Hoisted by My Own Petard


This will be my final post in the “Got a Minute?” blog series: I am wrapping up my time as EDUCAUSE Presidential Fellow. I’ll spare everyone (including me!) the long goodbye; it has been a privilege and an honor to serve in this role advising EDUCAUSE President Diana Oblinger, the staff of this wonderful association, and my colleagues and friends in the membership. I thought, in parting, to leave you with the following story, hoping that it will have value as a cautionary tale. We do live in challenging times. See you around the campus.

Back in December 2013, I wrote a blog post titled “Risk and Compliance: The Threat of Mission Not Accomplished.” Little did I know I was foreshadowing my future. Quoting myself:

We in higher ed information technology grasp the significant dangers of risk and compliance. Risk—or, to be more exact, how we think about (or obsess about) risk—can paralyze us. We can become so preoccupied with risk (its assessment, mitigation, and management) that we fail to be occupied with providing IT enablement to the missions of our institutions and with using technology to promote innovation in the execution of those missions. And yet, failing to be appropriately occupied with risk can end in catastrophe, which has the same result (i.e., mission not accomplished).

I concluded by pointing out that we as CIOs and IT professionals need to be visible enablers of all the good things in the mission of our university—to be a part of getting to “mission accomplished” and differentiating our institution from others. However, I emphasized that some things are visible only when they are lacking at the time you need them most. And how you’ve prepared to address those things (e.g., disaster recovery, data security) will also differentiate your institution. Paying attention to these things will avoid “mission not accomplished.”

*ahem*

February 18, 2014, gave me yet another lesson in the truth (and the frustrating absurdity) in that conclusion. I spent my final days at UMD dealing with a massive data breach. Rather than spending my penultimate weeks focusing on what would be the largest supercomputer in the university’s history, I (and my CISO, and the President, and pretty much the rest of the university) was mired in the aftermath and the [rightful] wrath and anxiety of those who had their personal information stolen. I got to read comments in both the Wall Street Journal and the Washington Post calling for my ouster. I lived “mission not accomplished” as a CIO.

In April, following my retirement from the field, I attended the Internet2 Global Summit. In a closed session with a room full of CIOs, I was graciously offered some time to tell the story of that experience to my colleagues and friends. I used the framework of a play (obviously, a tragedy)—listing all the “actors,” including the serviceable villain (the hacker, whoever s/he is), and running through the “plot” of the theft and its aftermath. In examining the proverbial lessons learned, I realize there surely were technical things that left cracks in our defenses. But what struck me about our experience was that we were prepared. We had paid attention to the things that are visible only when they fail. We had asked outside reviewers to closely examine our IT security and policy measures and give us recommendations, through which we were making tremendous progress. We had specifically called out IT security in the UMD IT Strategic Plan. We had doubled our investments in IT security (people and tools): we were spending well over $2 million annually (up from under $800K in 2011).

And still … we had fallen victim to one of the largest data breaches ever in higher education.

I won’t go through the talk I gave, since it’s better given in person. It’s not a secret, but it’s not a publication-quality tale of sensitive events at my former posting. What I will do here is provide the conclusions we reached about cultural factors that positioned us for the breach—conclusions that were reinforced by a room full of nodding-in-agreement CIO colleagues at I2’s Global Summit. I also urge you to read a recent piece by Quinn Norton, Everything Is Broken; it talks about this idea of cultural aspects that impact IT security (warning: Ms. Norton uses a lot of “colorful metaphors” worthy of an “R” rating).

Citing these cultural factors is not meant to mitigate the technical/technological and process mistakes that were made. I am not looking to obtain dispensation. Rather, I want to inform the many institutional leaders who will see these factors reflected in their own environments, factors that could consign their institutions to a similar fate. If your institution is like Maryland was—if you are pouring your risk-mitigation efforts into hardware, software, and humanware defenses but are not addressing these other factors in the culture of your environment—you run the risk of having the same thing happen to you. We must address the underlying cultural issues that create the circumstances—with that “we” being not just CIOs, CISOs, and IT professionals but also, and especially, Presidents, Provosts, Cabinets, and Boards.

