Can the Enterprise be agile ‘enough’?

In the role of the CIO I spend a lot of time thinking about what the enterprise should do and what distributed IT should do.   There is a balance there that seems like a never ending tug of war, rather that a collaborative approach to supporting IT with common vision, shared governance and joint accountability.  For me, it inevitably comes down to the fact that there exists a view that Enterprise is just not agile enough.  As the speed of innovation seems ever increasing, this agility challenge seems to get deeper.   Our community wants to use the latest and greatest and we aren’t always in a position to do that.

The question then  becomes, why can’t the largest IT shop on campus, with the most collective knowledge and experience, be more agile and meet the needs of the community.   I think the reasons are many, and some are complex, but today I was reminded about one of them, and it focuses on risk and privacy.

Here at Queen’s we have been rolling out more and more functionality around Office 365 (probably slower than the community wants).  One of the pieces that we were missing was around Groups.   This is a huge piece of added functionality for our community.   We have rolled this out now, but we have not done it for students, and I know this will frustrate the community and they will struggle to understand what they probably see as a stupid decision.   I assure you, it is a well thought out decision, that maybe the distributed support units would not have reached, but at the enterprise we must consider the risks.

The issue here is around the fact that the membership of the groups is visible to the whole community, and from a privacy perspective student information must be treated differently than the information of our employees.   Many moons ago, when I was a student, we used to pick up marked assignments in a box outside the faculty office – you could see everyone’s mark.  I also recall seeing class lists with names, ids and grades posted on the wall.   This normally doesn’t happen anymore and we take the issue of student privacy very seriously.

We will find a way around this.   The obvious solution is to make groups “private” and that functionality has now been created in O365, but it looks a little buggy.  As the enterprise, we need to make sure this is all worked out before we go live, another piece that makes us seem less agile.

So, at the end of the day, back to my role as the CIO, I need to work with the community to ensure they understand why we appear to not be agile.  The community needs to understand the risks and embrace the need to ensure they are mitigated at the enterprise level.   Maybe we are actually agile enough, we just need to agree on what needs to be done to role out a new solution/service…. common vision, shared governance and joint accountability.





What is that app scraping and what do ‘they’ know about me.

I recently changed out my phone (and OS) and it has me really thinking about what I share and what is being tracked.  We hear about this all the time, so I was really surprised about how vulnerable I felt setting up my new phone.  It shouldn’t have really been a surprise, but made think I need to pay more attention to how and when I share information about myself.

I think a couple of caveats are in order.   I don’t use a lot of apps.   I don’t see value in most of them, as I use the smartphone as a productivity device rather than an entertainment device.  I get the entertainment value, but maybe I am an outlier.

I have used many different types of phones over the years and my most recent phone was a Microsoft Nokia device.   It worked very well and integration with my Office365 tools was seamless.  I would have stuck with the OS if they had an acceptable new release.   My new phone is an android device.  I have been there before, and was one of the very early adopters, so thought the transition would be easy.

Setting everything up takes time, no matter how you slice it.  What surprised me was how quickly things were linked to each other and how much it was telling me about others (and myself).   You know the kind of things…. “hey, you did this, you should talk to so and so because they did this too”   I am paraphrasing, but it is the essence – your behaviour and behaviour of others makes linkages and suggestions.  Don’t get me wrong, I love some of the connections and it makes my life easier, but some of it was really creepy.   I am not sure where the line is, but currently feeling it has been crossed.

As an example, last week we decided to go out for dinner and I decided to book my reservations on Open Table . It worked fine, aside from the weather, but not the fault of the app.  When I got my entre it contained Jerusalem couscous and it was delicious.  I had never had this, and I thought I would google it and learn more.   After I typed Jerusalem, it automatically prompted me with couscous as the first choice….. I found that odd.  Was this really the most popular search, or did it know something about me?   Did it know what restaurant I was at – did it know the menu, did it connect the dots.   I have no idea, but given everything else I had seen over the last few days with the new phone, it was a question that crossed my mind.

