Investment in relationships

CUCCIO is probably the best investment of my time, of any organization I belong to. CUCCIO stands for the Canadian University Council of CIOs and has been in existence for about 12 years. It currently has 62 member schools which makes up almost all of the schools in Canada.

“What You Always Wanted to Ask a CIO, But Were Afraid to” panel at the Ontario Higher Education Information Technology (OHEIT) conference in Sudbury, May 2018. Left to right, Bo Wandschneider (University of Toronto), Nela Petkovic (Wilfrid Laurier University), Luc Roy (Laurentian) and Brian Lesser (Ryerson).

CUCCIO hosts three face-to-face meetings per year and also oversees the annual Canadian Higher Education Information Technology conference (CANHEIT), which brings together people from all across the nation to share and discover new ideas and generate innovative collaborations. In other words, CANHEIT is about relationship building. Too often our staff work within their own bubbles, don’t get to see how others are solving the same problems and challenges, and fail to look at the opportunities. CUCCIO also hosts various special interest groups (SIGs) to facilitate ongoing discussion between universities. CUCCIO is currently piloting a leadership program for aspiring higher education IT leaders in the country. This program is designed to be complementary to other programs out there and is taking a mentorship approach, as sitting and past CIOs are delivering the content and engaging in dialogue with participants.

These are all fantastic initiatives that provide value well beyond the minimal cost of membership. That being said, the main value for me is the network and the interactions with the other CIOs. There is so much to learn from each other, and the group has developed an incredible sense of trust where we share almost everything in order to drive better outcomes across the sector. We are in touch by email and phone on a regular basis and almost any question is answered promptly, even though we all have incredibly busy schedules. The in-person meetings are critical for building the relationships that set the stage for partnerships and collaborations between schools.

Yikes: What did I get myself into? Confessions of a New CIO at CANHEIT 2018.
Left to right, Martin Bernier (University of Ottawa), Gayleen Gray (McMaster University), Bo Wandschneider (University of Toronto), Ryan Kenny (University of Windsor), Sally Felkai (Emily Carr University of Art and Design)

I would be remiss if I didn’t mention the “therapeutic” value of these meetings. Just being able to share our challenges with someone who really understands is worth its weight in gold. I love my job as a CIO, but there are times when it really can be demanding. I always feel refreshed and better after hashing things out with my peers and getting some advice. One way we do this is by doing presentations to the community with CIO panels. This year I had the pleasure of chairing a panel of new CIOs and learned so much about leadership and how they approach a new role. I also chaired a panel with my peers where we took questions from the audience. From the picture below, you can see how much fun we do have when we get together.

I am very fortunate to have been able to attend CUCCIO meetings almost since the beginning and I can safely say I wouldn’t still be in this position or be the leader I am without this great network. And on top of that, CUCCIO makes it fun – just look at those smiling and laughing faces when we get together.

If you have a big problem, think about big and bold solutions

The frequency and complexity of information security threats are increasing at an unprecedented rate, and as such the associated cost of mitigation is unsustainable. This is particularly acute in the higher education space. It is safe to say that no individual institution has a realistic chance of addressing the issues alone. The problem we face is becoming so large that if we want to move from being reactive to proactive we are going to have to think outside the box and work collectively.

Back in April a group of senior IT leaders met at the University of Alberta to explore the possibility of creating a shared Canadian Security Operations Centre (SOC). The group included a collection of willing and able institutions: University of British Columbia, University of Alberta, McGill University and University of Toronto, along with their respective provincial Research and Education Networks: BCNET (BC), CYBERA (Alberta), RISQ (Quebec), ORION (Ontario), and the national Research and Education Network, CANARIE. Discussion focused on the challenges that we face, the value of collaboration, what others were doing, potential financial models, and the possible services a shared SOC may offer. A lot of the discussion focused on an emerging model from the Big Ten universities called OmniSOC.

Since that time we have met at the University of Toronto in April, and during the Canadian Higher Education Information Technology (CANHEIT) conference in Vancouver last month. In addition, part of the group attended a summit at the University of Indiana in June to ask questions about OmniSOC. There now exists a draft project charter for a Shared SOC Service, and by August we are looking for verbal commitment to undertake a 12-month proof of concept (POC). After the meeting in Toronto, McMaster University and Ryerson University officially joined the conversation. This brought the group to six universities. Experience from OmniSOC suggests that the sweet spot is four to six institutions for a POC.

During the POC, we will test some technology to ingest information from the various partners and also create the document outlining how this could be rolled out more broadly to the Canadian higher education community. This document would include resources and tools such as a governance model, a financial model, templates for data sharing, a service delivery model and several other deliverables. The intention is to collaborate with OmniSOC and try to leverage what they have already learned and completed. If things go as planned there would be an excellent opportunity to create a federation of higher education SOCs built on similar technology stacks and offering similar services.

Overall this is an ambitious undertaking, but big problems require big solutions. There is a great deal of interest from the community, and we will be looking to share progress on a regular basis and solicit input on direction. This model may not fit everyone’s needs and it does come with some risks, but the opportunity is so significant that we are compelled to explore it. Assuming there is broad agreement from the participants, the project will start shortly, and there will be a website and a series of community update meetings to share progress.

Photo: Initial Shared SOC meeting on April 11th 2018, at the University of Alberta. Absent from the picture are the partners from Ryerson and McMaster University – Brian Lesser and Gayleen Gray.

Reflections on my first year and vision for the future

I’ve been at U of T just over a year, so it is time for an update on how things have been going. What an incredible first year, filled with amazing people, new relationships and fascinating challenges. There has been lots of listening, accomplishments and plenty of ideas for the future. From a technology standpoint it is an exciting time to be at the University of Toronto, as there is a lot of change happening. In general terms, I would say the community here is pushing for positive change, but is also cautious. People want to see us build partnerships and deliver, and this will lead to the trust we need to take on bigger challenges.

Back in September 2017, I wrote about the next 180 days. I outlined six initiatives that I wanted to focus on over this time period, and below is an update on these items. It certainly doesn’t tell the whole story, and I will try to share more about that in upcoming posts.

In terms of team alignment and cultural change, I believe we have accomplished a lot in a very short period of time. The leadership team has shared sessions focused on such things as leadership styles, team building, healthy conflict, character strengths and organizational culture. The Directors have one more meeting scheduled for the fall. That will complete their commitment of 6 full-day sessions, and I am looking forward to seeing the team further develop. We have had several all-staff meetings to work on culture, values and vision, and I think a number of new connections have been made across ITS. I have really enjoyed these events and they have given me an opportunity to meet a wide array of incredibly talented people. It will be interesting to engage the community over the next year and hear if they see any outcomes from the work we are doing within ITS.

Carrie Schmidt is heading up our new education and awareness group and building out the team. I am looking forward to seeing where they take this next, as this is such an important piece for any progressive IT organization. We need to keep the community informed, encourage open dialogue and build understanding of what is possible. We will be presenting a very different view of ITS over the next year and expect more transparency and engagement. Carrie has also promised to keep me focused on getting out a regular blog and that will help.

Our ability to address cyber/information security has progressed, and so have the threats. That means there is a lot more we are going to do. There is an exciting opportunity in the creation of a new Chief Information Security Officer role at the university, and the information security council has started meeting (the second meeting was June 29th) with a series of working groups. I have very high expectations for this committee, and I think the working group model will generate lots of collaboration across the university. Another exciting development we are working on is the creation of a shared Security Operations Centre, similar to OmniSOC. Stay tuned for more on that.

When I first came to U of T we had a significant number of in-flight initiatives, like Office365, Voice over IP (VoIP), and Quercus. This is a massive amount of change for the organization (both ITS and the community), and it doesn’t even touch all the positive transformation happening in other areas such as EASI. This is all positive change and we are progressing forward. The O365 roll-out went well, but it exposed a number of issues around deprovisioning and outdated desktop environments. The next step here will be helping the organization leverage the possibilities of this new collaboration suite. We continue to roll out more VoIP phones, and divisions are actively engaged in upgrading their local network infrastructure to accommodate this. The new Learning Management Engine, Quercus, was piloted in the winter term and will be in full production by the fall.

Our work with Kuali is progressing. Curriculum management is moving ahead in some divisions and we are working closely with Kuali on enrollment management. New private sector investment for the company should move the needle forward on this file.

Building relationships with key stakeholders is an ongoing initiative, and I have met with scores of our partners and colleagues. There are a lot of people to meet at the university, and many discussions that need to happen in order to build trust around common vision, shared governance and joint accountability (don’t tell anyone, but this is the best part of my job).

I am really pleased with how ITS and the rest of the community have engaged, and I think the next year will be really exciting. We have a number of new initiatives including the new CISO, Shared SOC, an HR LME, ITSM and an ITS strategic plan. Stay tuned…

Why won’t you change your password?

In higher education we sometimes struggle to get people to practice good password hygiene. Why is this the case, and what can we do to change this?

Don’t read too much into that first statement – we have a significant number of people who change their passwords at regular intervals and it is just part of their routine. We actually enforce that for accounts that access our most precious assets. We also have rules on the ‘complexity’ of the password, but we have yet to fully embrace the notion that length trumps the diversity of characters.
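To put the “length trumps diversity of characters” point in numbers, here is an added example (not from the original post) that computes the brute-force search space a policy implies and how long an attacker would need to exhaust it; the policies, sample passwords and guess rate are constructed for illustration.

```python
import math
from dataclasses import dataclass

# Alphabet sizes an attacker would assume when brute-forcing a policy.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95 printable ASCII


@dataclass(frozen=True)
class Policy:
    """A minimum length plus the alphabet the policy effectively allows."""
    name: str
    min_length: int
    alphabet_size: int


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings an exhaustive search must try.
    Each extra character multiplies the space by alphabet_size, so
    length adds bits linearly while widening the alphabet adds far less."""
    return length * math.log2(alphabet_size)


def password_bits(password: str) -> float:
    """Upper-bound estimate for one concrete password, based only on the
    character classes it uses. Dictionary words and keyboard patterns are
    not modelled, so real strength can be much lower than this number."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return search_space_bits(len(password), size) if size else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try the whole space at a fixed guess rate
    (a constructed rate; offline cracking of a leaked hash is the threat)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies(policies, guesses_per_second=1e10):
    """Bits and years-to-exhaust for a password at each policy's minimum length."""
    result = {}
    for p in policies:
        bits = search_space_bits(p.min_length, p.alphabet_size)
        result[p.name] = (bits, years_to_exhaust(bits, guesses_per_second))
    return result


# Constructed policies: the classic "8 characters, all four classes" rule
# versus a longer passphrase that only requires lowercase letters.
POLICIES = [
    Policy("8 chars, 4 classes", 8, ALL_PRINTABLE),
    Policy("16 chars, lowercase only", 16, LOWER),
]

if __name__ == "__main__":
    for name, (bits, years) in compare_policies(POLICIES).items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years:,.0f} years at 1e10 guesses/s")
```

The 8-character, four-class policy tops out around 52 bits and falls in under a year at the assumed rate, while the 16-character lowercase passphrase is roughly 75 bits and takes tens of thousands of years.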

I am regularly in meetings where the conversation turns to compromised accounts and password hygiene. Inevitably someone sheepishly admits they haven’t changed their password since they first got their account. Some of these probably date back to NetNorth and the beginning of the internet (anyone remember those days?). I am of course stretching it a bit, but the point is these passwords are old. Individuals know it, and they jokingly admit they should change it, but don’t. It is almost like a badge of honour – “I have a really old password because I was around when this all began and I have seen it all.” I might suggest that if they had been watching it “all” they would be changing their password.

I remember a faculty mentor I had way back when I provided research computing support in an academic unit. Her office was the stereotypical absent-minded professor mess, with old journals and half-finished manuscripts everywhere. The funny thing was her monitor always had a bunch of sticky notes on the bezel with passwords to various systems. I used to tell her frequently that she should be more careful with her passwords, as I picked up old sticky notes that had fallen to the floor. That being said, she did change her passwords, and then simply crossed out the old ones on the sticky notes and wrote in the new one.

In that example it comes down to physical security. Anyone who had access to her locked office had access to her passwords. That was very few people, and likely there wasn’t someone in there with criminal intent. Today, that is completely different. This article shows that anyone who has access to the dark web can access the credentials of over 1.4 billion accounts. I hypothesize that the number of people who can access the dark web, and this list, is significantly higher than the number who can physically access your space, and the world has changed.

So, what do you do? The simplest thing is to change your password. If your name is on this list and you change your password, your credentials will no longer be valid. It is that easy. So, that brings me back to the first question on why some people don’t change their passwords… I can’t really answer that except to say maybe they just don’t think it can happen to them. The excuse that I am too busy, or that it is too hard to remember a new password, doesn’t cut it anymore. Maybe we just need to talk about this more and point to the other schools who have had incidents and subsequently done across-the-board password changes… let us learn from each other’s experiences and not wait until we feel the pain of a widespread incident.

Next up: why should I use multi-factor authentication…

Is There Really Such a Thing as a Free Lunch?

One of the challenges in higher education is making sure we protect our digital information. We are the stewards of personal records, health records, information on intellectual property and a myriad of other types of sensitive information. Sometimes this information is stored in enterprise systems that are well protected behind firewalls and/or physical security, but at other times we share this information with third parties in order to better enable us to do what we do. In these cases we have to ensure due diligence, as do the companies we share the information with. We should never relinquish ownership of our digital information, but if we do, then we need to be well aware of the risks and benefits and make an informed decision.

In higher education, individuals within our organizations are frequently afforded incredible autonomy when it comes to the technology they use. That is not to suggest that this autonomy doesn’t exist in other sectors, maybe just not to the same scale. I am continually surprised when I talk to my peers in the private sector and they tell me about “shadow” systems that they simply weren’t aware of until they were well established and dependencies had been built. We don’t really mind that these systems exist, and at times they can drive innovation. As long as they are efficient and effective, don’t compromise other things that we do, and protect our digital information, then we should be fine.

The challenge is that I am increasingly seeing a number of technology solutions being developed and marketed directly to individuals on our campus. These include applications or services that specifically address real needs in the community and would be enticing for anyone. Many of them are focused on our students and some of them come with no cost. That is where the kicker is – why are these things free, and what is the business model that will sustain the company that has developed this solution? Many times, when we look at the fine print, we find out that the value for the business is getting access to our digital information. This is not unlike the business model of many well-known social media platforms that we use every day. The difference is that one is a personal decision and the other is an institutional (enterprise) decision, and they come with different levels of accountability. These businesses are either using this information internally or, worse, selling it to someone else. As stewards of this information we have a responsibility to ensure that the information is used in the execution of our core ‘business’ (teaching, learning and research), that it is not shared further, and that we notify individuals how and why the information is to be used. It is also worth noting that we need to treat student information differently than we do faculty and staff information. There are far more sensitivities on the former.

At an enterprise level we do an assessment of new technology solutions in order to fully understand the risks to our information. The assessment is about awareness and being deliberate in what we do. Among other things, we look at contractual obligations that would limit the re-purposing or resale of information; we look to ensure that we maintain ownership of our information; and we look at what sorts of security measures third parties have in place to protect the information. The Information Security and Enterprise Architecture group within ITS helps units do these assessments and better understand any residual risk. When we do these assessments, we sometimes get push back from the vendors, and sometimes that tells us all we need to know.

People frequently ask me what keeps me up at night as a CIO, and this is something I think about a lot. I encourage the community to consider third-party solutions because it can facilitate innovation, but I also hope individuals realise the implications of their decisions. This is one of those places where the CIO has accountability, but little authority to limit actions. Remember, if someone comes to you with an offer that sounds too good to be true… then it probably is, and there really is no free lunch.