By Chris Wessells, senior higher education strategist, Dell Technologies.
A university CIO is responsible for myriad responsibilities related to improving and maintaining technology and services in support of institutional goals. Still, to do that effectively, the job goes far beyond what many typically consider as part of the role.
Hiring engineers and IT specialists? That’s part of your requirements, in addition to protecting personal information of students and faculty, ensuring there is a high-performance infrastructure, as well as providing effective systems and IT services to meet institutional requirements.
A CIO needs to have a variety of skills to succeed, including being capable of managing people and change while also considering financials, managing a budget, balancing technology responsibilities and keeping cybersecurity top-of-mind.
Having served as a CIO at prominent four-year universities in the United States, I learned that in addition to the responsibilities outlined above, the role of a CIO is an ever-changing position that requires constant evolution and adaption to meet the needs of a heavily technology-driven community.
Some of the most important lessons I learned include:
1) Relationships are as important as technology
I quickly learned that building relationships with executive decision-makers was crucial to the success of institutional initiatives. Building bonds with business unit leaders from facilities management to public safety to athletics can be as essential at the relationships with the provost, deans and academic department chairs. That is, the CIO should cultivate and maintain healthy relationships at all levels of the university, which can lead to allies in digital transformation efforts.
Being connected with students is equally important. I found having a student technology advisory committee was an excellent way to listen to student needs, gain insights on how to improve IT services and build trust with the student community.
Building a strong IT leadership team also enables CIOs to form better relationships on campus that will assist in implementing new academic and administrative initiatives.
2) Enforcing shared governance is a must
One common CIO mistake is dictating change without receiving input from others on campus. This is why shared governance, placing the responsibility, authority and accountability for decisions on those who will use the technology, should be a top priority. Shared governance with the academic community is essential to being successful.
Higher education CIOs should be shifting responsibilities from operating technology to more strategic governance responsibilities. Students and faculty are the primary constituents that require technology and services from a campus IT organization, so naturally, CIOs should consider their requirements when assessing and implementing new solutions. For example, before purchasing new classroom instructional technology, it is crucial to consult faculty on those matters; and include faculty in pilot projects and testing. This approach often leads to better decisions that are made collaboratively, rather than having IT simply dictate decisions from a technical standpoint.
Question: What are some tips and guidance for educational entities to ensure the safety and security of their IT data. What steps can and must IT leaders in schools, colleges and universities take to protect their back end data and information, and what should they be most aware about the current threat landscape?
Educational institutions are especially have unique challenges because of the large variety of different end-points that are brought into their environments. It is critical that the IT data is segregated from the networks that can be accessed by these un-managed end-point devices (such as personal mobile phones/laptops etc.). Once the IT data is isolated from the internal unintentional harm, the infrastructure security posture needs to be hardened by modern and thorough unified threat management (UTM) system.
The key tip is to keep these UTM systems up to date and current to avoid new threats. For easier consumption of UTM services, a cloud delivered UTM can be leveraged either instead of or in conjunction with on-premise based UTM solutions. In either case, considering a managed UTM solution should be considered as this will provide the security that the organization needs without significant IT effort, but rather receiving the benefits as a managed service.
Schools are especially prone to ransomware attacks, due to the combination of weak security protocols, out of date computer equipment, and a lack of skilled staff. Digital infections can spread among school computers much the same as biological germs spread among students. Security is unfortunately quite a lot like a treadmill – it never stops. You can never arrive at a state of solid protection, because what was good enough yesterday won’t be good enough tomorrow. New vulnerabilities are continually being found. The need to invest in basic online hygiene is constant.
The best security leaders have given up on implementing perfect protection, focusing instead on Digital Resilience. It’s not possible to stop every attack, but it is possible to plan ahead for how you will withstand and recover from attacks. This requires detailed knowledge, ahead of the attack, about your whole network, so that you know how to recover when any part is damaged.
Schools plan for many different kinds of disruptions – extreme weather, earthquakes, etc. What all schools have in common is they are online, and this means planning for an online disruption is mandatory. A good way to start is by mapping out the school’s network of resources, to understand what depends on what.
Sivan Tehila, director of solution architecture, Perimeter 81
Cyberattacks are becoming more and more frequent and sophisticated. While at the same time, many organizations are adopting cloud-based infrastructures. This is why cloud accounts are being targeted more than ever. The easiest way to hack into your cloud environment is by exploiting the cloud account credentials. As well, there are many different types of threats for cloud environments, such as cryptojacking, insecure APIs (application programming interfaces) and more.
However, insufficient Identity accesses are the best vulnerability for an attacker to exploit. This is why we will probably see a high demand for identity providers and single sign-on capabilities and especially Zero Trust remote access solutions.
Response from Roger Sands, CEO and co-founder, Wyebot.
Roger Sands
Traditional teaching methods are being replaced with eLearning initiatives, smart boards, and 1:1 computing. This tech-forward education is leading to a new, tech-friendly environment that is more complicated than finding room in the budget for new laptops, Chromebooks or iPads.
IT Administrators and schools as a whole need to understand how new devices will impact an existing network, and what work needs to be done to ensure the network grows along with, or faster than, the new eLearning demands.
Today, there are an endless number of devices connected to a school network, including personal devices, classroom devices and school-wide IoT devices, like thermostats, printers and security systems. Each device is unique: some will be only 2.4GHz compliant; some will support higher spatial streams and data rates; some will be used frequently, others only rarely.
Regardless, they will all compete for airtime and impact the performance of the overall network if the proper systems and protocols are not in place. To ensure optimum network performance, schools should:
Provide, and enforce, a BYOD policy. At the very least, schools should limit the amount of personal devices students and staff can use, if they allow them at all. To avoid personal devices from slowing down eLearning initiatives, IT Directors should move personal tech to services that are 2.4 GHz only, while the eLearning activities are on 5 GHz.
Monitor and identify all devices on the network, and what they are doing. Tools that offer device fingerprinting and recognition support 100% network visibility, so IT knows exactly what the network is supporting, and how it needs to grow. It also allows IT to efficiently identify which devices experience problems and how best to resolve any issues. Ideally, the tool will also give historical data on each device, which allows for quick resolution to those pesky intermittent issues.
As IT directors optimize their networks for eLearning initiatives, it’s important that they look ahead and plan for the future. IT Directors should be looking three to five years ahead, and build a network that will support future needs. By defining network needs early, schools will ensure they’re prepared for what’s ahead, while still maintaining the budget.
Response from Samir Tout, professor of information assurance, School of Information Security and Applied Computing, Eastern Michigan University.
Samir Tout
In the last decade, we have witnessed a shift in the IT landscape with the rise of cloud computing, mobile devices and the Internet of Things (IoT). As a result, a new era has begun—one that brings along promising infrastructural enhancements, albeit with new challenges to the modern enterprises, including educational institutions. This necessitates that IT leaders at schools and universities perform a thorough analysis of how this will impact their systems, networks, and most importantly their data.
Educational institutions produce a massive amount of data about their students and staff. Such data constitutes a luring treasure trove for hackers who may launch advanced attacks against various layers of the school/university systems. IT leaders at these institutions must pay attention to key measures that are still common even to a great degree to the modern IT landscape.
If established, these measures would mitigate or possibly eliminate the risks of potential intrusions. They include: system hardening, secure perimeter architecture, anti-malware and endpoint defenses, strong encryption, establishing and adopting security policies, and applying information security principles such as least privilege, separation of duties, and role-based access control.
Furthermore, one of the most forgotten yet important measures is security awareness training and professional development for the staff that maintain the institution’s infrastructure. This has become even more vital with the advent of the modern IT landscape mentioned above, as staff members must stay up-to-date or otherwise risk being ill-equipped to properly maintain the infrastructure and its hosted data.
