Current Issues Survey Report, 2008

The ninth annual EDUCAUSE Current Issues Survey results show a good deal of movement among the most critical challenges facing campus information technology leaders in 2008.¹ Thirty-two percent (589) of 1,845 EDUCAUSE primary member representatives responded to an e-mail invitation to complete the web-based survey in December 2007. Table 1 shows the institutional demographic breakdown of respondents. Survey participants were asked to check up to 5 of 31 issues in response to each of four questions (see Tables 2 and 3).

* For an expanded table of the 2008 survey choices, showing all sub-items that the Current Issues Committee defined as constituting each issue, see http://www.educause.edu/2008IssuesResources.

Each year, the Current Issues Committee tries to develop a survey instrument that balances issues across time with (a) emerging, less-relevant, and receding issues; (b) converged issues that no longer make sense to separate; (c) split issues that are too complex to continue as one; and (d) changes in the evolving IT nomenclature. For 2008, the committee introduced the following changes to issues and subtopics.²

Communications/Public Relations for IT (new choice in 2008)

• Developing a communications plan for IT
• Sending regular, targeted communications to faculty, staff, and students
• Communicating with the millennium student
• Communicating the value of IT, internally and externally
• Dealing with the press/media
• Maintaining internal IT communications
• Explaining the return on technology investments to leadership and stakeholders

E-Learning/Distributed Teaching and Learning (includes "E-Portfolio Development and Management" from 2007)

• Developing infrastructure to support learning technologies
• Supporting distance learning and virtual campuses
• Using active, collaborative, and immersive learning environments
• Aligning technology use with student expectations and institutional mission
• Integrating emerging tools (podcasts, immersive environments, mobile computing)
• Realigning policies, organizational structures, and procedures
• Supporting information and technology fluency/literacy
• Integrating library, learning, and support resources
• Promoting the effective use of technology in instruction
• Supporting faculty development
• Conducting assessment and evaluation of e-learning programs, instruction, and student learning
• Developing and managing e-portfolios

Support Services/Service Delivery Models (includes "End-to-End Service Assurance" from 2007)

• Providing 24 × 7 help desk
• Establishing service level agreements (SLAs) with internal clients
• Centralizing versus distributing support
• Developing standards for support services
• Developing "smarter" support models (knowledge bases, self-help tools)
• Managing customer relationships
• Individualizing/personalizing support
• Testing (functional, load, integrity) applications with automated scripts prior to "going live"
• Monitoring services end-to-end to assess end-user experiences
• Handling incidents/alerts efficiently and effectively when problems occur
• Establishing/negotiating SLAs and organizational level agreements (OLAs)
• Evaluating and implementing IT Infrastructure Library (ITIL) practices and standards

It is also worth explaining another survey issue the committee decided to handle in a special way: What to do with the emerging topic of cyberinfrastructure? Cyberinfrastructure now refers to much more than the National Science Foundation (NSF) standards for information sharing between the agency and researchers. Cyberinfrastructure is the nexus of hardware and software systems, distributed computing, data, communications technology, tools for collaborating, and research communities. The committee decided not to create a top-level item for cyberinfrastructure in 2008 but, rather, to include a new sub-item on "meeting standards for cyberinfrastructure, integrating distributed computing, networks, data, and communications technology" under three other top-level items: Identity/Access Management, Infrastructure, and Research Support. It may well be that cyberinfrastructure will merit a separate top-level choice in next year's survey, but for this year, the committee chose to reflect it in three established issues.

2008 Survey Findings: All Respondents

The following observations reflect the aggregate patterns of focus and concern among IT leaders across all types of institutional size, Carnegie class, and governance.

Stability Among Top-Three Issues

Since 2003, the top-three issues in terms of strategic importance to the institution (Question 1) have been, in various rankings, Administrative/ERP Information Systems, Funding IT, and Security. Funding IT was ranked number one for three straight years, 2003–2005, until 2006 when Security and Identity Management (a single issue then) emerged as number one. In 2007, Funding IT moved back into the top spot, with Security as number two. This year, Security is number one, Administrative/ERP Information Systems is number two, and Funding IT has dropped to number three. It is tempting but risky to draw inferences about trends in the profession or higher education generally to account for these shifts. When you consider that the three top issues are spanned by only one percentage point between survey respondents who cited them among the top-five strategic issues (Security: 41.2 percent; Administrative/ERP Information Systems: 40.5 percent; Funding IT: 40.2 percent), the salient point is that these issues collectively continue to be the critical touchstones for IT in higher education. When any one of them falters, whether through major data-integrity breaches, system implementation glitches, or budget cuts, an institution's or system's strategic health is threatened.

What's In and What's Out

Issues that move into or fall out of the top ten are a key measure of what is on IT leaders' radar (see Table 4, 2007–2008 Comparison of Top-Ten Issues for All Questions). Across all institutions in 2008, there are several interesting moves into and out of the top ten. Change Management appears for the first time (number 8) in 2008, while Strategic Planning drops off the list of issues critical for strategic success (Question 1). Are these two sides of the same coin, or does one subsume the other? Strategic Planning, which has been one of the more stable issues in the top ten, focuses on alignment—of IT strategies with institutional missions, of campus stakeholders' goals with IT planning, of resources with priorities. Change Management has two dimensions, one in the larger sense of culture change and the other in developing a process for handling IT changes that are made on a regular basis—patches, upgrades, replacements—that can be very disruptive if there is no Change Management process in place. Ultimately, Change Management requires planning for change: defining what the change is, understanding how it will impact existing systems, and communicating, testing, and evaluating it once implemented to make sure the change accomplishes its intended purpose. It is not that IT leaders no longer care about or are not "doing" strategic planning; rather, change is especially on their minds in this cycle. Indeed, Change Management also appears for the first time in the top-ten issues with the potential to become more significant in the future (number 10, Question 2), and among those on which IT leaders are spending most of their time (number 5, Question 3).

