JISC Security Conference Day 2

It’s been a few days since the JISC Security Conference however I am only now seeing light at the end of the tunnel, having spent the last few days catching up following my two days out at the event.   As such I thought I would share some thoughts following Day 2 of the conference.

Defend as one

During the course of the 2nd day of the conference I attended a number of sessions where various educational institutions shared their experiences of cyber incidents.   I will admit it was good to hear their experiences as generally all we get to hear of in relation to cyber incidents in schools, colleges, and universities, is the news posts which lack any of the detail as to the cause and impact of the incident, or of the resulting recovery operations.   It would be good to hear more of the details around cyber incidents in schools, etc, as there is a great opportunity for use to learn from the experiences and collectively seek to be more secure, with this being summed up by the JISC conference tag line, “Defend as one”.    I will however note the challenges in relation to this due to the sometimes sensitive nature of such information.

Cyber:  An IT issue?

Now the event itself was very useful for me as a Director of IT, being surrounded by others in similar roles however, as identified by one of the speakers, this also represents a challenge.    Technology security is not solely the responsibility of IT.    It is the responsibility of all those who use technology, who manage or are the owners of data, who lead departments and who lead or govern within educational institutions.      Equally all these people need to be onboard and considering what they might be doing in the event of a critical technology incident where they will need to try to keep operations going while the IT team focusses on the technical issue.     Yet the JISC security conference was mainly attended by IT people.   Clearly there is need for others to be more engaged, and I will certainly be looking to try and encourage other non-IT senior staff to attend events like this in the future.

Third Parties and supply chain risk

As the second day proceeded, I started to see some key themes and messages coming out, some of which aligned with some of my thinking, with one of these being the risk associated with third parties and the supply chain.   Increasingly we are using more external solutions, either online based solutions, or solutions where we have technology solutions from a third party running on our networks.   Examples might include a third party hosted web-site solution, a CCTV solution hosted on site, or a visitor management solution hosted on site.    These solutions have access to school data or may be on the school network, and as such may either represent a risk to the data should they suffer a cyber incident or could represent a risk to the school network.   If on the school network, they might introduce vulnerabilities, which we are unable to address and where instead we must wait for the supplier to identify and resolve by developing and deploying an update or patch.   So this risk highlights the need for due diligence before introducing new solutions.  This didn’t really happen during the pandemic, as we sought to act quickly to address the challenges so there is work to do in carry out the due diligence for systems now in use.   Also, due diligence at the point of purchase represents a snapshot;  Most technology solutions evolve over time, with new functionality being added or existing functionality adjusted and changed, meaning the due diligence which was originally conducted is now out of date and inaccurate.  This highlights the need for periodic review, but this is then yet another task or piece of work which needs doing, and who does this due diligence where departments across a school, college or university as sourcing their own solutions?  For me the key here is we need to look to do more in relation to examining the cyber resiliency and disaster recovery plans of the third parties we use.


Another theme which came across was the extent of the cyber incidents described.   Basically, in some cases it meant going back to scratch, turning everything off and rebuilding.   But this takes significant time running into weeks and months.    This means it is key to identify the priorities for the recovery.  What systems and processes need to be recovered first?    If we don’t stop and consider this now, when things are running, we will likely find ourselves in the middle of an incident with every department and users screaming that they system or process is most important, and we will then waste significant time trying to debate and decide.    Clearly there is need to examine all the systems and technology in use and then identify a clear and documented priority order for these systems such that when an incident occurs there is a clear priority order with which to work with.

Data Governance

The issue of data governance was particularly notable in discussions related to HE, to universities and this is likely due to their size and scope when compared with schools and colleges.   That however is not to say that the same challenges don’t also exist in schools and colleges.   The key question here is about the basics of data management and knowing what data we have, why we have it, where it is and likely most importantly who is responsible for it.   And in terms of responsibility, I am not referring to IT teams being responsible as they run the systems the data is stored on, but who the owner of the data is.  For example, admissions data doesn’t belong to IT, it belongs to the admissions team, while pastoral data belongs to the pastoral team.    IT can never know the processes and uses of all the data stored by different depts on IT solutions, therefore they cannot therefore be responsible for the data management side of such data.   It is the data owners that are responsible for what data they gather, how it is stored, how long they keep it, etc.    It was key from some of the discussions that greater effort needs to be made to ensure all understand who is responsible for what data. 


