Institutional Resilience is issue #6 in the 2025 EDUCAUSE Top 10.
"We need technology to enable remote work and remote learning, and to enable flexibility in the face of disruption. For example, disruptions include health (like pandemics), weather (snowstorms), and political unrest. We sometimes have students or faculty who are caught abroad; maybe their home is somewhere else in the world, and they can't get back to campus because of some visa issue or outbreak of violence in their country. Online or remote operations enable them to continue to participate. Technology is really helpful in those kinds of circumstances."
—David Kotz, Provost, Dartmouth College
Institutional resilience is the ability to anticipate, respond to, and adapt to rapidly changing circumstances in ways that maximize opportunities and minimize consequences of unforeseen events.Footnote1 Higher education is being battered by a wide range and number of risks, many of which are beyond our ability to control or even influence. No institution can be fully prepared for the unexpected, nor can leaders afford to invest heavily in risk preparedness in today's frugal times. The key is to build awareness of the many possible risks, to anticipate their potential impact on the institution and its community, and to build foundations of risk detection and mitigation so the institution can respond quickly when (not if) disaster strikes. Cross-institutional coordination and leadership that can be decisive amid ambiguity are critical capabilities that will serve the institution well, including during emergencies.
The Promise
Increasing confidence in higher education. Public confidence in higher education has been diminishing. Although some of the criticisms fall outside their remit, CIOs can contribute to institutional risk management and help reduce the impact of risks that damage institutions' reputation. Beyond helping avert reputational damage, CIOs can also combat low public confidence—a risk in itself—by helping build student services that simplify students' interactions with the institution and by helping develop learning experiences that engage and teach students most effectively. CIOs can contribute to providing an environment in which students feel safe and protected.
Avoiding existential threats. Technology can both cause and mitigate the kinds of threats that could disable an institution or deplete its resources entirely. Technology and data leaders can anticipate, prepare for, and help avoid technology-related disasters such as ransomware and other cyberattacks or problems caused by major operational disruptions. They can also work with institutional leaders to develop and rehearse disaster recovery and business continuity plans for the growing number and frequency of weather disasters, pandemics, or acts of social unrest that disrupt business and academic operations.
Creating room for transformation. Crises bring opportunity. CIOs can help identify and leverage the opportunities embedded in crises, as they did with remote work and learning during the pandemic. Prioritizing staff responsibilities in areas that cannot be outsourced or automated can be crucial to creating room for staff to reskill, be proactive, and pivot when necessary. And by avoiding disasters, or at least minimizing their impact, CIOs can also help preserve focus and resources needed for institutional innovation and work that staff find most rewarding.
The Key to Progress
Learn from the small incidents to avoid the big ones. Small problems can be gifts. Leaders who treat incidents as one-offs are most likely fooling themselves at the expense of the institution. Our world is different now, and once-unthinkable disasters are happening, often in tandem with other disasters. Leaders using the discipline of foresight can flag early signals of change as wake-up calls, allowing them to anticipate and prepare for looming problems.
QuickTakes
Take a long view in planning. Planning can seem like a waste of effort that could be better directed at doing today's work. That earthquake or major data breach may not happen for years, but when it happens, institutions that took the time to plan for it will be beyond thankful that they did. It can take a great deal of fortitude and social capital—not to mention time—to plan when peers don't see the value in it. Conduct an institutional risk assessment and create a risk matrix. Start with the larger, more likely risks and work from there.
Prepare and rehearse. Planning should include identifying risks and creating disaster recovery and business continuity plans. Rehearsing the plans can make them tangible, helping staff spot gaps and giving them experience that they can apply more quickly and adapt more easily when disasters occur.
Make decisions at the right levels. Institutions with very top-down or hub-and-spoke decision-making will struggle to make all the big and small decisions that are necessary to prepare for and manage risks—and make them quickly enough. Decision-making should happen as close to the work as possible. Senior leaders should empower staff to make smaller, more focused decisions as quickly as possible. The key is to ensure that those staff inform and coordinate with leaders and other stakeholders to avoid costly surprises.
Get comfortable with ambiguity. Difficult situations are volatile. Often, people need to act before all the information is available. Under those circumstances, the institutional culture needs to be comfortable with uncertainty and support rapid decision-making. Some choices may go badly. The key is to respond quickly, communicate widely, and move on gracefully.
