When Bill Badertscher arrived at Georgetown University three years ago, campuswide security was handled in several departments with little coordination among teams. It was time for a change. Badertscher is Georgetown's senior engineer for facility and safety control systems and leader of a new IT team that focuses on the same areas. The goal is to address enterprise risk management (ERM) by redefining it to include nontraditional systems. Understanding that security is mission-critical has led the University Safety and Information Services departments to work together in unprecedented ways.
Badertscher spoke with CSO about the program, as well as the challenges and changes he's encountered in helping bring Georgetown's ERM strategy up to speed.
CSO: Let's start with an overview of where Georgetown's ERM program was before you came on board. What were some of your first steps when you started in your current role?
Bill Badertscher: Georgetown had experienced several significant security project failures and data security breaches. So at a high level, it was recognized that a strategy was needed to address systems in the facilities and security spaces. That strategy was led by our CIO Dave Lambert and resulted in the formation of several new groups within IT.
When I first came on board, a budget was established to immediately replace some legacy systems, including access control and video surveillance. However, early assessments identified a much wider range of needs; initial wish lists totaled more than $60 million in new spending. That level of funding isn't available, so it's been key to do risk assessments to prioritize our needs. These have focused our efforts on access control, video surveillance, emergency response and fire-protection systems.
What are some changes you've made?
Georgetown recognized early on the need for IT to take a leadership role in the replacement of departmental systems and independent cabling networks. Our data network has sufficiently matured to accommodate the power and communication needs of security and other systems. This is important because nearly all new systems today interface with the data network. Our philosophy is to leverage the data network as much as possible and closely manage data security along the way.
Our ERM program is not just about facility and security control systems. Along with my group, we have new groups responsible for scholarly information systems; research and regulatory administration; data security and policy; and advancement. So it's not just my group. It's actually a collection of new initiatives that are reaching out across the university to address enterprise risk. That includes facility and security control systems, but a lot of others as well.
What have been some of the bigger challenges along the way?
One of the bigger challenges when I got to Georgetown was the roles and responsibilities issue. In a very siloed environment, facilities have their own administration and they are very independent. So one of the immediate reactions was a lot of defensiveness among the folks in the departments wanting to know why information systems was stepping into what they thought of as their turf.
As a result, there's been a lot of education. We specifically are not trying to take over operations in those spaces, but we need to understand what their business needs are so we can put the proper technology in place to meet those business needs.
We've come up with a simplified model. The business units describe to us what they need, and then we describe how that is accomplished through technology. That's been very successful in helping to communicate to key stakeholders that we are actually partners.
You say legal principles are a driving force in your ERM strategy. Can you explain what you mean?
It goes back to prioritizing our risks. A lot of security spending decisions are made on an emotional basis or in response to incidents. But at the end of the day, the most significant risks we face are incidents that lead to lawsuits or have a negative impact on our reputation. Like our peers, Georgetown has defended against its share of lawsuits and has endured scrutiny by the media and parents. A key element that comes into play, for us, is understanding due care, which is the care that a reasonable person would exercise under the circumstances. Further, we practice due diligence to make sure the security controls we put in place are effectively operationalized and maintained.
There is also the matter of foreseeability. For example, if students were getting assaulted in particular areas of the campus, we can't turn a blind eye to those incidents. There is a lot of established case law that outlines what universities should be doing to protect parking lots, for example, or residence halls. So we have to make sure we are evaluating what our peers are doing and staying on top of best practices. The very real connection between what we are doing and how well it mitigates our risk is based on the legal consequences of what we do.
Various stakeholders across the university have their own ideas about what good security means. Some people want to put card readers everywhere. Some people want to put cameras everywhere. And some don't want either. We base our decisions on a clear understanding of the risks involved. This includes identifying our assets and assessing the threat environment and our vulnerabilities--and then communicating our plans.
This story, "Enterprise risk management: all systems go" was originally published by CSO.