There was a lot to think about on Day 2 and to be honest I havent as yet had a sufficient amount of time to properly stop and reflect on the day or on the wider conference as a whole.   And I suspect it will be a few weeks and maybe the end of term before this will properly happen.

That said the above represents some of my initial thoughts based on some of the copious notes I took during the course of day 2.

I will end on an important message as I see it; This can all seem like doom and gloom.  The “when” rather than “if” of a cyber incident, the size and impact of such an incident and the multiple things we need to be doing to prevent and prepare, but against the backdrop that no matter what we do it may still happen.    We cannot allow it to be all doom and gloom.   My view is therefore that we need to simply seek to continually improve, to not try and do everything, but to try and seek to be more secure today than we were yesterday.


JISC DigiFest: Digital Citizenship

Following my DigiFest session I thought I would share some thoughts which went into my session.

Slide1It is important to firstly acknowledge that our views on technology are very much the result of our experiences.  My experiences include learning to code in Basic on the Commodore 64 at an early age, before moving on to AMOS basic on the Amiga and then QBasic, Visual Basic and C++ on the PC.    This early use of technology, and the ability to develop software to solve problems has very much shaped my views.    Now, today I walk around with a mobile phone with over a million times more memory than my commodore 64, from less than 30 years earlier, and the growth rate across the period has not been linear.   A perfect illustration of this lies in how long it took various technologies to reach 50 million users.    Radio took 75 years whereas TV only took 38 years.   Bringing us close to today, Facebook got the time to 50 million users down to 3.5 years before Pokemon go managed it in less than a single month.   It is clear from this that the pace of changing is quickening.

Looking at our use of technology today we find that most of us now use technology for communication or entertainment in the form of mobile phones, social media and on-demand TV.   We are also increasingly being required to use technology to access governmental services, council services, banks, etc.    Technology is now integral to our lives and here to stay, complete with the ever-quickening pace of change mentioned earlier.

Slide2The more I think about the pace of change and the way that technology is becoming an integral part of our everyday lives the more the movie Ready Player One comes to mind.   In the movie Wade Watts makes use of virtual reality to live a double life, living as Percival in VR.   As the film progresses it becomes clear that his two lives aren’t as separate as he would like and that events in virtual reality impact on real life and vice versa.   For us, like Wade Watts, our lives in real life are inseparably linked to our digital lives.   In fact, I believe that it no longer serves us to think of digital citizenship as the term implies that there is something else available, a non-digital citizenship, when in fact there is not.    Possibly the discussion should not be of digital citizenship at all but simply citizenship.  As Danah Boyd, in her book, Its Complicated said, although the apps might change our online connectedness, our need to share and the challenges around privacy are “here to stay”.

Resulting from this new technology there are benefits or potential benefits and we need to acknowledge this.  A couple of examples include the current exploration of self driving vehicles plus the recent use of choreographed drones as an alternative to traditional new years day fireworks.  In relation to current events around the globe, there is also the use of Artificial Intelligence (AI) to identify new antibiotics and other drugs.   We need to prepare to make the best of these new opportunities and to ensure the students in our educational establishments are prepared.

But with the above benefits, there are also risks.    Fake news and the ease with which videos including interviews can be faked will increasingly make it more difficult to tell fact from fiction.   We also have challenged to individual privacy and risks around habits and potential addictive behaviour plus also the potential for platforms to go so far as to actually shape and influence human behaviour.

