Coursework moderation, exam bodies and technology

One of the big advantages of productivity suites like Google Workspaces for Education or Office 365 is the ability to easily share and collaborate.   This is great within schools, allowing students and staff to share and work together on documents and projects, however I also believe it starts to provide some other benefits for education in general, such as in relation to coursework moderation and exam bodies.

I have long believed the exam boards have lagged a bit behind in terms of technology use.   I remember being a visiting moderator for a vocational IT qualification some 15yrs ago and being presented by mountains of print outs.   I was visiting schools across England to carry out moderation activities relating to the evidence students had created in working with technology tools such as website development tools, spreadsheets, email clients, etc, yet it was all being printed out for me to look at.   I dread to think, on reflection, how many trees were cut down in the process.     It was around this time that I decided as a teacher of the same vocational qualification that I wouldn’t repeat this mistake, so I worked with our network manager to come up with a way to structure student evidence such that it was easy to extract and burn onto a CD (remember this was 15yrs ago!) which could be handed to the visiting moderator, rather than trying to bury them under mountains of paper.  Through the CD the moderator would have access to all student evidence in a structured and easily navigable form as opposed to a pile of A4 folders of printed evidence.

Office 365 and Google both allow for the easy sharing of digital evidence, which solves the above issue which I had previously solved with a CD, some network setup and a few batch files.    Recently working with one department who were using OneNote to store student evidence, we made use of the Parental Link functionality (See instructions here) to share the content with a moderator.    In some other areas we are using SharePoint for example to share video evidence of student work.   Now some planning does need to go into this, as some schools will have external sharing turned off in relation to data protection, however with a bit of thought and configuration, a solution can be found. 

This all highlights for me the need for exam boards to catch up.   Why arent exam boards providing more guidance to schools in terms of easily sharing digital student evidence with moderators?  Why is it being left to schools and their moderators?   Given most schools will now have either Microsoft’s or Googles suite in place, now is the time to drive things forward.   And it is about time, as looking back, I was trying to go paperless 15yrs ago, prior to the bandwidth and sharing tools which now greatly enable this to easily occur.

Additionally, and looking a little broader, why are we still making so many students sit in large exam halls to complete paper-based examinations following 2 years where the pandemic has meant that students and teachers all over the world have been reliant on technology to collaborate, communicate and engage in learning.   Why arent we looking at how technology can facilitate exams?  Now I note some initial pilots are being trialled but to me it all feels a little late in the day.   Again, there is a need for things to be driven forward here, and I don’t sense the drive and urgency I would expect.  

I feel schools have driven forward their use of technology over the last few years, urged on by needs resulting from the pandemic.   This has been great to see and has left schools in a stronger positive in my eyes.   But why are some of the services which underpin our current education system, such as the exam bodies, not working harder to do the same.   My main concern is that these services may serve to drag schools back, losing some of the technology-based advances we have so recently made.

Why cyber security matters?

I have written repeatedly about cyber security and the fact that cyber security is an increasing risk for schools. In my view, it should be on the risk register and subject of regular discussion but why has it become so important?

Increasing amounts of data

As we become ever more digital within schools, we find ourselves gathering, but also generating, ever more data.   Whether this is the simple demographic data such as name, address, DOB and gender or other data such as browsing history through school filtering solutions and device information for personal devices.   We increasingly have online payment gateways for parents to purchase school lunches or uniform, or solutions which record health and allergy information.   We are gathering ever more data.   And with the ever more data, we are able to generate yet more data by combining it or inferring from it.    So, if the data is the new gold, then schools must clearly be untapped gold mines from a cyber criminals point of view.  As such cyber security is important in keeping school data safe.

Schools being hit

Looking at the newspapers and online press and it wont take you long to find a school or group of schools which have suffered from a cyber incident.    The reports often indicate the need for school closures while recovery is attempted.    This clearly shows that schools are being hit, and possibly even specifically targeted, and that a cyber incident has a significant impact.   Given this context, that schools are suffering impact from cyber incidents makes it difficult to not consider cyber security and mitigating risk as much as possible.

Schools as soft targets

The purpose of a school is education, teaching and learning.  As such its resources are focussed on this.   This means schools, despite having large amounts of data, are not investing in cyber security to the same extent companies may do.   This is both in terms of cyber security technologies but also, and possibly more importantly, in staffing with cyber security experience.  Now I feel this isnt that surprising given the general shortage of cyber security professionals and the resultant potential wages they can demand.   Schools will therefore find it difficult to match such wages.    Additionally, schools will have a variety of different systems and hardware, including student and staff personal devices possibly, all connected to their network often with updates unapplied or poor general security setup.  The focus of IT will largely be on enabling teaching and learning rather than maintaining a tight security perimeter.     This all leads to cyber criminals seeing schools as soft targets. 