Another thematic instance of what's in and out is the disappearance, on the one hand, of Course/Learning Management Systems and Faculty Development, Support, and Training from the strategic issues list and, on the other hand, the emergence of E-Learning/Distributed Teaching and Learning (number 9 in 2008). In 2007, C/LMS made the top-ten issues list not so much because of the galvanizing impact of the Blackboard-WebCT merger or the copyright-patent controversy (though that may have been a contributing factor) but because of the evolution of this technology as a mission-critical enterprise system and its accelerating use as a fundamental teaching and learning resource by institutions of all kinds. It may well be that in 2008, C/LMS and Faculty Development, Support, and Training are now understood to be aspects of E-Learning/Distributed Teaching and Learning, and this, in turn, may reflect the emerging influence of instructional technology and design as both a key element of the IT organization's mission and an expanding niche of the profession.

Also notable is the reappearance of Staffing/HR Management/Training as number 10 among the issues of strategic importance. This issue last appeared in the top-ten in 2001 when it was number 4. A year after the turn of the century, IT departments in many institutions were still grappling with the staffing challenges that the Y2K milestone had presented, either for massaging homegrown administrative legacy systems to perform in a new millennium, with increasing demands for web-based services, or for developing new skills to integrate and manage newly purchased ERP systems. While never very far out of the top-ten issues between 2002 and 2007, the emergence of Staffing/HR Management/Training as number 10 in 2008 may signal a renewed awareness among higher education CIOs of the challenges of recruiting, remunerating, and retaining a skilled IT staff. Whether it means hiring people with specialties in such emerging areas as security and identity management, and instructional design and technology, or cultivating those skills in existing staff, CIOs face a daunting test to provide a workforce that can meet their institutions’ IT needs in the midst of constrained institutional budgets and increasing competition for experienced professionals.

Potential to Become More Significant

In this category (Question 2), more often than not, you can substitute "worrisome" for "significant." These are the issues that CIOs think will be keeping them up at night in the future, if not already, demanding more of their time and already stretched staffs and budget resources. In addition to Change Management (also appearing for the first time among strategic issues), two notable new issues are cited among the top ten with potential to become more significant in 2008 and beyond.

Compliance and Policy Development traditionally evokes state and federal laws and regulations represented by the alphabet soup of regulations: ADA, CALEA, DMCA, FERPA, HIPAA, SEVIS, and USA PATRIOT. As this article is being written, the College Opportunity and Affordability Act is advancing through the U.S. Congress with two requirements that could dramatically affect the IT organizations of institutions with federal financial aid programs: (1) to advise students not to commit copyright infringement and to "report to students annually on policies and practices with respect to copyright infringement on campus networks"; and (2) to develop plans for "alternative" offerings to unlawful downloading, such as subscription-based services or "technology-based deterrents to prevent such illegal activity."³ Compliance with a vague federal requirement to deploy unproven technologies with considerable new costs is understandably high among IT leaders' future concerns.

Assessment/Benchmarking has been included as a choice on the Current Issues Survey from its inception, focusing on such challenges as evaluating the academic and administrative benefits of IT, assessing the IT organizational model, identifying effective metrics for benchmarking IT services, and adopting formal assessment methodologies. Now, with broader public pressure for cost-benefit accountability and student learning outcomes assessment in higher education, IT organizations must consider their role in supporting the institutional response. There are no clear national models or standards for aggregating institutional data and creating actionable plans to improve student recruitment, retention, and academic success. Many institutions are struggling to find the right ownership/partnership for addressing these new mandates between academic and student affairs, information technology, and institutional research.⁴

Occupying Most of IT Leaders' Time

For Question 3, new challenges have risen to the top ten for CIOs in 2008: Change Management (number 5), Collaboration/Partnerships/Building Relationships (number 8), Communications/Public Relations for IT (number 9), and Compliance and Policy Development (number 10) all appear on this index for the first time. These supplant Disaster Recovery/Business Continuity, Identity/Access Management, Electronic Classrooms/Technology Buildings/Commons Facilities, and Support Services/Service Delivery Models from 2007. It is not that the latter cluster is no longer important but, rather, that at many colleges and universities, they have been more fully integrated into the IT organization and in general are no longer a primary focus of the CIO. It is worth noting that one of the new issues on the CIO's plate in 2008—Communications/Public Relations for IT—is a completely new survey choice this year, reflecting an emerging recognition that a critical aspect of the IT organization's mission is to tell its story to numerous constituencies in and out of the campus community.

Across All Questions

Comparing results from all respondents, three issues rank in the top ten for all four areas of strategic importance, future significance, IT leaders' time, and cost:

• Administrative/ERP Information Systems
• Infrastructure
• Security

Three other issues are on the top-ten lists for three of the four areas (all but Question 4, cost):

• Change Management
• Funding IT
• Governance, Organization, and Leadership

How do the overall results of this year's survey compare to last year's? In addition to those issues discussed above that appear for the first time in 2008 or that dropped off a top-ten list from 2007 (see Table 4), the issues whose relative positions changed the most were two in the strategic importance group:

• Infrastructure: up three positions to number 4
• Governance, Organization, and Leadership: up three positions to number 7

It would be a stretch to say that these two are the most volatile issues for IT leaders because a swing of three ranking positions, up or down, must be seen in the context of other issues in a given year's survey. If Infrastructure and Governance hold these positions or rise further in subsequent years, we can then try to account for the forces that establish a trend.

Top-Ten Current Issues Defined⁵

Following are brief profiles of the top-ten issues that IT leaders say are the most important for their institutions to resolve for strategic success.

