I learned early on in the Air Force how to recognize the good leaders and learn from them. That carried over to the early part of my career at Indiana University. I think my leadership qualities have grown from an ability to recognize good leadership when I see it and sort of take on those qualities.
The people I’ve learned from the most are personable and have open minds; they take information from whoever has good information and make good decisions based on that. When you start working with senior leaders, you can tell which ones are interested in understanding the issues and taking your input and which ones are not.
As a leader, I also take in whatever I can. I will make a decision and, in a lot of cases, I set the strategy, get out of the way and let our experts implement it. For example, we started integrating our campus security at IU in mid-2009. We’ve been tuning it ever since. If you look at it holistically, there is synergy across emergency management, law enforcement, environmental health and safety, events management, cybersecurity and nondigital privacy. We’ve made sure policies, programs, job descriptions and salaries are consistent across the campuses.
Bring Together All Stakeholders to Discuss Security
When all those units were placed under my oversight, one thing I was interested in was to have senior leader meetings. The leadership from the different units knew of each other, but they had not worked together or coordinated that much. So I put them in the same room and asked them to share information about what they were working on, what kinds of things they were dealing with and what challenges or barriers they had.
It was amazing to me how many of them shared the same barriers. Some people were working on almost the same projects. They had significant overlap. I sat back and let them go through that.
Conversations got lively. Collaborations began to happen. The best, starkest example was between cybersecurity and public safety and how they dealt with cybercrimes and incident response. The law enforcement people said to our cybersecurity team, “If you see these five attributes, you need to share that with us straight away. That may be something we want to act on.”
I heard reports that when other universities experienced tragic events, the faculty and students there felt they were not told what to do in an emergency. So we developed a plan to make sure we put information into the hands of our faculty and students at IU. I told all my directors this is a priority.
They came up with a good list of ideas, and I just got out of the way and let them implement it. We created a safety and security website called Protect IU (protect.iu.edu), and we’re putting placards in every classroom and lab, telling people what to do in an emergency, such as a tornado or active shooter. We also developed an emergency management certification to train university staffers about public safety. We created a new run-hide-fight video with one of our campuses as the setting.
Good Leadership Requires Soft Skills
So leaders need to have an understanding of everything, but they don’t have to have their finger on everything. Leaders that do that stifle the staff. Just getting out of the way is sometimes the best strategy.
My first leadership mentor was a lieutenant in the Air Force. We were in electronics warfare. He was personable. In stressful situations, he would drop these dry little comments that lightened things up. When you are running a mission or operation at 2 a.m., people are stressed out. You really have to get them refocused, and sometimes dropping a one-liner on them brings them back. There are times when that’s inappropriate and wouldn’t work. It’s understanding what works.
I’m also personable. I was a bit of a jokester in high school. I was also in the drama club, so maybe that reduced my social inhibitions a bit. I think that morphed into the personal leadership style I have. Our IU meetings are not jokefests by any stretch, but there is humor. We make cracks about little things, and I think people appreciate that about me.
One thing a leader or project manager has to do is carry the voice and the strategy of the organization and set the goals. A lot of my job is negotiating and being diplomatic and being the hammer when I have to be the hammer. In a lot of cases, I have to convince other people, especially people in the executive offices, that the threats are real, that the things we are trying to implement are in the best interests of the university.
Higher Ed Leaders Need to Provide Guidance on Risk
When we are talking about risk profiles, people may not understand how risks may affect things like enrollment down the road. A prime example is if there is a serious data breach at another university. People at IU sometimes say, “Wow. I’m glad it wasn’t us.” But it’s our job to tell them why it could happen to us, and what things have to be done, and convince them what is necessary to prevent that. If we don’t, we are likely to see a decrease in enrollment because parents and students have less confidence that we are going to protect their data.
So your interaction style — and your ability to explain and translate the issues — will have a direct impact on the response to the things you are trying to implement. For example, you have to explain, “I understand two-factor authentication is an inconvenience, but it’s better than having your direct deposit information compromised.”
As for cyberthreats, the miscreants are smart. They are doing much more social engineering. As the phishing attempts from the outside get smarter, our phishing education has to get smarter. A year and a half ago, we installed our own phishing application, where we phished our own employees, which was controversial. They didn’t understand why they were being baited or trolled by their own employers. But the first couple of attempts, the percentage of people who clicked on the false links were pretty high, and it has gone down steadily since. So it works.
Higher education has to understand cyberattacks are getting more insidious. Institutions have to talk to each other more. EDUCAUSE has a Higher Education Information Security Council, and they help us with REN-ISAC. Through these organizations, we are fostering collaboration and sharing information on threats and vulnerabilities, so we all learn from each other.
What Comes Next for Bruhn
As for future challenges, the areas I oversee all evolve. In public safety, for example, we are considering additional forms of crowd control, so that we can support safe events and safe protests and counter protests. Cyberthreats will continue to escalate. And in the social context, it’s very divisive. Our campuses are pictures of diversity where we have people on all sides of any question. As things continue to foment, we will probably have more protests. If a controversial speaker comes, we will have to make sure people who attend and people who want to protest are safe. With event management, we will continue to train and hope for the best, but expect the worse. We will just have to do the best we can and tune our processes.