Ohio University CIO Resigns Following Security Breaches

The fallout from a recent string of security breaches at Ohio University continued last week with the resignation of William Sams, its CIO and assistant provost.

A replacement has yet to be named, and Sams will continue in his position until one has been found, said a statement posted on the Athens-based university's Web site. Two top IT supervisors -- the university's director of communication network services, and its manager of Internet and systems -- have already been suspended and face possible termination over the incidents.

"The IT organization at Ohio University is positioned for a major transition into a 21st century leadership position," Sams was quoted as saying in the statement. "However, it has become clear to me that a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential."

William Sams

SAMS says the university's IT group needs "a new energy level and skill set." Sams was not asked to resign -- it was a decision that he made independently, according to an OU spokesman.

Not a Surprise

The development shouldn't come as a surprise to anyone, given the scope of the breaches, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.

But "whether or not the CIO was really at fault in any of this is anybody's guess," Lindstrom said. "Only the insiders will know if he could have done more and didn't, or whether there was a more persistent problem to begin with."

Sams' resignation comes amid an IT reorganization following the recommendation of an external consulting firm. The firm was brought in to audit the university's security after several breaches were discovered between late April and early June.

The first breach was uncovered on April 21, when the FBI informed the university that it had in its possession disk drives containing patent and intellectual property data from a server at the university's Innovation Center.

Less than a week later, university IT officials disclosed that someone had broken into a server supporting alumni relations; the breach had remained undiscovered for over a year. That incident resulted in the exposure of personal data belonging to 137,000 people.

In early May, the university said that a system belonging to its Hudson Health Center had been broken into, potentially exposing Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 current and past students and faculty.

Naperville, Ill.-based Moran Technology Consulting LLC was then hired to conduct a complete audit of OU's Computer Services Center. Its review resulted in the discovery of two more holes in early June. Moran's report also identified a siloed culture and a quasi-combative relationship between the university's network and computer services groups as reasons for a relative lack of good security practices.

Based on recommendations from the audit, OU has begun restructuring its central IT group. As part of the effort, the school is assigning formal roles, responsibilities and accountabilities for those working in its central IT organization. About 90% of the staffers working in that group are expected to be affected by the ongoing restructuring.

The university also plans to deploy real-time and scheduled measures on every Windows-based server in an effort to protect them against viruses.

Repeated attempts to reach Sams for comment last week were unsuccessful.

Related:
Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon