Gravitas and Grit: How IT Leaders Inspire Peak Performance

Presenters

  • Dianna Sadlouskos, Strategic Alliance Partner, Next Generation Executive Search
  • Joanna Young, Principal, JCYCIO
  • Melissa Woo, Senior Vice President for IT & CIO, Stony Brook University
  • Brendan Guenther, Director for Academic Technology, Michigan State University
  • Russell Beard, Vice President of Information Technology, Bellevue College

NOTE: any errors, omissions or inadvertent misrepresentations are completely my fault. This conversation moved quickly and there was a lot of audience participation my fingers weren’t quite quick enough to catch – I beg your indulgence, dear reader. – Paul

DS: No powerpoint today (yay!), we’re focusing on conversation today. Provided definition of “Grit” by Angela Duckworth (too long to capture).

DS – Question 1: How would you translate grit into your own personal path to leadership?

MW: “stick-to-it-iveness” was the key for me. I went through so many search committees, it was crazy. I incorporated feedback from coaches. Ask for feedback!

JY: first CIO job I applied for was an abject failure. The search consultant’s feedback was really helpful…it was tough, but amazingly helpful advice. Over prepare! Every meeting you have with your president is a new interview.

RB: you have to have the ability to be patient and learn to breathe.

DS – Any essential grit stories to share?

(Audience member) It’s not only about grit, it’s about the people surrounding you. So many people said “you were great!” which was not helpful as I needed. I interviewed for 13 jobs before I got the one I have now. Just keep going.

DS: just because you don’t get a job, it’s OK, you may still be a very good candidate…you’re not a failure!

DS – Do you think that Grit is something you can develop in people?

BG: I think so. Everyone hits bumps in the road, sometimes you don’t bring the right people onto your team, you have to be able to adapt.

MW: you have to consider tough love. I tend to force people into projects that they are not comfortable with so that they have the opportunity to grow.

JY: job for life is no longer the case. You have to be able to force yourself into a role you’ve never had before. I had no telecom in my background, but I ended up running the largest broadband project in my state (having “wicked smaht” people around me was a great help).

DS – Interest and Practice: is there a difference in how you guide development of these attributes in mid-level managers versus millennials?

BG: the things that you are (where and how you grew up, etc.) have a lot to do with how you think.

JY: I now work for a millennial, someone I hired as an intern. We are learning so much from one another…he is completely fearless. People earlier in their career tend to have a higher degree of confidence (let ’em fail fast and learn fast). However, I want to give them guide rails to keep them from crashing and burning.

MW: at a conference I was at last week, keynote was about “radical candor.” Millennials are not as delicate as you think! Treat them as they are early career.

DS – is there advice you can give the group about how you inspire practice in aspiring leaders?

(Audience member) I don’t give advice, I ask a lot of questions. People with good social IQ pick up on what you’re doing, and will work through things in their head. Set parameters “here’s where I don’t want you to go.”

(Audience member) Give the person permission to fail, but coach them back to success.

DS – How to inspire mid-level managers to engage and re-invigorate their interest?

JY: get a different job and/or a different team.

RB: you’re prepared and need to manifest the presence to perform.

How does talent versus effort impact leaders?

JY: effort is great, but you need to apply effort effectively. Don’t use a teaspoon when a backhoe is the tool you really need. Talent is like a big “T” – you may have depth in tech, but you need to have breadth in business, how your campus works and more.

BG: you have to have the ability to identify talent. For effort, being able to identify the right talent sets among different people to work together.

DS: Can you share examples of staff who were talented but struggled?

DS: Tiger Woods vs. John McEnroe

JY: some of those staff are people who run with scissors who are very talented but are a danger to themselves. Often these people think of themselves as the smartest people in the room.

(Audience member) the smartest people in the room’s biggest issue is the fact that many of them are unable to be coached.

(Audience member) Coaching those team members is really helpful. For my team, when hiring, the skillset comes second to the ability to work within a team.

JY: rhetorical question: what’s more important: technical skills, or ability to work with faculty? (scattered callouts of “faculty”).

MW: you need to be able to have the difficult conversations with people.

