinking? I am almost certain many people are looking to the new CIO to make some changes and even “rip and replace” huge parts of the organization. This can be unsettling for individuals, but may not be necessary. The pieces may be here; we just haven’t arranged or enabled them in the most effective way. There is a great piece in CIO Canada by Clint Boulton on how Adobe’s CIO redefined her IT org’s identity. At this point I could just send you there with the word “ditto”, but let’s dig into a few of these things.

The first quote that struck me was: “With so many IT organizations mired in an identity crisis, the first step in Stoddard’s plan was creating an ‘identity for IT’ that sought answers to key questions. Why does the department exist? What is its secret sauce? How should it treat employees?” One of the first things I noticed here was that we had no visual identity for ITS, and it seems like that translates into a larger issue around a lack of purpose. What is our vision and what are the values we live by? I think we struggle to answer that, but I think it is there. It is just not top of mind, and I certainly don’t think the broader campus community knows what it is, and that is critical. We just did an engagement survey with staff, and it shows people have a desire to answer some of the questions above. I have heard people talk about a desired state for ITS, but not everyone had the same view, or they certainly were not delivering in that way. I suspect there is simply a lack of awareness across the silos. If we engage and tease it out, I could see a lot of this coming down to the creation of a service-focused organization that has client service at its core. I don’t think many people would disagree; I am just not sure we fully understand what that looks like, how to get there and whether we even have a shared desire.

In terms of the client focus and service culture, a bold statement is made when Stoddard says staff “needed to define the organization by imbuing IT with cloud-like characteristics.” As the author notes, this is “essentially delivering IT on-demand”, and I think that is where we are going. That being said, I also appreciate that this is going to be hard. This is where the culture piece comes into play, and I think an intentional change in culture is going to be needed. That is going to take time and effort and will require an engaged organization. In the article they talk about the company’s new vision around deliverables and how their internal workplace experience needs to change in order to deliver on this. The whole notion of creating a personalized experience for the employee within the organization is something I find fascinating and really hadn’t considered… at least not to this extent, and in this context. I certainly appreciated that ‘clients’ in philosophy were different from clients in engineering, but I hadn’t fully translated that into my own team.

So for me this really just boils down to getting the whole organization together and defining why we exist, what we do and the rules of engagement around that. This is going to need to be intentional, and when it happens the pieces will start to align and culture will change. We need to clearly communicate this out to the broader organization, and we need to be prepared to live by it.