Don’t take the bait

Many of you will have read  the news about the  cyber-security event at Calgary.  Our thoughts are with the team there who are recovering from a very difficult situation.   At this point we really don’t know what has happened aside from a few brief media releases.  All hands at Calgary are likely on deck and our debrief with them will happen in due course.

We at ITS continue to monitor for malware and it is important that our communities become more vigilant when responding to emails and clicking on websites.    At lunch today I was stopped by a couple of faculty members who asked me what happened at Calgary.  Malware can come from various sources including phishing.  Their response was simply “who is stupid enough to click on these phishing emails?”, and my response was, lots of people do because it is getting really hard to identify them.  If in doubt don’t click, call the IT support desk or check for alerts on our website or go to the phishing page..

Here at Queen’s we continually monitor the network for anomalies, we regularly apply system updates, test for vulnerabilities on critical systems, actively run anti virus and malware and work at educating the community.   In the last year we have expanded our security team by adding two more staff, and recruited a new Information Security Officer.

All of these initiatives mitigate the risks, but we can’t eliminate the threat completely.  Ransomware is prevalent on the internet and it is growing exponentially.  Not all parts of the community are as forthcoming as Calgary has been, so we don’t hear about all the incidents.  Fifteen  years ago hacking was more of a sport, now it is malicious and criminal.  It is a rapidly moving target and we are evolving with it.

 

 

The end of an era – change can feel hard

 

Have you ever been in a situation where something has been around so long that you couldn’t imagine the world without it?  Then “someone” makes a decision to take it away and your first reactions are fear, resentment and anxiety.    You feel a sense of loss that slowly translates into doubt as you begin to question why this decision was made.   You become anxious and confused and you can’t imagine how you could live without ‘this’.  It is really easy to get stuck here, and that can end up being problematic.

In these situations you need to be deliberate in order to move forward.  You need to step back and separate fiction from reality and explore the reasons behind the decision.  You need to question what is really the worst thing that can happen, and look objectively at how you can move forward.   You need to question what is important, that you got from ‘this’, and what do you really need.  This will allow you to better understand and work through the change.

At the end of March we closed our Campus Computer Store.  The Store has been around for a long time and has touched a lot of people over the years, but the world, and the market has changed.   It used to be that every fall many students would pick up a new computer when they arrived on campus and now they all come with one already.   We are seeing vendors like Apple and Microsoft selling directly to their educational customers and there is a proliferation of on-line competitors.   The store has always had two sides, retail and internal procurement. Over the last few years retail sales have gone down dramatically, which has really put the operational model we use into an unsustainable position and we needed to rethink how we do this.

On top of that we have seen a big push towards commoditization of desktop technologies.   When we standardize on our desktop and mobile devices, it enhances the user experience, becomes less expensive to procure and easier to support, freeing resources for other more meaningful activities.  If we are being truly objective, close to 100% of the devices we use on our desks should be treated like a commodity.  When we come into work there is a phone on our desk (stay tuned on that one) and we simply accept it is there.  There may be choice of a few models, depending on your role, but if it breaks we bring you a new one that looks and works the same.   We need to think about our desktops and laptops the same way.   As we evolve more into cloud services, there is less reason for storing files locally and most of us should have a common set of tools available. That allows us to simply swap out a machine whenever a problem arises.   There will be exceptions to this and some people will have unique needs, but they should be few and far between and can be accommodated.

At the moment you can go to the procurement site and you can buy just like you did before and have goods delivered directly to you.  You may even notice some of the prices are better, and there is no mark-up, which was necessary to cover the costs of running the store.  In the next short while you are going to see a list of preferred desktops and mobile devices to make your decisions even easier.

On top of that, ITS is going to expand the Direct Computer Support program to support hardware.  “This means that your desktop computer will be just a device you use, can be easily replaced, and have a predictable and consistent fixed cost over time.

It is hard when something you are used to changes, and it is normal to be a little cautious and have questions.  However, don’t let the feelings of  loss and frustration distract you from being objective.  Try and understand the need for the change, engage with the individuals and groups supporting people though the  change, help shape the change, explore how the change can help you and you may end up in a  better place than you are today.

