Shared control and cross-functional discomfort
Services not functions
I’ve created a lot of strategic plans over the years and they’ve evolved quite a bit as my own experience and sophistication about ‘strategy’ have grown[1]. I’ve written a fair amount on this blog about strategic planning as well. I’ve also talked quite a bit about the notion of trust and collaboration, developing trust with your community and collaborating with partners who have shared concerns. We have librarians and educational technology specialists, for example, who both create risk (by standing up new technologies and services) and try to mitigate it through policy and practice. In a healthy institution, these and other constituencies work together. But we still often stay focused on our swimlane - our service or our infrastructure - and we lose sight of the pool.
Reflecting a bit more on the recent Canvas incident that I posted on last week, however, got me thinking about the nature of strategic planning and its impact on resilience. In this post I want to ask whether we need to think more broadly about strategic planning: to change the scope from “cybersecurity” to “institutional resilience” and, if so, what that might mean for how we do strategic planning for information assurance.
You see how I brought that broader term, information assurance, back into the discussion. Recall that I define information assurance as an umbrella term that encompasses several distinct yet highly interdependent areas of expertise. These core domains include cybersecurity, privacy, data protection and curation, risk management, and resilience. I do this because I think it’s an excellent gateway to thinking about an organizational strategic plan, and not merely a cybersecurity strategic plan.
Now some of my cybersecurity brethren may be saying “you dope, of course I worry about items like privacy and data protection, I see the scope of what I do as touching almost every aspect of the institution - as you yourself have argued.” That’s wonderful if you’re doing that and I’ve seen many of my peers include these in their planning efforts. But let me ask the question a different way: if someone were to ask your privacy officer, your enterprise risk manager, your registrar or your librarians what role they play in institutional resilience, would they point to your strategic plan or to their own? And if the latter, what exactly is coordinating those plans when the system is under stress? If you framed the question using the term cybersecurity, they might at least acknowledge you. But in many organizations, regardless of goodwill and collegiality, everyone stays head down in their lane, just trying to remember to not bump into the edge of the pool with their head.
More to the point - while your senior executives no doubt expect the CISO to be on point for cybersecurity matters, and the CPO for privacy matters, given the entwined nature of digital systems and business functions (including research and instruction), whom will they turn to for addressing mission continuity under degraded conditions? While I would want my facilities staff to be prepared to respond to a tornado destroying a building, and my cyber staff to respond to a ransomware attack, the reality is that everyone would be involved when classes are disrupted or health is put at risk[2]. As many schools learned from the Canvas incident, regardless of where a problem arises, a rapid and effective response requires marshaling a small army, not a unit. Similarly, proactively building the resilience to weather a storm requires that same army preparing in advance, far more than simply working out an incident response plan. You’re not looking for “incident response” but adaptive capacity across functions.
Let me put this more bluntly: I’m proposing that a mature institution will take a digital equivalent of an “all hazards” approach to cyber risk and ensure that a singular organizational strategic plan is created that addresses the totality of information assurance. Creating such a plan involves more than simply including various stakeholders in each other’s plans - that’s what we euphemistically call ‘coordinating’. In practice coordinating means “develop your own plans but meet once in a while for input.” What most institutions call “coordination” is not integration, it’s parallel planning with occasional conversation. Each domain develops its own strategy, and we reassure ourselves that alignment exists because we meet periodically. It doesn’t.
An “all hazards” approach, taken seriously, requires something much more demanding: a single, integrated strategic plan that treats information assurance as a system, not a set of adjacent functions. This is not about inviting more stakeholders into the room; it is about abandoning the idea that cybersecurity, privacy, data governance, and resilience can be planned independently at all.
Such a plan must cut across the boundaries imposed by the org chart and instead organize around collective risk and continuity. Otherwise, we are not building resilience, but rather, we are coordinating silos.
I can just see the eye rolls taking place as you read this. “You dope, strategic planning is already complex enough, now I need to throw it out and scope it even broader?!” Well, sort of. Naturally, there’s still a need to do functional planning, both tactical roadmaps and strategic plans. If you manage some function - library data curation services, online instruction and pedagogy, privacy, or security - then you need to establish goals and roadmaps that will guide your programs. But the institution will be weaker if it lacks a plan that acknowledges and addresses the system of information assurance. So what barriers and what opportunities are there for moving forward?
Some of the barriers are pretty obvious: leadership and budgets reflect org charts, and different functions are intrinsically more expensive than others. Technology costs and market forces dictate that your 20-person security team is going to be more expensive than a 20-person library data curation team, or a 20-person educational technology team[3]. Greater costs imply greater resources, which lead to greater capabilities, and that changes the flavor of strategic planning pretty directly. We must acknowledge a harsh operational truth: money dictates and reflects political gravity on a campus.
I suspect this cost asymmetry can be somewhat mitigated by staying focused on the goals - the what you’re planning on doing - rather than the how. Perhaps your goal is to ensure instruction can continue despite a 24-hour disruption to internet or LMS access. The plan can then detail who has to prepare for that and point to activities in their work plans. Use the strategic plan to inform and guide your operational roadmap, but avoid turning it into one. This is the hardest part of every strategic plan.
But even more so than leadership and budgets, I think a bigger challenge is a lack of models for this sort of planning. The only place I’ve seen this tackled is the material produced by risk management offices - the canonical source for “all hazards” planning. But these don’t seem to be adopted, modified or not, into cyber risk management, especially in higher education[4]. Cybersecurity plans are driven by IT infrastructure, data curation strategies are bound to the Library, and privacy initiatives are dictated by the cudgel of compliance[5]. Even institutional strategic plans often struggle to do more than offer motherhood and apple pie references that point to a siloed function’s subsidiary plan.
When I think of a strategic plan that addresses risk, I think the product is the process. The lasting value comes from surfacing risk - that sunlight is the best disinfectant. An organizationally scoped strategic plan will illuminate for leadership that, for example, the risk from ransomware isn’t just a concern for your IT and cybersecurity teams. It’s an issue for procurement, for researchers and educators, regardless of where the ransomware lands. This is to say that the process of creating the plan brings transparency to the question of where risk is and how it’s mitigated. I am arguing that this is at least as important as, if not even more important than the plan for action itself. It’s the acknowledgement of a problem necessary before recovery is possible.
The plan does matter though. An effective plan should drive the creation or refinement of your continuity of research and instruction planning efforts. It should help cut through the roadblocks of control, ego, and status. But let me say something about this head-on. I think part of why many of us struggle to achieve the kind of collaborative planning I’m suggesting is precisely because it requires not relinquishing control, but sharing it. Of course I can only speak for myself, but I know many of us frankly resent or at least dread sitting across a table with individuals we don’t truly respect as experts as they suggest changing how or what you should be doing. You’re the senior cybersecurity administrator, and you’re the one who will be held accountable when something goes wrong. I’ve seen this same issue and reluctance from privacy officers when the cybersecurity team treats a major PII exposure as merely another security incident. I’ve seen both teams actively hide events from the other.
You work hard to maintain and manage your span of control, and sitting down with others in cyber-adjacent fields can feel awkward. I’ve no doubt those in these adjacent domains are having the same thoughts. They may defer to your cybersecurity expertise, but would bristle at being told how to manage their instructional services (for example). Rightfully so. What I recommend is that you use that tension as a barometer. If the tension is too high, then either someone is wandering too far outside of their expertise or you’ve identified an area that needs examination. In either case this needs to be the dead fish put on the table - the unsaid conflict that everyone can smell but nobody wants to name. Ask yourself which decisions, and which governance arrangements, would change if that issue were explored.
Remember, you’re still going to want to have a cybersecurity strategic plan as the head of cybersecurity - but the institution needs that information assurance strategic plan. Institutions mis-model risk because they plan along org boundaries rather than system dependencies. As I’ll argue shortly, if you want to address asymmetric accountability you really have to go past those organizational boundaries.
There are a lot of opportunities in this approach. Fundamentally you want to move from planning for control within domains to planning for continuity across dependencies. You are reframing the unit of planning: from functions to services. Right now, plans are owned by functions (security, privacy, libraries, IT). The opportunity is to shift the unit of analysis to institutional services. This is not merely cosmetic: it forces cross-functional dependency mapping and, with it, shared ownership of outcomes. A consequence of this is to make dependencies a first-class artifact. As we saw with Canvas, most institutions do not know what they’re dependent on. This means the real opportunity is to treat dependency mapping as a strategic deliverable, not a technical exercise. Thus we are elevating continuity from IT recovery to mission continuity and can answer questions such as: how degraded can instruction be and still function? What research activities are time-sensitive versus restartable? What administrative functions must remain real-time?
The institutional opportunity that may appeal to your leadership is that this sort of analysis can lead to rebalancing institutional investment based on exposure, not tradition. As we all know, inertia and momentum are the biggest challenges to institutional evolution. They’re part of what enables an underinvestment in research resilience, vendor risk, or identity.
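To make the two preceding points concrete - dependencies as a first-class artifact, and investment rebalanced by exposure rather than tradition - here is an added example of what that artifact can look like once it is written down rather than held in people’s heads. This is not code from the original post; every service, dependency, owning unit, tolerance and restore estimate in it is constructed for illustration, and a real institution would populate them from its own continuity interviews. The point it makes that the paragraphs alone do not is that once the map exists, the questions above (who must be in the room when a vendor fails, which mission services are exposed to a single shared dependency, where the tolerable outage is shorter than anyone’s realistic restore time) become queries rather than arguments.

```python
"""Dependency map as a first-class planning artifact.

Added example, not from the original post. Every service, dependency, owner,
tolerance and restore estimate below is CONSTRUCTED for illustration.
"""
from collections import deque

# Constructed dependency map: node -> what it directly depends on.
# Mission services (the keys of TOLERANCE_HOURS) sit at the top of the graph.
DEPENDS_ON = {
    "instruction":        {"lms", "video_conf", "sso"},
    "registrar":          {"sis", "sso"},
    "research_wetlab":    {"freezer_monitoring", "campus_power"},
    "research_hpc":       {"hpc_cluster", "sso"},
    "lms":                {"sso", "internet", "lms_vendor"},
    "video_conf":         {"internet", "video_vendor"},
    "sis":                {"campus_datacenter", "sso"},
    "sso":                {"idp", "internet"},
    "idp":                {"campus_datacenter"},
    "hpc_cluster":        {"campus_datacenter", "campus_power"},
    "freezer_monitoring": {"campus_power", "internet"},
    "campus_datacenter":  {"campus_power"},
    "internet":           set(),
    "campus_power":       set(),
    "lms_vendor":         set(),
    "video_vendor":       set(),
}

# Constructed: the unit that owns, and therefore must plan for, each node.
OWNER = {
    "instruction": "academic_affairs", "registrar": "registrar_office",
    "research_wetlab": "research_office", "research_hpc": "research_computing",
    "lms": "edtech", "video_conf": "edtech", "sis": "enterprise_apps",
    "sso": "identity", "idp": "identity", "hpc_cluster": "research_computing",
    "freezer_monitoring": "facilities", "campus_datacenter": "infrastructure",
    "internet": "network", "campus_power": "facilities",
    "lms_vendor": "procurement", "video_vendor": "procurement",
}

# Constructed continuity targets: longest outage each mission service can absorb (hours).
TOLERANCE_HOURS = {"instruction": 24, "registrar": 4, "research_wetlab": 2, "research_hpc": 72}

# Constructed restore estimates (hours) from each owner for a total loss of that node.
EXPECTED_RESTORE_HOURS = {"lms_vendor": 36, "sso": 1, "internet": 8, "campus_power": 3}


def dependents_of() -> dict[str, set[str]]:
    """Invert DEPENDS_ON so we can walk upward from a failed dependency."""
    rev: dict[str, set[str]] = {node: set() for node in DEPENDS_ON}
    for node, deps in DEPENDS_ON.items():
        for dep in deps:
            rev[dep].add(node)
    return rev


def blast_radius(failed: str) -> set[str]:
    """Every node that transitively depends on `failed` (excluding `failed` itself)."""
    rev = dependents_of()
    seen: set[str] = set()
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for parent in rev[node]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def impacted_services(failed: str) -> set[str]:
    """Mission services that stop working when `failed` is lost."""
    return {n for n in blast_radius(failed) if n in TOLERANCE_HOURS}


def units_to_convene(failed: str) -> set[str]:
    """The cross-functional 'army': owners of the failed node and everything above it."""
    return {OWNER[n] for n in blast_radius(failed) | {failed}}


def continuity_gaps(failed: str) -> dict[str, tuple[int, int]]:
    """Mission services whose tolerable outage is shorter than the expected restore time.

    Returns {service: (tolerance_hours, expected_restore_hours)}. A node with no
    restore estimate on file is itself a planning gap, so we refuse rather than guess.
    """
    if failed not in EXPECTED_RESTORE_HOURS:
        raise ValueError(f"no restore estimate recorded for {failed!r}; ask its owner")
    restore = EXPECTED_RESTORE_HOURS[failed]
    return {s: (TOLERANCE_HOURS[s], restore)
            for s in impacted_services(failed) if restore > TOLERANCE_HOURS[s]}


def exposure_ranking() -> list[tuple[str, int]]:
    """Non-mission nodes ranked by how many mission services they can take down."""
    ranked = [(n, len(impacted_services(n))) for n in DEPENDS_ON if n not in TOLERANCE_HOURS]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for failed in EXPECTED_RESTORE_HOURS:
        print(f"{failed}: convene {sorted(units_to_convene(failed))}, gaps {continuity_gaps(failed)}")
    print("exposure:", exposure_ranking()[:5])
```

Two things fall out of even this toy map. A vendor outage lands on procurement, edtech and academic affairs together, not on the security team at all, which is the “small army” point. And the exposure ranking puts campus power and internet ahead of anything the security budget traditionally funds, with identity (SSO/IdP) and the datacenter close behind: exactly the underinvestment in identity and vendor risk the paragraph above describes, now visible to leadership as a number rather than an opinion.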
Earlier I suggested using discomfort to inform decision making. This is not easy, but if successful you’re turning cross-functional friction into signal, not noise. We overlook these opportunities so often, as when we hear user complaints about security measures as resistance rather than feedback. Once you start looking for it, you find this tendency manifest in so many parts of IT - and I suspect the same is true in many units that support staff or students.
Ultimately, and perhaps most important, we want to create a shared risk narrative for leadership. Rather than receiving fragmented reports and metrics, the opportunity is to produce a coherent institutional risk narrative, where cybersecurity, privacy, vendor risk, and resilience are presented as one system. Where the trade-offs are explicit and the dependencies are visible. This is what enables actual governance, rather than episodic reaction.
On a very practical note, I want to mention a final opportunity, that of mutual support. Presenting annual work plans that include activities involving other units - and for them to do the same - demonstrates two things to your leadership. First, every large organization suffers from operational friction wrought by redundancy and over-siloization. Family squabbles, so to speak. Addressing issues at the larger institutional scale is a sign of maturity and selflessness. It is always appreciated. Second, and more important in the long run, it reinforces to your executives that the risks each of you wrestle with are not limited to a functional unit: that all the elements of information assurance are risk centers that affect every corner of the institution. With this you are coaching the institution to think holistically, and realistically, about risk.
I’ve spoken a lot in this post about continuity - business, research, and instruction. The real challenge here is to lift your head from the water and realize the pool is the real focus of your attention; it’s not a race, nor languid training laps. I suspect that, of all the challenges I’ve outlined, it isn’t a lack of templates or asymmetric budgets that stifles us - it’s the discomfort of sharing control. The maturity of a CISO or a CIO shouldn’t be measured by the size of their span of control, but by their willingness to share it to protect the institution’s mission.
The real constraint is not frameworks or budgets but the psychology of shared control and asymmetric accountability. Remember, shared control implies shared accountability and this produces better governance decisions under uncertainty.
I still do strategic planning, though now as a consultant. DM me if you’re interested in collaborating with me and the firm I work with.
[2] Many people don’t realize that one of the most critical resources on most campuses is the subzero freezers full of biological samples: often irreplaceable and at tremendous risk when power is disrupted. The top three concerns during an emergency are usually student health, animal health, and subzero freezers.
[3] OK, stop ROTFL, I realize few edTech or data curation teams see this staffing level. Nor does anyone but the largest R1s have 20+ cybersecurity team members. But if you can’t have a conversation about salaries with your counterparts, just look at job postings. Cybersecurity positions simply pay 30-50% more.
[4] This strikes me as a ripe area for a community-developed template. I’m imagining a NIST CSF type scorecard for information assurance that reflects an institutional posture, not merely cybersecurity.
[5] Please don’t everyone write me telling me how their plan doesn’t do this. I’m painting with a broad brush here.