The danger in the benefits and risks of technology is the currently common resultant binary views of either technology as infinitely good or inherently bad and evil.    Sadly, these views are seldom of little use as to view technology as purely good is naïve whereas to consider it as purely negative equally naïve and simplistic.   The reality is that technology and more particularly the use of technology for a given purpose will lie in between the extremes of good and evil, positive and negative.   Any use of technology is likely to have its positives but also its drawbacks or unintended consequences and therefore we need to consider carefully the pro’s and cons and seek a balance.

slide3Looking at how we prepare our students for the world and the issues listed above I can see the things which we do satisfactorily, through our eSafety programmers, however I can also see those areas where little or nothing is currently offered.   We currently discuss the importance of privacy settings on social media, of having strong passwords, of how online content, once posted, will remain permanent and of the need to be aware of bullying online.   These areas are currently covered.    Sadly, however little is said in relation to the conflict between user convenience and individual privacy, between individual privacy and public good, and between social media reporting on or actually creating the news and truths which we come to believe.     These are the areas which we need to discuss, for which there isn’t a single answer and therefore where the most we can do is help students develop their own views through discussion.  It is through discussion that we can hopefully ensure that students, when presented with the infinite challenges of technology use, will approach them with their eyes wide open.

This brings me nicely to raising a couple of examples, from the many examples available, which would make valuable discussion topics for use in our schools.

Algorithms and AIs can be manipulated by an individual or organisation, to their own ends.   

Do we understand why algorithms might exist?     Do we understand why an individual or organisation might seek to “game” an algorithm and the potential gains which may arise?   The use of a series of mobile phones to fool googles traffic analysis algorithm into identifying a traffic jam where one doesn’t not exist, resulting in it redirecting traffic away from a given street, being one simple example of what is possible.

Governments can filter and censor content based on political motivations.    

Do governments need to be able to filter content for public safety?   But could their filtering be used to shape public perception or to revise fact to their own political ends and political gain?   What is truth and should governments be allowed to control and revise truth?    We have already seen governments filtering internet content with their filtering then being identified as being lacking transparency and in their own self interest; Filtering of TikTok being one possible example of this.

Online companies can gather and sell your data for profit.  

Do companies need to gather all the data which they gather?   Do they have the right to sell this data?   Where data is anonymized is it possible for data sets to be combined which then might reverse the anonymisation process?   A simple example of this being a cellular carrier selling on viewing habit data.

Mary Aiken in her book, the Cyber Effect, identifies the need for us to “make sense of what’s     happening” and only through discussion is this likely to occur however one concern I have is where these discussions might happen.   In the current crowded curriculum they tend to be banished to the IT classroom, a subject which not all students will study.   I don’t think this is sufficient.   These discussions need to take place throughout schools, across the subject areas, across the stages, with students, with staff, with parents and with the local community.   Discussing the challenges of technology needs to become part of the culture, simply the way we do things around here.

As Danah Boyd stated, “Collaboratively, adults and youth can help create a networked world that we all want to live in”.  If I am to ask anything following my session at DigiFest, I would ask this:  Lets begin with a discussion in our schools, colleges and universities, any citizenship related discussion where technology has its part to play complete with its pros and cons, but let’s do it today.

You can access my full presentation from DigiFest 2020 here.

Final Note: As we now engage in much more home and distance learning due to the Corona virus it may be more important than ever for these discussions to happen, and to happen now!



JISC DigiFest: Thoughts from Day 1

JiscD1I thought I would share some initial thoughts following day one of JISC DigiFest.  The event was launched with a very polished and professional pre-prepared video displayed on screens scattered around the events main hall, focussing on the rate of change in relation to technology and some of the technological implications of technology on the world we live in.   The launch session also included a room height “virtual” event guide introducing the sessions and pointing you in the direction of the appropriate hall.    In terms of the launch of a conference this was the most polished and inspiring launch I have seen albeit on reflection there wasn’t much particularly innovative or technically complex about it.

