Even as campus functions like building access and emergency response become increasingly dependent on institutions’ information-technology infrastructures, physical security and information technology remain administratively separate almost everywhere. But at Indiana University, officials are nearly five years into an unusual experiment, and they say it’s yielding good results.
The undertaking began when President Michael A. McRobbie set in motion an overhaul of the university administration, which included bundling systemwide physical security and information security into the hands of one associate vice president, Mark S. Bruhn. He reports to both the executive vice president for university academic affairs and the vice president for information technology.
"When you are dealing with so many different sources of information and so many different offices that need to be involved in the response to a problem, there has to be a reporting structure that brings it all together," Mr. McRobbie says.
The changes mean that the university now has uniform response procedures—a tool kit, Mr. Bruhn calls it—that can be applied to cybersecurity and physical-security incidents alike.
"It is that structure that provides us with a huge amount of comfort because we know even if it is a one-off sort of incident, we have a structure that is amoeba-like enough that it can cover just about anything that can happen," he says.
A ‘Dual Relationship’
Indiana’s governance structure is believed to be unique in higher education.
"At most institutions, the public-safety function reports to the vice president of administration or the chief business officer, whereas the IT-security officer reports to the chief information officer or the vice president of information technology," says Rodney Petersen, a longtime official at Educause, the higher-education-technology consortium. He is interim executive director of a new cybersecurity collaboration among Educause, Internet2, and Indiana. Mr. Bruhn, he says, "is unique in that he sits between both of the vice presidents and has that dual relationship."
In part, the combining of physical- and information-security responsibilities recognizes the way functions like policing are increasingly reliant on information technology. The shift also puts weight behind what Indiana officials call an all-hazards approach to potential crises by creating a single focal point for decision-making.
"Mark can give an order that coordinates the police department, that coordinates environmental safety," says Bradley C. Wheeler, vice president for information technology and chief information officer and one of the two people whom Mr. Bruhn reports to. "Or he can assess what his security officer is saying or what the risk officer is saying, and make a trade-off amongst all of these. This does not turn into feudal fights amongst people who have different authority structures or report to different bosses."
The impetus for the administrative changes at Indiana, officials say, came from the attacks of September 11, 2001, and the Virginia Tech shootings, in 2007. The breakdown in information sharing and communication revealed in investigations of both those events was on Mr. McRobbie’s mind when he became Indiana’s president, in 2007.
"My biggest concern coming into the position was really that we had a sort of Balkanization of different offices," says Mr. McRobbie, himself a former vice president for information technology at the university. "That is, there was no one person we could go to and say, How are we responding to this?"
He began re-envisioning the university’s organizational chart. In 2009, when the then-vice president and chief administration officer retired, Mr. McRobbie did not replace him. Instead, working with colleagues, he set about redistributing the departed administrator’s portfolio.
The university brought in Good Harbor Security Risk Management, a consulting firm headed by a former White House security czar, Richard A. Clarke, to study the existing emergency-response protocol. During a "tabletop" exercise in which administrators talked through, step by step, who would do what during a crisis, it became clear that responsibilities were only vaguely understood.
"I think that tabletop was likely the highest-value activity that Good Harbor brought to us, because it was just stark," says Mr. Bruhn. "People walked out of there, well, very, very concerned and uncomfortable, which is what then gave us the additional important momentum on moving ahead."
In the end, some of the former vice president’s responsibilities—like human resources, insurance claims, and purchasing—were handed to the chief financial officer. And Mr. Bruhn, already an associate vice president overseeing information-technology security and policy, saw his portfolio expand to include what would soon be centralized offices of public safety and environmental, health, and safety management. He also took on the newly created office of emergency management and continuity.
The restructuring has played out in anticipated and unanticipated ways, according to university officials.
Some say that the culture of compliance Mr. McRobbie planted within information technology is now permeating other parts of the university, and that the changes also created more channels for personnel advancement.
"I think it is easy to miss the professional career development that happens when you build an organization of scale," Mr. Wheeler says. "It lets people develop lots of talents and move forward, and not feel like they have to leave the university to advance their careers."
Moreover, the reporting structure gives Mr. Bruhn’s office the authority of two vice presidents. Mike Jenson, director of environmental, health, and safety management, says that is particularly relevant for his staff because their work involves enforcing regulations and codes that researchers and administrators aren’t always eager to comply with.
"Often what we are telling people to do is costly," Mr. Jenson says. "If we report to those people, they have an inherent conflict of interest. But the way that this is structured, we don’t report to any of those groups. That is really important."
Tom Davis, chief security officer, says the projects he has overseen since the new governance structure took effect include a centralized video-surveillance system and a standards document that outlines what safety and security features the university wants in new construction and renovations.
"If you look at the way technology has been embedded in things like access control, it takes someone with an IT background and an IT technical mind-set to understand what kind of cryptography is going on between the card and the reader, and is that secure?" Mr. Davis says. Synergies like that, he says, make it apparent that information technology and physical safety belong "under one umbrella."
Unifying Police Forces
Some of the changes in the wake of the administrative reorganization were more pragmatic. Before the realignment, seven university campuses were patrolled by seven separate police departments, using different uniforms, firearms, and purchasing processes.
"Two of the campuses’ police-radio systems were integrated into their custodial staff," says Jerry Minger, director of public safety. "They couldn’t say anything on the radio systems without all the custodians hearing their traffic."
Today the inconsistencies are gone. The police departments have been streamlined into one, all reporting to Mr. Minger. There are shared systems for record-keeping and video surveillance. The police chiefs communicate regularly, both on conference calls and in person.
With information technology seeping into every facet of campus security, Indiana officials say bringing the two together was a natural step, and one that could also benefit other institutions as well. Still, they acknowledge that such a restructuring is a difficult undertaking that requires the right confluence of events.
At the end of the day, Mr. McRobbie says, "it is not about having a nice, complicated chart with lots of people with important-sounding titles. It is about the well-being of the university community and doing all we can to enhance and support that."