(7-minute read)
We all either directly remember or have learned about the space shuttle Challenger explosion in January of 1986. It was a Tuesday morning, and I was preparing my daily route as a letter carrier in a small city in northwest Rhode Island. It was long before the public internet and cable news, but it didn’t take long for what was usually a very noisy building to become silent.
In the aftermath of that tragedy the entire nation became familiar with the term “O-ring”, as it was determined that this component was the technical failure that led to the explosion. However, the Rogers Commission, formed to investigate how this disaster could have occurred and be prevented in the future, pointed to troublesome flaws in organizational culture which led to the fateful decision to launch that morning.
Culture: a word that is oftentimes an afterthought, a summary of a larger social dynamic, or something to either applaud or to blame. It can be used in both a positive or negative context (sometimes both at the same time) and being part of the “counterculture” can be a badge of honor to some.
I can speak from my experience as a higher education CISO for seventeen years to the importance of culture to higher ed security success. Both schools at which I was fortunate to serve had a focus on culture as part of the security mission statement, and I can fully say that I would not have been successful in my role or responsibilities without a strong culture of information security on those campuses. While I do love a good breakfast, I learned early in my career the Peter Drucker maxim of “culture eats strategy for breakfast” and I can attest to its truth.
I also know that culture is much bigger than your campus, and the higher ed community is a living testament to that.
I recently attended the annual EDUCAUSE Cybersecurity & Privacy Professionals Conference (CPPC) in Anaheim, CA. If you are in any aspect of higher education information security or privacy, there is no better week of learning, collaboration, networking and peer-support than the CPPC. I look forward to it every year.
The event is an amazing gathering of global practitioners, from those with decades of experience who are eager to share, to those who are new to the profession and eager to learn. The excitement and enthusiasm by and for the community is palpable, with shared purpose, goals, and commitment. If you have never attended, or it has been a while, I encourage you to do so next May in Denver.
This was my fifteenth time attending CPPC, though it was my first time as a vendor. This provided me with a new lens into both the event and the community.
Friends and colleagues, old and new, crossed paths with me in the hallways or on the elevators, came by the Moran table, or attended one (or both) of the two sessions I was honored to be part of. Did the relationship change as a result of leaving my role in higher ed and subsequently joining a consulting firm? Yes, it did, but for the better.
I was still asked questions about what I was doing given the current threats and landscape, but I could respond with the additional context of what I have been seeing and hearing from other clients of Moran. I continued to share wisdom, guidance, and experience in my usual transparent and supportive way, but the new lens I brought as a vendor working across multiple clients allowed me to speak from a broader perspective.
It was also eye-opening to me, given my tenure in higher ed and my new role in supporting it as a consultant, how the security and privacy community sees vendors. It was clear to me that the savvy higher ed security practitioners see vendors as partners, who are not only there to sell their product and services, but also to ensure that what they offer or sell provides value while also increasing security and reducing risk.
Not all vendors, products, and resellers are successful in this endeavor when dealing with higher ed. Only those who understand the mission, the cultural challenges, and the unique hurdles will ultimately be successful. There is great value in having a contract with someone you consider a partner, and not simply a vendor.
This leads me back to culture and the Challenger. When I think of the findings of the Rogers Commission, I can’t help but think of my time leading the security mission at two R1 institutions and being a part of the broader community.
On campus, culture was important with my peers on the IT leadership team. Culture was also important to my ever-growing security teams. It was paramount that I establish and maintain a strong security culture across all areas of the campus. And more broadly, having a strong, transparent, honest, and supportive culture inside of my peer groups and the nationwide higher ed security community played a large role in my success.
I now can look back and recognize that I benefitted from cultivating a strong culture with the vendors that I chose to partner with. They were part of my team and my mission, understood the environment that I was part of, and were never focused on simply getting to go-live. These were long-term partnerships which were a net positive for both sides. I was clear and stood my ground with them, and they with me, as neither side wanted any disasters after implementation. It humbles me that they continue to seek me out for insight and recommendations. That is the mark of a true partnership, and not simply a portion of a sales quota.
My takeaways from CPPC 2026 were numerous. The ones I have been pondering upon since my return are the importance of seeking wisdom and guidance from those who have been there and are eager to share, that cultural success is only complete when your entire ecosystem is aligned, and that you must consider your vendors as part of that ecosystem.
I will continue to be part of this culture that I respect, admire, and cheer for. I’m thrilled to be with Moran Technology Consulting, a firm that is a Mission Partner of EDUCAUSE, supports my full participation in the community, and understands the culture from the inside. We’ve been in your shoes, we understand the challenges, and we want to help.
Our guiding principles at Moran are “expertise, impact, and care”. I can honestly say that those played a role in my higher ed missions even if they were not explicitly stated. That’s how we treat every one of our relationships, and why we are literally part of the community.
Please contact me directly and let’s begin our partnership journey. You’ll find me and my Moran colleagues at EDUCAUSE Annual 2026 and CPPC 2027, but why wait until then?
Moran Technology Consulting, founded in 2004, is a leading information technology employee-owned consulting firm, primarily serving higher education, while also offering services to K-12 and public sector clients in the U.S. and around the world. While many organizations invest heavily in their IT systems, they often don’t capture the predicted benefits to justify these major investments. We specialize in developing actionable plans to help you identify and maximize the strategic benefits of your IT investments.
Moran offers a full range of IT Management Consulting, Information Security, ERP Project Management, and Data & Analytics services. Our team has unparalleled experience, is vendor independent, and is driven to achieve outstanding client satisfaction. Moran’s management team has been working together for over two decades on information technology challenges.