IT leaders must set strategic goals that embrace the above measures as part of the fabric of the institution. This means, among other things, that they include them in their strategic plan, allocate proper budgets for them, and support them with resources and, when necessary, expedited approvals.
Educational institutions are a target for cyber crime, just like any other business or non-profit. Concrete, measurable steps need to be taken to protect assets. Making use of a framework greatly helps this. A framework has specific metrics and criteria included in it. This provides a tangible resource to assess against. Usually, an outside team is brought in to walk through the assessment. Once the assessment is done, a remediation list exists. With a list, priorities are established and budget/human capital are applied.
FERPA is a federal law that addresses privacy of student
records. It is not broad enough for a school to base its entire cyber security
posture on.
Specific steps that all institutions should take include:
MFA — Multi-factor Authentication is a step beyond passwords. Logging in to access a system requires not just a password, but something else. That something else can be a prompt on a phone, a code generated by your phone, a text message, a hardware token that is inserted into a USB port, a finger print … the list goes on and on. The school needs to be aggressive in ensuring there are no gaps in their MFA deployment. If all logins require MFA, but VPN access doesn’t, the crooks will find this quickly and exploit it just as fast.
Policies – While these are seen as the boring part of network security, they are critical. Who is allowed to do what? What is not allowed? What are reasonable expectations? If something happens, what is the response plan? Who is included? Who communicates to whom? Policies run the gamut and should be not only created, but yearly reviewed.
Separation of duties — Smaller schools in particular will tend to have one or two key IT staff. These staff are responsible for deployment of new technologies, while managing existing equipment. Picture this, staff is assigned to deploy a new wireless system. As they learn the components, software is installed/configured, firewall rules updated – they are do everything they can to make it work. In the end, it does. But, is the config optimal? Is it secure? Were the firewall updates done in a judicious and cautious manner? Having additional eyes on a project, particularly those that are subject matter experts, is not only helpful but critical.
Executive support — No cybersecurity progress is made without senior administrative, chancellor, and/or principle support. It’s pointless yelling into the wind for staff to try to move something forward without senior buy-in. With management support, funds and personnel follow. Educational facilities never have an abundance of either. But, management’s support allows what meager resources there are to be appropriately channeled.
What should education’s IT leaders be most aware about the current treat landscape?
The old saying, “When everything is important, nothing is important” comes to mind. There are always external threats. They will never go away. But, learning institutions are in a unique spot when it comes to insider threats. Insider threats, in a traditional business, are where staff are working as, or being used by, criminals. Schools are unique targets for insider threats.
They exist to encourage learning, challenging ideas, trying new things, even pushing boundaries. Labs need to be setup for students to learn and try things. The same systems students use for learning, academia uses for grading, class management, and transcript creation. Students are brought very close to critical systems. Insider threats are very real threat to educational institutions.
Good cyber hygiene is critical to protecting “back end data.” Regular software updates and patch management are critical in mitigating known software vulnerabilities.
Two-factor authentication is vital to hedge against phishing and other social engineering attacks. Appropriate data encryption serves to protect critical data. And, vulnerability scanning/management of the environment is key to identifying and closing all known system vulnerabilities.
Modern firewalls and end-point protection protect against ransomware and reduce the overall threat landscape. And cyber security awareness training for all users is critical to help them understand common social engineering-based threats and attacks. Assess and validate cyber security controls in place to protect data stored in any hosted/cloud-based system.
The current IT landscape is full of concerns. Anything that cybercriminals can monetize is a risk. Probably the most common problem I hear about is ransomware, which can be addressed by managing patches/updates and ensuring off-site backups are regularly completed (and isolated).
Response from Heather Paunet, vice president of product management at Untangle, a provider of network security for small-to-medium businesses (SMBs), including educational entities.
What’s the most important IT solution that must be implemented now across your district/college/university (despite budget limitations)?
