Enterprise risk management: all systems go

ERM might seem a lofty concept, but Georgetown turns that concept into specific systems and projects that reduce risk

By Joan Goodchild, CSO | Security, risk management

When Bill Badertscher arrived at Georgetown University three years ago, campuswide security was handled in several departments with little coordination among teams. It was time for a change. Badertscher is Georgetown's senior engineer for facility and safety control systems and leader of a new IT team that focuses on the same areas. The goal is to address enterprise risk management (ERM) by redefining it to include nontraditional systems. Understanding that security is mission-critical has led the University Safety and Information Services departments to work together in unprecedented ways.

Badertscher spoke with CSO about the program, as well as the challenges and changes he's encountered in helping bring Georgetown's ERM strategy up to speed.

CSO: Let's start with an overview of where Georgetown's ERM program was before you came on board. What were some of your first steps when you started in your current role?

Bill Badertscher: Georgetown had experienced several significant security project failures and data security breaches. So at a high level, it was recognized that a strategy was needed to address systems in the facilities and security spaces. That strategy was led by our CIO Dave Lambert and resulted in the formation of several new groups within IT.

When I first came on board, a budget was established to immediately replace some legacy systems, including access control and video surveillance. However, early assessments identified a much wider range of needs; initial wish lists totaled more than $60 million in new spending. That level of funding isn't available, so it's been key to do risk assessments to prioritize our needs. These have focused our efforts on access control, video surveillance, emergency response and fire-protection systems.

What are some changes you've made?

Georgetown recognized early on the need for IT to take a leadership role in the replacement of departmental systems and independent cabling networks. Our data network has sufficiently matured to accommodate the power and communication needs of security and other systems. This is important because nearly all new systems today interface with the data network. Our philosophy is to leverage the data network as much as possible and closely manage data security along the way.

Our ERM program is not just about facility and security control systems. Along with my group, we have new groups responsible for scholarly information systems; research and regulatory administration; data security and policy; and advancement. So it's not just my group. It's actually a collection of new initiatives that are reaching out across the university to address enterprise risk. That includes facility and security control systems, but a lot of others as well.

What have been some of the bigger challenges along the way?

One of the bigger challenges when I got to Georgetown was the roles and responsibilities issue. In a very siloed environment, facilities have their own administration and they are very independent. So one of the immediate reactions was a lot of defensiveness among the folks in the departments wanting to know why information systems was stepping into what they thought of as their turf.

As a result, there's been a lot of education. We specifically are not trying to take over operations in those spaces, but we need to understand what their business needs are so we can put the proper technology in place to meet those business needs.

We've come up with a simplified model. The business units describe to us what they need, and then we describe how that is accomplished through technology. That's been very successful in helping to communicate to key stakeholders that we are actually partners.

You say legal principles are a driving force in your ERM strategy. Can you explain what you mean?


Originally published on CSO.