RB: Honest feedback is important and one of the most important things we do as leaders.

How do you encourage staff to take risks and grow?

JY: influence your environment to make failure acceptable, so long as learning occurs.

BG: our role as coach/mentor is to help our staff pull the layers of failure apart so as to teach lessons that they can grow from. You HAVE to be there when your people fail.

RB: questions like “you should think about” were great, not prescribing solutions was important for me.

Is Cloud Identity Ready for Higher Education?

Presenters:

  • Jon Allen, Assistant VP & CIO, Baylor University
  • Kevin Phan, Associate CIO, Pepperdine University
  • Mahmud Rahman, Director of Systems and Banner Services, Mills College
  • Dennis McDermott, CMO, SVP Global Marketing, Fischer International Identity LLC

Level Set

What was the state of your IDM efforts prior to your recent project? What were the biggest challenges you were addressing with your IDM deployment?

JA: we didn’t have a lot in the way of IDM. We had scripts, an Oracle database and batch files. Life cycle becomes difficult in situations like this! We knew we needed to manage it much better than we were. Should we build the car or drive the car?

KP: we’re similar to Baylor: disparate systems, everything was manual, PeopleSoft as system of record, AD authentication, batching and scripts for accounts management; no meaningful events for updating accounts. Going to an off-the-shelf system helped us manage things better.

MR: we had a pretty good system, fed data from Banner into LDAP. However, our system would break down, and our system didn’t do deprovisioning well.

Setting a Course

What components did you look for in an identity management solution? Which were most important to you and why?

JA: our search happened about four years ago. Traditional on-premises solutions were great and polished, but they didn’t necessarily work well with the systems we had on our campus. It was more a business and knowledge problem than a technical problem. Very few consultants understood our systems or what we do. We understood the routine functionality of in/out and when things were supposed to happen, but our edge cases were killing us. Audit was made difficult because access forms were being sent by email.

KP: it took us over a year to review the various vendors. Fischer’s system worked simply and easily for us…one connector to our PeopleSoft tables and we were ready to go.

MR: we’re a small school and we had to rely on others’ research to help guide us. We’ve been on hosted platforms for years now with Blackboard and Google, so our fear level was low. Vendors that understand the specific needs of students (meaning of stop outs, incompletes, etc.) were very important to us, and it’s surprising how few vendors actually do get this.

Resistance to Change?

How much resistance did you receive regarding outsourcing your IAM infrastructure? Who was resistant and how did you win them over? What would you say to those who prefer home-grown solutions?

JA: since I was the one bringing this project to the table, there was little resistance (I’m normally the one who slows projects down!). A big part of getting people on board was sharing what it would do for them as stakeholders, i.e. HR provisioning of new staff and faculty. Once HR saw what it would do for them, they were completely on board.

KP: we had political resistance. We overcame that by demonstrating cost savings with our CFO. We also were able to translate business value by showing reduction in number of help desk tickets. Convincing internal IT folk was the hard part…giving up control was WAY more challenging than it should have been.

MR: we had no resistance. Most people don’t see IDM as something important unless they can’t access resources. Sysadmins are no longer the ones who have to deal with the day-to-day ordinary functions. Our time spent on IDM is a lot smaller now.

Deployment

What was your approach for deploying IAM? How did you mitigate risk to achieve project success?

MR: we should have had more conversations with HR and Admissions first (there was turnover at the time, which continues). The people responsible for setting flags and attributes initially have moved on, so IT is playing a significant teaching role for the organization. The process allowed us to get a lot more granularity with respect to roles, which we accomplished before through creating exceptions (build exceptions into patterns).

KP: learning what our customers’ pain points were guided what we did first. Password management was a big problem, so we tackled that password self-service portal first. Second phase was the top 30 action codes in PeopleSoft. Most of the time, I had to “be a parent” to the project team when addressing challenges around control.

JA: we limited the scope of the systems to key systems first, including Banner and O365.

Sharing Outcomes

What are the top factors that made your project successful? What would you do differently? What would you say about home-grown IAM?