Mining this data and making the connections can add value, but it makes me wonder who else is accessing this information and driving something from it.  There is a business in here too and we know ‘they’ are using the information.  There was an article in IT World Canada about Pokemon Go and it raises similar questions and talks about being vigilant on what you share.

My advice, go back and check your apps and see what you share and make sure it is necessary.   Find the right balance for you.




Don’t take the bait

Many of you will have read  the news about the  cyber-security event at Calgary.  Our thoughts are with the team there who are recovering from a very difficult situation.   At this point we really don’t know what has happened aside from a few brief media releases.  All hands at Calgary are likely on deck and our debrief with them will happen in due course.

We at ITS continue to monitor for malware and it is important that our communities become more vigilant when responding to emails and clicking on websites.    At lunch today I was stopped by a couple of faculty members who asked me what happened at Calgary.  Malware can come from various sources including phishing.  Their response was simply “who is stupid enough to click on these phishing emails?”, and my response was, lots of people do because it is getting really hard to identify them.  If in doubt don’t click, call the IT support desk or check for alerts on our website or go to the phishing page..

Here at Queen’s we continually monitor the network for anomalies, we regularly apply system updates, test for vulnerabilities on critical systems, actively run anti virus and malware and work at educating the community.   In the last year we have expanded our security team by adding two more staff, and recruited a new Information Security Officer.

All of these initiatives mitigate the risks, but we can’t eliminate the threat completely.  Ransomware is prevalent on the internet and it is growing exponentially.  Not all parts of the community are as forthcoming as Calgary has been, so we don’t hear about all the incidents.  Fifteen  years ago hacking was more of a sport, now it is malicious and criminal.  It is a rapidly moving target and we are evolving with it.



The end of an era – change can feel hard


Have you ever been in a situation where something has been around so long that you couldn’t imagine the world without it?  Then “someone” makes a decision to take it away and your first reactions are fear, resentment and anxiety.    You feel a sense of loss that slowly translates into doubt as you begin to question why this decision was made.   You become anxious and confused and you can’t imagine how you could live without ‘this’.  It is really easy to get stuck here, and that can end up being problematic.

In these situations you need to be deliberate in order to move forward.  You need to step back and separate fiction from reality and explore the reasons behind the decision.  You need to question what is really the worst thing that can happen, and look objectively at how you can move forward.   You need to question what is important, that you got from ‘this’, and what do you really need.  This will allow you to better understand and work through the change.

At the end of March we closed our Campus Computer Store.  The Store has been around for a long time and has touched a lot of people over the years, but the world, and the market has changed.   It used to be that every fall many students would pick up a new computer when they arrived on campus and now they all come with one already.   We are seeing vendors like Apple and Microsoft selling directly to their educational customers and there is a proliferation of on-line competitors.   The store has always had two sides, retail and internal procurement. Over the last few years retail sales have gone down dramatically, which has really put the operational model we use into an unsustainable position and we needed to rethink how we do this.

On top of that we have seen a big push towards commoditization of desktop technologies.   When we standardize on our desktop and mobile devices, it enhances the user experience, becomes less expensive to procure and easier to support, freeing resources for other more meaningful activities.  If we are being truly objective, close to 100% of the devices we use on our desks should be treated like a commodity.  When we come into work there is a phone on our desk (stay tuned on that one) and we simply accept it is there.  There may be choice of a few models, depending on your role, but if it breaks we bring you a new one that looks and works the same.   We need to think about our desktops and laptops the same way.   As we evolve more into cloud services, there is less reason for storing files locally and most of us should have a common set of tools available. That allows us to simply swap out a machine whenever a problem arises.   There will be exceptions to this and some people will have unique needs, but they should be few and far between and can be accommodated.

At the moment you can go to the procurement site and you can buy just like you did before and have goods delivered directly to you.  You may even notice some of the prices are better, and there is no mark-up, which was necessary to cover the costs of running the store.  In the next short while you are going to see a list of preferred desktops and mobile devices to make your decisions even easier.

