Who Should Control Technology Decisions on Campus?

Recently, I was speaking with an Assistant CIO of a very prominent university, and he told me the following story:

“New applications are popping up all of the time, and we only find out about it once they announce it on our internal news digest. Business units across the university don’t even understand that these are IT projects! The vendors love to go to business leaders and tell them that they don’t need IT; all they have to do is buy a turnkey solution. We have tried to go to Purchasing to encourage them to call IT if they think a purchase has an IT component. A lot of times, though, Purchasing can’t tell because it’s a niche technology hidden within a larger service. All the while, people are complaining that working through IT slows everything down.”

IT used to be the epicenter of technology decisions. Higher education has gotten swept up in an overarching trend, however, which is impacting every industry: the meteoric rise of the line of business as a technology decision maker. The quote above hits on a few reasons this is happening

1. Perception that IT is a road block to productivity instead of a productivity enabler
2. University departments have their own budgets, and most of the time, their budgets are significantly higher than IT’s budget (I’m looking at you, Recruiting, Admissions and Advancement)
3. Vendors actively selling to university departments and going around IT altogether

The ship has sailed on bringing all technology decisions back under the central umbrella of IT. I am surprised, however, that given the collaborative nature of Higher Education, that IT would be so actively shut out of these purchasing decisions. This creates a litany of problems that will be difficult, not to mention expensive, to unravel later. One of the biggest problems (there are more): this Wild West mentality to deploying applications significantly raises the risk profile for campuses.

Why do I say that? Even though university departments may be comfortable deploying cool new solutions and cutting out IT, to this day and probably for many days to come, cybersecurity responsibility inevitably rests with the CIO. IT cannot secure what it doesn’t know about, and especially on large campuses, they will not be able to ferret out all of the solutions being deployed without their knowledge.
Hackers love application vulnerabilities. Take, for instance, the Equifax breach. Equifax has acknowledged that the attackers were able to enter their network and steal the data for potentially 143 million people by exploiting a vulnerability on the Equifax website (i.e. an application). What applications on your campus are web facing? Have you vetted all of them thoroughly? How can a university department, without the aid of IT, possibly ask all of the right security questions before they give an application access to potentially sensitive information?

These are scary questions, and I would encourage all university department heads: talk to IT first before you deploy. The technology decision doesn’t always have to rest in the hands of IT, but everyone should be contributing to security. It may briefly slow you down now to include IT, but it will save you a big headache later. Trust me.