Issue #1: A Culture of Data Retention

University entities (both administrative and academic areas) are hoarders of data. We never want to throw anything away. As electronic media storage systems have driven down the cost of storage, this culture has been further enabled. When the budget for storage is not part of the budgets of the stewards (hoarders) of data, the cost of retaining information is zero. If it’s “free,” why not save everything? Because you never know when you’ll need it! I’ll tell you why not: We are saving things we should not save. Ask yourself the question: If we hold on to this data, what trouble can it cause for the institution … and for the individuals represented in the data?

Issue #2: A Culture of Frugality in IT

IT budgets are always under pressure because IT is often viewed as an auxiliary (see my last blog entry). Thus, rather than doing things the way a best-practice approach would suggest, we do them in the best way we can with the funds we have. This is not a pitch for bottomless IT spending. It is a pitch for ceasing to do too much with too little. Taking a frugal approach may appear to work initially (and may work for a long time), rewarding you for that frugality. But lurking in frugal designs are elements that, when they fail, bring everything crashing down. Those who build these frugal environments aren’t stupid; in fact, they’re often quite clever and resourceful and get everything done for less than half the cost of what a “best practice” would cost. However, when you add in the costs of the failure that can come from being clever, the frugal approach is no longer a good deal. In fact, it can be a real horror show—not just because of the real dollar costs of remedying the failure but also because of the punitive costs to the institution’s reputation and, most important, the costs to the individuals who lose peace of mind.

Issue #3: A Culture of IT Subservience

Often, the CIO and central IT cannot create and enforce policies for the good of the institution unless those policies are accepted and supported by those who would have to live with(in) them. This sounds good and egalitarian, just as a university should be. And hackers appreciate that we are so decentralized in our governance and so egalitarian in our methods—and that we leave so many holes open in our distributed environments, which have pathways, born of frugal designs, to lots of data that has been hoarded. They’re very grateful that IT organizations are so service-oriented!

I am not advocating total IT autocracy. However, the role of the CIO (and central IT) has to be less “customer-service driven” when it comes to matters of institutional data integrity. The history of our organizations has been one of service to the campus: to its academic participants (i.e., faculty, researchers, students) and its administrators (i.e., student enrollment offices, finance and administration)—those areas out of which parts of our organizations emerged in the last century. However, technology has now placed us in the larger role of serving the institution (not just its members and its offices). And the formative culture of service runs against being, for lack of a better word, dictatorial when it comes to matters of protecting institutional integrity.

This must change. As I mentioned in my last blog post, CIOs must establish bona fides by providing a highly mission-enabling, IT-abundant environment and set of services. But Presidents, Provosts, and Boards must insist that the CIO’s first role is to protect and advance the institution and must judge them according to that role rather than on-campus popularity. (A good read for these leaders would be Michael McRobbie’s 2012 EDUCAUSE Review article discussing centralization and commoditization.)

********

In my view, these three cultural factors were just as responsible for the UMD data breach as the technical/technological and process factors. I believe these cultural issues exist at many, if not most, other institutions as well. Documenting and addressing only the latter category of factors without considering and addressing the former category may provide an immediate sense of recovery and future security, but that sense of security will likely be a false one.

This is my tenth blog post during my time as EDUCAUSE Presidential Fellow. Aside from a personally cathartic missive explaining my rather sudden decision to step off the playing field (post #6), the underlying theme running throughout my “Got a Minute?” blog has been the examination of the role of the CIO (and central IT). Whether my comments were regarding aspects of Administrative IT (#1, #2, and #3), discussing the GRC triad (#4 and #5), exploring the CIO pipeline challenges (#7, #8, and #9), or this final introspective parable (of sorts), the blog has addressed our profession and those of us who sit in “the chair.”

I have a zealot’s belief in the critical importance of the CIO position. I believe that our past haunts us at nearly every institution but that informed executives with foresight will look away from the past and continue to elevate the importance of the CIO role in their institutions. I believe that doing so is key to those universities’ ability to survive the disruption that technology is bringing to higher education. And I believe that failure to do so is not only unwise—it is an unsurvivable error.

These are the things I believe. What about you? If you believe them too, then what are you going to do? I know what I’m going to do: I’m going to see if I can get into an adventure that involves carrying this message beyond the choir.

Will this change things? As the Zen Master says: We’ll see.