MR: we have a very smart Banner programmer! We also had a lot of cooperation from other IT staff, particularly sysadmins and the help desk. Our vendor also understood Banner well, which helped a lot. Also, my boss backed me up (huge). If I had to do anything differently, I would probably create more role granularity and more conversations with certain groups on campus like the provost’s office.

KP: top factors were understanding business value and translating to the business units. Understanding systems and data, looking a few steps ahead, identifying potential issues that might come up, having honest conversations with your team, all of these were important. What would I change? It took two years to complete because we didn’t apply enough resources to it.

Baylor Case Study

Why IDM? Security lifecycle, compliance, one of the main controls left. It’s the who, why, what, where, when of people accessing your systems. It’s the keys to the kingdom, it’s nothing sacred, it’s security.

IDM is hard! It’s the ultimate of integrations and it’s something we must have. Project failures are rarely technical. Systems worked where people understood higher ed and IDM. Consultants must know your business.

You need to clearly understand integration, UI (for follow-through and understandability), and you also need some flexibility to address special use cases.

Six months from start to Go Live. Staff must be bought in; testing is critical. Timelines are achievable if stakeholders are available and willing to work in a collaborative way.

Full provisioning: account creation, licensing managed and authorization. However, it doesn’t have to be completely automated. For example, we have a termination list: replaces non-interactive emails, allows for audit trail, deprovisioning the most critical part of the IDM. When we flipped the switch, we had to deal with the edge cases, which allowed us to clean up a lot of the data (source of authority).

IDM is a life cycle. Identity is constantly changing, and perfection is not possible.

Lessons learned: communication (need more of it), wrong assumptions (you can’t assume that HR understands their role – they’re worried about payroll), we want real time access (mistakes like name changes or account deletions are real-time too). Testing is good, but you’re not going to catch everything.

Going forward: more integrations, further refinement, expanding reach to applicants.

Great results: account provisioning/removal smoother, processes are documented.

Student Privacy Boot Camp

Presenters

  • Michael Hawes, Director of Student Privacy Policy, US Department of Education
  • Amelia Vance, Education Policy Counsel, Future of Privacy Forum
  • Rachel Rudnick, Privacy Officer / Assistant Director, University of Connecticut

Resources

What is your top privacy concern?

Attendees have many reasons for being here (several on GDPR, the European Union’s privacy law – something International students will care about). I’m specifically here to learn more about the use of student data within web applications. For example, how do we let students know how we’re using their data, beyond ToS (Terms of Service) or EULA (End User License Agreement).

Types of Risk

Keep in mind the “front page of the newspaper” kinds of risks, because that’s a significant driver on the perception side of things.

  1. An actual security or privacy risk
  2. Risk of not being in compliance
  3. Perception Risk

Michael Hawes’ Segment of the Session

By the end of this session, you’ll know a lot more about PTAC – Privacy Technical Assistance Center. This provides loads of guidance and tools you can use in your work.

ED’s role in protecting student privacy

  • We administer & enforce federal laws governing the privacy of student information (FERPA)
  • Raise awareness of privacy challenges
  • Provide tech assistance to schools, districts, states, colleges and universities
  • Promoting privacy and security best practices

What is Privacy?

Privacy and security are related, but not the same thing.

Privacy: “the state of being free from intrusion or disturbance in one’s private life or affairs.” Components include:

  • Info
  • Bodily
  • Territorial
  • Communications

Privacy Principles (from NIST):

  • Authority and purpose
  • Accountability
  • Data Quality and Integrity
  • Data Minimization and Retention
  • Individual Participation and Redress
  • Security
  • Transparency
  • Use Limitation

IT Security:

  • Focused on confidentiality
  • Integrity
  • Availability

Privacy and Security overlap at Confidentiality & Integrity, plus Accountability, Audit and Risk Management

FERPA 101

  • 43 years old, passed in 1974
  • Applies to all institutions receiving federal funds under any program administered by the Secretary of Education
  • Gives eligible students the right to access and seek to amend their education records
  • Protects personally identifiable information (PII) from education records from unauthorized disclosure
  • Requires written consent before sharing PII – unless an exception applies

FERPA definitions

PII: is info that alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

Education records are any records directly related to the student that are maintained by, or on behalf of, an educational agency or institution.