On top of that, ITS is going to expand the Direct Computer Support program to support hardware.  “This means that your desktop computer will be just a device you use, can be easily replaced, and have a predictable and consistent fixed cost over time.

It is hard when something you are used to changes, and it is normal to be a little cautious and have questions.  However, don’t let the feelings of  loss and frustration distract you from being objective.  Try and understand the need for the change, engage with the individuals and groups supporting people though the  change, help shape the change, explore how the change can help you and you may end up in a  better place than you are today.



Wanted – faculty whisperer who is highly regarded as a soothsayer and has the ability to walk on water…..

Have you ever wondered what it takes to be a good CIO?    As with most leaders you could list such things as being honest, collaborative, creative and inspiring, or having strong commitment, positive attitude and the ability to execute.   A team player who provides a good cultural fit, would also seem desirable. However, thinking specifically about a CIO, are there things that are  inherently different that require different attributes?”

There are many interesting insights in CEO’s seek CIO’s with a “Bias for Action” that really set the bar pretty high for a CIO and make me wonder how you can possibly get there.  I think expectations are so broad and high that you need to have a strong team reporting to you, and you need to report up to  a strong team.  That is the only way to become transformational and  develop the ability to “walk on water” .

The most interesting piece for me, was the need to “gut-think”.  They argue that CEO’s are able to act faster because they “trust the gut”.  The suggestion is,  many CIO’s tend to be analytical and rely on evidence based decisions and that takes time.  “CIOs who can channel their inner CEO by reassessing their business, adjusting their strategy and executing earns the coveted “transformational CIO” moniker”.   These are arguably the most successful CIO’s, but I want to challenge the notion that is that simple..

It comes back to the actions of  the teams you deal with, or maybe just the culture you live in.   I think higher education can impose certain constraints on the CIO that at times conflict with this need to gut think and make decisions quickly.  I don’t think it is across the board, but there is a strong culture to think things through very deeply and consult very broadly, before undertaking any action.  That is not necessarily bad, but sometimes it can lead us to become handcuffed and we don’t do what is needed.  Even when we do make decisions, by the time we get there it may  too late because the world has changed or the problem itself, that we are trying to resolve, has become bigger and needs another approach.

So, I think I agree that organizations are asking a lot from their CIO’s, and deep down they want their CIO to be transformational.  However, I am not sure that our governance structures in higher education are  mature enough to support the CIO driving transformation.   Maybe we need to just trust our gut more and go for it – who knows, maybe we can all walk on water.

Your mission, should you choose to accept it…..

Suppose you are given an opportunity to present a SWOT about your organization.   The audience is an incoming Provost and all their reports, including the Deans.  The rules are it has to be a verbal pitch and you have 3 minutes maximum to present.   Others in the room will also be presenting their SWOT’s.   You can only do one Strength, one Weakness and so on. That is much harder than it first appears.  This is your archetypal elevator pitch, so what would you say?

I presented  this challenge to my peers in CUCCIO and the response was startling.   I ended up with about 40 CIO’s responding, which is about 2/3 of the community.  It has led to some interesting discussions and some valuable data.    There  is a lot of commonalty between schools, but each school is also unique in terms of their maturity and what they focus on.   I will summarize some of the responses and finish with my statements, as this was a real exercise for me.

In terms of full disclosure, I see Strengths and Weaknesses as being internal to the organization, while Opportunities and threats are external to the organization.  Strengths are characteristics that give your unit an advantage over others, while weaknesses are characteristics that place your unit at a disadvantage relative to others.  Opportunities are external elements that exploit your advantage and threats are elements in the surrounding environment that could cause challenges.   Inevitably people read this differently, and the lines get blurred.  I hope this clarification helps explain my SWOT statements..


Most CIO’s talked about their people.   I don’t disagree we have great people, who are very dedicated, in higher education, but if we all have great people then how is this an advantage?   In addition, several CIO’s talked about a buy-in to the Enterprise.  I think this either plays out from the size of the school – the smaller the school the more buy-in to enterprise – or from the maturity of the school.   By that I mean the more mature the school is the better handle they have on enterprise computing.   Engagement was also mentioned frequently and I think this plays into the need for CIO’s in HE to build consensus and drive norms which may differ from other sectors.

Other things that were mentioned included Infrastructure, Applications, Services, Project Planning and Governance.   Governance was only called out once, but it probably blends into engagement and enterprise.  Almost every item on the list resonated with me, the challenge is picking only one.

My response:

The ability to take an institutional view. By that I mean we have the  capacity to understand the complexity and scope of the enterprise environment and design and implement  solutions that satisfy that environment in an efficient and cost effective way – this is true whether it is administrative, academic or research technology – I think IT has a unique view across those disparate domains ( examples would be our ERP , or our institutional LMS.


Governance came up frequently as did recruitment and retention.  Governance has been top of mind for many of us and given we still see it on these lists it is a tough one to resolve and some of us till aren’t there.    Agility, maturity, language, culture were mentioned in various ways. Size, capacity and redundancy came up with someone lamenting that “there is too much work keeping the lights on and not enough put towards grow and transform”.  This is an ongoing challenge.  Internal challenges within the unit were also mentioned frequently, referencing such things as silos and inability to take ownership as a team. This category is  normally the easy one to tease out in Higher Education IT.

My response: 

We are not always good at speaking the language of the business and this challenges our ability to effectively communicate the value of IT. We frequently find that advancing institutional IT priorities must rely on persuasion and influence rather than common vision and goals and this takes a long time. This means that we aren’t always agile and this frustrates the Faculties who have resources, to the point they build their own solutions.  We then sometimes let go of institutional solutions, or water them down, which can further increases the divide between faculties.


Not surprisingly the biggest opportunity was around cloud and shared services.  There are clearly many definitions around the cloud, but they all contain the same message around finding efficiencies, creating agility and enhancing security. Many people also referenced various campus initiatives that were redefining IT support on campus.   New technologies, internal pressures, efficiencies and campus culture were also mentioned,   There was a theme running through many of these that the organizations were maturing and there was an opportunity to engage in a new and different discussion.  In other words there was an optimistic view that the community was starting to be ready for this dialogue.

My Response:

Shared services across HE, including the cloudWe are looking for some level of aggregation to cut costs and/or satisfy a growing pool of unmet demands.   The catch here is that we must undertake our due diligence to ensure our information resources are well protected – we can’t outsource stewardship or ownership of Personally Identifiable Information and Intellectual Property.  This doesn’t always sit well with the community when they see it as another delay.


The top threats were equally split between finances and cyber-security.  In some cases there was discussion that the financial challenges were impeding the ability to deal with cyber-security which is somewhat troubling.  The rate of change was also called out by some people as being a challenge.  Somewhat related to this is the notion of unrealistic expectations in our community, to the point that someone actually sated that there was  “a divergence of expectations and reality”

My response:

The increasingly hostile security and privacy risks that need to be responded to in a highly distributed decision-making landscape.  Like the rest of the world we probably aren’t really aware of the threats and the risks and they have become malicious and costly to mitigate or clean up.


Given the prolific response to the exercise I think this gives us some relevant material to work with.   We are looking at sharing the detailed responses with the CUCCIO community.   I believe that going through the exercise helps us shape our thinking and hearing other perspectives is incredibly valuable in validating our thinking.

Postscript: …as always, should any member of your team be caught thinking about this,  we will disavow all knowledge of your actions and/or this post.



The demise of the Canadian University CIO…?

I remember many years ago a colleague joking that CIO stood for “Career is Over”.   In those days there was lots of turnover and success did not always translate into longevity in the role.  Some recent departures in the Canadian University sector are making me ponder whether there are systemic issues that are causing our best and brightest to leave the sector.

I have talked about CUCCIO (Canadian University Council of CIO’s) in previous posts, but maybe just a little refresher.  Most University CIO’s in Canada are members of this group.   We engage on a daily basis through our lists, and meet face to face three times a year.   The group is very collegial and there is probably a core group of 35-40 at each meeting.  It is an important organization with some great leaders.  We learn from each other, we advocate, we commiserate and we make HE IT better when we get together.