 

 

Wanted – faculty whisperer who is highly regarded as a soothsayer and has the ability to walk on water…..

Have you ever wondered what it takes to be a good CIO?    As with most leaders you could list such things as being honest, collaborative, creative and inspiring, or having strong commitment, positive attitude and the ability to execute.   A team player who provides a good cultural fit, would also seem desirable. However, thinking specifically about a CIO, are there things that are  inherently different that require different attributes?”

There are many interesting insights in CEO’s seek CIO’s with a “Bias for Action” that really set the bar pretty high for a CIO and make me wonder how you can possibly get there.  I think expectations are so broad and high that you need to have a strong team reporting to you, and you need to report up to  a strong team.  That is the only way to become transformational and  develop the ability to “walk on water” .

The most interesting piece for me, was the need to “gut-think”.  They argue that CEO’s are able to act faster because they “trust the gut”.  The suggestion is,  many CIO’s tend to be analytical and rely on evidence based decisions and that takes time.  “CIOs who can channel their inner CEO by reassessing their business, adjusting their strategy and executing earns the coveted “transformational CIO” moniker”.   These are arguably the most successful CIO’s, but I want to challenge the notion that is that simple..

It comes back to the actions of  the teams you deal with, or maybe just the culture you live in.   I think higher education can impose certain constraints on the CIO that at times conflict with this need to gut think and make decisions quickly.  I don’t think it is across the board, but there is a strong culture to think things through very deeply and consult very broadly, before undertaking any action.  That is not necessarily bad, but sometimes it can lead us to become handcuffed and we don’t do what is needed.  Even when we do make decisions, by the time we get there it may  too late because the world has changed or the problem itself, that we are trying to resolve, has become bigger and needs another approach.

So, I think I agree that organizations are asking a lot from their CIO’s, and deep down they want their CIO to be transformational.  However, I am not sure that our governance structures in higher education are  mature enough to support the CIO driving transformation.   Maybe we need to just trust our gut more and go for it – who knows, maybe we can all walk on water.

Your mission, should you choose to accept it…..

Suppose you are given an opportunity to present a SWOT about your organization.   The audience is an incoming Provost and all their reports, including the Deans.  The rules are it has to be a verbal pitch and you have 3 minutes maximum to present.   Others in the room will also be presenting their SWOT’s.   You can only do one Strength, one Weakness and so on. That is much harder than it first appears.  This is your archetypal elevator pitch, so what would you say?

I presented  this challenge to my peers in CUCCIO and the response was startling.   I ended up with about 40 CIO’s responding, which is about 2/3 of the community.  It has led to some interesting discussions and some valuable data.    There  is a lot of commonalty between schools, but each school is also unique in terms of their maturity and what they focus on.   I will summarize some of the responses and finish with my statements, as this was a real exercise for me.

In terms of full disclosure, I see Strengths and Weaknesses as being internal to the organization, while Opportunities and threats are external to the organization.  Strengths are characteristics that give your unit an advantage over others, while weaknesses are characteristics that place your unit at a disadvantage relative to others.  Opportunities are external elements that exploit your advantage and threats are elements in the surrounding environment that could cause challenges.   Inevitably people read this differently, and the lines get blurred.  I hope this clarification helps explain my SWOT statements..

Strengths:

Most CIO’s talked about their people.   I don’t disagree we have great people, who are very dedicated, in higher education, but if we all have great people then how is this an advantage?   In addition, several CIO’s talked about a buy-in to the Enterprise.  I think this either plays out from the size of the school – the smaller the school the more buy-in to enterprise – or from the maturity of the school.   By that I mean the more mature the school is the better handle they have on enterprise computing.   Engagement was also mentioned frequently and I think this plays into the need for CIO’s in HE to build consensus and drive norms which may differ from other sectors.

Other things that were mentioned included Infrastructure, Applications, Services, Project Planning and Governance.   Governance was only called out once, but it probably blends into engagement and enterprise.  Almost every item on the list resonated with me, the challenge is picking only one.

My response:

The ability to take an institutional view. By that I mean we have the  capacity to understand the complexity and scope of the enterprise environment and design and implement  solutions that satisfy that environment in an efficient and cost effective way – this is true whether it is administrative, academic or research technology – I think IT has a unique view across those disparate domains ( examples would be our ERP , or our institutional LMS.

