OS X security contest ends without incident
2006-03-08
Well that sucks and rocks all at once...
Penguinisto (1 replies)
I said: "To make matters worse, people usually apply for a (low paid) CIO role in a university rather than, say, a Fortune 500 company, because they don't have the skills to actually cut it in the corporate world. In other words, they are mostly also of doubtful competence."
Quite likely, this lack of genuine ability is why so many try to simply copy models they have read about in introductory books (i.e., usually simplified corporate models), instead of designing systems actually appropriate to the institution they are meant to be serving.
To take just one fundamental area where there is a glaring impedance mismatch, much corporate IT policy is directed toward keeping the company's information secret from outsiders. Academic institutions, on the other hand, are built on the fundamental principle that open sharing of information promotes the growth of knowledge. Indeed, there are quite a few types of information generated by academic institutions which it is actually illegal to conceal from the public, at least beyond a certain date. Many of the decisions about the privacy or publication of material must be taken at quite a low level, and it is inappropriate for the IT department to have a role in it.
Another problem is time scales: corporations are concerned almost entirely with the period leading up to the next AGM. A few of the more long-sighted ones might have a 5 year plan. Tax records have to be kept for 7 years, then incinerated as soon as possible. Universities, on the other hand, regularly maintain records for multiple centuries, and may expect researchers to quickly and easily obtain access to documents generated 300 years ago. That may not be especially common, but records such as academic transcripts are quite routinely required a quarter of a century after they are generated. A properly designed academic IT system would concern itself with ensuring that a botanical sample collected on an expedition to Africa in 1827 was fully described on-line and did not become misplaced; whereas the CIO probably doesn't even know the university has such samples, and instead lies awake at night dreading the possibility that students might be able to email porn to one another. At my friend's former institution, the CIO managed to get his way and implement a blocking filter to prevent any kind of image or audio file from being emailed, just in case it was porn or pirated music (of course that's easily circumvented by anyone who understands MIME types); meanwhile the on-line index of the university's collection of rare ancient coins was taken off-line, and eventually shut down altogether, because it was on a system not supported by the new "SOE policy".
Still another problem is the relationship to the user base. In corporations, 99% of the users of your IT systems are employees, servants of the company that must do as you say, or else. At universities, the largest component of the user base -- undergraduates -- are your *clients*, and will tell you to shove your "acceptable use policy" where the sun don't shine, if it isn't acceptable to *them*.
Another very serious mismatch is the purpose of email. In a corporate venue, email is used for exchanging information to generate profit. As such, a very large number of uses are deemed "inappropriate" or "unacceptable". In an academic setting the most important use of email is the discussion of ideas, and many uses which are "unacceptable" in the corporate setting are not only perfectly appropriate but actually desirable. Yet many universities have adopted email "acceptable use policies" which are simply copied from corporate ones, and actually violate their own academic freedom rules. Case in point, my friend's institution adopted a rule -- no doubt mindlessly copied from a corporate one -- that email users "will not record or process information which knowingly infringes any patent". Of course, in an academic setting this is meaningless drivel; exchange of information for academic discussion *cannot* infringe on a patent, only commercialisation can. But such a policy is likely to have a chilling effect on academic discussion of new technologies, and at a university it is highly inappropriate that it even be mentioned in the policy.
I could go on and on; there are dozens of examples. But at any rate it is obvious that the corporate model is totally inappropriate.
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/159/758#758