Fifteen years ago, I was fortunate to attend the MOR Leaders Program. As part of that experience, I read Stephen Covey's book The 7 Habits of Highly Effective People. I initially approached the book with instant dislike. It had been recommended to me in order to help me stop overcommitting my time and improve my time-management skills. Like most remedies, it was not immediately palatable. Despite that, the book had a profound impact on me. I still periodically review how I am spending my time and ask myself: Is this the way I should be spending my time? The answer is rarely affirmative, and the exercise itself serves as sort of a reset.
There is a wealth of articles that tell CIOs and other IT leaders how to spend their time. It is all about risk and security. It is all about data. It is all about analytics. It is all about apps and the end-user experience. And so on. I would like to discuss here three issues that do not come up very frequently yet are higher-order problems that require my attention: identity, privacy, and governance.
Many higher education institutions are members of the InCommon Federation, and a number are investors in the Internet2 Trust and Identity in Education and Research (TIER) program. These efforts have been remarkably successful in building a national identity infrastructure and a software suite that campuses can use as an onramp to that infrastructure. The question is, why don't more campuses use these efforts to their full potential?
For example, many of us know that releasing attributes for research and scholarship services (R&S) allows our researchers to much more quickly access services aimed at their specific use cases using campus credentials. Examples of such services are the Laser Interferometer Gravitational-Wave Observatory (LIGO), which was recently credited with observing gravitational waves, and the Extreme Science and Engineering Discovery Environment (XSEDE). Yet most campuses do not allow R&S release, leaving researchers to use OpenID or other means to get to these resources vital for their research. Another example is the much-needed upgrade to the identity management infrastructure by moving from obsolete version 2 of Shibboleth to new version 3.0. Those of us at institutions running Shibboleth know that version 2 is no longer supported and is not getting security patches. However, only about half of the campuses running Shibboleth upgraded to version 3. Significant institutional risk is attached to inaction on both of these items, so why is it hard for campuses to make progress?
We collect and have the ability to analyze ever-increasing amounts of data about ourselves. Most higher education institutions have significant data warehousing, reporting, and analytic investments. As difficult as it is to build this capacity, the even harder problem is deciding who gets to see and use the data and how. What are our institutional agreements with members of the community regarding how the data about them will be used? How do we think of consent and a user-centric model versus the more prevalent top-down approach? Can identity and consent/privacy be tied in a user-centric approach to how we deploy services and grant access to them? For which services would this approach be the correct one? These are hard questions that are difficult to answer, yet every year campuses welcome a new group of students who are increasingly more aware of privacy issues. Faculty are also starting to ask questions. So again, why is it hard for campuses to make progress?
I think that perhaps some, though not all, of the problem is tied to our structure of IT governance. A number of years ago, most campuses embraced the need for IT governance. The intent was noble: transparency and input. However, in some cases IT governance has taken a dark turn and is starting to become a substitute for technology vision. In most IT governance models, projects are proposed and funded based on a vote (or other decision-making model) among key stakeholders. In a best-case scenario, students and faculty get a vote, but in many cases they are assigned an advisory committee role. This makes it very hard to move forward issues that are user-centric versus projects that benefit a central unit. It is also easier to have one partner that becomes a project champion versus hundreds of diffused voices. The unintended outcome can be that IT leaders will find it harder to advance issues that do not have a "project champion" or a clear cost benefit.
CIOs and other IT leaders can read an endless number of articles about how to be relevant. Yet our private industry colleagues long ago learned that the path to relevancy is through driving digital transformation. Simply put, we need to use technology to streamline processes and outcomes across units and at times eliminate organizational boundaries. This requires IT leaders to be able to step outside of a partnership mode and drive organizational change in units not reporting to them. It requires the institution to allow IT leaders to move beyond being the recipients of governance-selected projects and lend their considerable expertise to improving institutional processes and in some cases structures.
To remain relevant to senior institutional leadership, CIOs need a unique voice. They cannot simply repeat what the CFO is saying but in a more technical speak. All IT leaders should try to embrace being the advocates for end-to-end student, faculty, staff, and end-user experiences. We should use our voice to improve how our colleges and universities serve their communities. We can do so by spending more of our time on the critical issues of identity, privacy, and governance.
Klara Jelinkova is Vice President for IT and Chief Information Officer, Rice University. She is the 2017 editor of the Viewpoints column for EDUCAUSE Review.
© 2017 Klara Jelinkova. The text of this article is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 license.
EDUCAUSE Review 52, no. 1 (January/February 2017)