Weaknesses:

Governance came up frequently as did recruitment and retention.  Governance has been top of mind for many of us and given we still see it on these lists it is a tough one to resolve and some of us till aren’t there.    Agility, maturity, language, culture were mentioned in various ways. Size, capacity and redundancy came up with someone lamenting that “there is too much work keeping the lights on and not enough put towards grow and transform”.  This is an ongoing challenge.  Internal challenges within the unit were also mentioned frequently, referencing such things as silos and inability to take ownership as a team. This category is  normally the easy one to tease out in Higher Education IT.

My response: 

We are not always good at speaking the language of the business and this challenges our ability to effectively communicate the value of IT. We frequently find that advancing institutional IT priorities must rely on persuasion and influence rather than common vision and goals and this takes a long time. This means that we aren’t always agile and this frustrates the Faculties who have resources, to the point they build their own solutions.  We then sometimes let go of institutional solutions, or water them down, which can further increases the divide between faculties.

Opportunity:

Not surprisingly the biggest opportunity was around cloud and shared services.  There are clearly many definitions around the cloud, but they all contain the same message around finding efficiencies, creating agility and enhancing security. Many people also referenced various campus initiatives that were redefining IT support on campus.   New technologies, internal pressures, efficiencies and campus culture were also mentioned,   There was a theme running through many of these that the organizations were maturing and there was an opportunity to engage in a new and different discussion.  In other words there was an optimistic view that the community was starting to be ready for this dialogue.

My Response:

Shared services across HE, including the cloudWe are looking for some level of aggregation to cut costs and/or satisfy a growing pool of unmet demands.   The catch here is that we must undertake our due diligence to ensure our information resources are well protected – we can’t outsource stewardship or ownership of Personally Identifiable Information and Intellectual Property.  This doesn’t always sit well with the community when they see it as another delay.

Threats:

The top threats were equally split between finances and cyber-security.  In some cases there was discussion that the financial challenges were impeding the ability to deal with cyber-security which is somewhat troubling.  The rate of change was also called out by some people as being a challenge.  Somewhat related to this is the notion of unrealistic expectations in our community, to the point that someone actually sated that there was  “a divergence of expectations and reality”

My response:

The increasingly hostile security and privacy risks that need to be responded to in a highly distributed decision-making landscape.  Like the rest of the world we probably aren’t really aware of the threats and the risks and they have become malicious and costly to mitigate or clean up.

——–

Given the prolific response to the exercise I think this gives us some relevant material to work with.   We are looking at sharing the detailed responses with the CUCCIO community.   I believe that going through the exercise helps us shape our thinking and hearing other perspectives is incredibly valuable in validating our thinking.

Postscript: …as always, should any member of your team be caught thinking about this,  we will disavow all knowledge of your actions and/or this post.

 

 

The demise of the Canadian University CIO…?

I remember many years ago a colleague joking that CIO stood for “Career is Over”.   In those days there was lots of turnover and success did not always translate into longevity in the role.  Some recent departures in the Canadian University sector are making me ponder whether there are systemic issues that are causing our best and brightest to leave the sector.

I have talked about CUCCIO (Canadian University Council of CIO’s) in previous posts, but maybe just a little refresher.  Most University CIO’s in Canada are members of this group.   We engage on a daily basis through our lists, and meet face to face three times a year.   The group is very collegial and there is probably a core group of 35-40 at each meeting.  It is an important organization with some great leaders.  We learn from each other, we advocate, we commiserate and we make HE IT better when we get together.

Over the last year and a bit I can think of 8 CIO’s from this group of 40 who have left their roles, all but one of which were at a U15 (research intensive) school.  Prior to that, a couple of well-respected long serving CIO’s also retired.   This has an impact on an organization like CUCCIO, and on the Canadian University Sector.   These were some of our best and brightest. People who were driving organizational change and transforming the way we thought about IT. I feel the loss.

These individuals left for varying reasons, some stayed in HE but went to other countries, while others left the sector entirely. My question – Is there something systemic drawing or driving them away?   Certainly the CIO role can be a challenging one.

