Is culture impeding security?

Have you ever questioned how effective we are at doing our job, when you see all these reports coming out about servers being hacked and personal information being lost?   We are certainly aware of these reports and take them seriously.  It seems like there is a new one every day.  Recently it was announced that Target lost the personal information of tens of millions of people.  This is stunning.  Higher Education is not immune, and has its fair share of attacks.

In some cases, attacks are becoming more sophisticated, while in other cases, brute force processing power is used to find weaknesses. Last week I was talking to some of my peers in the U.S. and we had an interesting discussion on why these attacks seem to be happening more frequently and what we are doing about them.

We bounced around a few ideas we had heard elsewhere, and three things surfaced:

The culture of hoarding:  We simply keep too much information.  We need better record retention strategies and we need the policies in place to make sure people follow them.  In our information age, the days of trusting that individuals have the skills, judgment, and capacity to manage this are long gone.

The culture of frugality:  We need to invest more.  In higher ed we sometimes lag in having the proper governance structures in place to be able to make the tough decisions on where resources are needed and what the priorities are.  It is hard to commit new investments when funding is being cut and tuition is regulated, but we need to look at the whole picture.   Information Technology is an integral part of the university and we need to stop treating it as a cost centre.  Our investments need to be strategic and effective.  In some cases this means looking at the cloud, which means we need to overcome the perception that information in the cloud is less secure.  This is not necessarily true and in many cases cloud security is significantly better and more cost effective than what we do today.

The culture of service: This was the one I found the most interesting and one I had not thought a lot about. We are moving more and more to a culture of service and trying to deliver whatever our community needs. As we do that, we may not be emphasizing security as much as is probably needed and we are likely compromising. The stress on this service culture is partly to build up trust and to avoid too much shadow IT in the organization. Some of that shadow IT is healthy, but we do need to ensure we invest where the value add is and make certain that security is well understood and implemented. On top of this, the university ‘network’ has also been thought of as a fairly free and open environment and that adds to the risk and means we need to be more diligent.

Back to the question of whether we are doing our jobs. Simply put, yes. I know we take the threats seriously, have many mitigation strategies in place and invest a lot of resources. I also feel that the cultures of hoarding, frugality, and service are making it a more challenging endeavour. We need to engage the community, build a better understanding of the risks, make sure proper policies and tools are in place and back this up with effective investments. We need to consider all options, because this is only going to get more challenging.

Security – Everyone’s Responsibility

When was the last time you forgot your laptop or phone at a coffee shop, bookstore, library, or restaurant, only to find it still sitting where you left it when you rushed back in, panicked, a few minutes later?

When was the last time your car, office, or home was broken into and something was stolen, but you weren’t sure what?  These are places you think are secure, perhaps even alarmed, but were still vulnerable.

We usually think of something like this in terms of what we would have lost (“my whole life is on that phone!”) rather than what someone else might have gained.  But was there a USB key sticking out of your laptop?  Is your phone password-protected?  Is someone else’s personal information on any of your devices?  Can these devices be used to access other systems?

When we relax our attention, these thefts are more frequent and other security threats become more prevalent.  We need to build awareness and ensure we have the resources to build prevention into our technologies and services.

Most people in our communities are unaware of the massive number of attacks that occur behind the scenes on our systems.  Occasionally, an individual may get caught in a phishing attempt, or maybe they get a virus or malware on their personal computer. These threats are only a fraction of the threats out there and even though the personal costs may seem significant for those impacted, the cost of prevention and remediation to the organization as a whole is a significant part of our operations today.

We need to be aware of these threats and we all need to ensure we do what we can to help identify and prevent them.

In terms of email we see an incredible amount of spam and malware coming to our border.   At Queen’s, we might see about 14,000,000 incoming messages in a given month and close to half of those messages are intercepted at the edge and rejected as spam.  The University purchases and maintains special hardware to make sure the vast majority of these messages don’t make it to your inbox.

Through public education, the community is becoming more aware of phishing attempts and usually ignores them, but accounts are frequently compromised and Queen’s has to expend considerable resources to mitigate the risk that these accounts pose. Occasionally these accounts send out massive amounts of spam. ITServices has to keep scripts in place to identify and throttle these accounts before Queen’s is blacklisted and our email systems come to a crawl. Information can also be stolen from these accounts and the costs to repair that are hard to quantify. At the moment we only scan Queen’s outgoing email for spam, but there are tools that prompt machines to scan email for things like SIN and Credit Card Numbers and notify the user to double-check before they let the message go out.
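The kind of outgoing-mail check described above can be sketched as follows. This is an added example, not Queen’s tooling or any vendor’s product: the function names, patterns and prompt wording are assumptions, and the sample messages are constructed. It relies on the fact that both payment card numbers and Canadian SINs carry a Luhn check digit, which removes most false positives such as phone or student numbers.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    kind: str    # "credit_card" or "sin"
    masked: str  # digits with all but the tail replaced by '*'
    start: int   # character offset in the message body


# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Nine digits, usually written 3-3-3.
SIN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used by payment cards and by Canadian SINs."""
    if not digits.isdigit() or set(digits) == {"0"}:
        return False  # all-zero strings pass Luhn but are never real numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask(digits: str, keep: int) -> str:
    # Never echo the full number back into logs or prompts.
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_outgoing(body: str) -> List[Finding]:
    """Return Luhn-valid card and SIN candidates found in a message body."""
    findings: List[Finding] = []
    card_spans = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("credit_card", _mask(digits, 4), m.start()))
            card_spans.append(m.span())
    for m in SIN_RE.finditer(body):
        # Skip nine-digit runs that sit inside an already reported card number.
        if any(s <= m.start() < e for s, e in card_spans):
            continue
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("sin", _mask(digits, 3), m.start()))
    return sorted(findings, key=lambda f: f.start)


def confirmation_prompt(body: str) -> Optional[str]:
    """Text to show the sender before release, or None if nothing was found."""
    findings = scan_outgoing(body)
    if not findings:
        return None
    items = ", ".join(f"{f.kind} {f.masked}" for f in findings)
    return f"This message appears to contain: {items}. Send anyway?"


# Constructed sample messages (test numbers, not real data).
SAMPLE_HIT = "Please charge 4111 1111 1111 1111 and my SIN is 046-454-286."
SAMPLE_CLEAN = ("Student 123 456 789 called from 613 555 0100 "
                "about invoice 4111 1111 1111 1112.")

if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_CLEAN):
        print(confirmation_prompt(sample) or "No sensitive numbers detected.")
```
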

This isn’t unique to Queen’s and in the last few days we have seen the following posts at Western and Carleton, reminding the community about threats.

At Queen’s, we also run an intrusion detection/prevention system on our network. Between January 14, 2013 and January 14, 2014 we blocked just under 20,000,000 ZeroAccess bot connection attempts. These are a type of Trojan horse malware that affects Windows systems. In addition, we blocked over 700,000 “ICMP: Nachi-like Ping” attacks, which come from a family of worms that attack systems.

There are thousands of other attacks and the threat is significant.

On top of the intrusion detection system, we need to ensure our services and servers are not vulnerable to these attacks and exposures.  In 2013, Queen’s did 231 security assessments, some with external resources and some with internal resources.  These take a lot of time, but they are preventive in nature and well worth the mitigation that they deliver.  We plan for these assessments to be done on new services as well as services that have undergone upgrades.  We also monitor what is happening elsewhere and assess where we feel there may be heightened risks.

In addition, we have numerous compromises that we have to deal with on an emergency basis.  The assessment, mitigation, and recovery take significant effort.  Not all of these compromises are preventable, but education, knowledge, and awareness do come into play.

I hope this information has increased some awareness around the number of threats that Queen’s faces and reinforced the notion that security is a concern for all of us.  We need to have strong policies in place, make sure there is user-awareness, that individuals have access to the tools they need, and that we invest appropriately to prevent intrusions and their associated clean-up costs.

Acting AS THE Business

During the last couple of weeks I had the opportunity to spend time with my peers in Canadian higher ed institutions through CUCCIO (Canadian University Council of CIOs) meetings and through a Microsoft Higher Education Executive Briefing in Redmond, Washington.   This is always a great opportunity to share ideas, develop thoughts, establish common ground, and build partnerships.  In one of the background pieces for CUCCIO strategic planning discussions, the following comment sparked my interest:

“..exploring, understanding, addressing the transformation of Higher Education and the CIO role and how we can collaborate on what that looks like and how to effectively manage the change in our diverse and structured environments”.

This is something that we really need to ponder and figure out.  The role of the CIO is evolving in most sectors, as are the roles of the people employed in HE technology.  I don’t think it is anything more than the maturation of our organizations as a whole, and the maturation of the role that IT plays within that organization.   I have talked about this evolution before in various forums.  It is related to the notion that IT is embedded in most everything we do and because of that we need to embed IT decisions into the day-to-day business of the organization rather than having it as something over on the side that is only called upon on occasion, or worse yet, whenever there is a problem.   At the same time, I have also said that IT is an enabler and a partner.   I am beginning to rethink this a bit.  It is not that I think it is wrong, but maybe there is a better way to characterize this.  After all, it is not just about IT changing, it is also about the organization changing, so maybe we need to look at it from the other side as well.

A few months back my Associate Directors went to a development program through the Intervista Institute in Ottawa where they looked at IT Portfolio Management in a strategic sense. One of the things that they discussed when they got back was the area around IT and business alignment. It is absolutely critical to get to this alignment, but probably one of the hardest things to achieve. Whether it is lack of engagement by the business, lack of understanding of the business by the IT unit, lack of resources, or lack of leadership/vision, it is hard to drive this sort of transformation. At the end of the day it is no longer about producing good code, it is about improving business performance and having a shared vision around what that means.

In the development program, the Associate Directors looked at IT Credibility and Capability and laid it out in two very nice quadrant style diagrams.   In the bottom right of the Capability diagram was the traditional notion of Supporting the Business.  This is about cost and efficiency, which results in a delivery of Low Capability.  This is such a trap that we fall into.  IT becomes a cost centre and at the end of the day nobody is happy because we are not enhancing business performance, even if we say we are working efficiently.

The middle of the graph is where IT is Acting like a Business.   In this area we are starting to drive from efficiency to effectiveness and from cost to investment.  In this area we haven’t yet developed a balance and subsequently we aren’t fully delivering on business performance and we haven’t maximized the IT capability.   I see this as a transitional piece – a place we have to go, but also somewhere in which the path forward is not always clear, and there is always the threat of falling into the efficiency/cost trap.

True alignment between IT and the Business is where we focus on effectiveness (as opposed to efficiency) and treat IT as an investment, rather than simply a cost.   The title of this quadrant is Acting AS THE Business.  IT may be an enabler and partner in this area, but it is also an integral part of the business.  Decisions about technology are no longer made in isolation and we measure business outcomes, not just cost efficiency.

I really like the three states that they describe: Supporting the Business, Acting like a Business and Acting AS THE Business. It certainly resonates with me, but I also think this is something that is stated in common language that can be understood by the technology group and the business. I believe it lays out a clear path forward for us. In a previous post I have talked about running our senior administration through the Info-Tech CIO Business Vision Survey which is about understanding the business and measuring the business satisfaction. This is about driving alignment and trying to move us towards acting as the business. At the moment I am going out to visit each of the people who have completed the survey and, upon reflection, I really think those visits are all about driving alignment and talking about getting IT to act as the business.

Olympics and network contention

The network in the University environment is an interesting beast.  Some people would consider it a bit of the “wild west”, while others would probably say it is a very monitored and controlled environment.   In reality it lies somewhere in between.   We don’t shape the traffic on the main campus network  and we generally don’t monitor activity.   That being said, we do monitor such things as overall usage (not individual usage) and contention to help us manage the environment and ensure good performance.   If something is wrong, we need to know and respond quickly.

Most people would like us to have a network with unbounded bandwidth, but that wouldn’t be fiscally prudent. Currently we have two commercial links of 1 Gbps and 2 Gbps, respectively, as well as a research link at 10 Gbps. On most days this really acts like a bottomless cup of coffee and people don’t experience contention. The design also gives us good redundancy if one of the links were to go down (as happens occasionally).

All this flies out the window during the Olympics. If you look at the graph in the link below, you can see that we did saturate the network occasionally during the week of Feb. 10th. The level of activity is about 2x the norm. It was especially high around noon, which is usually when there was a hockey game. So, what do we do in these situations? It does not seem to have elicited any complaints. Personally, I have noticed minor slowdowns, but nothing significant. It appears the contention happens on the commercial links where people stream content, and given peering, some of our normal ‘business’ travels over the research link which has greater capacity.

So, for now, we will continue to monitor events and we will not try and ‘shape’ the traffic.  Hoping that the Olympics continue to be scheduled during reading week :-)


Selling Management to Techies

In the December 2013 Issue of the HBR, David Garvin wrote an interesting article on “How Google Sold Its Engineers on Management”. There were a few things I found interesting about this article, the first of which was it being buried in a Spotlight on Making Your Company Data Friendly Section. Certainly not what I expected, although it does talk about mining HR data.

More interesting for me was how they shaped the culture to have a richer and deeper understanding of management through direct engagement from their employees.   The interesting piece here is the tech sector and the unique challenges that come with managing techies/engineers.   All of this change didn’t happen overnight and these things take time.    They brought in a culture of 360’s and worked with the managers on developing a series of core competencies or behaviours.    They then used this list to get a common language and asked their employees to rate their managers, twice a year. It sounds a bit like a 360 light and the list of questions included such things as: are they being a good coach, do they empower the team, do they micro manage, is there clear vision and strategy, do they have technical skills…  None of this is new, but you can see how some of these would resonate with technology professionals.    They made sure there was a good understanding of each of these behaviours across the organization and they added in some qualitative questions on behaviours that were seen or should be seen.   They encouraged the managers to share their results, and set targets for improvement.    They also mined the data to observe more subtle differences and help validate the results, as well as the process.

At the end of the day they saw most improvement in the managers who scored lowest and they nurtured a better understanding and respect for the management role.  It was a good article and an interesting process that could be replicated.

On a side note, an interesting take away for me was the management/employee ratios. If we take the 5,000 managers, 1,000 directors and 100 vice presidents away from the 37,000 total employees at Google, that leaves 5,000 managers for about 31,000 employees, or a ratio of about 6 to 1. We recently did a reorganization here that created a new cohort of operational managers and we sit at about 6.5. There always seems to be a debate around too many, or too few managers. Maybe we are ok :-)


Business Vision

We recently conducted a CIO Business Vision Survey using the services of Info-Tech.  This is a survey of senior people at the institution designed to determine stakeholder  need and improve engagement.  It is a big step in ensuring  that we have common vision, shared governance, and joint accountability.  The survey focused on IT satisfaction and value, IT relationship satisfaction, business priorities, and core service satisfaction.

This was the first time we had attempted to do this sort of high-level stakeholder engagement. What appealed to us in the beginning was the low risk of this undertaking. It was all done by Info-Tech. We simply provided the list of the stakeholders and they did the survey, prepared the reports, and engaged with us in a discussion. There was no financial cost to this. The biggest investment on our part was the time of our senior people who filled out the survey. This is certainly a significant cost and we appreciate the effort in making IT@Queen’s better.

The results we received were interesting, and very helpful.  As an example, one of the things that was delivered was a Service Gap Score across a variety of services.  This is the gap between the importance individuals place on a service and the satisfaction they have in the delivery of the service.   At the one end of the spectrum we have a positive gap on Faculty and Staff devices, while at the other end we have a negative gap around administrative applications, campus infrastructure, analytical capability, and reports.   I don’t think we were surprised by this, but it is certainly a loud and clear message, which was also highlighted in our external review – IT@Queen’s.

Next steps for us are to review this material in greater detail. There is a large amount of qualitative and quantitative information. Part of the process will be engaging with those who filled out the survey and digging a little deeper. 49 people filled out the survey and they include Deans, Associate Deans, Department Heads, AVPs, and Directors. Once we have those discussions we will publish the results and begin working on incorporating this into our strategic plan. Then we will start the cycle over. We are also going to be seeing if there is an opportunity to get other HE institutions to use this, so that we can include it in our CUCCIO benchmarking initiatives. The intention will be to do this on an annual basis and use it to measure change.

Privacy by Design

Earlier this month we had the pleasure of hosting Dr. Ann Cavoukian, the provincial privacy commissioner. Talking to a few people after the lunch seminar, it really sank in that we are so fortunate to have a person with such an international profile in our own backyard.

The session was jointly sponsored by my office and The Surveillance  Studies Centre at Queen’s.  Needless to say there was a heavy focus on surveillance, that included an impassioned plea by the commissioner to protect what we have, and exercise our rights through engagement.  It was a fascinating overview with some interesting insights into something I haven’t thought a lot about.

The piece that I was most interested in was the work the office has done on Privacy by Design.  Dr. Cavoukian has a compelling argument that introducing technology doesn’t imply that we have a zero sum game, as long as we take privacy into account in the upfront design of our systems.  Sometimes I find that there is a perception in the community that the introduction of technology into many parts of our lives has inherently compromised our privacy.  If you practice privacy by design you can have both the technology and the privacy.

This is particularly relevant to us in higher education as we  continue looking towards technology to streamline our business process and drive efficiencies in order to balance our bottom lines and keep up with the community demand for new and richer services.  As we venture into the cloud  we must ensure that we actively embrace our role as stewards of the information that is entrusted to us.  We must understand the differences between private information and confidential information, the implications and limitations of encryption and how we build transparency into our processes.

When we recently rolled out Office 365, we undertook a Privacy Risk Assessment at the beginning of the process. At the end of the day I think we have a better service, where we had a much better understanding of privacy and our role going forward.  We ensured that the community reaped the benefits of a much richer collaborative suite, while not compromising privacy – win-win.



Techies to Leaders

We recently created a new leadership team within our ITS unit. The team consists of four Associate Directors and a group of Coordinators. The Associate Directors have had varying leadership roles in the past, but many of the coordinators are taking on new responsibilities and transitioning from technical roles to leadership roles. Throughout my years in Higher Education I have always found it a challenge developing leaders within the technology sector, especially those with a strong technology background. I remember when I moved from being a Statistical Analyst to becoming a Manager and I missed the old work. I liked working in the trenches, dealing with grad students and using my technical skills to solve problems. It was very rewarding work and it was something that energized me.

It was hard to give that up, as it is for many people, and it is also hard learning a whole new set of skills.   Some people feel drained at the end of the day by leadership and we are not always helping them by moving them ‘up’ into these leadership roles.  I have had a few of these situations where people just didn’t get energized by their new role and it was difficult to watch their passion disappear.  Addressing these issues can be challenging, but usually at the end of the day there is a sense of relief on both sides if you do address them early and deliberately.

As an organization we have a responsibility to ensure that we recruit and retain people.  Retention can take many forms, but part of it may be providing people with a career path, and that may include helping people move into a leadership role.   If we do this we need to give people the tools they need to succeed and we need to support them.  As an aside, there is often a challenge of creating career paths that stay within the technical stream.   Putting technical leadership on par with more traditional leadership can be problematic.   If you have this one figured out let me know.

In a recent article by Robert M. Fulmer in the Wall Street Journal, Do Techies Make Good Leaders, he highlights how deliberate we need to be in order to develop these people. He hints that maybe it is harder to develop technical people into these roles and we thus need a different focus. He points to five areas that I think are very important for developing all leaders.

  1. Formalize the System
  2. Focus on the Data
  3. Value Leadership
  4. Engage the Audience
  5. Encourage Coaching

I found the insights in section two to be extremely revealing and simple.   He suggests you measure leadership on the individual’s ability to complete performance development plans for their subordinates, along with their ability to advance the careers of those who report to them.   I never really thought about intentionally tracking that information.   To me it is all about developing a talent management plan, creating succession plans and changing the dialogue we have with our staff.

Creating leadership within an organization starts at the top.  We need to model the behaviour that we want to see and this isn’t always easy.  If you live within the technical side of the discussion, you probably won’t be developing good leaders, unless they have good mentors outside the organization and that is where good coaching comes in.

We recently hired a new person in our organization. They came from outside of higher ed and they were non-technical, but had a professional designation. One of the first things we did was find a couple of people inside the broader organization, but outside of IT, and set up a coaching/mentoring relationship. These people understood HE and were more aligned with this person’s professional designation. Will this work? I am not sure, but I hope so. It is very dependent on the individuals involved. This is simply part of our responsibility to developing leadership within our organization.

The other piece I liked in the article was about engaging the audience. We need to respect the people we are developing into leaders and keep them engaged and growing their skills. It reminds me of a book I once read called “Leading Geeks” by Paul Glen. In the book they talk about unique aspects within IT ‘people’, including how they work, how they are motivated, how they respond to leadership, their organizational culture and subsequently how you manage to full potential in this type of environment. I think we have done some good things with our new leaders in ITS, but we need to keep our foot on the gas. The tendency in IT is to push this off as everyone’s plate is too full, but I think that only impedes us in the long run.

So, at the end of the day, is it hard developing leaders? Yes. Is it harder to develop IT leaders? Maybe. If we are deliberate and focus on the five areas mentioned above, we can certainly get there.





‘I’ is for Innovation

Daniel Burrus, in a recent HBR Blog post, talks about how the role of the Chief Information Officer (CIO) is becoming obsolete and we must move from “protecting and defending the status quo to embracing and extending new innovative capabilities.” In his post he suggests that we need to become Chief Innovation Officers. Burrus goes on to say that it is our responsibility to move away from simply looking at keeping the lights on and cost containment to thinking about how we can transform the way we do business.

This article hit a chord with me as we are preparing our 2014-15 budgets and looking at a cost containment exercise, due to the challenges faced in publicly funded Higher Education. In parallel, I recently saw a Gartner paper that talked about cost containment strategies and how IT can contribute to savings. The traditional approach would be to think about IT as a cost centre, but given that IT is normally less than 5% of the overall operating budget, making cuts here tends to give small savings. What would be more effective would be to look at how we can drive savings through the use of technologies. If we can generate savings across the entire organization by changing the way we do business, then we can create an impact.

In essence, this is about driving innovation through changes in our business practices and the technology tools that we use. The challenge in making this happen is ensuring that IT has a seat at the table and the credibility to deliver. In HE many of us struggle with this, and the result can be significant shadow IT that sometimes has the appearance of being more responsive and effective. I am sure everyone has heard a story about how the central IT department messed up a project and because of that should never ever be trusted again. Projects can be complex, expectations can be wide ranging and outcomes may not always be fully understood. On top of this we don’t really like change and don’t always support projects the way they need to be supported, whether that is right at the top or down in the trenches. Burrus does highlight that we need to go beyond change, and think about transforming what we do.

At Queen’s we have started to talk more about IT@Queen’s, rather than simply ITS (the central IT department) and this opens a whole new discussion. When we start wearing our institutional hats, so much more becomes possible. If we really want to be transformative we need to look at defining our core competencies and focusing on our value add at all levels within our organization, while embracing new things like Software and Hardware as a Service. Here at Queen’s we have already moved 50,000 student accounts to Office 365 and have moved some of our Learning Management Systems to SaaS. As Burrus points out, IT is “quickly becoming an integrated collection of intelligent services that are on demand, on the move, and on any device.”

The CIO has a significant role in articulating and delivering this innovation/transformation to the C-suite. The CIO possibly has a unique perspective in this forum and the subsequent responsibility that comes with that. As an organization we need to evolve to the point where we are not pre-occupied with keeping the lights on, but instead we are looking ahead to what may be and embracing the transformation that entails. Not easy to do, but it is the only way that we will survive.

E-mail – the business and personal divide.

Back in the beginning of time, when the internet was first being born, very few people had an email account, and if you did, its use was very limited.   I still remember Netnorth being established (google it) and the excitement it brought.   It was about connecting disparate universities in Canada and allowing us to set standards and protocols to begin using things like e-mail.  That was a time when fname@domain worked because there weren’t 5 million John Does and I ended up with  It was all very informal.

In those early days there were not many people to talk to so your inbox was never overflowing.  Communications were predominately work based.   As the commercial internet evolved, we began to see more email accounts and people began to use their University email account for personal use.   The line was blurred, it was familiar and it just grew that way.  Nobody was really thinking long term and there really wasn’t a pressing problem for getting yet another email account.

Probably about 7 or 8 years ago I actively began using an external email account and separating my personal correspondence from work correspondence.  The transition is not an easy undertaking and there is an investment needed.  To me, this seemed prudent, as I did not want people to assign my personal views to the University and I didn’t want my personal correspondence accessible on the University systems.   Many of my peers did the same thing, but there are still many people in higher education who do not make that separation.

The interesting question is whether this is a problem or not.  In the last few months I have been made aware of a few instances where people expressed strong personal opinions on issues outside of the University, using their University email accounts.  People external to the University felt  these views were associated with the University, because it came from a University email account.  In one of the instances the individual signed the email with their personal address.  I assume this was intended as a signal that it was, in their view, not representative of the institution.  There was likely a big disconnect happening here.

Is this one of those problems unique to universities? I suspect not, but I also suspect it is more prevalent in higher education. How do we resolve this? Given that we have ‘tolerated’ this until now, I suspect it needs to be an education of the community around best practices and talking about why it is a better option for them personally.

At Queen’s we have a series of Email and FIPPA Best Practices.   Right in the opening paragraph it is noted that: “Email is increasingly used for conducting University business and is viewed as a University record”.  I think this is consistent with a trend towards separating out your personal email and it is interesting to note that an email is a University record.  It also goes on to state: “Whenever possible don’t use email to communicate confidential or sensitive information or personal information” and “Email bears University identifying marks. Use the same care with it as you would with University letterhead”.   I think these can be interpreted in different ways, but there is clearly a delineation being made.

These are  good practices that we should all follow and I think the last point is particularly relevant.  Whether or not you believe there can be a separation between business and personal on the same email account, people external to the community may see it the same way as issuing something on letterhead.  It is simply in your best interest to avoid confusion by separating out your personal emails.   Accounts are freely available and can be easily linked, so the barriers are small.

In addition to these best practices, the University has also been updating a series of policies around Information Security. The latest iteration of the Acceptable Use Policy states, in Section 5.1: You will use Queen’s IT resources for the academic and administrative purposes for which they are intended. This is very clear, and although this notion has been around for a long time it has never been enforced. It would be challenging to change that position now.

The easier course is for us to build awareness around the pitfalls of using your University email for personal use, and the advantages from separating it out to an external account. A lot of my private sector colleagues have disclaimers at the end of their emails. In addition to the legal issue it addresses, I think it also builds awareness around the institutional record.

So at the end of the day, is there a problem?   I think there is, but the community practice is moving us away from the problem. I think that building a little more awareness on the issue will allow people to make their own informed decision and we will see less use of the institutional account for personal correspondence.