Feb 18 2008

Burst of Vitamin 'C'

Pointers from CIOs and CISOs on getting the most value from systems teams.

Pointers from CIOs and CISOs on getting the most value from systems teams.

In higher education, running a tech enterprise is much like running the IT department of a large conglomerate, with all the inherent pitfalls of turf and budget battles.

To get the most, for the most users, requires a team approach. You have to bring your “A” game, say higher education, C-level executives that EdTech spoke with: Pete Siegel of the University of California, Davis; Richard Kogut of the University of California, Merced; Bradley C. Wheeler and Tom Davis of Indiana University; and Louisiana State University’s Brian Voss and Brian Nichols.

You also need to take a long view — not into just the next quarter or the next semester, maybe not even the next year — because in setting vision and a strategy relative to return on investment, IT in the university environment is quite distinct from big business, says Kogut, CIO for UC Merced.

“Industry has a short-term business case perspective,” he points out. “A company can talk about how much money they’re going to put behind a project and make a calculation on every server they put up and how much money it will bring in,” he says. “We have a fixed budget, and our business case is very long-term. It’s tied to attracting students and faculty, not to numbers.”

Kogut should know. Though he’s had previous stints in IT at Georgetown University in Washington, D.C., and Brown University in Providence, R.I., he also worked for 13 years with IBM’s French division in Paris.

“What can you do in IT to affect the bottom line in a university? You must be organized to be efficient,” Kogut says, because the resources and fixed budgets are “pretty dreadful.” So here are pointers from systems officials at schools both large and small on how they do just that.

Pointer One:

Focus on Outcomes

At LSU in Baton Rouge, Voss credits a business strategy that focuses more on what IT will deliver and less on the technology to get the job done as fundamental to his staff’s success.

“Universities are very complex in their governance structures — the community of scholars is definitely one that is independent and diverse,” the CIO says. “A university is about sharing knowledge, but a university is also a business — finance, human resources and research processes.”

The IT team brought the groups together to discuss what they wanted. “We didn’t talk about technologies or a particular tool. When you start to plan, focus on the ‘what and why’ of IT enablement.” Ultimately, Voss’ crew crafted a blueprint based on outcomes — what each organization wanted to see and why it was important. The process created justification for business cases and for gaining administration support and funding.

Indiana University’s Wheeler says that the focus on outcomes is crucial; without it, projects become mired in discussions about funding. The key thing is sorting out who has decision rights to create a set of outcomes,” says Wheeler, vice president for IT and CIO for the university in Bloomington, Ind. “The reason I find this insightful is that you see colleagues in universities struggling with one or two key decisions, when what you want to do is derive economies of scale and value out of what should be a shared infrastructure — from hardware to support services. This can create more money for specialized applications that are unique to a department or research area.”

Pointer Two:

Take a Layered Approach

There’s no one best project management style that’s replicable everywhere for IT, says UC Merced’s Kogut. “In large organizations, I find matrixed project teams across functional groups — for the help desk or operations — work great,” he says. “But regardless of whether the project team is dedicated or matrixed, we use a formal project management methodology.”

For individual projects, the project manager is crucial for driving the team and meeting milestones. That doesn’t mean you should ignore other people affected by the effort, adds Kogut. It’s important for project teams to include members from across the affected organizations. “It’s a parallel partnership,” he says. But having a project manager is a must because “when a unit is responsible, responsibility gets diffused; when someone’s name is on something, things happen.”

Pointer Three:

Come Out From Behind the Curtain

“Creating a partnership model and transparency are really important,” says UC Davis’ Siegel, CIO and vice provost for information and educational technology. “It sounds easy, but it’s a hard part of the job.”

Siegel, who came to Davis about a year and a half ago after six years as CIO at the University of Illinois, Urbana-Champaign, says that a chief emphasis during his first months on campus was removing the mystery surrounding IT and his organization.

To do this, he took a long-standing group, the Campus Committee for IT, and opened it up to everyone. “We have reps from the administration, faculty and staff — representing the broadest base of stakeholders — and we post on the Web what the committee’s doing,” he says. “We’re still educating folks that everything prioritized by this group is open to everyone on campus.”

Having lifted the blinds on the planning process, the next critical step involved oversight. “Key stakeholders are in charge, not the people with the money,” says Siegel. “What they say matters.”

The same approach works at LSU for IT security, says Nichols, the university’s chief IT security and policy officer. But he also recommends hiring a communications officer.

“Any type of IT organization needs a communications person,” Nichols says. He credits the communications officer at LSU with helping ensure that the community has a much better view of what the IT staff does than it had when he came on the job in July 2005. The university also uses forums, advisory groups and Web site postings to relay information about university IT security policies, new vulnerabilities and sensitive data practices.

Siegel acknowledges that the community approach takes work and more time than a hierarchical IT management style, but the needs of the entire community are reflected in the projects IT takes on, and people don’t feel as if their needs get short shrift. Folks won’t win on every project because of limited resources, “but the most important projects will prevail.”