In trying to encourage collaboration across Universities I have been thinking a lot about why it is so challenging in IT when we see other parts of our institutions, such as the libraries, have success.  When I talk about collaboration I mean much more than just collaborative buying clubs, I am thinking about infrastructure and services that multiple institutions plan, invest in and share.

CIO’s in public sector institutions often work in an environment where expectations for IT in our communities exceed what can be achieved with the resources we have to work with.   At times many of us can be head down trying to meet these expectations, sometimes with a very singular focus driven by institutional priorities.  There can also be little tolerance in our communities for IT failure and that can push us to be more risk averse than we would like, or need to be. Although we are working hard at it and we are moving forward, many places haven’t truly embraced technology as a strategic enabler and look at IT as just another cost centre.   This makes it really hard to motivate real change and encourage our organization to advance where they need to.  There is simply very little capacity for collaboration

A few years ago I was talking to a colleague who moved from HE to a private sector agency.  They looked great, were happy and there was excitement in their voice.   They said that when they had good ideas for moving the organization they had instant support from the CEO and there weren’t long drawn out consultations with the community.  They were still doing their due diligence, but made decisions faster and resourced them appropriately.  They said it was fantastic to deliver what their community was asking for in a timely and responsive manner. They were doing it well and their staff were happy. It was fun being a CIO again.

So I leave you with a few questions that I hope will be discussed at our next meeting of CUCCIO.  Is there a systemic issue, or is this just a blip?   Is the grass really greener on the other side?  What can we do to help create an environment for success? How do we make up for this loss of talent and what are our collective plans for succession?

Encouraging Collaboration between Universities

We have all heard our favorite quotes about failure being an essential part of creativity innovation and moving forward.  My favourites focus on the notion that failure is simply the act of gaining experience.   Even though we encourage and embrace failures in our students and faculty when it comes to learning, research and discovery it has always been elusive in administration and especially in IT departments. We simply won’t talk about about our failures, and I think that is a challenge.  If we want to work collaboratively, the biggest success will be driven from sharing our failures.

This morning I went to the gym early  and jumped (stumbled?) onto the bike with the intent of catching up on some reading from the most recent Educause Review.  The first article, Embracing Failure to Spur Success: A new Collaborative Innovation Model by Kim Wilcox and Edward Ray really was a good start to my day.

They talked about some of the problems we are all facing and how each of us are making progress, but “the progress could be even faster and more dramatic if we did two complementary things: collaborate with each other across campuses, and embrace. share and learn from failure”.   I couldn’t agree more.    I could sense my cadence get faster as I read this.   I recently invited a colleague of mine from another ‘system’ to speak at a meeting of my peers from across Canada.  The discussions were on shared services and I remember the colleague saying, “I am not sure what I can say about that, because what we did wasn’t a complete success”.   My response – that is exactly what we need to hear.  That is the value that you bring to us, to be open and honest about what didn’t work.

Wilcox and Ray are  talking in the article about the University Innovation Alliance.   A consortium of 11 major public research universities looking for new and innovative ways to collaboratively address shared problems.   They point out the need for candor and that rests on a strong foundation of trust.    To help develop that trust they have agreed to a common set of goals and it seems like there is some unwritten commitment to be frank and open when it comes to sharing.

Here in Canada the university CIO’s across the country have created an organization called CUCCIO.   We meet on a regular basis and we share a lot of information about what we are each doing.  Since the early days there has been a push towards building trust amongst the membership and this has gone a long way to opening up and sharing not only our success, but our failures.  Our discussions are frank and informative and they add value.  Recently a sub-group from Ontario has started to discuss shared services.  The group is smaller, and given the fact that education is funded provincially it may be easier to facilitate at this level.   That being said we still benefit from seeing what the rest of the group is doing in their respective provinces and learning from their success and failures.

I think the next step for us might be, as outlined by Wilcox and Ray, to get “buy-in from the leaders…. it sends a signal to the entire campus administration and community that collaboration and innovation are to be prioritized and that sharing lessons learned from failure is not only acceptable, but essential”.  We need the whole community on board if we want to drive the type of collaboration that I think we need.

A great call to action, not only for the UIA, but for all of us.

Success is stumbling from failure to failure with no loss of enthusiasm.” Winston Churchill.

