Wednesday, December 6, 2017

Why Stanford GSB Dean Fired His Chief Digital Officer - Poets&Quants

Once a high-flying tech wunderkind, Stanford GSB Chief Digital Officer Ranga Jayaraman now finds himself out of a job

When Ranga Jayaraman first stepped onto the campus of Stanford University in 1978, he was a self-described geeky young man with little more than $140 in his pocket and a pair of suitcases. Jayaraman had just graduated with his mechanical engineering degree from the Indian Institute of Technology in Madras, and his foray into Stanford for graduate work was the first time he had been in the U.S.

Within four years, the tech prodigy earned three Stanford degrees, including a PhD in mechanical engineering, that landed the wunderkind a job with IBM’s prestigious Thomas J. Watson Research Center. After high-level stints with IBM, Hitachi and NVIDIA Corp., Jayaraman got the chance to claim what was in all likelihood his dream job in early 2011: To be the CIO and associate dean of one of Stanford’s most acclaimed schools, its Graduate School of Business.

To return to the institution that had helped to transform his life was in many ways the ultimate reward. After four years in the job, he was given the title of chief digital officer. Last week, he was fired by his boss, Dean Jonathan Levin, two weeks after the school disclosed a data breach of the business school’s financial aid records by an MBA student.

‘STANFORD HAS BEEN WONDERFUL TO ME & THIS GOES WITH THE TERRITORY’

Stanford GSB Dean Jonathan Levin

Levin had known about the breach since October when Adam Allcock, now a second-year MBA student at Stanford, sent him a lengthy report analyzing the data the student accessed on the school’s computer servers. Much worse than the data breach—the result of information that was stored improperly in a shared folder in June 2016—was the discovery by Allcock that Stanford’s business school had misled thousands of applicants and donors about the way it distributes fellowship grants and financial assistance to its MBA students.

For years, the school claimed that it only awarded scholarship dollars on the basis of financial need. Allcock found that claim to be completely untrue. He discovered that Stanford had routinely funneled millions of dollars in tuition discounts to students without regard to their financial needs, often favoring admits who were female and those from the financial sector, even though many had more savings than students who received no scholarship help or less financial support.

Though Dean Levin became aware that a student had gained access to what was confidential information and Allcock’s subsequent analysis in October, he terminated Jayaraman last week after days of negative headlines in newspapers and websites all over the country. The tech veteran has no ill feelings about what happened. “Stanford has been wonderful to me and things just happen,” he says. “This goes with the territory. There are times when one has to be held accountable, and I am totally fine with it.”

OUT OF A JOB FOR FAILING TO MOVE INFO UP THE CHAIN OF COMMAND

Jayaraman did not lose his job because a student found his way into a shared server that exposed 14 terabytes of highly confidential student data detailing the most recent 5,120 financial aid applications from 2,288 students, spanning a seven-year period from 2008-2009 to 2015-2016. He now finds himself unemployed because he failed to immediately notify the dean or the university of the breach when it was called to his attention in late February of this year.

With the benefit of hindsight, Jayaraman says, he should have informed his boss and the university of the issue after Allcock had alerted the school to the breach. But Jayaraman says he failed to recognize the scope and nature of the exposure when told about it by a member of his team and immediately went to work to lock down the system. At the time, he didn’t even know the student had accessed sensitive data on financial aid, and he certainly didn’t realize that the student would spend 1,500 hours analyzing the data to compile a 378-page report that would ultimately embarrass the school.

Surprisingly, perhaps, it was Allcock who let the school know about the problem in the first place–in a meeting on Feb. 23 with Jack Edwards, director of financial aid. Edwards quickly alerted Jayaraman’s team. The group was able to remove some permissions within an hour of that meeting. To secure all the files, however, they had to meticulously navigate the structure of the shared network drives, scan through the directories and validate actual permissions versus intended permissions and correct them. That took until early March.

‘THIS IS THE KIND OF STUFF THAT HAPPENS DAY IN AND DAY OUT IN IT’

“At the time this happened in February, we did all of the go-fix-the-problem steps,” recalls Jayaraman. “We made an assessment in terms of what had happened and what actions needed to be taken to fix it and prevent this from happening again. What I failed to do was ask one question: ‘What could have been the nature of the content that was in these files and folders and is there super sensitive content that would trigger additional actions like disclosure?’”

After all, data breaches in IT departments are as common as dandelions in an open field. Moreover, this exposure did not result in the disclosure of emails that changed the outcome of a Presidential election or credit card leaks that led to significant fraud. In fact, the exposed files were not available to anyone outside the Graduate School of Business and the names of actual students who were given scholarship money and financial aid were not accessible.

“This is the kind of stuff that happens day in and day out in IT,” acknowledges Jayaraman. “You are always making a judgment call, beyond the immediate action of containment. In this case, when I looked at all the available information and no one was raising alarms about super sensitive information, I decided to let it go. I did not have indicators that triggered the hair on the back of my neck to stand up. In retrospect, would I do the same thing today? I would say my instinct now would be an abundance of caution. I would scan the content to see if there is sensitivity in the data. But we don’t scan content in people’s folders as a matter of course. Our job is to provide the capability for people to store things.”

Chronology of What Happened at Stanford

 

| Date | Event |
| --- | --- |
| June, 2016 | Some MBA student financial aid records are stored improperly in a shared folder |
| September, 2016 | Jonathan Levin, a superstar professor in Stanford’s economics department, becomes dean of the Graduate School of Business, succeeding Garth Saloner who had resigned |
| September, 2016 | More financial aid records for MBA students became accessible on the same server, now totaling 14 terabytes of data on the most recent 5,120 financial aid applications from 2,288 students |
| January, 2017 | First-year MBA student Adam Allcock was at home remapping his personal drive from the MyGSB network. A script popped up that instead mapped all drives at the GSB, allowing him to accidentally gain access to the financial aid records |
| February, 2017 | Allcock informs financial aid director Jack Edwards of the data breach |
| February, 2017 | Chief Digital Officer Ranga Jayaraman’s team begins to lock down the system, securing all files by early March |
| October, 2017 | Allcock sends to GSB Dean Jonathan Levin a 378-page analysis of GSB’s financial aid policies, finding that the school had misled thousands of applicants and students for years |
| Nov. 17, 2017 | Dean Levin publicly informs GSB community of breach and concedes the school misled applicants that all its fellowship awards had been granted on the basis of financial need when that was untrue |
| Nov. 30, 2017 | Dean Levin apologizes for the data breach and says he was not informed of the problem until eight months after Allcock told Edwards in financial aid |
| Dec. 1, 2017 | In a contrite email to colleagues, Chief Digital Officer Jayaraman says he is leaving his job |

Stanford University Graduate School of Business – Ethan Baron photo

‘MY REACTION WAS OOPS, I SHOULD HAVE TOLD THE DEAN WAY BACK THEN’

While Dean Levin’s only public comments on the controversy have occurred in two emails sent to GSB students, faculty and staff on Nov. 17th and Nov. 30, his second message suggests at the very least irritation that he was not notified of the breach when it was patched by Jayaraman’s team. Levin wrote: “They did not understand the scope of the exposure and did not escalate it to me or relevant university offices for further investigation. The episode makes clear that we will need to implement improved practices around data security, and especially, to ensure that if problems are identified, they are escalated and promptly addressed in full.”

Stanford MBA student Adam Allcock

In October, after Dean Levin received Allcock’s report, the dean called Jayaraman into his office for a conversation over what had happened. Immediately, Jayaraman realized he had made a mistake in not notifying his boss eight months earlier when his team found out about the problem and quickly fixed it. “My reaction was oops,” concedes Jayaraman. “I should have done this way back then.”

On Friday, Jayaraman sent his colleagues a remorseful goodbye email, informing them of his departure. “I take full responsibility for the failure to recognize the scope and nature of the J Drive data exposure and report it in a timely manner to the Dean and the University Information Security and Privacy Offices,” he wrote. “I am fully accountable for this inexcusable error in judgement.”

‘MISTAKES ARE AN OPPORTUNITY TO KNOW THE LIMITS OF OUR KNOWLEDGE & IGNORANCE’

For now, Jayaraman is wrestling with the lessons from the controversy. “A total network system is a combination of technology, process and people,” he says. “One of the greater lessons to keep in mind is that failures result from the interplay among tech, people and processes that result in possibilities, good and bad. As a society we must keep these things in balance. For all the benefits technology has brought, we are still in the infancy of understanding how technology can be both helpful and harmful and how we can protect against the downsides. The flaw would be thinking that at any given time we are perfect.”

A few years ago, when he was the CIO of NVIDIA, Jayaraman read a book called Chasing The Rabbit written by Steven J. Spear, a senior lecturer at MIT’s Sloan School of Management. A quote from the book has stuck with him to this day, he says: “No team can design a perfect system in advance, planning for every contingency and nuance. But great teams can discover how to keep improving a system to be better and better.”

“Failures, adverse events and mistakes are the little alarm bells that trigger the learning of teams,” reasons Jayaraman. “The greater lesson is that every organization that wants to be high performing should view mistakes and adverse events for what they are. They should trigger an exploration of where a system is weak and how it can be strengthened. I strongly believe that mistakes are an opportunity for a team to know the limits of our knowledge and our ignorance and to learn from it and become stronger.”
