Facing Headwinds: IT Agency Undeterred by Disruption

Economic, demographic, cultural, and political forces are converging and creating significant headwinds for higher education in the United States. Most obviously, changing demographics and values have created enrollment crises, which in turn are driving intense competition and reduced funding. In addition to these external pressures, college and university IT organizations are grappling with the need to simultaneously reduce institutional risk (e.g., by improving cybersecurity and compliance postures) while also providing a diverse user community with faster, more seamless access to IT services. Technical debt, staffing shortages, skill gaps, and tightening budgets significantly inhibit IT efficacy. How do IT organizations effectively respond to these disruptive forces? The colleges and universities that are the most effective at addressing the critical needs and rapidly changing requirements at their institutions understand that a mature identity and access management (IAM) program is vital to developing a secure and transformational digital campus. IAM isn't simply a technical problem; it is a business opportunity with technical components situated at the very center of an institution's most strategic goals.^Footnote1

The Demands Are Real and Growing

A brief review of key higher education business needs demonstrates how the growing list of demands is stretching the capacity of the IT organization to support institutional priorities. A sound IAM strategy is critical to addressing each of the following anonymized real-world examples.

Non-Traditional Academic Programs

The mission of a university expands to include a greater number and diversity of non-traditional academic programs. Certificate programs, non-degree programs, business-partner management training, and lifelong learning programs require fast, seamless access to registration, tuition transactions, and learning platforms. These programs demand an engaging digital experience and data analytics capable of driving smart business decisions.

Student Experience

The president of a statewide university system responds to decreased enrollment by mandating that all campuses permit and support seamless cross-campus enrollment. Regardless of which university a student has applied to, been accepted at, and is enrolled in, that student will now be permitted to register and take courses at any other university in the state system. What's more, the student must be able to do so using the credentials from their home campus. Student experience and academic engagement must be seamless.

Privacy and Inclusion

A state university system has established new policies requiring its campuses to support diversity, equity, and inclusion through the distribution and management of lived/preferred names and pronouns. The policies mandate that campus IT organizations ensure every individual's privacy while also ensuring that lived/preferred names (in addition to legal names) are propagated automatically, consistently, and ubiquitously across all appropriate campus applications and services.^Footnote2

Administrative Efficiency

State legislators have mandated that each university in a state system identifies and adopts ways to drive greater administrative efficiencies within and across campuses. This includes determining how campuses can leverage shared platforms (e.g., human resources, student information, learning management, etc.) and services.^Footnote3 Each campus is also responsible for supporting the Day-1 work readiness of its staff and faculty. This means eliminating all current delays in onboarding employees' access to critical applications and services.

Proofing and Levels of Assurance

Federal research funding sources (e.g., Department of Defense and National Institutes of Health) and national insurance companies continue to increase their minimum requirements for qualification, access, and coverage. Increasingly, research institutions and campuses are required to provide proof that they have formally identified the persons using campus-provisioned credentials (e.g., usernames and passwords) and regularly validate and safeguard these credentials with effective multifactor authentication, identity proofing, and assurance levels.^Footnote4

New Business Requirements Spawn New Projects

These emerging patterns in higher education are having a major impact. They also depend significantly on the processes, people, and technologies that manage the identities, credentials, and access needed to teach, learn, conduct research, and provide care. Effective responses to these new demands are predicated on the capacity to realign IT services quickly and to deploy flexible technologies to address these and future challenges. Common IT initiatives spawned by these new needs include the following:

• More complex business practices often demand modernized enterprise resource planning (ERP) solutions, leading to the deployment of and migration to new admissions, student information, and human capital management platforms.
• Increased focus on enrollment and recruitment results in new customer relationship management (CRM) and digital experience platforms (DXP) that seamlessly identify, promote, and report on recruit and applicant online experiences (i.e., sooner and with greater granularity).
• Online and non-traditional course offerings require transaction-based, seamless, real-time access to academic technology.
• Privacy regulations and inclusivity initiatives change requirements for how people can manage their identities and grant consent and how personal information (i.e., identity data) such as lived/preferred names, gender, and pronouns are managed across applications.
• Day-1 work readiness (i.e., providing employees with all the access they need for their first day of work) calls for better business processes, well-defined lifecycle policies, and a rationalized approach to access governance.
• Continued growth and complexity in research require increased collaboration, real-time provisioning, and the ability to proof the identities of people who may not yet (or ever) be entered into an ERP system.
• Cyber insurance and "identity as a security perimeter" initiatives (e.g., Zero Trust) require robust privileged access management (PAM) solutions.

