Managing Risk and Exploiting Opportunity

The role of the Chief Information Officer, one of the newer positions in higher education senior leadership, continues to transform and evolve, often heading in surprising directions. Not only are the technologies changing at a dizzying pace, but it often feels as if the role itself, as well as what institutions need and expect from the CIO, is transforming just as quickly.

Recently, with sweeping changes in institutional priorities, the increasing pervasiveness of networked information with all the good and bad that entails, and the growing expectation from boards, both public and private, that colleges and universities need to anticipate and manage risk more effectively, the CIO has assumed a "go-to" leadership role in the institution. I am not sure, however, that this new centrality of the CIO has happened in the way that analysts had anticipated and advocated. Many commentators have focused on the emergence of the CIO as an academic leader who projects organizational alignments that serve to integrate pedagogic support centers, libraries, and IT organizations. This change in role has indeed happened in many institutions, particularly liberal arts colleges, and this certainly represents an important opportunity for the CIO and the institution. But I believe that the growth of the CIO role has been driven more by other factors.

Let me elaborate. Increasingly, the CIO is working with new executive partners across the institution, since business processes that were not traditionally dependent on digital technologies now require complex central enterprise systems. No more than five to seven years ago, what we commonly refer to as "enterprise applications" were generally characterized by the "Big 3": financial systems, student systems, and human resources systems. The CIO's ability to work with key business leaders to support these three types of systems was often what defined success. For example, one of the first new enterprise applications was the learning/course management system (L/CMS). But what started out as a departmental application to provide low-level tools for classroom management and instructional materials delivery has now become arguably the most mission-critical application in the academy. When the L/CMS isn't available, the most basic function of the higher education institution—teaching students—is substantially hindered. Furthermore, these tools are becoming critical to managing the institution's risk (Can the institution maintain instruction if it loses the physical campus?) and exploiting new strategic opportunities (Can the institution jump-start a new international campus by using the L/CMS to deliver instruction to a location on the other side of the world?).

We have also experienced major growth in the critical use of information technology for communications. The e-mail service that was introduced many years ago as a "convenience" service is now seen as a multi-purpose communications vehicle for the institution, supporting the transmission of official information to students, enabling the research faculty's collaboration with research teams across the globe, providing lifelong engagement with alumni, and supplying the basic fabric of communications for institutional administration. Much the same story can be told for the institution's web services. A capability that was often relegated to student projects run on departmental web-servers sitting under the proverbial "techies' desk" has now become the vehicle that is expected to serve as a recruiting magnet for new students, become the "website of choice" for thousands of alumni, and serve as the platform for communicating the institution's core vision, mission, and values. The loss of web services or a breakdown in the performance of e-mail is now equated with a major institutional failure, creating a new focal point in the institution's risk management profile.

In addition, we have seen rapid growth in the use of digital technologies in institutional functions for which the CIO has traditionally had little, if any, responsibility. At Georgetown, for example, we have had to create an enterprise systems team (parallel to our more traditional student, finance, and human resources teams) to support new applications in the safety and facility areas including camera systems, fire alarm systems, incident management software, an integrated Safety Command Center, and centralized climate management systems. All of these run (or will run) across the integrated IP network infrastructure for the campus, making the capacity and availability of that infrastructure yet another key element in institutional risk management.

Finally, higher education has increasingly moved into the crosshairs of new regulation at the local, state, and national levels. Data privacy legislation enacted primarily at the state level is the perfect example. Scores of colleges and universities have experienced large-scale crises as the result of system compromises or lost computer equipment containing large amounts of legally protected data such as Social Security numbers and credit cards. These incidents have cost institutions scarce financial resources and have caused strained relationships with students and alumni whose information may have been compromised. Even though these incidents most often involve resources that are well outside the traditional range of control of the CIO, it is the CIO who is usually held accountable and who is expected to manage future risk of data exposures. On the bright side, CIOs have often been able to use this accountability to alter their responsibility in ways that allow them to address core data security and privacy issues that they have not been able to influence in the past. Nevertheless, these efforts have consumed many more resources than often are available, affecting other critical priorities. Similar effects have resulted from new regulations in managing credit card information, financial accounting and reporting, human subjects research, animal research, electronic discovery, research materials management, CALEA, the newly authorized Higher Education Act—and the list goes on, likely without end.

As we look to the future of colleges and universities, we also see fundamental shifts in mission with the emergence of the "global" university, the university whose programs can be delivered anytime/anyplace, the university that serves as a lifelong resource for its alumni, or the university that becomes a strong economic-development partner for its community. Each of these new ambitions, all of which are commonly seen as being central to the future of the college or university, has information and technology at its core; each creates new possibilities and new challenges for the CIO.

What has happened here, I believe, is a fundamental shift in the role of technology in the institution and, thus, a fundamental shift in the role of the CIO. Five to seven years ago, the higher education application landscape was often represented by a pyramid. At the very top were the few systems that had true enterprise relevance (finance, human resources, and student systems). At the base were a much larger number of systems that were implemented and maintained outside the institutional data center (and thus were not the responsibility of the CIO). But then along came the "perfect storm" represented by information privacy and security, the migration of scores of systems from analog to digital, the new federal rules governing e-discovery, a wave of regulations governing the conduct of research, the centrality of technology to communication—all tending to increase the institutional stake in IT systems. Thus the traditional pyramid has been turned upside down, with the larger number of systems now being at the top, among those categorized as having true enterprise relevance. Although the CIO can choose to leave a few of these systems in the care of others, the risk profile of most have become such that the CIO is in the accountability path, like it or not.

I have worked in academic technology organizations for over thirty years, serving for the last fourteen years as CIO. While I have always experienced the rapid churn in technology, only in the last five to seven years have I seen the role of the CIO experience the same (if not a higher) level of transformation. Perhaps the greatest change has occurred on the side of managing risk: the CIO's role has become substantially more central to protecting the institution. This is clearly seen in how much time CIOs spend addressing business continuity and emergency management planning across the institution or in how much pressure CIOs come under when the campus e-mail or web services misfire. But at the same time, CIOs have new opportunities to exploit, showing how technology can add value to the future strategies of the institution. At Georgetown, for example, building technology services to support the opening of a new campus of our School of Foreign Service in Doha, Qatar, has been an exhilarating experience, allowing us to showcase new technologies and to see the future of global education up close and personal.

I do often find myself wishing we could slow down the pace of change. On the other hand, I have never felt more energized or more fulfilled, with the emerging centrality of the CIO in the higher education institution leading to the critical—and challenging—leadership role of managing risk and exploiting opportunity.

H. David Lambert is Vice President and Chief Information Officer at Georgetown University.