Develop your workforce. Cross-train staff, ensure that they're able to use emerging technologies, and help them acquire skills to manage people, processes, services, and products. The key is to develop a workforce that's capable of responding creatively, flexibly, and competently to unfamiliar situations. Include succession planning in this work to ensure continuity of operations.
Think and act holistically. Most problems are multidimensional and need to be addressed in multiple, cross-functional ways. A coordinated effort that's grounded in a shared vision and direction will enable the institution to move quickly and effectively.
Do what you can with what you have. There's an ideal way to do things, and then there are all the other possible ways to do them. Incremental progress and creative shoestring solutions are better than waiting for the big fix that may not come in time (or ever).
Ask Yourself
How can we leverage institutional resilience planning to create new opportunities for innovation and transformative change, in addition to mitigating risks?
The Bottom Line
Institutional resilience will become a key differentiator in higher education. Those that prioritize holistic risk planning and adaptive strategies will be better equipped to navigate an increasingly complex and unpredictable landscape.
Data Point
AI governance is one of the key technologies and practices in the 2024 Horizon Report: Cybersecurity and Privacy Edition. The report authors explain, "As more institutions adopt AI-powered tools for learning and work, AI governance will be vital for protecting institutions and individuals. Unless AI governance is in place before new tools are adopted, institutions risk exposing themselves to cybersecurity threats, infringing on end users' privacy, reinforcing systemic inequities, and violating the complex web of data-related regulations."Footnote2
From Strategy to Practice
What You're Saying
"In addition to the technological threats universities face, there are other risks that transcend technology. Some of these include complaisance in the pedagogy status quo and the disconnect between what industry wants/needs and what universities are delivering."
"IT's increasing role is to support sustainable, practical executive decisions where IT has a major impact. This includes ensuring the institution has a great, progressive cybersecurity program and making sure it has a solid data integration infrastructure, strong policies and procedures related to data and IT, and solid project management methodologies for making sure the inevitable transition between software tools is efficient and timely."
"Competition keeps getting better, and we must as well."
"It is essential we work together to maintain resilience."
"We are at a very challenging crossroads in higher ed. Our expenses are growing exponentially, while in some cases our demographic is shrinking dramatically. We also continue to face dramatic funding issues, and people are having a harder time justifying the cost of a higher education degree. We need to continue to get better at delivering a quality education in fields that yield a valuable return for our students."
Solution Spotlights
"Statewide groups are working on this together to decrease the burden on individual institutions within the Nevada System of Higher Education."
Cheryl Jones, Truckee Meadows Community College
"We have a mature and effective enterprise risk management (ERM) program that starts in the C-suite and includes dozens of participants from university schools and departments. Through this mature ERM process, we are able to identify and define the most critical risks and apply needed resources to mitigate those risks."
Peter Murray, University of Maryland, Baltimore
What You're Working On
Comments provided by Top 10 survey respondents who rated this issue as important
Analytics
- Our data analytics platforms can be used to identify student markets and encourage student retention efforts.
- We're doing more simulations of what-if models, using PowerBI and other tools to see the long-term effects to changes in housing, meal plans, and undergraduate and graduate student enrollment.
Business continuity and disaster recovery
- Working diligently to develop and test a business continuity plan for critical IT services.
- Campus-wide effort to engage in continuity planning.
- Business continuity and disaster recovery planning.
- Prioritization of business continuity and disaster recovery.
Collaboration with other organizations
- Diversification of our data center strategy along a three-pillar model that includes partnerships for high-performance research collaborations with other campuses in our system and NASA.
Cybersecurity
- CMMC and ISO certifications.
- This is a big area for information security. We provide the tools and help so that resilience is built into systems and if (when) something goes wrong, recovery is quick. Detection is critical, and when prevention fails, we need to know.
- Need to be as secure as possible to lower risk while also being able to detect and recover in the event of an incident. Many times, we can recover but not quickly enough and not sure if data is compromised.
- IT security measures ($2.6 million spent in 2023).
- We have quarterly incident response tabletop exercises. We are considering a partnership with CISA (Cybersecurity & Infrastructure Security Agency) for one of our exercises.
- Hiring security officers.
- Regular briefings of our CIRT (Cyber Incident and Response Team) and Board.
- Cybersecurity efforts and upgrading equipment will address a great deal of these items. First, we had to rebuild the cybersecurity department and produce a master purchase cycle for ITS infrastructure hardware. Both are completed. Now, we're in the implementation cycle.
