IT Risks for Higher Ed: What’s the Worst That Could Happen?

State and federal funding for higher education has many administrators in a spending mood, but sometimes the most important conversations to have are the hard ones. Now is the time to plan for worst-case scenarios.

The increase in ransomware attacks this year reminds me of a side of information technology that we don’t often talk about. Our excitement around innovation and transformation within teaching and learning, research, and other aspects of the university mission is both understandable and justified. Yet there is exceptional risk when things go wrong — sometimes terribly wrong.

A common adage is that the successful IT organization “needs to keep the trains running on time.” And this is an important insight. Without a strong foundation of reliable and secure services, our IT leaders and organizations won’t be effective partners on higher-level strategic initiatives. But there is always the risk of a rare and catastrophic event — something far worse than a frustrating experience with usability or response times.

I mentioned ransomware as one example. Other major incidents may include a significant security breach exposing sensitive and private data, causing a high-impact downtime in local or cloud services that takes days or even longer to resolve. A natural disaster such as an earthquake or hurricane could impact your IT staff and facilities beyond your disaster recovery and business continuity preparations. And perhaps worst of all from an IT perspective, there could be a series of unforeseen events that results in a permanent loss of institutional data.

We’re all aware of this potential downside within the IT leadership community. The important question to consider is, are we truly, adequately prepared? And are we communicating clearly with our executive leaders so they understand and support our risk mitigation efforts? To be more specific, are we all on the same page in how much we’re investing to reduce the chances of a worst-case event during our collective watch?

There is rarely enough funding to cover all the exciting innovation and transformation opportunities that might benefit the institution. It may be tempting over time to move money and positions to those opportunities and away from operational costs such as risk mitigation. Where to draw the line on acceptable levels of risk with IT-related services is a challenging responsibility. Discussions initiated by the CIO with executive leadership, including areas such as university counsel and audit services, are a best practice to facilitate communication and ultimate buy-in for what is needed.

Another suggestion for dealing with this issue: initiate a peer review, or hire a third-party organization that is well-versed in risk mitigation within higher education to assess your operational technology and data risk.

It’s not possible to be 100 percent assured of avoiding the unthinkable. Yet it is possible, and advised, to have sometimes-uncomfortable conversations and assessments to ensure everyone understands the risks, the acceptable levels of risk and the mitigation efforts. It’s much better to spend valuable time and resources up front to avoid a catastrophic event than to recover from one.

Mark Askren is an IT executive and leadership coach with 35 years of higher education experience. He most recently served as Vice President and CIO for the University of Nebraska. During this period he was elected to the EDUCAUSE Board of Directors, served as chair of the Internet2 Community Engagement Program Advisory Group, and was a member of the Big Ten Academic Alliance for IT. Prior to that he served as Assistant Vice Chancellor for Administrative Computing Services at the University of California, Irvine, where he was also a member of the University of California’s Information Technology Leadership Council. Mark also held the positions of Assistant Vice President for Application Development and Data Management at the University of Illinois, and Assistant Dean for Information Technology at the UC San Diego School of Medicine.