No. 1: Security

It is no wonder that IT security has again emerged as the top strategic issue for colleges and universities given the increasing amount of critical data and new services that are available electronically and need to be protected. The persistence of security incidents and reported data breaches, and a growing number of compliance requirements including security-related state and federal regulations and contractual obligations, make this a central and acute concern of all IT organizations, no matter their institutions' sizes and missions. College and university personnel have a daunting task to ensure the security of information resources while operating within a culture of openness and decentralization. In addition, the changing nature of the threats continues to challenge IT organizations. Among the issues that institutions need to address are the following:

• Are you aware of the federal, state, and local laws that may govern the data for which you and your institution are responsible and that may dictate the appropriate and necessary responses to any breach?
• Does your institution have privacy and security policies that encompass all of the institution's IT resources and not just the central systems? Are the policies enforced consistently across the enterprise, reviewed regularly, measured for effectiveness, audited for compliance, and updated to reflect changing needs? Do your procedures reflect your policies' goals?
• Does your institution have a formal, documented security-incident response plan that includes procedures for detecting, reporting, alerting, escalating decision-making authority, containing, remediating, and returning to service? Does the plan set in motiona notification process when protected data have been potentially compromised? Do you have staff trained in computer forensics or ready access to experts? Do you have processes in place for dealing with law enforcement agencies?
• Do your senior administrators recognize their roles as information stewards? Have you developed clear, consistent policies and procedures for classifying, handling, retaining, and disseminating information and appropriate security controls for protecting critical and confidential resources?
• Does your institution have an enterprise IT security program to address the changing nature of IT threats and the increasing number of compliance requirements? How do you ensure that you remain current with respect to the changing regulatory landscape? How have you addressed the changes in the e-discovery rule with respect to litigation holds?
• Is IT security viewed as a funding priority? Are there necessary funds to facilitate and support improved security measures on a campus-wide basis?
• Do you have a chief privacy officer and/or a chief information security officer for striking the balance between privacy and security? If you do not have the resources for such a position, where/with whom does the responsibility reside? Are there sufficient staff trained and assigned to assess the risks to, and ensure the privacy and security of, the institution's information resources?
• Has your institution planned or completed a comprehensive risk assessment to identify and prioritize vulnerable areas and ways to mitigate potential risks, including those caused by lost or stolen mobile devices? Do you routinely consider privacy and security implications before buying or deploying new systems or technologies?
• Does your institution provide an awareness and training program in privacy and security? Does it include awareness of the defensive measures appropriate to your institution to protect systems and data? Do you regularly communicate information about your policies and procedures to your constituents?
• Has your institution built the appropriate infrastructure to improve security? If infrastructure services are outsourced, does your provider have these measures in place? Have you implemented a unified threat- and vulnerability-management system that includes such features as firewalls, VPNs, antivirus, antispyware, antispam and antiphishing, bandwidth management, intrusion prevention and detection, and content filtering? Has your institution engaged an independent entity to assess the effectiveness of these measures?
• Do you and your security managers regularly consult the website of the EDUCAUSE/Internet2 Computer and Network Security Task Force (http://www.educause.edu/security)?

No. 2: Administrative/ERP Information Systems

While ERP systems have been a familiar part of the IT environment for years, institutions still consistently spend the most resources on them. Also, despite the arrival of new technologies and concepts, ERP has risen in strategic importance to second place from third last year. In fact, ERP has stayed in the top five for all questions for all institutions.

In addition to large initial implementation costs, IT leaders typically find that staff development, user training, business process modifications, regulatory compliance, and a very limited pool of talent are acute challenges and drains on resources. Annual maintenance, licensing, and consulting services are also getting more expensive.

Looking for new markets to penetrate, the major ERP vendors have been busy with acquisitions and product-line expansions. Advanced enrollment management, business intelligence, and live key performance indicator dashboards are a few of the new applications that vendors are promoting for improved institutional data analysis and decision making. While higher education uptake of these ERP add-ons has been modest, rising student expectations and increasing recruiting competition may drive more institutions to invest in getting strategic value out of ERP data that are now usually oriented toward purely transactional use.

In general, open source and best-of-breed systems have been and will continue to be attractive to higher education. However, uncertainties about the total cost of ownership of open source systems continue to leave many institutions wary of these options.

Selection of a new ERP system or evaluation of an existing one has become so involved and complex that one might want to consider letting an independent consulting firm run the assessment and RFP processes. Undoubtedly, defining the needs and making the final decision must stay with the institution's stakeholders and executive leadership.

Considerations for increasing value while reducing overall ERP cost will include:

• What stakeholder dependencies and expectations must be factored into making sure you have the right system for your institution?
• How do the concepts of "empowering strong leadership" and "fostering appropriate governance" relate to ERP system oversight?
• Does your IT organization have a formal and effective staff development program to meet the demands of ERP management?
• Does your institution have a comprehensive and formal user-training program? Do you use faculty and other champions to train others?
• When and where does it makes good business sense for your institution to outsource system services?
• What staff members and processes does it take to stay current with patches and upgrades?
• Have you developed and do you enforce a strict policy on customization?
• Do you have a reasoned (and institutionally accepted) approach to decisions about centralizing and decentralizing aspects of system maintenance and application services?
• Are you deploying new and proven technologies, such as virtualization, when and if possible?
• Have you reduced the risk of significant unplanned costs by implementing best practices, such as creating and testing a disaster-recovery plan and implementing a comprehensive security plan?

No. 3: Funding IT

For the first time since the inception of this survey, Funding IT has fallen out of first or second position. In a recent University Business IT spending survey, 51 percent of CIOs and IT leader respondents reported an increase in IT budgets over the prior year. The survey found that "despite decreasing technology costs, computer hardware and enterprise software still claimed the biggest portions of most budgets."⁶

IT leaders continue to face growing expectations for new and existing IT services that exceed budget capacity; escalating maintenance costs that take up larger percentages of IT budgets; and increased funding pressures at federal, state, and institutional levels.

As challenges continue, approaches to funding IT are evolving. Increasingly, campuses are recognizing the need to involve the CIO in the institution's highest level of planning and governance. IT leaders are devoting more time to campus communications, multiyear planning, and presenting IT opportunities in the context of the institution's mission (focusing on results versus the underlying technologies). These changes are having a positive impact on funding IT through better-architected results, informed decision making, and improved expectation management.