Over the last year and a bit I can think of 8 CIO’s from this group of 40 who have left their roles, all but one of which were at a U15 (research intensive) school.  Prior to that, a couple of well-respected long serving CIO’s also retired.   This has an impact on an organization like CUCCIO, and on the Canadian University Sector.   These were some of our best and brightest. People who were driving organizational change and transforming the way we thought about IT. I feel the loss.

These individuals left for varying reasons, some stayed in HE but went to other countries, while others left the sector entirely. My question – Is there something systemic drawing or driving them away?   Certainly the CIO role can be a challenging one.

In trying to encourage collaboration across Universities I have been thinking a lot about why it is so challenging in IT when we see other parts of our institutions, such as the libraries, have success.  When I talk about collaboration I mean much more than just collaborative buying clubs, I am thinking about infrastructure and services that multiple institutions plan, invest in and share.

CIO’s in public sector institutions often work in an environment where expectations for IT in our communities exceed what can be achieved with the resources we have to work with.   At times many of us can be head down trying to meet these expectations, sometimes with a very singular focus driven by institutional priorities.  There can also be little tolerance in our communities for IT failure and that can push us to be more risk averse than we would like, or need to be. Although we are working hard at it and we are moving forward, many places haven’t truly embraced technology as a strategic enabler and look at IT as just another cost centre.   This makes it really hard to motivate real change and encourage our organization to advance where they need to.  There is simply very little capacity for collaboration

A few years ago I was talking to a colleague who moved from HE to a private sector agency.  They looked great, were happy and there was excitement in their voice.   They said that when they had good ideas for moving the organization they had instant support from the CEO and there weren’t long drawn out consultations with the community.  They were still doing their due diligence, but made decisions faster and resourced them appropriately.  They said it was fantastic to deliver what their community was asking for in a timely and responsive manner. They were doing it well and their staff were happy. It was fun being a CIO again.

So I leave you with a few questions that I hope will be discussed at our next meeting of CUCCIO.  Is there a systemic issue, or is this just a blip?   Is the grass really greener on the other side?  What can we do to help create an environment for success? How do we make up for this loss of talent and what are our collective plans for succession?

Encouraging Collaboration between Universities

We have all heard our favorite quotes about failure being an essential part of creativity innovation and moving forward.  My favourites focus on the notion that failure is simply the act of gaining experience.   Even though we encourage and embrace failures in our students and faculty when it comes to learning, research and discovery it has always been elusive in administration and especially in IT departments. We simply won’t talk about about our failures, and I think that is a challenge.  If we want to work collaboratively, the biggest success will be driven from sharing our failures.

This morning I went to the gym early  and jumped (stumbled?) onto the bike with the intent of catching up on some reading from the most recent Educause Review.  The first article, Embracing Failure to Spur Success: A new Collaborative Innovation Model by Kim Wilcox and Edward Ray really was a good start to my day.

They talked about some of the problems we are all facing and how each of us are making progress, but “the progress could be even faster and more dramatic if we did two complementary things: collaborate with each other across campuses, and embrace. share and learn from failure”.   I couldn’t agree more.    I could sense my cadence get faster as I read this.   I recently invited a colleague of mine from another ‘system’ to speak at a meeting of my peers from across Canada.  The discussions were on shared services and I remember the colleague saying, “I am not sure what I can say about that, because what we did wasn’t a complete success”.   My response – that is exactly what we need to hear.  That is the value that you bring to us, to be open and honest about what didn’t work.

Wilcox and Ray are  talking in the article about the University Innovation Alliance.   A consortium of 11 major public research universities looking for new and innovative ways to collaboratively address shared problems.   They point out the need for candor and that rests on a strong foundation of trust.    To help develop that trust they have agreed to a common set of goals and it seems like there is some unwritten commitment to be frank and open when it comes to sharing.

