Cranbrook School
Name: Andrew Hottes
Title: Chief digital information officer (CDIO)
Company: Cranbrook School
Commenced role: April 2018
Reporting line: COO
Member of the executive team: No
Technology Function: 9 staff, 5 direct reports
Having already brought ICT financial governance and rigour to Cranbrook School, based on his 25 years of experience in ICT, chief digital information officer Andrew Hottes set his sights on helping the school reach the top of the class in another critical area under his remit.
Over the past two years, Hottes led Cranbrook School to become the first school in Australia to achieve the gold standard in information security management – an ISO27001 certification.
Hottes had already demonstrated his strategic vision and leadership capabilities in helping the school respond to COVID-19.
After moving the school to the cloud in 2019, Hottes then led the school’s rapid ICT move in response to COVID-19 – enabling the switch to complete online learning across all cohorts within just five days.
Building on this achievement, Hottes has since been driving the school’s ongoing digital transformation journey.
However, when shifting his focus towards the critical issue of cybersecurity, Hottes realised the school was still in its infancy when it came to proactive security modelling.
It needed to develop a robust security posture to help protect its sensitive data and intellectual property.
After a thorough evaluation process, Hottes proposed the school should aim for an ISO27001 certification.
But gaining this globally recognised standard for information security management systems (ISMS) was not going to be an easy feat – especially as no other school in Australia had done so.
“Achieving ISO27001 certification is a challenging task, necessitating substantial investment in time, resources, expertise and requiring executive sponsorship,” Hottes tells CIO Australia.
“Obtaining this certification requires organisations to implement a comprehensive set of security controls and procedures that ensure the confidentiality, integrity, and availability of information assets.”
His proposal was reviewed in detail and ultimately backed by the Executive team, who were supportive in every aspect of improving the school’s security posture.
A security-first mindset
By focussing on developing and embedding a security-first mindset within the school’s technology operations, Hottes ensured that data security was consistently a top priority in decision-making. He implemented a comprehensive set of security controls and procedures to improve the protection of the school’s sensitive information, including student data, financial records, and intellectual property.
In addition, Hottes educated staff on the importance of security – enabling them to make informed decisions and strengthening the school’s security posture.
The project also called for balancing the overall needs of the school with the privacy and security concerns of all stakeholders, including students, parents, staff, and external parties such as board members and alumni. Drawing on his extensive ICT experience enabled Hottes to approach these technology changes and initiatives with sensitivity to stakeholders’ concerns while driving positive outcomes.
Another achievement was his proactive approach to internal email phishing campaigns, which reduced the number of opened or clicked malicious emails. This strategy has identified areas for increased staff training to make the school more resilient to cyber threats.
Overall, implementing ISO27001 certification at Cranbrook School has emphasised the significance of data security and control to staff in their operations. The project helped the school achieve several of its business objectives, including:
Protection of sensitive information: The implementation of stringent security controls has helped safeguard sensitive information, such as student data, financial records, and intellectual property, from unauthorised access, allowing the school to fulfil its legal and regulatory obligations, while ensuring that confidential information remains secure.
Enhanced reputation: Achieving the ISO27001 certification demonstrates Cranbrook School’s commitment to data security, a critical factor for parents and students when selecting an institution. It has positioned the school as a leader in the education sector, setting a benchmark for other schools to follow.
Improved operational efficiency: The adoption of standardised security controls, procedures, workflows, and policies has begun to streamline the school’s operations, resulting in increased efficiency and reduced costs. These standardised procedures also allow for more efficient use of resources and time, and more work is to be done in this area.
Solidifying a trustworthy and reliable reputation
As the first school in Australia to achieve ISO27001 certification, Cranbrook School has solidified its reputation as a trustworthy and reliable educational institution, says Hottes.
“This certification provides parents, students, and stakeholders with increased confidence in the school’s ability to safeguard their sensitive information as much as possible.”
It has also enhanced its reputation and operational efficiency, setting a new standard for educational institutions across Australia.
Building relationships with key individuals, including other C-level executives and leaders from various teaching and operational divisions of the school, was vital to Hottes’ success in this project. It allowed him to understand concerns, address issues, and demonstrate the value of technology initiatives.
By developing contingency plans and being transparent about potential risks, Hottes could ease concern, overcome objections, and instil confidence in technology initiatives across the school.
“This approach is especially crucial when addressing data security, confidentiality, and privacy, as these areas require a high level of sensitivity,” he says. “With the support of the Executive, the ICT team and the school community, a lot has been achieved in this area – however there is still a long way to go. There are no guarantees and with the ever-evolving threat landscape, we need to remain as vigilant as possible and continually look to improve our processes and controls.”
His strong track record of delivering innovative technology projects such as cloud computing, data analytics, and workflow automation, as well as pedagogical-focused technologies, earned the trust and respect of staff and executives across other departments and faculties.
Louis van Wyk