IT organizations historically focused funding efforts on operational priorities (rates, lines of business, metrics); however, it is becoming increasingly important to balance this with strategic and organizational perspectives. Brian Hawkins recently noted,

IT leaders will continue to be challenged by funding pressures and new service demands; however, if progress continues with shared vision, campus-wide communications, and multiyear IT planning, perhaps one day funding will eventually be able to drop even lower if not off this list altogether.

Key campus considerations include:

• As budgets continue to tighten, are new funding options being considered versus just concentrating on cost cutting? Are changes in the global market allowing for new sources of labor and markets for your institution? Have assessments been completed on how technology can address the most pressing productivity issues on campus?
• Are IT initiatives presented in the context of competing institution-wide opportunities and issues? Are university-wide leaders involved in IT governance for investments and expectation setting? Are peer and vendor relationships being leveraged to the institution's fullest potential? Are nontraditional partnerships investigated (for example non-higher-ed partners for data center back-ups)? Are co-development/joint research collaborations explored?
• Where IT organizations have been allowed to assess chargebacks, are the rates creating desired incentives for decision making and control? Are multiyear service trends documented and shared to inform the campus about the growth of new service offerings and changes to existing offerings? Are cost-saving options, such as e-mail outsourcing, investigated? Are financial plans presented with benchmarking that is meaningful on your campus? Two essential resources for benchmarking IT funding in higher education are the EDUCAUSE Core Data Service (http://www.educause.edu/apps/coredata/index.asp) and The Campus Computing Project (http://www.campuscomputing.net/).

No. 4: Infrastructure

It is not surprising that the management of IT infrastructure has consistently been an EDUCAUSE top-ten current issue for the past several years. In 2008, it jumped three positions over 2007 to number four. The challenge of maintaining and enhancing campus infrastructures has become more acute due to a number of factors: environments becoming more complex and subject to intrusions and security breaches; more demanding technology users and higher expectations for always-on service; new pressures on sustainability and the environment; and budgets that are never quite sufficient to cover priority investments.

Supporting robust connections to regional and national networks; maintaining, managing, and securing campus backbone networks; and providing robust connections to the desktop require sound fiscal planning and commitment to providing for the basic computing and telecommunications needs of the college or university. And that's just the network! Among the other critical components of the IT infrastructure are voice services, software licensing and life cycles, the exploding need for storage, and facilities for disaster recovery and business resumption. The IT organization at some institutions is being asked to fund and maintain new infrastructure projects, such as wireless and VPN, while not yet being able to fully fund and support the "traditional" wired infrastructure. Indeed, this issue embraces all the elements of the emerging topic of "cyberinfrastructure," which has come to mean much more than the NSF's raised bar for secure information transfer between researchers and the agency.

There is an expectation that IT infrastructure, like electricity and water, is always there when needed. While infrastructure may not be a showcase item, it is the bedrock for those technology-related activities that promote and enhance the reputation of the institution. Infrastructure is the "silent partner" in teaching and learning, scholarship and research, student services, administrative applications, and outreach and engagement.

Newer and emerging important aspects of infrastructure are changing how we must manage in the future. The necessary focus on "green computing"—in particular, energy conservation—will have a demonstrable impact on future infrastructure decisions. Shared data facilities, virtual machine technologies, consolidation strategies, and power management are a few of the growing expectations for infrastructure plans and investments.

Key questions related to IT infrastructure include:

• Does your institution have a life-cycle funding model that allows for regular and continuous upgrade of IT infrastructure components?
• Are you able to predict an accurate trajectory for bandwidth needs? Is there a plan in place to assure that those needs are met?
• Is IT infrastructure addressed in your institution's strategic plan?
• Have you initiated a "green computing" program at your institution?
• Is your technical network staff up-to-date on emerging technologies and standards? Do you provide professional development opportunities to assure that staff will acquire necessary skills? Do your network leaders participate in national or regional networking groups?
• Does your infrastructure have built-in redundancy to provide continuous service? Have you arranged for alternate sites for business continuity in case of an emergency or disaster?
• Do you periodically consult with deans, chairs, faculty, and administrators about the adequacy of IT infrastructure? Have you measured your students' satisfaction with the IT infrastructure?

No. 5: Identity/Access Management

On increasing numbers of campuses, awareness of the challenges of Identity/Access Management (I/AM) has grown beyond the provenance of the IT organization to an institution-wide commitment, albeit grudgingly in some quarters, to new network usage and information access protocols. As institutions develop plans and operations relating to each of the major elements of I/AM—identification, authentication, and authorization—awareness and action both are maturing.

I/AM was initially associated with Security in both the EDUCAUSE Core Data Service (http://www.educause.edu/apps/coredata/) and in previous Current Issues Surveys (http://www.educause.edu/CurrentIssues/875). Beginning with the 2007 Current Issues Survey's separation of Security and Identity Management into two distinct issue choices, I/AM has gained new importance. This isn't to suggest that Security is less important but, rather, that I/AM appears to be taking on a broader perspective similar to the evolution of business continuity planning in relation to disaster recovery.

Similarly, there has been a clarion call from IT leaders to educate and inform campus constituencies about the importance of I/AM because so much depends on the risk awareness and active vigilance of individual network users.⁸ Organizations such as EDUCAUSE, the InCommon Federation, Internet2, and the NSF are making concerted efforts to develop applications and policies for I/AM. However, these appear to be just the initial steps required to alert the community that more needs to be done. Recently, EDUCAUSE launched a spotlight series of web seminars on how IT professionals are addressing specific I/AM challenges on different campuses (http://www.educause.edu/SpotlightSeries/15139).

In addition to questions raised in last year's Current Issues Survey Report,⁹ questions for Identity/Access Management include the following:

• Do you understand the case statement for alerting campus leaders to the need for a comprehensive approach to I/AM planning? Several cogent arguments for a campus-wide effort can be found at http://www.educause.edu/EDUCAUSE+Review/EDUCAUSEReviewMagazineVolume42/WhatHigherEdLeadersNeedtoKnowa/161915 and http://www.educause.edu/ECAR/CampusITSecurityLeveragingIden/157579.
• What is the status of your campus plan for addressing I/AM?
• Has the institution planned or completed an IT risk assessment?
• Where does the institution stand in relation to the essential policy development that is necessary to support a robust I/AM implementation?
• Have these policies been shared with campus leaders as part of a business case or communications strategy?
• Are the IT staff aware of the long-term goals to integrate the systems of identification, authentication, and authorization?
• In light of your staff and institutional resources, have you considered external expertise to help with planning for I/AM, regarding either policy or technical development? For a list of I/AM software vendors, see http://www.educause.edu/wiki/IDM%2FIAM+Software+Vendors?redir=.
• Are you aware of the growing repository of information available at the EDUCAUSE website on I/AM (http://www.educause.edu/IdM)?

No. 6: Disaster Recovery/Business Continuity

Disaster Recovery/Business Continuity (DR/BC) first appeared in the Current Issues Survey in 2001 and made it to the top-ten list in four of the past five years. In the same period, according to a 2007 ECAR study,¹⁰ about half of the responding institutions suffered disruptive events that triggered an emergency response. About 60 percent of institutions have a strategic plan for IT disaster recovery.¹¹

However, in a world where nearly 50 percent of the business functions are considered mission-critical¹² and expectations of always-on service are the norm, the classic reactive mode of disaster recovery—hours or days of downtime while back-ups are retrieved and data recovered—may not be good enough. Instead, institutions are shifting their focus to more proactive planning for organizational resilience, building their capability to respond rapidly to unforeseen change with service-oriented architectures, data mirroring, and server virtualization, among other strategies. A few institutions have even gone so far as to create an organizational resilience unit.¹³

Whatever approach an institution takes to DR/BC planning, some person or office should have specific responsibility for coordinating it. Such planning is a complex, iterative process that requires support from the entire institution, not just IT, particularly when the focus is on resilience. Resilience needs to be introduced into the ordinary management and decision-making processes about technology and systems, and a designated sponsor helps ensure such integration. Collaboration is also essential to building resilience, not only collaboration within the institution but also with partners in the larger community, in the region, and in other parts of the country. The development of national and state standards for crisis management¹⁴ has made larger-scale collaboration easier by providing a common language and procedures.

While the traditional approach of threat/vulnerability assessment and risk management continues to be important, capabilities assessment is also critical. What capabilities—multiple communication platforms, well-understood telework procedures, virtual support services—are in place or must be developed to ensure the recovery and continuance of the organization?

There is, of course, a cost for building resilience, but the cost of recovering from an unplanned disruption is often many times greater. Critical questions for DR/BC include:

• Has your institution assigned responsibility for coordinating DR/BC planning to a specific individual or office?
• Has your institution conducted a risk assessment to determine likely threats and mitigation factors? How much of a risk are your current operating methods?
• Has your institution conducted a business impact analysis to determine mission-critical applications and restoration priorities?
• Does your institution have a documented and tested DR/BC plan for each mission-critical application? Is there a program in place for continuous revision and testing of the plans?
• What processes and capabilities are needed to make your institution resilient? Do you have a plan for building and testing these capabilities?
• What opportunities for partnership exist within your state or region to provide resilience to your institution and your partner institution (a shared regional data center, cross-training, joint testing exercises, for example)?
• Does it make sense for your institution to outsource some DR/BC functions?
• Are issues of DR/BC and resilience routinely included in every discussion about new technologies at your institution?

No. 7: Governance, Organization, and Leadership

The issues surrounding IT governance in higher education are complex indeed. While, on the one hand, many of these issues are institutionally and organizationally agnostic, others very much reflect the history and culture of our individual campuses. What may seem to be simple questions, such as the IT leader's title and reporting line, are anything but simple. Complicating many of these discussions is the fact that within a very short amount of time (at least in institutional terms), and within the institutional memory of many on our campuses, IT has gone from being nonexistent to an ever-visible presence requiring ever-more resources in terms of staffing, budget, and time.

Many of our campuses have reached the point of enlightenment where the head of the technology organization is called upon as needed to discuss obvious technology-related matters. However, fewer than half of our institutions have the top IT administrator sit at the cabinet level (although the trend has been modestly increasing). The EDUCAUSE Core Data Service (http://www.educause.edu/apps/coredata/) for 2003 shows 30 percent of CIOs reporting to the president and 44 percent sitting on the cabinet, while the data from the 2005 survey shows those numbers increasing to 31 percent and 46 percent, respectively, and for 2006, 32 percent and 48 percent. These institutions recognize the value of having someone with a deep understanding of the strategic and transformative values of technology participate in broad institutional discussions.

At the same time, our constituents are concerned with who is involved in technology-related decision making. Much as the CIO wants to be engaged at the highest level of institutional discussions and decision making, so too does the campus community want to be involved in the IT process. As a result, the institutional committee structure should ensure opportunities for involvement from all members of the campus, not just the faculty (who frequently have involvement in such matters codified in the governance). Of course, it is also important to structure incentives and responsibilities so that involvement is a practical reality and not just a theoretical right. It is also important to determine what to share with the institution's governance board and to be aware of its expectations of involvement in technology discussions, an issue that is on the minds of many IT leaders, as shown by recent discussions on the EDUCAUSE CIO listserv (https://www.educause.edu/community/cio-community-group).

For senior members of our profession to be welcomed "at the table," it is imperative that they convey both an interest in and understanding of the complete spectrum of issues that are of importance to the institution. Such interest should not develop in a vacuum. We need to ensure that the next generation of IT leaders not only has technical expertise but also has been regularly exposed to and engaged in the issues of the day that affect our institutions and higher education in general. Cultivating such an awareness can be difficult when IT staff treat their work as "jobs" rather than "professions," making staffing and professional development (see issue number 10) so critical. Indeed, leadership development is a frequent topic of interest at both national and regional conferences.¹⁵

Important questions to ask about governance and leadership are:

• Do you have appropriate advisory committees, and are they constituted to ensure broad constituent input?
• Has the IT governance process been designed in a coherent fashion, or is it simply an accretion of inherited practices and institutional traditions?
• Does the IT governance process have the performance measures and other metrics necessary to make informed decisions? Does it make decisions on that basis?
• Are you creating professional development opportunities within your organization to engage your staff in discussions of a broad set of issues facing your campus and higher education?
• Has your campus reexamined the reporting relationship of the CIO as well as given the CIO a place on institution-wide committees, including the executive cabinet?
• Is the CEO willing to charter and actively support the advisory committee(s)?

No. 8: Change Management

IT organizations large and small, private and public throughout higher education are under constant pressure to advocate or influence institutional change. For most campuses, the CIO has the dual role of delivering service and support and acting as an agent of collaborative change throughout the organization. CIOs use change management (i.e., the purposeful and structured approach to transition from a current to a desired state) to align their organizations to match the college or university's core requirements. In addition, CIOs use change management methods and practices to ensure service levels, improve the consistent delivery of operations, and improve predictability of support and innovation.

Change management allows the CIO to engage in purposeful change by defining processes, disclosing methods, and facilitating the desired outcomes for both systems and for processes and services. For these reasons, the practice of change management informs the role of CIOs and IT management throughout the institution.

CIOs have been calling for professional practices in change management in recent articles and presentations.¹⁶ For example, Geoff Scott reminds us that IT in higher education must be more flexible and, therefore, more responsive as its management improves. While change management practices may start with vision and leadership, few IT leaders and their institutions are trying to improve governance through explicit management practices.¹⁷

Change management is a management practice informed by defined methods. Although no single method or practice will suit all institutions, here are a few questions that will help organizations establish purposeful, managed change:

• What is your institution's culture and capacity for embracing change? How can you improve the adoption of change when it is right and needed?
• Since "culture eats change," how can you align/realign management practices with an emphasis on culture?
• What process improvements and skills alignment do you need to support before significant change can happen?
• Which of the multiple layers of your IT organization are most in need of transformation?
• In order to involve every layer of the organization, which leaders, stakeholders, and external constituents need to be engaged in change management?
• Do you make the best use of data to establish a need or to explain why change is needed?
• Have you deployed ITSM (information technology service management) or similar standards and methods as the foundation for change?
• Do you communicate with the campus with regular and timely information that helps stakeholder groups acknowledge, improve, and celebrate?

No. 9: E-Learning/Distributed Teaching and Learning

The CIO invests in E-Learning/Distributed Teaching and Learning by efficiently hosting enterprise-level hardware/software, securing access, and ensuring data integrity. Through strategic dialogue with campus stakeholders, CIOs are responsible for adopting and implementing new technologies to support teaching and learning. However, the rapid rise of Web 2.0 technologies to support user-generated content, build collective intelligence, and share information across a participatory community of learners internal and external to the campus alters the pace of adoption, points of entry for adoption, and configuration of leaders who should be discussing resulting issues. As faculty and students self-select and adopt emerging social networking tools and applications residing outside the local IT environment, campus dialogue must focus on impact on the underlying IT infrastructure, content retention, and protection of user (and content) rights.

When balancing the ongoing support of enterprise-level technologies, the natural state of emerging technologies can dissuade CIOs from investing significant resources. As experienced in the early years of learning management systems, institutions must figure out how to create a roadmap for turning the emerging technologies into productive tools for supporting the next-generation e-learning environment. Examples include e-portfolios, wikis, blogs, podcasts, e-learning repositories, and virtual worlds.

Institutions can remove barriers to creating a campus e-learning roadmap and respond proactively to emerging technologies they do not control by addressing the following questions:

• Is there active and collaborative engagement, not merely a division of labor, between the CIO, the library, and those responsible for fostering an effective teaching and learning environment?
• Is the CIO in dialogue with legal counsel, provosts, and records managers about the issues inherent in instructional use of emerging, user-focused applications? Because technology developments always outpace policy, are these individuals willing to reach common understanding of what is at stake without attempting to curtail the use of such services?
• Are the aforementioned leaders providing faculty with consistent information about the benefits, risks, and tradeoffs in using services that either fall into the category of emerging technology or exist outside the university's purview? For example, will graduates be able to access a pilot e-portfolio service that is either housed on a server in a school of education or offered at no charge by an external vendor? What are the implications of student blogs hosted off campus?
• Do the IT staff appreciate that faculty adoption of emerging technologies may require rapid accommodations in the configuration of the institution's hardware and software infrastructures that have been hardened for security purposes?
• Is the institution monitoring the progress of e-learning technologies and strategically implementing those that require institutional oversight? The resources of the EDUCAUSE Learning Initiative are a recommended guide.

No. 10: Staffing/HR Management/Training

The Staffing/HR Management/Training issue is IT's Achilles' heel. It may not always appear on the top-ten critical issues list but is always present. Every issue in IT has associated with it some kind of staffing challenge, whether recruiting and retaining talented and qualified staff, providing much-needed professional development opportunities, or managing staff morale and work environment. Current research has raised concerns about the anticipated departure/retirement of aging IT leaders,¹⁸ which requires planning for knowledge transfer.¹⁹ Another current issue is the life style and expectations of Net-Gen workers—they want a better work-life balance than their predecessors.²⁰

Successful recruitment and retention of IT staff require a partnership with the campus HR department to foster innovative initiatives.²¹ Ideally, this partnership should be characterized by an atmosphere that encourages flexible and innovative approaches to finding and keeping staff.²² Factors such as lower-than-market compensation, highly specialized and perishable skills, and ever-tightening budgets add to the challenges. Many institutions try to reduce dependence on the available pool of IT workers by "growing their own" staff through creating internship programs or hiring recent graduates. According to the U.S. Department of Labor, 64 percent of Americans who leave their jobs say they do so because they don't feel appreciated.²³ It is also clear that location plays a large role in both recruitment and retention. Size and location of the community, proximity to high-technology centers and cities, cost of living, commute, life style, and pace all can be counted as factors.

An organization needs to invest in its staff by creating professional development initiatives that meet broad organizational goals while taking into account the specific needs of the individual.²⁴ A multitude of resources exist to guide a campus in this endeavor. The EDUCAUSE publication Cultivating Careers: Professional Development for Campus IT²⁵ offers first-person experiences, practical advice, and real-world examples of what works. Another set of valuable resources can be found on the EDUCAUSE Professional Development web page (http://www.educause.edu/pd).

Critical questions for higher education IT leaders to think about include the following:

• How can we effectively communicate unique IT staffing challenges and ensure ongoing attention to the problem at the institutional level? How can we encourage our institutions to spend more time and money to promote themselves as an attractive place to work?
• How can we work with HR to foster positive recruitment and retention initiatives, especially to streamline recruitment processes to compete more effectively in today's market?
• Can we create new ways of working that will provide stimulating work environments to help attract and retain staff?
• Can we restructure our compensation systems to be more skill- and performance-based? Can we find ways to allow for greater job flexibility and options, such as telecommuting or job sharing, and provide more benefits, such as daycare and study leaves?
• How can we make higher education IT salaries more competitive with industry salaries?
• Should we expand our workforce by looking for talented individuals who do not have formal IT training and work with them to develop new skills? Should we be hiring more recent graduates?
• With the need for continuing technical education increasing and the cost for that training rising, how do we address these financial challenges? How can we predict the next generation of required skills? How can we adequately train our existing staff to meet the new technology challenges?
• With limited ability to provide out-of-cycle salary increases or project bonuses, how do we show our appreciation to our staff?
• How can we take better advantage of the soon-to-be retirees and enable knowledge transfer before they leave higher education? Can we effectively use their skills in a part-time way, should they choose to not fully retire?
• How do we prepare existing and more traditional staff to accept and learn from the new generation of workers?

Context: Other Annual Measures and Indices

It is worth placing the overall responses in the context of other annual reports, digests, and awards for higher education that focus wholly or partly on IT. To be sure, other organizations pose different questions and apply variable breadth and depth probes for different industry sectors and audiences than for college and university IT leaders per se. With this caveat, we see both convergence and divergence.

Association of Research Libraries

At any given time, the Association of Research Libraries (ARL) tracks and researches major issues of interest to its membership of 123 research libraries in the United States and Canada. The current ARL key issues, several of which intersect with issues on the radars of IT leaders, are

• Copyright and intellectual property
• Diversity
• Library support for e-science
• Leadership development
• Legislation and appropriations
• Library assessment
• New models of publishing
• Preservation
• Special collections²⁶

Campus Computing Project

Like the 2008 Current Issues Survey, The Campus Computing Project's 2007 survey found "network and data security" to be the most important IT issue for campus IT officers, having supplanted "instructional integration of IT" since 2004. In addition, "hiring/retaining IT staff" appeared for the first time among the survey's top issues, suggesting increased competition for IT talent and leadership in the economy. The top three concerns were, in descending order:

• Network and data security
• Upgrade/replace ERP systems
• Hiring/retaining IT staff²⁷

CIO Insight

CIO Insight's annual IT survey for 2008 groups the most important perceived trends and best practices under four major headings, a selection of which includes:

• Top five ways to cut IT costs
  • Negotiate better prices from vendors
  • Use server, storage, or desktop virtualization
  • Standardize technologies, vendors
  • Consolidate data centers
  • Purchase IT products as part of a group
• Major e-service areas consuming more resources
  • Business intelligence/analytics/data mining software
  • Content/information life cycle management software
  • Consumer self-service technologies and applications
• M-commerce acceleration
  • Mobile commerce will account for 25 percent or more of all U.S. retail sales
  • More than 25 percent of all U.S. bank transactions will be from mobile devices
• Technology in the next five years
  • Sixty-nine percent of CIOs say their companies will reduce servers/storage devices by 50 percent or more due to virtualization and data deduplication.
  • Seventy-five percent say their organization's IT architecture will be based on service-oriented software, Web 2.0, and related technologies.
  • Fifty-four percent say that "green" IT initiatives will reduce the amount of energy needed to run the organization's computers by 50 percent or more.²⁸

Coalition for Networked Information

The Coalition for Networked Information (CNI), an organization of 200 institutions representing higher education, publishing, network and telecommunications, information technology, and libraries and library organizations, identifies the following current issues and projects in its 2007–2008 Program Plan:

• Institutional content resources and repositories
• Institutional and disciplinary implications of e-research
• Digital preservation
• Electronic theses and dissertations
• Learning spaces—services and environments for today's users
• Organizational implications of e-science and e-research
• Risk management implications of digital content
• Organizational issues in records management and institutional archives
• Open archives initiative object reuse and exchange program
• Institutional infrastructure to support research
• Authentication, authorization, and access management²⁹

Council of Australian University Directors of IT

The Council of Australian University Directors of IT (CAUDIT)—consisting of IT directors of universities in Australia, New Zealand, Papua New Guinea, and Fiji—identify the following top-ten issues for 2007, in order of importance:

• Staffing and workforce planning—skills shortage, retention, and recruitment
• Service management—support and delivery: availability, capacity, change management
• Project, portfolio and risk management
• Governance and IT strategic planning
• Business continuity and disaster recovery
• Identity management—authentication, authorization, access
• Security
• Information management—storage, archiving, records management
• Funding and resourcing
• Administrative systems—ERP upgrades and enterprise architecture³⁰

EDUCAUSE Center for Applied Research

The EDUCAUSE Center for Applied Research (ECAR) research agenda provides a valuable perspective on issues of critical importance to higher education, and the studies and research bulletins that emanate from the agenda help campus leaders make better decisions about information technology. While the most recent research studies and bulletins are accessible only to subscribers, ECAR key findings and roadmaps are available to all as soon as they are published. Numerous ECAR publications, including major research studies, case studies, and research bulletins that were published 18 months ago or longer, are publicly available. In addition, all current and past survey instruments are accessible. In 2008, major studies of practices and trends have been or will be released on

• Cyberinfrastructure resources and practices
• International study of identity management and IT security in higher education
• IT engagement in research in medical schools and colleges
• IT governance in higher education
• IT workforce in higher education
• Student technology use and skills

ECAR subscribers also receive three reports per year from Burton Group on topics such as business process modeling, converged real-time communications, trends in social software, and others.³¹

EDUCAUSE Core Data Service

The EDUCAUSE Core Data Service Fiscal Year 2006 Summary Report, published in October 2007, notes significant increases in the following:

• Centralized IT support staff
• Ratio of IT budgets to FTE students
• Outsourcing of IT services
• Bandwidth tracking
• Personal firewall software deployment
• Campus security risk assessments
• End-user authentication for network access
• Campus wireless deployment and wireless security protocols
• Antispam and antispyware software deployment
• Providing legal music and movie download services
• Completed portal implementations³²

Gartner, Inc.