Districts, colleges, and universities should highly consider investing in a multi-layered unified threat management solution to protect their network. With the increase in BYOD devices on campus, it is essential to create layered network security, and provide separate networks.
Separate networks will allow only authorized users access to personal data within the now segregated administrative network. Student and third-party vendors can still access the internet on the common network, but are limited with zero access to other content sensitive information such as social security numbers, payment information, or confidential records on the administrative network.
Using this layered approach is extremely important for students, allowing them to be protected from accessing inappropriate content, and their behavior can be monitored, flagging anything that may require an intervention for their well being. For example, being able to know if students are searching for “bullying” or “self harm” can ensure that students are given extra help, support and advice that they may need to get them back on track.
In a perfect world and with a blank check, what IT investment would you make to support your current educational entity?
A robust next-generation
firewall to protect the gateway from malware, spam, viruses and phishing while
allowing web content filtering, application control, and bandwidth management
to monitor student, staff, and faculty access and ensure student safety, and
student well being on campus.
Tools4ever, one of the world’s largest providers of identity governance and administration solutions and services, continues to demonstrate its commitment to enhancing classrooms through education technology by exhibiting at the 2019 CETPA Annual Conference. The conference is scheduled for Nov. 12-15, 2019, at the Anaheim Marriott and Convention Center in Anaheim, California.
Tools4ever
Throughout the conference, Tools4ever will provide live demonstrations of its cloud-based identity management solution, HelloID, at booth #445. HelloID, used by hundreds of schools, colleges and universities throughout North America, represents the next evolution in Tools4ever’s 20-year effort to increase the usage and support for education technology in the classroom. HelloID enhances learning experiences by providing admins and educators with the solution they need to provide secure access to learning environments, educational devices, and self-guided service and technical support.
“The annual CETPA conference is the premier tech event for K-12 leaders in California and we are excited to be a part of it for our 13th consecutive year,” said Drew Olsen, Director of Sales – Western US at Tools4ever. “California is a leader in student data privacy protections, thanks to CETPA’s leadership. However, with the ever-increasing number of cyberattacks at the K-12 level, districts must remain vigilant in protecting what information is available while streamlining how it is accessed to best leverage EdTech in classrooms and beyond. We look forward to meeting with our customers and partners at the event to further demonstrate how identity and access management remains a critical component of any district’s technology strategy.”
The California Educational Technology Professionals Association (CEPTA) advocates improving administrative information processing in public education throughout California and prepares its membership to better meet and support technological needs. The annual conference brings its membership and partners together to share ideas and foster dialogue about information technology pertaining to the classroom. The conference includes the latest and best technology tools targeting improvement across teaching, learning and administration.
CETPA members include education’s CTOs, technology directors, network managers and engineers, database administrators, and district and county superintendents.
TOPdesk, a leading global provider of innovative enterprise service management solutions, today announces that it has been named a “strong performer” by analyst firm, Forrester. TOPdesk is profiled as one of the top 15 vendors that “matter most,” as detailed in the Forrester’s report, “The Forrester Wave™: Enterprise Service Management, Q4 2019.”
According to the Forrester Wave™ evaluation, the globally serving TOPdesk “has shifted to fully address the ESM market during the past few years and has oriented its strategy to provide for all forms of service requests, expanding its collaborative abilities and out-of-the-box modules.”
Per the report, “TOPdesk has grown steadily in North America, gaining popularity with midsize enterprises and public sector organizations, including higher education, and is pursuing a strategy of steady organic growth.”
“TOPdesk is a well-rounded ITSM and ESM product with fast time-to-value,” the report continues. “Request management is notably strong, with Kanban, intelligence, and costing … The platform is built for speed of utilization … [and] is well suited to midsize enterprises looking for a tool with both ITSM and ESM capabilities and experience.”