 

Security is everyone’s business ‘redux’

We have been having a broad discussion around information security here at Queen’s and a while back I wrote a blog that talked about how security belongs to everyone and we are only as good as our weakest link.  I thought it would be helpful to share what one department has recently  done and show that this is not insurmountable.  Taking some small, well orchestrated, steps can completely change our security posture and significantly mitigate risks.

Queen’s Advancement Services have recently stepped it up to ensure the information they handle is safe and secure and procedures are consistent across the board.  Currently 99% of their staff have taken the ITS Security Awareness Training.  In addition, 98% of their staff have attended a personal Information Security Session designed for the department.  This covered things like email best practices, handling paper, and mobile device management.  They have also created a Security Standards page for the department and ensured active and signed confidentiality agreements for those handling sensitive information.

On their hardware side they have created physical and logical safeguards for all their devices and  they have moved all of their servers to a secure data centre on campus.  All their applications and business software has been audited by the ITS Security Group and all of their servers are  maintained and patched on a regular basis, with an associated change management protocol.

Congratulations to the team in a Advancement.  You have done a great job and set an example for others to follow.  Our information is valuable and we have been entrusted to protect it.

 

 

Safe computing in the cloud

Today I was pointed to an excellent article on the use of OneDrive from the University of Wisconsin Milwaukee: http://uwm.edu/o365/onedrive-security-recommendations/.  It outlines the risks of using cloud based storage, followed by excellent information on practices that can mitigate those risks.  This is something I have been trying to start a dialogue on at Queen’s for some time.  It is normally more about how we handle information than the tools we use to transmit it and where it is stored.

One thing I think is important to note:  The article’s focus is OneDrive, but the risks and recommendations it covers apply with many other storage solutions, whether cloud-based or not. Regardless of where data is stored, we all need to pay greater attention to understanding and applying safe handling practices for the different types of data, especially that which is considered confidential or sensitive.

The first part of the article really focuses on these best practices.   We should be cautious when using unsecured connections, make sure our systems are up to date and equipped with the latest virus and malware protection software, consider what needs to be encrypted, use strong passwords, and be wary of unsolicited emails asking for accounts and passwords.  We should all adopt these safe practices, no matter where the data resides. A server plugged into the Queen’s network or on a home network will in almost every case be more vulnerable to being compromised or infiltrated than a major cloud based service used globally.

I encourage people to click on the link in the article which takes you to their data classification standards, where you’ll find a very good distinction between confidential and sensitive data.   SIN, credit card numbers, login credentials or information that is protected under a statute, act or law, are confidential in nature and need extra care.  Our sense is that too often people send this type of information over email, even though email really is not a secure means of transmitting anything valuable.  I don’t think being confidential precludes us from using the cloud to store a file, but ensure you take extra care.   Maybe for these files you want to attach a password to them or if you are at Queen’s you may want to use other servers like QShare or the AD File Shares, even though we do not believe that in and of itself it mitigates the risk.

All in all, the article is a great read and something that we should all pay more attention to.  Our information assets are valuable and we need to ensure we do our due diligence.  How we classify, distribute and handle the information is probably more important than where we store it.   Moving to OneDrive, we have done our due diligence and  have subscribed to a secure environment that protects the privacy and confidentiality of our information.

Collaboration

One of the biggest challenges and opportunities in HE these days is facilitating on-line collaboration.  These things tend to happen organically, but in a community like Queen’s there are advantages to consolidating around common solutions, where we can easily find our ‘community’, use common tools, build consistent support and be sure it is done safely and securely.  We sometimes refer to this as virtualizing the residential experience.

This is an exciting week at Queen’s.  We  rolled out OneDrive for Queen’s, (also called OneDrive for Business) to all of our students, faculty and staff (notifications going out Monday).  This gives everyone at Queen’s access to 1 TB of web based storage per person.  That means you can securely access all of your files from anywhere that you connect to the web no matter what device you use.   It is also easy to automatically sync to your computer, so an up-to-date version of your files is always there even if not connected to the web (remember to encrypt your local synced files if there is sensitive and personal information on it).   You can share files and folder with colleagues at Queen’s or beyond.  From the Web App you can open files using Office products like Word, Excel and PowerPoint in the cloud, and multiple people can edit the same file concurrently.  People using the new active learning classrooms have been asking for this type of functionality.

