Is There Really Such a Thing as a Free Lunch?

Posted on October 12, 2017 by

One of the challenges in Higher education is making sure we protect our digital information.   We are the stewards of personal records, health records, information on intellectual property and a myriad of other types of sensitive information.   Sometimes this information is stored in enterprise systems that are well protected behind firewalls and/or physical security, but at other times we share this information with 3rd parties in order to better enable us to  do what we do.  In these cases we have to ensure due diligence, as do the companies we share the information with. We should never relinquish ownership of our digital information, but if we do, then we need to be well aware of the risks and benefits and make an informed decision.

In Higher Education, individuals within our organizations are frequently afforded incredible autonomy when it comes to the technology they use.   That is not to suggest that this autonomy doesn’t exist in other sectors, maybe just not to the same scale.  I am continually surprised when I talk to my peers in the private sector and they tell me about “shadow’ systems that they simply weren’t  aware of until they were well established and dependencies had been built.   We don’t really mind that these systems exist and at times they  can drive innovation.  As long as they are efficient and effective, don’t compromise other things that we do, and protect our digital information then we should be fine.

The challenge is that I am increasingly seeing a number of technology solutions being developed and marketed directly to individuals on our campus.   These include applications or services that specifically address real  needs in the community and would be enticing for anyone.   Many of them are focused on our students and some of them come with no cost.  That is where the kicker is – why are these things free – what is the business model that will sustain the company that has developed this solution?   Many times  when we look at the fine print, we find out that the value for the business is getting access to our digital information.  This is not unlike the business model of many well know social media platforms that we use everyday.  The difference is  one is  a personal decision and the other is an institutional (enterprise) decision and they come with different levels of accountability..  These businesses are either using this information internally or worse, selling it to someone else.   As stewards of this information we have responsibility to ensure that the information is used in the execution of our core ‘business’ (teaching, learning and research), it is not shared further, and that we notify individuals how and why the information is to be  used.   This is also a good point to note that we need to treat student information differently than we do faculty and staff information.  There are far more sensitivities on the former.

At an enterprise level we do an assessment of new technology solutions, in order to fully understand the risks to our information.  The assessment is about awareness and being deliberate in what we do.  Among other things, we look at  contractual obligations that would limit the re-purposing or resale of information; we look to ensure that we maintain ownership of our information and we look at what sorts of security measures 3rd parties have in place to protect the information.  The Information Security and Enterprise Architecture group within ITS, helps units do these assessments and better understand any residual risk.   When we do these assessments, we sometimes get push back from the vendors and sometimes that tells us all we need to know.

People frequently ask me what keeps me up at night as a CIO and this is something I think about a lot.   I encourage the community to consider 3rd party solutions because it can facilitate innovation, but I also  hope individuals realise the implications of their decisions.  This is one of those places where the CIO has accountability, but little authority to limit actions.  Remember if someone comes to you with an offer that sounds too good to be true …. then it probably is and there really is no free lunch.