Navigating from “Where Projects Go to Die” to Continuous Improvement

Responding effectively to these new challenges requires new ideas, approaches, and technologies. A recently appointed CIO shared that a consistent theme emerged during his initial listening tour to identify the most pressing needs on campus (as well as the largest gaps in IT services). Even though most campus stakeholders didn't exactly know what IAM was, they shared that IAM had become universally known as "where projects go to die." Technical debt, staffing shortages, skill gaps, and the loss of institutional knowledge had made IAM a significant blocker to many (if not all) of the intuition's most strategic initiatives. This was true despite the extremely hard work and commitment of a very talented IT staff.

IAM isn't a technical problem; it is a business opportunity with technical components situated at the very center of your institution's most important initiatives. Leveraging this opportunity and achieving continuous IT improvement begins by establishing a mature IAM program.

Alignment

A mature IAM program begins with strategic alignment, i.e., spending the time to understand the greatest needs of the critical stakeholders at your institution (students, faculty, staff, practitioners, and researchers) and aligning IAM investments (time, resources, effort, and dollars) with those needs.

Awareness

Listening and aligning investments are just the beginning. Raising and redirecting precious IT resources to address the current shortcomings in your IAM environment will also require increasing campus awareness (among academic, business, and IT stakeholders) of the central and critical role IAM fills at your institution.

Collaboration

Simultaneously listening to your stakeholders and championing IAM as part of the solution enables cross-campus collaboration. This is an absolutely essential component of a successful approach to addressing the challenges that span a vast swath of campus organizations.

Business Process Redesign

Working jointly with institutional stakeholders (recruitment, admissions, registrar, human resources, academics, and research) to improve business processes is a prerequisite to enabling improved technology and data-driven IT service delivery.

Technology

Replacing technical debt with new, flexible IAM solutions, while insufficient, is likely necessary to establish an agile service delivery organization capable of continuously bringing highly valued and much-needed solutions to these pressing challenges. Two technological developments in IAM may assist with this effort:

• SaaS IAM: While not all cloud IAM platforms are truly software-as-a-service, a significant number of mature SaaS IAM solutions are sufficiently flexible to meet many of higher education's requirements while reducing the effort and skills needed to leverage these tools for campus improvements.
• Componentized and Converged IAM: Leading IAM vendors are moving toward "converged" offerings to provide a single platform for most IAM requirements. While this may not be a realistic option for many large, complex institutions, smaller institutions may be able to reduce the number and diversity of the tools their teams support. Even for larger institutions, changes in the market mean there are a variety of options that target the most complex requirements at many higher education institutions, including access governance, customer IAM (CIAM), third-party / non-employee IAM, etc.

Strategic Plan and Roadmap

To achieve IAM program maturity, you must have a plan. The scope of this plan is much broader than tool selection and implementation. IAM program planning must include awareness and communication strategies, people, policy and standardization, business process improvements, and technology. Effective planning should include roadmaps that span multiple phases across multiple years and identify regular (e.g., quarterly) goals for delivering impactful improvements to the campus, i.e., continually demonstrating the value of the IAM program.

Conclusion

The dynamic and converging pressures on higher education are causing significant changes in how institutions educate and do business. An effective and mature IAM program is a critical part of an institutional digital transformation strategy. Effective aggregation, management, and application of identity and access information is crucial to a robust risk management program and can transform the digital experience of students and employees. IAM can either be one of the biggest blockers to effectively responding to challenges or the primary agent of continuous IT improvement.

Notes

1. The centrality of IAM to the most critical institutional objectives transcends higher education and applies equally to the private sector. A recent article published in Forbes makes the case for the importance of IAM to customer experience, administrative efficiency, and cybersecurity. See George Webb, "10 Reasons Why The Modern Enterprise Needs A Chief Identity Officer," Forbes, February 22, 2024. Jump back to footnote 1 in the text.↩
2. A recent example of state university system mandates to support inclusion that have direct implications for the management and distribution of identity data is "Gender Recognition and Lived Names," Diversity and Engagement, University of California, last updated February 14, 2020. Jump back to footnote 2 in the text.↩
3. One example of a state legislation mandating greater efficiently across universities in the state system is An Act to Require the Board of Regents to Assemble a Task Force to Study the Operations and Functions of the Institutions of Higher Education under the Board's Authority, Senate Bill 55, South Dakota Legislature (2020). Jump back to footnote 3 in the text.↩
4. The National Institutes of Health (NIH) has instituted security requirements governing research institutions and universities that provide authentication services (an identity provider) for researchers to access NIH applications. These requirements include the ability to perform and verify, MFA, identity verification, and levels of assurance (leveraging the Research and Education FEDerations (REFEDS) Assurance Framework). Jump back to footnote 4 in the text.↩