Stan Waddell, IT vice president and CIO at Carnegie Mellon University, spoke to EdTech on the lessons learned from his earlier roles, balancing information security with the mission of the university and managing the technological transformations underway.
EDTECH: Before you were a CIO, you were a CISO and CTO. What was that transition like, and how does your experience impact your approach to your current position?
WADDELL: I came up through the telecom industry and started with security when it was fairly new as a primary role in higher education. I made a shift from networking and infrastructure at a time when the university needed policies and ways to respond to threats to data, infrastructure and operations.
As a networking engineer, I worked with security technologies such as firewalls, intrusion detection systems and vulnerability management, so I had some decent cybersecurity chops. I worked as the CISO at the University of Texas Southwestern Medical Center for five years, then moved to the University of North Carolina as the CISO and did that job for two years.
At some point, the CTO role opened up at Carolina. I started thinking that wouldn’t be a bad space to be in, because I’d have a broader impact on the organization. I really loved being the CTO. One of the things that I promised myself in that switch was that all of the things that I believed as a CISO, I believed for a reason, and I would continue to believe them. It has also been a tenet of my approach to being a CTO and a CIO that security matters, but we have to balance the cost of security with organizational effectiveness.
Click the banner to learn more about the benefits of a zero-trust security strategy.
EDTECH: As a CIO, are there things that you’ve seen that you wish that you had known in those earlier positions?
WADDELL: Something that has been refined is my thinking around budgeting. When you’re a CISO, you don’t have the full picture of the budget. As the CIO, I have a greater sense of budget issues. There were times when, as a CISO, I couldn’t get across the finish line, from a budget standpoint, to do a new initiative or to do it as broadly as I was hoping for, and I would be a bit disappointed. As I’ve matured into the CIO role in my technology leadership journey, I see more of that picture. Now I understand, “Oh, all right, there was a new research lab that needed to be built, and that’s why I couldn’t get all of the money that I needed for that initiative, but I got enough money and resources to actually accomplish the principal aims of the goal.”
EDTECH: You mentioned the tension between IT security best practices and the free exchange of information that’s part and parcel of the university mission. I’m interested in how you strike the right balance.
WADDELL: One of the early principles that I was introduced to was “oil drum security.” If you really want to make a computing system secure, what you want to do is wrap it in cellophane, put it in a box, dump it in an oil drum and fill that drum with oil. It will be 100 percent secure, but no work will get done.
You have to back away from that side of the equation and move toward enabling people to get work done within a secure environment. You start from that as a first principle. Then you build sound, reasonable strategies that allow people to get the job done while still reducing risk. You find that line where everybody can be happy — or where everybody’s a little bit upset — and then you do the work.
EDTECH: What does the relationship between the administration and the IT team look like when IT is supporting the university mission while also accomplishing strategic security goals?
WADDELL: I think the biggest thing for cybersecurity professionals is to get in and understand the actual mission of the university. There are a lot of artifacts that organizations create that describe what we’re trying to do. It’s incumbent on cybersecurity professionals and technology professionals in general to understand what the mission is, to understand the strategic plan, to understand the organizational vision and figure out where you fit in delivering on those promises.
At Carnegie Mellon, our mission is the delivery of transformative education, research and outreach — transformative outcomes. We have a strategic plan that describes a number of pillars for how we’re going to reach that. I read those documents religiously and get a sense for where technology fits into the equation. Everything that we do needs to fit into one of those pillars. When you do that, you’re aligned; you’re making sure that the resources are being used effectively, and you’re making sure that the people who are on the front lines of delivering on those promises can do that.
EDTECH: Technology has always been about rapid change, but that pace has been supercharged recently with the rise of remote work and the broad availability of generative artificial intelligence. What do these changes mean for you and others in your field?
WADDELL: AI is sucking a lot of the air out of the room. We’re trying to focus on delivering access to these tools in a safe and effective manner, and in a technological environment that is constrained to Carnegie Mellon University and isn’t adding data to the public models so that we experience a breach of our intellectual property or sensitive information.
We’ve got a number of initiatives that are scheduled to kick off over the next 12 to 18 months that will provide generic access to things such as Microsoft Copilot, and then some access to straight GPT-4 and other models in a sandbox for pilot initiatives in the classroom, in research settings and in the university administration. My goal is to allow us to deliver on those promises that we made when we said that our mission was transformative research, education and outreach.
EDTECH: It seems like a good time to be in a place that is dedicated to transformation. Do you agree?
WADDELL: It is so exciting, especially to be at the birthplace of AI. It is extremely exciting to see this revolution come about and to see how it affects our organization. This is an interesting intersection of events that has led to technology being elevated to a stature and a level of impact that haven’t existed before. This is the IT professional’s opportunity to shine and really have an outsized impact on the delivery of the organization’s mission, and we should take advantage of that.