The Netflix Prize from a few years ago is a good case in point (algorithm to improve their movie recommendation engine). The de-identified data was able to be re-identified by data researchers, based on movie preferences! Favorite movie became highly identifiable information.

  • Directory information exception
  • Students don’t attend school anonymously
  • Allows schools to release certain information without consent. A few examples:
    • name, address, telephone, electronic mail address
    • date and place of birth
    • photographs
    • weight & height of athletes
  • Schools/Districts must designate data elements they consider to be directory information. Common uses: yearbooks, concert programs, telephone directories.
  • Students have a right to opt-out of disclosures under the directory information exception.

School Official Exception: schools or LEAs can use the school official exception to disclose education records without consent to a third party if the 3rd party:

  • performs a service / function the school would otherwise do themselves
  • under direct control of the school / district
  • uses education data in a manner consistent

Health or Safety Emergencies Exception

  • Disclosure necessary to protect health & safety of the student or others
  • Articulable threat to health or safety
  • Typically law enforcement

Parents of Dependent Students

  • A school may choose to disclose, without the student’s consent, a student’s ed record to that student’s parent if the student is a dependent for IRS tax purposes.

Judicial Orders & Subpoenas Exception

  • School may disclose PII from ed records necessary to comply with a judicial order or lawfully issued subpoena
  • Reasonable effort to notify eligible student of the order before complying with it
  • Some judicial orders and subpoenas are exempt from FERPA’s notification requirement

Financial Aid Exception

  • Ed records may be disclosed in connection with financial aid

Studies Exception

  • Permits disclosure of PII that are for or on behalf of the school for developing, validating, or administering predictive tests
  • Administering student aid programs
  • Improving instruction
  • Must specify purpose, scope, duration

Attendee question: what counts as consent?

  • Must be written (electronic must be authenticated).
  • Has to specify PII that will be disclosed
  • Has to specify category of people it’s going to
  • Has to specify purpose
  • Has to be voluntary (for example, it cannot be waived in a “blanket ToS” at the beginning of the term)

Data Governance, Online Services, and Predictive Analytics

  • Increase in data silos at IHEs and the importance of Data Governance
  • Guidance on Protecting Student Privacy while Using Online Educational Services (2014) and Model Terms of Service (2015)
  • Be mindful of privacy and ethics when using predictive analytics in higher education

HIPAA

  • If an institution keeps student medical records, HIPAA (generally, but not always) applies, not FERPA
  • Student and treatment records can be very complex! Engage counsel when working with this data

As recipients of federal student aid, universities are financial institutions under the Gramm-Leach-Bliley Act.

Audience question: is there a NIST standard for transmitting FERPA data? Yes! When in doubt, ask the school about their requirements for PII.

CASE STUDY 1: DATA BREACH

Knowing how to respond when you’ve had a data breach can be really helpful. Think about each of the roles needed in your org. The full extent or impact of a data breach is rarely known up front. Don’t get ahead of yourself.

We broke up into groups and discussed the following:

  • Public & Internal communications/Messaging
  • Response Plan

Things to consider:

  • How can you prevent this in the future?
  • Policies & Procedures
  • Central # to call should they have questions
  • FERPA training implemented in any way? Whoever would respond to such breaches should definitely be trained.
  • Have reporting obligations changed?

Federal Laws and Actions

  • FERPA rewrite
    • Potential rollback of 2008/2011 updates
  • Several student data privacy bills introduced in Congress in 2015 and a FERPA re-write may pass in 2018. One bill has been re-introduced in 2017 so far.
  • 40 states have passed 126 laws since 2013
  • Over last 5 years, states have enacted over 100 laws governing how schools and their service providers collect, use, and protect student data

Unintended Consequences

  • Words matter: definitions and vague language; governance needed
  • Fear-based policies
  • Privacy problems with privacy legislation
  • Need for input
  • Penalties

Big case of unintended consequences: LifeTouch (a billion-dollar photo vendor) is impacted and engaged politically because photos can be classified as PII. What do they sell? Yearbooks.

Interesting Trends

  • Governance
  • Transparency
  • Contracts
  • Opt-in or Out Requirements
  • Device and social media privacy
  • Audits
  • Training
  • Penalties (financial & criminal)

State Laws

  • Of 106 state laws passed on student privacy since 2013, only 26 are applicable to higher education.
  • Most laws discussing higher ed either do not differentiate between private or public institutions of higher ed, or only apply the law to state schools.
  • Reflects a perceived inability by state legislators to govern private institutions of higher education.

Lack of laws

  • 75% of data breaches occur in higher ed, so it’s surprising that there aren’t MORE laws governing data breaches in higher ed.
  • In total, 19 states since 2014 have passed laws that included at least one provision targeted at researchers. Most of these are governance-focused, but some are far more restricted.

What is Driving These Laws?

Typical comments that encapsulate what’s driving these laws:

  • “What is ed research, and why do I care about it?”
  • “Researchers are able to get access to student data and use it for whatever they want”
  • “Parents should always be allowed to opt their child out of research that will not directly improve their child’s ed or help their child in some direct way”
  • Beyond IRBs

Rachel Rudnick, University of Connecticut Privacy Officer

I think of my role as mostly a compliance function. How many campuses have a privacy office and officer? It differs from campus to campus; there’s no one way to manage it.

Do you have a designated Privacy Officer?

  • What is a privacy officer?
  • Privacy vs. Information Security
  • Privacy Office
  • Centralized function vs. embedded?
  • Just part of someone’s job?

Where Should Privacy Report?

  • Compliance (good place to start, should have buy-in of C-suite)
  • Legal
  • IT
  • Audit
  • Provost
  • Registrar
  • President/Board
  • Nowhere? Everywhere?

Models to Consider

  • Compliance/regulatory function vs. Program
  • Centralized vs. distributed (embedded)
  • Big picture comprehensive program vs. regulation-by-regulation
  • Reactive vs. Proactive approach

What is Privacy?

This is a gross oversimplification, but this helps folk understand privacy a little better, especially when they need to call someone for help:

  • Privacy is the WHAT
  • Security is the HOW

What does a Privacy Officer Do?

  • Does not mean I have a “Do Not Disturb” sign on my door!
  • Knowledge of ever-evolving rules
  • Oversee program
  • Serve as privacy resource/Subject Matter Expert
  • Write and possibly enforce policies
  • Review/draft contract language
  • Assist/provide guidance to faculty, staff, students, constituents
  • Investigate concerns/complaints
  • Educate/conduct training
  • Breach mgmt
  • Internal/external communication
  • Create and maintain relationships/partnerships
  • Work hand-in-hand with the ISO
  • Be a team player > committees, committees, committees…

To manage privacy properly on a campus, you need great partnerships!

Partnerships & Collaboration with Stakeholders

  • ISO
  • Legal
  • Audit
  • Risk Mgmt
  • Senior Mgmt (buy-in, elevator speeches)
  • Functional Offices (registrar, bursar/financial aid, research compliance/sponsored programs, HR/Payroll, Health-related units, etc.)
  • Compliance Cowboys: liaisons to support your efforts; train the trainer

Tools

  • Data inventories
  • Records retention & Info Mgmt strategies
  • Privacy Impact Assessments (PIA)
  • Maturity Modeling
  • Nymity’s comprehensive approach
  • Beg, borrow and steal from colleagues

External resources

  • HE-CPO group (supported by EDUCAUSE)
  • IAPP
  • Law firms
  • Vendors (webinars, free tools)
  • NACUA/AACRAO
  • FERPA|Sherpa
  • PTAC

Want to Be a Privacy Officer?

EDUCAUSE has resources; search for Higher Ed CPO Primer, Parts 1 & 2 on their website.

The 2016 EDUCAUSE MEGA Post

Hey y’all! Here’s my “MEGA POST” for my stint at the 2016 EDUCAUSE national conference in Anaheim from October 25 – 28.

Tuesday, October 25

Wednesday, October 26

Thursday, October 27

Friday, October 28

  • [ KEYNOTE ] Because I Said I Would

Preparing for That IT Strategic Planning Project: A Data-Driven Approach

Presenters

  • Jerrold Grochow, CIO-in-Residence, Internet2
  • Sara Jeanes, Program Manager, Internet2

Underlying Ideas for this Seminar

  • Data: facts and statistics collected together for reference or analysis.
  • If you can’t define it, you don’t know what your data says
  • If you don’t analyze it, you don’t know what your data means
  • If you don’t organize and present your analysis, you can’t convince anyone of what it means
  • Data is most valuable when it can be turned into information that can be used for action

Goals

  • Understand what data is important to different constituencies
  • Learn practical approaches to collecting, organizing and presenting that data
  • Start to apply this framework to your own strategic planning projects

What is Strategic Planning all About?

  • Determining where we are now (org assessment)
  • Determining what drives us to the future (drivers & trends)
  • Determining where we want to be in the future (ID strategic issues)
  • Determining how we’re going to get to that future (develop strategic business plan)
  • “If you don’t know where you want to go, any road will get you there.”
  • “If you don’t know where you are, it’s tough to figure out how to get to where you want to be.”
  • Being aware of external drivers that influence our organization
  • In short: where/what/how, now and in the future

What Makes Data Important?

  • Things that get measured get managed
  • Can be used to look for trends
  • Helps democratize the process by removing emotions
  • Value to the institution
  • Allows for effective SWOT exercise
  • Sets the stage
  • Raises a strategic issue
  • Highlights a trend
  • Distinguishes a constituency
  • Presents a resource concern

Different Types of Strategic Planning Projects

  • Initial plan
  • Revisited plan: why? what changed?
  • Plan update
  • Organizational focus: resources, culture
  • Service focus
  • Technology focus

Strategic Planning Data Planning Framework

  1. Determine type of project and focus
  2. Determine key questions/issues
  3. Assess & define data
  4. Collect data
  5. Perform analysis
  6. Organize & present

Types of Data Needed

  • Skills assessment: what do we need?
  • Who is using our resources, and how?
  • Retention and recruitment: who is leaving and why? What’s their demographic? What are the demographics of the various departments?
  • What’s the data we’ve already got? Staff counts, project portfolio, budgets, etc.

Two Principal Types of Data

  • Primary: data you collect specifically to serve the needs of the strategic planning activity
  • Secondary: data you have (or can get) that was collected for other purposes but that will be useful
  • You are going to have to use data you already have
  • Internal secondary data: operational data, i.e. logs, usage data, help desk ticketing system, admissions data, anything in IR, IPEDS, infrastructure, monitoring, etc.

Operational Data: Service Utilization

  • Definition: how much of a particular service is used by different groups of users
  • Measure: what best shows usage
  • Analysis: trends/patterns
  • Organization/presentation: table, chart, interactive graphic

External Secondary Data

  • What data can you readily get that would be useful?
  • EDUCAUSE Core Data Service, NSSE, IPEDS, census, industry surveys (Gartner, Forrester, McKinsey)

Internal/External can be both primary and secondary

  • Internal: about the organization
  • External: about the environment

How do you collect data?

  • Instrument your systems, surveys, questionnaires, focus groups
  • Sensors

What Kind of Data?

  • Text, numbers, pictures
  • Qualitative
  • Quantitative
  • USE BOTH, to show impact and value

Timing: When Do You Collect Data?

  • Before: to help ID and frame issues, and to ensure the planning process can proceed smoothly.
  • During: as discussion uncovers additional data that would be useful
  • After: to better manage your organization and monitor progress against plan
  • Always: for the reasons mentioned above

How Can We Best Present Data?

In ways that best resonate with the audience, in ways that show importance. For example: “That’s the equivalent of the cost of a full-time grad assistant” or “IT capital plan == building capital plan” or “system maintenance == building maintenance”

  • Text: quotations, narrative, video
  • Numbers: tables, charts, graphs
  • Pictures: infographics, photos

Institutional Strategic Priorities

  • Understand research and learning/teaching focus areas! This will tell you where senior leadership of the institution wants to go.
  • Understand the financial areas! This will interact with research and learning/teaching focus areas.
  • Understand the technology focus! You’ll be able to explain how this will interact with all the other areas.