anaging Risk and Exploiting Opportunity (EDUCAUSE Review) |...http://connect.educause.edu/Library/EDUCAUSE+Review/Managing...1 of 208/01/2009 18:41
FOCUS AREA: EVOLVING ROLE OF IT AND LEADERSHIP© 2008 H. David Lambert
EDUCAUSE Review,
vol. 43, no. 6 (November/December 2008)
Managing Risk and Exploiting Opportunity
H. DAVID LAMBERT
H. David Lambert is Vice President and Chief Information Officer at Georgetown University.Comments on this article can be sent to the author atlambertd@georgetown.eduand/or can be posted to theweb via the link at the bottom of this page.
The role of the Chief Information Officer, one of the newer positions in higher education senior leadership, continuesto transform and evolve, often heading in surprising directions. Not only are the technologies changing at a dizzyingpace, but it often feels as if the role itself, as well as what institutions need and expect from the CIO, is transforming just as quickly.Recently, with sweeping changes in institutional priorities, the increasing pervasiveness of networked information with all the good and bad that entails, and the growing expectation from boards, both public and private, that collegesand universities need to anticipate and manage risk more effectively, the CIO has assumed a “go-to” leadership role inthe institution. I am not sure, however, that this new centrality of the CIO has happened in the way that analysts hadanticipated and advocated. Many commentators have focused on the emergence of the CIO as an academic leader who projects organizational alignments that serve to integrate pedagogic support centers, libraries, and ITorganizations. This change in role has indeed happened in many institutions, particularly liberal arts colleges, andthis certainly represents an important opportunity for the CIO and the institution. But I believe that the growth of theCIO role has been driven more by other factors.Let me elaborate. Increasingly, the CIO is working with new executive partners across the institution, since businessprocesses that were not traditionally dependent on digital technologies now require complex central enterprisesystems. No more than five to seven years ago, what we commonly refer to as “enterprise applications” were generally characterized by the “Big 3”: financial systems, student systems, and human resources systems. The CIO’s ability to work with key business leaders to support these three types of systems was often what defined success. For example,one of the first new enterprise applications was the learning/course management system (L/CMS). But what startedout as a departmental application to provide low-level tools for classroom management and instructional materialsdelivery has now become arguably the most mission-critical application in the academy. When the L/CMS isn’tavailable, the most basic function of the higher education institution—teaching students—is substantially hindered.Furthermore, these tools are becoming critical to managing the institution’s risk (Can the institution maintaininstruction if it loses the physical campus?) and exploiting new strategic opportunities (Can the institution jump-starta new international campus by using the L/CMS to deliver instruction to a location on the other side of the world?). We have also experienced major growth in the critical use of information technology for communications. The e-mailservice that was introduced many years ago as a “convenience” service is now seen as a multi-purposecommunications vehicle for the institution, supporting the transmission of official information to students, enablingthe research faculty’s collaboration with research teams across the globe, providing lifelong engagement with alumni,and supplying the basic fabric of communications for institutional administration. Much the same story can be toldfor the institution’s web services. A capability that was often relegated to student projects run on departmental web-servers sitting under the proverbial “techies’ desk” has now become the vehicle that is expected to serve as arecruiting magnet for new students, become the “website of choice” for thousands of alumni, and serve as theplatform for communicating the institution’s core vision, mission, and values. The loss of web services or a breakdownin the performance of e-mail is now equated with a major institutional failure, creating a new focal point in theinstitution’s risk management profile.In addition, we have seen rapid growth in the use of digital technologies in institutional functions for which the CIOhas traditionally had little, if any, responsibility. At Georgetown, for example, we have had to create an enterprisesystems team (parallel to our more traditional student, finance, and human resources teams) to support new applications in the safety and facility areas including camera systems, fire alarm systems, incident managementsoftware, an integrated Safety Command Center, and centralized climate management systems. All of these run (or will run) across the integrated IP network infrastructure for the campus, making the capacity and availability of thatinfrastructure yet another key element in institutional risk management.Finally, higher education has increasingly moved into the crosshairs of new regulation at the local, state, and nationallevels. Data privacy legislation enacted primarily at the state level is the perfect example. Scores of colleges anduniversities have experienced large-scale crises as the result of system compromises or lost computer equipmentcontaining large amounts of legally protected data such as Social Security numbers and credit cards. These incidentshave cost institutions scarce financial resources and have caused strained relationships with students and alumni whose information may have been compromised. Even though these incidents most often involve resources that are well outside the traditional range of control of the CIO, it is the CIO who is usually held accountable and who isexpected to manage future risk of data exposures. On the bright side, CIOs have often been able to use thisaccountability to alter their responsibility in ways that allow them to address core data security and privacy issuesthat they have not been able to influence in the past. Nevertheless, these efforts have consumed many more resourcesthan often are available, affecting other critical priorities. Similar effects have resulted from new regulations in
VIEW A PDFOF THIS ARTICLE
Leave a Comment