Wolter Smit, TOPdesk CEO and co-founder, said he’s proud of acknowledgement. “We know — and our clients tell us — that our solution continues to be first-rate. We’re honored to be named as a Strong Performer by Forrester, and are thankful for our clients and partners for helping us get here.”
In the report, Forrester notes ITSM users are looking to increasingly leverage self-service options, speed up service delivery, and enhance their own ITSM capabilities to meet the challenges of changing technology landscapes. TOPdesk believes that it addresses these issues by helping organization improve service management processes; optimize services by providing a user-friendly self-service application; and offers comprehensive support through a continuously delivered platform.
TOPdesk provides a robust platform for improved enterprise services, and a high-quality service management solution with proven fast time-to-value.
TOPdesk develops software that helps organizations efficiently manage the services they provide. Whether this concerns IT, facilities management, HR, service desk or service support, TOPdesk helps organizations support their employees, customers, consumers and citizens. It serves all sized organizations, from small businesses to large multinationals, and is available as a local installation or Software as a Service. The TOPdesk solution can be tailored to meet every organization’s needs.
TOPdesk has 15 branches worldwide: in the US, Canada, Brazil, the UK, the Netherlands, Belgium, Germany, Hungary, Denmark, Norway, and Australia. www.TOPdesk.com
Blackboard Inc. announces the appointment of Edwin Scholte as Chief Financial Officer (CFO). Edwin will join the company on November 4, 2019 and will oversee all financial aspects of the company, including investor relations, accounting, tax, financial planning and analysis, treasury, and capital markets. He will report to the company’s Chairman, CEO and President Bill Ballhaus.
With more than 20 years of experience as a finance and operating executive, Edwin has deep roots in the education sector and extensive experience in international strategic finance partnerships, global expansion, and mergers and acquisitions. He joins Blackboard from Best Merchant Partners, a privately owned merchant banking institution in the education sector, where he served as Managing Director. Prior to joining Best, Edwin served as CFO and as COO of the higher education, professional and international divisions of McGraw-Hill Education. Earlier he held senior finance and operating executive roles at LexisNexis/Reed Elsevier, Wolters Kluwer, as well as a privately-owned boutique incubator of Internet and corporate services start-ups in The Netherlands.
“Edwin’s broad financial and operational experience and deep knowledge of the education sector will be an invaluable asset to our executive leadership team as we continue to execute our business plan and strategic initiatives,” said Ballhaus. “I’m excited to have him join our team as CFO.”
“The impact of innovative technology on delivering better outcomes for institutions and learners is significant, and Blackboard is at the forefront of this exciting transformation in the global education community,” said Scholte. “I look forward to joining Blackboard and working with the team to deliver substantial value for all stakeholders.”
Edwin earned a Bachelor of Science in Business Economics from Haarlem Business School in The Netherlands, and a Master of Business Administration from Duke University.
Educational institutions are especially have unique challenges because of the large variety of different end-points that are brought into their environments. It is critical that the IT data is segregated from the networks that can be accessed by these un-managed end-point devices (such as personal mobile phones/laptops etc.). Once the IT data is isolated from the internal unintentional harm, the infrastructure security posture needs to be hardened by modern and thorough unified threat management (UTM) system.
Schools are especially prone to ransomware attacks, due to the combination of weak security protocols, out of date computer equipment, and a lack of skilled staff. Digital infections can spread among school computers much the same as biological germs spread among students. Security is unfortunately quite a lot like a treadmill – it never stops. You can never arrive at a state of solid protection, because what was good enough yesterday won’t be good enough tomorrow. New vulnerabilities are continually being found. The need to invest in basic online hygiene is constant.
Cyberattacks are becoming more and more frequent and sophisticated. While at the same time, many organizations are adopting cloud-based infrastructures. This is why cloud accounts are being targeted more than ever. The easiest way to hack into your cloud environment is by exploiting the cloud account credentials. As well, there are many different types of threats for cloud environments, such as cryptojacking, insecure APIs (application programming interfaces) and more.