Pointer Four:

Deliver on the Future

Take advantage of the somewhat slower pace of campus IT to stay ahead of the technology curve, advises UC Merced’s Kogut. “Organize in terms of where you think technology will be in the future, not where it is today,” he advises.

Organize teams now; don’t wait for technology to arrive. “Do it as soon as you see the trend,” Kogut says. “You want to assimilate technology rather than have everyone fighting for their turf.”

Although most techies will have heard this refrain before — no matter where they’ve worked — long-term planning is a real possibility in higher education IT. “It’s harder to pull off in a corporate setting, which is bottom-line driven and hierarchical,” Kogut says. Of course, there’s a flip side. “Our budgets don’t change much unless there is a huge crisis or a huge opportunity.”

Pointer Five:

Create a Career Path for Your IT Staff

While on a review team at another university, a dean once pointedly told Indiana’s Wheeler that the dean’s in-house network engineers were getting expensive — “almost as much as my professors.” Wheeler responded and asked what career path the dean was providing for his IT staff? Almost none was the answer. Wheeler notes that leveraged IT services can create career paths for rotation and development within a large IT services organization and to and from schools or departments.

“Realize that the best you find will leave you because there is no career path,” he says. At Indiana, he’s striving to change that by using long-term performance incentives and creating more senior-level jobs tied to the university’s increasingly integrated infrastructure.

Plus, he says, finding and keeping the right staff is also a lot about recruitment. “Over time you find folks who are very comfortable with this type of career or folks who might be at the top of their profession already,” he says, and so welcome the higher education challenge.

Pointer Six:

Embrace Your Faculty

“One of the primary things we deal with in higher ed is facilitating the undergrad and grad education process,” says Davis, Indiana University’s chief information security officer.

To do that demands understanding the faculty’s needs and figuring out how best to serve them. At Indiana, the IT department supports a large multicampus environment. IT serves as the Internet service provider, supports systems for research work and runs health systems for the university’s medical school programs.

To maintain a relationship with the faculty, “we have Faculty Council Technology and Policy subcommittees,” Davis says. The benefits include learning about a need before it becomes a crisis, understanding the risk particular research might pose and fostering opportunities for IT to partner with the faculty.

Voss at LSU agrees and says it’s a way to avoid letters to the chancellor labeling IT as “that poisonous department.” He has a part-time faculty liaison “who helps us relate better to the faculty. We also have a similar position for students.”

In the end, by reaching out to faculty, everyone is served, Davis says. “We have to balance offering IT that’s reliable, functional and facilitating.”

A Few Aha! Moments

  • Richard Kogut at UC Merced: “Start lobbying for things you need or want to do at least two years in advance. If someone doesn’t want something to happen, it’s easy in higher ed to prevent change. Avoiding change is a cultural thing that permeates everything.”
  • Bradley C. Wheeler at Indiana University: “In academics, a vote of 25 to 1 is considered a tie. On the corporate side, they would just make it so.”
  • Pete Siegel at UC Davis: “You can develop cohesion within an organization, but it’s a little more complex across the campus when working with other vice chancellors and provosts. They have folks who view themselves not as customers but as partners.”
  • Brian Voss at LSU: “One thing IT in higher ed suffers from is the black-box concept: You put money in and get something out. No one understands what the IT organization does.”

Five Tips for a Sunny IT Security Team

Joined at the hip with the CIO is the security chief and staff on any campus. But running the security technology team has its own special requirements, says Tom Davis, chief information security officer for Indiana University in Bloomington. Davis has five must-do requirements that he expects of his 14-member staff:

  1. Reach out to constituents. “Information security is at a point where we have the technology to produce secure environments. Although we may not have the funds, it is there and available to us. What is not in place, in many instances, is good communication with constituents. We should focus on reaching out and developing relationships with them.”
  2. Develop a good rapport with the staff responsible for maintaining IT resources. “You have to have a trusting relationship with those running the systems. You can’t be like Deputy Barney Fife, pointing out the bad things. IT should be a resource for those technicians instead of acting like the police.”
  3. Befriend the university’s internal audit group. “To deal with security or privacy incidents when they happen, it’s important to have a good relationship with your internal audit group and internal legal counsel, so you all can work as a team when Social Security numbers are lost, someone hacks into a system storing credit card numbers, or e-mail containing sensitive information is misdirected. It’s important to mobilize an incident response team.”
  4. Understand state and federal compliance laws. “A CISO needs to know these laws and use them to their best ability. On July 1, 2006, a state compliance law went into effect in Indiana, and we spent a significant amount of time on a dog-and-pony show visiting campuses and faculty retreats and discussing it. There is individual criminal liability involved, so it is important that everyone understands the importance of security. People can be held individually accountable for data disclosure and loss.”
  5. Maintain open communication and relationships with the senior administrators and the board of trustees. If you don’t, then you won’t get the funding you need to do your job or understand what is expected from the security team. “Budget is a struggle every year, but our senior administration knows what we’re dealing with. I’ve never submitted a proposal for funding that was denied.”