University of Wisconsin–Madison

Security, Privacy, and Risk

The University of Wisconsin-Madison and its leadership are concerned about the threat privacy and security risks pose to our core mission. Not a day goes by without the report of a business, government, or other organization experiencing reputational or other damage due to one form of security breach or another.

To improve the UW’s position in this area, I recently initiated a series of steps intended to reduce our institutional risk.

  • I engaged CIC CIO colleagues to conduct a three-day review of how UW security is organized, and make recommendations aligned with the Governance, Risk, and Compliance framework emerging from EDUCAUSE. Their report served as the basis for next steps.
  • I opened a nationwide search for a new Chief Information Security Officer (CISO) aligned with this approach, which resulted in the hire of Lori McElroy. Within her first four months, Lori worked collaboratively with all security professionals on campus to get a first-hand feel for capabilities, current initiatives, and possible synergies. This resulted in a new organizational structure formed by merging DoIT Security and the Office of Campus Information Security. I am pleased to announce the official launch of this new service, simply called UW IT Security. It is led by Lori, who is assisted by Stefan Wahe, who was promoted into the position of Associate CISO.
  • Long-time UW-Madison policy professional Gary DeClute now reports directly to Lori so that the critical complementary policy function is more integral to privacy and security requirements.
  • Through the efficiency of a combined security organization, Lori was able to reallocate an FTE to create our new Chief Data Officer position and function. This position is currently open for a national recruitment. In order for the UW to truly identify and mitigate the highest data risks, we need governance, management, and coordination across the multiple functional areas that use data to run their “businesses,” including the business of academic management.

This brings us to the point where I can discuss the project we have initiated to identify and protect our highest-risk data. In order for us to process applicants, register students, and facilitate processing of Financial Aid, we need to work with Social Security numbers. We also need SSNs to process payroll for the more than 21,000 employees at UW-Madison, and another 32,000 employees of the other UW campuses. Protecting the hundreds of thousands of SSNs is a monumental task that requires concentrated approaches to understand where they are used, why, and how they are utilized within the business of the university.

My office will be stepping up communications about this project with all members of the university over the next few months. As is our normal approach, we will be highly sensitive to the perceptions of all members of the UW community as we undertake this important work. While there are sure to be areas of concern for some in our community, we will strive to balance that concern with awareness of the devastating impact of breaches as we engage in dialogue. The status quo is not an option, so we must find the right balance for UW-Madison as we work toward reducing our institutional risks.

I am happy to come to departmental or school and college meetings in order to improve communications about this initiative. I am confident we will find the right balance as long as all of us stay open to navigate with the advice and guidance from formal and informal governance groups.