EDTECH: As a CIO, are there things that you’ve seen that you wish that you had known in those earlier positions?
WADDELL: Something that has been refined is my thinking around budgeting. When you’re a CISO, you don’t have the full picture of the budget. As the CIO, I have a greater sense of budget issues. There were times when, as a CISO, I couldn’t get across the finish line, from a budget standpoint, to do a new initiative or to do it as broadly as I was hoping for, and I would be a bit disappointed. As I’ve matured into the CIO role in my technology leadership journey, I see more of that picture. Now I understand, “Oh, all right, there was a new research lab that needed to be built, and that’s why I couldn’t get all of the money that I needed for that initiative, but I got enough money and resources to actually accomplish the principal aims of the goal.”
EDTECH: You mentioned the tension between IT security best practices and the free exchange of information that’s part and parcel of the university mission. I’m interested in how you strike the right balance.
WADDELL: One of the early principles that I was introduced to was “oil drum security.” If you really want to make a computing system secure, what you want to do is wrap it in cellophane, put it in a box, dump it in an oil drum and fill that drum with oil. It will be 100 percent secure, but no work will get done.
You have to back away from that side of the equation and move toward enabling people to get work done within a secure environment. You start from that as a first principle. Then you build sound, reasonable strategies that allow people to get the job done while still reducing risk. You find that line where everybody can be happy — or where everybody’s a little bit upset — and then you do the work.
EDTECH: What does the relationship between the administration and the IT team look like when IT is supporting the university mission while also accomplishing strategic security goals?
WADDELL: I think the biggest thing for cybersecurity professionals is to get in and understand the actual mission of the university. There are a lot of artifacts that organizations create that describe what we’re trying to do. It’s incumbent on cybersecurity professionals and technology professionals in general to understand what the mission is, to understand the strategic plan, to understand the organizational vision and figure out where you fit in delivering on those promises.