JiscD1-1The keynote speaker addressed the changing viewpoints of different generations of people focussing particularly on Generation Z, the generation which currently are in our sixth forms, colleges and universities.   I took away two key points from the presentation.   The first was how each generations views were shaped by their experiences particularly between the ages of 12 and 20 year old.   Jonah Stillman used thoughts on space as an example showing how Generation X might have positive views focussing on the successes of the moon landing whereas Millennials may have a more cynical view following the Challenger disaster.   Additionally, Jonah mentioned movies as a social influencer and how those in the Harry Potter generation may view cooperation and trying hard, even where unsuccessful, in a positive manner.  Those born later than this may draw on another series of films, in the hunger games, resulting in a greater tendency towards competition and the need to succeed in line with the movies storyline of everyone for themselves and failure results in death.     The second take away point from the session resulted from the questioning at the end of the session around what some saw as the absoluteness of the boundaries between generations.    I think Jonah’s use of the word “tendency” addressed this concern in that the purpose of the labels was for simplicity and to indicate a general trend and tendency rather than to suggest that all people born on certain dates exhibited a certain trait.  It increasing concerns me that this argument keeps coming up when surely it is clear that there is a need to use simplistic models to help clarity of explanation and that no model, not matter how complex will ever truly capture the real complexity of the world we live in.

My 2nd session was actually the delivery of my own session.   I will be sharing some thoughts in relation to my presentation along with my resources in the near future.   For now I will simply say that the session was not one of my best.   I do however hope that my main message, in the need for greater and broader discussion in relation to citizenship within the now digital world we find ourselves living in was clear.

The third session of the day focussed on  digital literacy programme one particular university had developed.   I found it interesting in this and a later presentation, how digital literacy or digital citizenship appeared to often fall to the library in universities in terms of developing and delivering a programme.    In schools I feel the same topics tend to fall on the IT teaching department rather than libraries however it is interesting that something which should be permissive would find itself localised in educational institutions in a single department rather than being supported across the institution.   It was interesting how the programme the university developed had evolved over time, which seems to me to be the correct approach given how quick technology is changing.  I also found it interesting in that student voice suggested needs which then later students indicated they did not find useful.  In other words students themselves were not an accurate judge of their own wants and needs.     Session five followed a similar topic again looking at digital literacy however the presenters made use of a fairy tales as a vehicle to deliver their message of the pros and cons of the digital world we live in.   I must admit I enjoyed this presentation in its novel approach to delivering the concept in hand.

Session four focussed on partnerships between a university, a local council and a number of corporate organisations focusing in particular on data analysis and business intelligence.  I think schools have some way to go in this area as they regularly gather huge amounts of data however little is actually done with it beyond reporting it to school leaders, parents, etc.   I think the challenge is that schools often lack the resources which a college or university may have at their disposal, such as having data scientists as part of the staff body.   That said, the sessions seemed to indicate the potential for schools to leverage partnerships to fill this gap with minimal to no outlay on their own resources.

My final session of day one focussed on digital transformation, and like the key notes was insightful and inspiring.    Lindsay Herbert discussed the bear in the room, which is similar to the elephant in the room but more dangerous.     I particularly like the way Lindsay stated early on that the world was a “terrible place” citing issues such as the corona virus, fires in Australia, storms across the UK and ongoing technological change.   She then quickly moved on to the fact that we are inherently brave in our attempt to not only exist but to strive to flourish in this world, before then going on to identify various success stories where the bear in the room was tackled.    She left us with 3 main tips, all of which struck a cord with me, in that transformation starts with a worthy cause, requires lots of people and needs to be learned and earned rather than purchased.   The third tip in particular strikes a cord for me as I have encountered change where it has not gone as smoothly as I would have liked, and where significantly more effort was expended than had originally been attended;  In retrospect this may have been the change being earned, plus certainly involved a lot of learning.

Day 1 was useful with the keynote and closing session of the day being my highlights.    Have plenty of notes to digest when I get back home.  Roll on day 2.




%d bloggers like this: