William Sams, the CIO of Ohio University in Athens, Ohio, has submitted his resignation weeks after the university disclosed a series of information security breaches that exposed the personal information of tens of thousands of students and alumni.
Sams will continue in his role until a replacement is found, according to a statement on the university’s Web site.
Two top IT staffers -- the university's director of communication network services and the manager of Internet and systems -- have already been suspended and face possible termination over the incidents.
"The IT organization at Ohio University is positioned for a major transition into a 21st century leadership position," Sams was quoted as saying in the statement. "However, it has become clear to me that a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential," he added.
The development should come as no surprise to anyone, given the scope of the breaches, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.
But "whether or not the CIO was really at fault in any of this is anybody’s guess," Lindstrom said. "Only the insiders will know if he could have done more and didn’t or whether there was a more persistent problem to begin with," he said.
Sams’ resignation comes amid an IT reorganization that is being implemented on the recommendation of an external consulting firm brought in to audit the university’s security after several breaches were discovered between late April and early June this year.
The audit report from Naperville, Ill.-based Moran Technology Consulting LLC identified a siloed culture and a quasicombative relationship between the university’s network and computer services groups as reasons for a relative lack of good security practices.
Based on recommendations from the audit, the university began restructuring its central IT group. As part of the effort, the university is assigning formal roles, responsibilities and accountability for those working in its central IT organization. About 90% of the staff working in this group are expected to be affected by the restructuring.
The university also plans to deploy real-time and scheduled measures for protecting its systems against viruses on every Windows-based server.
The changes come after the discovery of five separate security breaches, including one that exposed personal information on 137,000 people. The first one was uncovered on April 21, when the FBI informed the university that it had in its possession disk drives containing patent and intellectual property data from a server at the university's Innovation Center.
Less than a week later, university IT officials disclosed that someone had broken into a server supporting alumni relations and had remained undiscovered for more than a year. In early May, the university said that a system belonging to its Hudson Health Center had been broken into, potentially exposing Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 current and former students and faculty.
It was at this stage that Moran was called in to review systems housed in the university's computer services center. That review resulted in the discovery of two more security holes.