In October 2007, Gartner identified the top-ten "strategic technologies" that will have major enterprise impacts within the next three years, i.e., having the potential for IT or business disruption, the need for major investment, and/or risk in adopting late:

• Green IT
• Unified communications
• Business process modeling
• Metadata management
• Virtualization 2.0
• Mashup and composite applications
• Web platform and "cloud computing"
• Computing fabric
• Real world web
• Social software³³

Horizon Report

The Horizon Report, an annual collaborative publication of the New Media Consortium and the EDUCAUSE Learning Initiative, identifies and describes emerging technologies likely to have major impacts on teaching, learning, and scholarship. The 2008 edition of the report identifies six key trends over three adoption-maturity horizons:

• One year or less
  • Grassroots video
  • Collaboration webs
• Two to three years
  • Mobile broadband
  • Data mashups
• Four to five years
  • Collective intelligence
  • Social operating systems³⁴

National Association of State Chief Information Officers

The 2007 annual survey of state CIOs by the National Association of State Chief Information Officers (NASCIO) identified the following priorities, in ranked order:

• Consolidation
• Security
• Disaster recovery/business continuity
• Electronic records management/digital preservation
• Health information technology
• Shared services
• Connectivity
• Governance
• Interoperability
• Human capital/IT workforce³⁵

Sloan Consortium

The Sloan Consortium's fifth annual report, "Online Nation: Five Years of Growth in Online Learning," summarizes results of a survey of trends and challenges in online education faced by IT and academic leaders at a broad demographic of degree-granting institutions:

• Almost 3.5 million students were taking at least one online course during the fall 2006 term, a nearly 10 percent increase over the number reported the previous year.
• The 9.7 percent growth rate for online enrollments far exceeds the 1.5 percent growth of the overall higher education student population.
• Nearly 20 percent of all U.S. higher education students were taking at least one online course in the fall of 2006.
• Associate's institutions have the highest growth rates and account for over one-half of all online enrollments for the past five years.
• All types of institutions cite improved student access as their top reason for offering online courses and programs.
• Institutions that are the most engaged in online education cite increasing the rate of degree completion as a very important objective; this is not as important for institutions that are not as engaged in online learning.
• A significant majority (83 percent) of institutions with online offerings expect their online enrollments to increase over the coming year.
• Higher costs for online development and delivery are seen as barriers among those who are planning online offerings but not among those who already have online offerings.³⁶

Universities and Colleges Information Systems Association

The Universities and Colleges Information Systems Association (UCISA), an association representing IT leaders and professionals in U.K. colleges and universities, administered a Top Concerns Survey to its members in 2006–2007, resulting in the following top-ten ranking:

• Resources for IT
• IT strategy and planning
• E-learning
• Business systems
• Service availability
• Architected IT infrastructure
• Governance
• Disaster recovery
• Information management
• Identity management³⁷

Conclusion

The 2008 EDUCAUSE Current Issues Survey, affirmed by most other major pulse-reading in the profession, shows a blend of continuity and change in how IT leaders see their major challenges and opportunities. The traditional top-three issues seen as critical for institutions to resolve for their strategic success—Security, Administrative/ERP Information Systems, and Funding IT—have been the same for six straight years, with occasional shifts between first, second, and third ranking. Not surprisingly, these three appear among the top-five issues perceived to have the potential to become even more significant in the future, with Administrative/ERP Information Systems and Security among the top-three issues occupying IT leaders' time the most and consuming the most human and financial resources.

The survey results become interesting when issues move into and drop out of the top ten. Notably this year, Change Management appeared for the first time (number 8) while Strategic Planning dropped off the list, not so much signaling that the latter is less important or not being done at all but, most likely, that IT leaders see their own organizations as the focus of needed change and as supporters of and catalysts for mission-critical changes at their institutions.

The appearance of E-Learning/Distributed Teaching and Learning among the top-ten strategic issues in 2008 suggests that instructional technology and design is now recognized as central to the IT organization's mission as well as an expanding niche of the profession. The drop-off of Course/Learning Management Systems and Faculty Development, Support, and Training could mean that these aspects of the teaching and learning enterprise are now understood under the rubric of E-Learning.

As an issue not previously seen among those with the potential to be more significant in the future, the emergence of Compliance and Policy Development shows that IT leaders have an increasing awareness of state and federal government focus on accountability in higher education. On campus, this may involve a new or expanded partnering role for the IT organization in identifying, aggregating, shaping, and interpreting institutional data that can support actions to improve student and institutional performance metrics. Beyond campus, it means not only staying abreast of legislative and regulatory pressures to control illegal file sharing, extend broadband access, and ensure net neutrality but also working with campus executives, government relations officers, and associations like EDUCAUSE to advocate on behalf of the higher education community.

Finally, the appearance of Staffing/HR Management /Training on the list this year for the first time since 2001 indicates that IT leaders face an increasingly acute challenge in recruiting and retaining a skilled IT workforce to implement and maintain complex systems as well as to meet the rising appetite for technology services.

All in all, when considering the ups and downs and the apparent eternal verities of issues in the Current Issues Survey results from one year to another, one might paraphrase the novelist Tom Wolfe in saying that IT in higher education is indeed "a profession in full."