Tuesday, June 19, 2012

What "Outsource the Transactional, Keep the Transformative" Looks Like

Late afternoon on Friday, September 30, 2011 I got a call from our Information Security Officer who told me that there was a report of a Web accessible file containing 18,000+ records of sensitive personal information on UGA employees. And so I began my career as Chief Information Officer at the University of Georgia. My first month on the job was focused on responding to this incident and working with others to put together a plan to reduce the risk of something like it happening again. Phase 1 of those efforts, directed primarily at better securing routine transfers of sensitive personal information, has just been completed.

Since that disclosure over 11,000 hours of effort have been directed at examining, eliminating, or encrypting regular transfers of sensitive personal information, with the result being a 93% reduction in the routine transfer of such files. Additionally, where such transfers are required for business or regulatory purposes, the sensitive personal information is encrypted so as to reduce the risk of inadvertent disclosure should the file be lost or intercepted.

For my organization, completing this work was a mammoth effort that required us to turn the strategic direction of our application development teams on a dime so that they could focus on this project and complete this necessary work. For CIOs and IT organizations trying to get their hands around big projects that sometimes lack momentum, here’s what worked for us.
  • Depend on your best and brightest. The project succeeded because it was led by the right team of individuals who, possessing the right competencies, were ready to take on a project of this magnitude. I’ve yet to be let down when handing off our biggest challenges to our best and brightest employees.
  • Clear their plate of all other responsibilities, there must be no distractions. Big projects require focus, so when assigning your team a big project you must clear their plate of all other responsibilities. Otherwise, the priority work really isn’t a priority.
  • Support from those outside IT is critical. In the case of our remediation efforts, the tradeoff for prioritizing this work was less attention for regular, routine requests for application support. Having support from our University leadership and administrative departments for this shift in resources was critical.
We are not yet done; this is only phase 1 of our efforts to more fully protect sensitive personal information at the University of Georgia. As we move forward, our implementation of the Banner student and financial aid systems will continue these efforts on the student information side of our administrative applications. On the finance and human resource information side, we are working application by application to identify and take advantage of opportunities to better protect the use of sensitive personal information. While we will never be able to eliminate the risks of disclosure of sensitive information, these efforts will go a long way towards reducing them through enhanced awareness and better technical controls.

Last year I wrote a piece for EDUCAUSE Quarterly called "Outsource the Transactional, Keep the Transformative" where I argued that we need to keep strategic activities in-sourced and that more transactional IT support activities are stronger candidates for outsourcing. I think that many times we get this backwards, particularly when we hire expensive teams of consultants to tell us what to do about complex problems we don't fully understand. Our approach to UGA's SSN remediation efforts mirror what I believe is the right approach. The thought leadership about what we should do, how we should do it, and when was accomplished by our management team in EITS, led by Jenna King. When we needed more help with the more transactional parts of the project, specifically the editing of mainframe programs and JCL's, we turned to a third-party IT services firm for additional support. This is what "Outsource the Transactional, Keep the Transformative" looks like in reality. In my fifteen years in this business, I have never been more proud of the work of a group of individuals.

2 comments:

  1. Congratulations Tim! You have a great team and they have an astute and visionary leader.

    ReplyDelete