OneDrive is a secure place to store your files,  backed up by negotiated contracts that ensure we maintain ownership of our information and that it is protected..  The data moves securely between Queen’s and the external data centre and is stored in a highly secure infrastructure, monitored 24x7x365.  The level of security is far better than what we are resourced to provide on-premise.

The solution isn’t perfect, but we are working on it.  As an example, there is not yet a OneDrive app for OS X, although there is for your iPhone and iPad.  Patience…. it is coming very soon and you can always use the web based app to access your OneDrive.   At the moment this is also really designed to be storage for the individual, although you can share with others.   The next step will be to roll out Share Point and Team Sites which will open up another set of opportunities around group collaboration.

Some people may be critical of the fact that the data is in the cloud.    We have done our due diligence here and had discussions with a lot of experts, including privacy commissioners and legal counsel. I encourage you to read my other blogs and also look at the Office 365 collaboration tools page on the CIO website.   There is a lot of information that I hope alleviates some of those concerns.  Also check with your peers and you will begin to see a lot of people are already storing information in the cloud, unprotected by any legal contract that involves Queen’s.

At Queen’s we also have access to QShare, which is still a good choice for group sharing, but OneDrive takes web-accessible storage to new heights.  As well, many people have what they call departmental file shares or AD file shares.   The ITS Team is working on documentation to explain when you might want to choose one over the other.   Stay tuned.

So, we are excited.  I think the team worked really hard, in a compressed time frame, to introduce a great new collaborative tool in OneDrive at Queen’s.   It is a lot of storage, works really well and there will be more to come as we enhance this with new features and expand the quiet of integrated collaborative services.

Let us know how you use it.  We are interested in hearing about the application of the service.

 

 

 

 

What the heck are those IT ‘guys’ doing anway….

You may be tempted to complete that title with ….playing video games all day. In reality the bulk of the work done in IT organizations is done behind the scenes, and that work is becoming increasingly complex and demanding, and there is very little ‘extra’ time in the day.  With the consumerization of technology it is becoming harder for the community to appreciate what the IT organization is doing, especially when it doesn’t seem to impact them directly.

Last week, at a CUCCIO meeting in Winnipeg we heard David Barnard say that the broader community tends to focus on local optima, while the IT organization focuses on global optima.  This can lead to confusion and frustration, even though the two groups want the same thing.  It is the fact that the perspective differs that things appear to be misaligned.

Last weekend a big part of the ITS team and Finance were engaged in a significant upgrade to our Financial systems.   Not only were staff working around the clock on that weekend to try and minimize impact on the business, they were also in on a weekend a few weeks earlier to do a dry-run of the upgrade.   An incredible amount of work goes into upgrading these systems and there is an incredible amount of testing done to make sure everything works.  The community doesn’t like change and are reluctant to change process, so we end up supporting a number of workarounds and customizations.  To put it into perspective, this upgrade involved over 16,000 hours of work between Queen’s and IBM.   Think about that – that is close to 10 years of work, and it doesn’t fully account for all the effort.  That is just the effort tracked and recorded against the project budget.

Overall this was a really good upgrade, and we actually brought the system up early so that people could start using it first thing Monday morning.  Staff really care about what they are doing and the partnership between ITS, Finance and IBM worked very well.   That is not to say that everything was perfect, but if issues did not arise during the upgrade then the end result would not have been as good.

The team doesn’t really get a break now, because many of  the same people that keep the lights on, do double duty on the project.   Inevitably things will need to be fixed and tweaked as people start pushing the system over the next while.  In addition, more work will be starting on Campus Solutions (student) and HR shortly.  We need to upgrade these systems in order to add functionality, fix problems and ensure we continue to have a system that is supported by Oracle.

The expectation of technology today is that it just works and we probably don’t resource our teams to align with that expectation.  People are focused on what is in front of them and if it doesn’t work, that is what is fresh in their minds.  Every once in a while we need to step back and appreciate all the effort that goes into making things work, because for every problem that people talk about there are 10 good stories where staff went above and beyond.

Thanks to all for a great upgrade.