- We continue to evolve and adapt our security strategy. A strategy cannot be a "set-it-and-forget-it" type of document. It must continually evolve as the threat landscape does. We continue to evaluate and invest in the RIGHT technologies that help us advance our strategies while protecting the institution.
- Finishing the secure computing initiative.
- Ongoing penetration testing / assumed compromise exercises.
- Ramping up an SOC (Security Operation Center) to watch our systems twenty-four hours a day.
Holistic risk management
- Risk mitigation and risk awareness is a huge priority. We're working to ensure that we have processes in place to help with business continuity. We're also leveraging a cybersecurity dashboard that helps us monitor and assess our cybersecurity frameworks.
- Created a new risk oversight committee at the board level to coordinate and report out on any form of institutional risk.
- We have a mature and effective enterprise risk management (ERM) program that starts in the C-suite and includes dozens of participants from university schools and departments. Through this mature ERM process, we are able to identify and define the most critical risks and apply needed resources to mitigate those risks.
- Our cross-campus crisis management group (CMG) is working on standards and capabilities frameworks to address our many risk areas.
- We continue to identify risks and exceptions that take place in lines of business and work toward risk reduction, particularly around IT systems and ITSM.
- Implementing risk management tools and increasing the role of IT in institutional risk management forums.
Institutional security and safety
- From cybersecurity campaigns to campus safety, we have considered all areas to ensure we have a healthy and safe space for teaching and learning.
- A comprehensive robust security strategy has been developed, and we’re working on implementing most of these security initiatives to prepare the institution be resilient to any vulnerabilities and risks.
IT risk management
- IT project governance and associated risks.
- Ensuring resilience in IT solutions for any situation. Being a part of the leadership team that oversees our ERM processes and incident strategic response processes.
The IT organization's role in institutional resilience
- We're refocusing all technology initiatives on business outcomes—partnering with stakeholders on technology initiatives to drive business outcomes and address institutional challenges—changing the mindset from "technology" projects to institutional projects based on university goals and objectives.
- I see this as part of our CITO and CISO's roles.
- Risk is today's focus. No longer are we simply trying to justify IT investments based on performance, reliability, and best practices. Every element of what IT does is addressing risk (cyberattacks, institution reputation, intellectual property, and more). IT is no longer a "nice to have." It is required to sustain (and advance) the institution. Central IT and the CIO can only do this if leadership—provosts, presidents, and boards—realize this and support it. Fortunately, ours does, but it must continue to grow in awareness, and THAT is something the CIO can do!
Needing to address specific risks
- Investments that can increase our ability to recruit and retain traditional and nontraditional students are seen as a priority. Enhancing our data-management capabilities along with our human experience capabilities are keys to delivering these outcomes and are a focus for investments.
- We are a public, two-year comprehensive community and technology college, and institutional resilience is one of the greatest challenges for our institution. Wage expenses are increasing exponentially, putting pressure on enrollments.
- Ongoing risk changes—demographic cliff, etc.—will have an effect on planning.
Planning
- New management plan in the making.
- Focus on tabletop and resilience exercises.
Technology mitigations
- Using more cloud-based systems.
- Required multifactor authentication and password change policy for all users on campus and enforcing single sign-on.
- Least privilege access and ERP conversion.
- Working on making systems redundant. Making sure applications have redundant servers.
- Moving the last of our critical systems off premises and into the cloud. Document Imaging and BI cube remain on-premises. However, we will move document imaging to the cloud this year and are planning to move to MS fabric for BI next year. Also, taking steps to harden our systems and improve our cybersecurity posture.
- Considering SaaS to aid with disaster recovery and efficiency at the same time.
- Moving critical infrastructure to redundant cloud solutions (such as Azure for SSO).
Notes
- Susan Grajek and the 2023–2024 EDUCAUSE Top 10 Panel, "2024 EDUCAUSE Top 10: Institutional Resilience," EDUCAUSE Review, October 16, 2023. Jump back to footnote 1 in the text.
- Jenay Robert et al., 2024 EDUCAUSE Horizon Report: Cybersecurity and Privacy Edition, research report, (EDUCAUSE, September 2024). Jump back to footnote 2 in the text.
Marc Hoit is Vice Chancellor and Chief Information Officer at NC State University.
Jackie Milhans is Director of Research Computing and Data at Northwestern University.
Lisa Trubitt is Assistant Chief Information Officer for Strategic Communications at University at Albany, SUNY.
© 2024 Susan Grajek and the 2024–2025 EDUCAUSE Top 10 Panel. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.