Here in Canada the university CIO’s across the country have created an organization called CUCCIO.   We meet on a regular basis and we share a lot of information about what we are each doing.  Since the early days there has been a push towards building trust amongst the membership and this has gone a long way to opening up and sharing not only our success, but our failures.  Our discussions are frank and informative and they add value.  Recently a sub-group from Ontario has started to discuss shared services.  The group is smaller, and given the fact that education is funded provincially it may be easier to facilitate at this level.   That being said we still benefit from seeing what the rest of the group is doing in their respective provinces and learning from their success and failures.

I think the next step for us might be, as outlined by Wilcox and Ray, to get “buy-in from the leaders…. it sends a signal to the entire campus administration and community that collaboration and innovation are to be prioritized and that sharing lessons learned from failure is not only acceptable, but essential”.  We need the whole community on board if we want to drive the type of collaboration that I think we need.

A great call to action, not only for the UIA, but for all of us.

Success is stumbling from failure to failure with no loss of enthusiasm.” Winston Churchill.


Security is everyone’s business ‘redux’

We have been having a broad discussion around information security here at Queen’s and a while back I wrote a blog that talked about how security belongs to everyone and we are only as good as our weakest link.  I thought it would be helpful to share what one department has recently  done and show that this is not insurmountable.  Taking some small, well orchestrated, steps can completely change our security posture and significantly mitigate risks.

Queen’s Advancement Services have recently stepped it up to ensure the information they handle is safe and secure and procedures are consistent across the board.  Currently 99% of their staff have taken the ITS Security Awareness Training.  In addition, 98% of their staff have attended a personal Information Security Session designed for the department.  This covered things like email best practices, handling paper, and mobile device management.  They have also created a Security Standards page for the department and ensured active and signed confidentiality agreements for those handling sensitive information.

On their hardware side they have created physical and logical safeguards for all their devices and  they have moved all of their servers to a secure data centre on campus.  All their applications and business software has been audited by the ITS Security Group and all of their servers are  maintained and patched on a regular basis, with an associated change management protocol.

Congratulations to the team in a Advancement.  You have done a great job and set an example for others to follow.  Our information is valuable and we have been entrusted to protect it.



Safe computing in the cloud

Today I was pointed to an excellent article on the use of OneDrive from the University of Wisconsin Milwaukee:  It outlines the risks of using cloud based storage, followed by excellent information on practices that can mitigate those risks.  This is something I have been trying to start a dialogue on at Queen’s for some time.  It is normally more about how we handle information than the tools we use to transmit it and where it is stored.

One thing I think is important to note:  The article’s focus is OneDrive, but the risks and recommendations it covers apply with many other storage solutions, whether cloud-based or not. Regardless of where data is stored, we all need to pay greater attention to understanding and applying safe handling practices for the different types of data, especially that which is considered confidential or sensitive.

The first part of the article really focuses on these best practices.   We should be cautious when using unsecured connections, make sure our systems are up to date and equipped with the latest virus and malware protection software, consider what needs to be encrypted, use strong passwords, and be wary of unsolicited emails asking for accounts and passwords.  We should all adopt these safe practices, no matter where the data resides. A server plugged into the Queen’s network or on a home network will in almost every case be more vulnerable to being compromised or infiltrated than a major cloud based service used globally.

I encourage people to click on the link in the article which takes you to their data classification standards, where you’ll find a very good distinction between confidential and sensitive data.   SIN, credit card numbers, login credentials or information that is protected under a statute, act or law, are confidential in nature and need extra care.  Our sense is that too often people send this type of information over email, even though email really is not a secure means of transmitting anything valuable.  I don’t think being confidential precludes us from using the cloud to store a file, but ensure you take extra care.   Maybe for these files you want to attach a password to them or if you are at Queen’s you may want to use other servers like QShare or the AD File Shares, even though we do not believe that in and of itself it mitigates the risk.

All in all, the article is a great read and something that we should all pay more attention to.  Our information assets are valuable and we need to ensure we do our due diligence.  How we classify, distribute and handle the information is probably more important than where we store it.   Moving to OneDrive, we have done our due diligence and  have subscribed to a secure environment that protects the privacy and confidentiality of our information.