Young Peoples personal data

Banks and other financial organisations are increasingly using data to identify unusual activity on an individuals account as a method of identifying and stopping fraud.    The challenge with young people is that, to start with, little data exists as they setup their first account, their first loan, their first hire purchase agreement and eventual mortgage.    Therefore, from a cyber criminal point of view, having access to sufficient personal data to initiate identify fraud is better with young people, where little data exists, than with older people.   With young people the first transfer into a bank account in the control of a cyber criminal is more likely to get lost in the wealth of other firsts for these individuals.    Again, this points to school data as a gold mine for future frauds and financial gain on the part of cyber criminals.

Safeguarding

We also need to consider safeguarding.  Students are increasingly online in schools and also at home.    Schools need to keep them safe in school, and cyber security is a part of this, in ensuring their online activities are safe and secure, their devices remain secure, etc.   Additionally, schools need to ensure that, through the data schools have on students, they remain safe outside of schools.   We need to ensure that their data remains safe and secure such that it cannot be used to malicious ends in approaching them online.  

Conclusion

Cyber security matters.   I would even go so far as to say critical.   All schools need to consider cyber security and not just as a one off but as an ongoing process.  Cyber security needs to be part of school culture in the same way that safeguarding has become part of school cultures over the last 20 years (it may be longer than this, but my experience is limited to just over 20 years).  We need to ensure we do all we can to keep schools, their systems, data, staff, students and wider community from cyber risks, to prepare for inevitable incidents which will happen and to make all aware.   It’s a big ask I think so first step is to ensure we have at least given it some thought, started talking about it and started sharing our thinking.   To that end I hope this post has been of some use.

The asymmetry of relations between schools and the providers of solutions they use.

During last year a third-party software solution vendor decided to change its pricing model, which in turn resulted in a significant cost increase to the school.   It is only now however that I have had time to write and share my thoughts on this.   Now, I can understand their reasoning for the increase, given their model made them significantly cheaper than the competition when we originally looked to source a solution, and therefore despite providing a similar service, they would have had lower income.   That said, it still felt unfair.

So, what are the factors here?

Communication

In this case the communication wasn’t great, as it wasn’t until our renewal that they communicated the cost increase with us, where clearly, they must have planned the change including modelling its impact on both the company and its users.    I would have hoped that they would have clearly communicated their plan for a price increase in advance, outlining to customers the reasoning for the change and how the new funds would be invested and used to the betterment of the product and therefore its loyal customers.   A little bit better communication, and more information may have made me at least a little more understanding as to the change.   Sadly, in this case all we got was a quote with a price significantly higher than the cost from the previous year.

Training and sunk costs

Following this unfair treatment, it might seem logical to simply change vendors, especially now where this vendor is now comparable in terms of price with other solutions.   The challenge here is that we can’t purely look at the bit of software and its cost, we need to consider the number of users, type of users, training and support, the complexity of the system, etc, if we are truly to identify its impact or the impact of trying to change systems.   This is where it gets difficult as it will always be easier to stay with the solution you have, than to change to a new solution, especially where the solution you have has been in use for several years.    You have already paid the cost of setting the solution up, adjusting processes and training users.   With any change in solution these costs will still need to be paid.   At this point you need a robust motivation to change, where in my case, the minor feeling of unfairness is unlikely to be enough.

So, what to do?

I decided that as the total cost of moving to a new solution was higher and represented more uncertainty, despite the feeling being unfairly treated, I decided to stay with the vendor in question.   I did however make sure our unhappiness as to this incident was made clear.   Maybe there will be some potential for negotiation on cost following this however at the time of writing this is unknown.   I know this decision seems imperfect, but we live in an imperfect world.

Wider implications

The above incident however highlights the wider implication where we invest in solutions for use in our schools whether they be learning platforms, productivity suites, management information systems or other solutions.   As we invest, and use and eventually embed each system, we need to consider what our exit strategy might be.    Although we hope each third party may have us, the customer, in mind it is likely their key focus is on their continued commercial operation and on growth where possible.   As such the customer isnt us as an individual school or MAT, but schools, the collective group of schools they currently or in future may wish to sell to.

We are investing in their platform to provide something to our schools which we can’t provide for ourselves.    They however are less invested in us as we are but one school in a sea of schools to which they sell their product.   The relationship is decidedly asymmetric.

Conclusion

I wish I had a solution for this issue but sadly I do not.   The relationship between a school and the third-party solutions it uses isnt balanced and as such even if the vendors direction is currently aligned with yours, it is unlikely to remain so.

The only recommendation I can therefore offer is to be aware of the asymmetry of the relationship and have an eye on possible alternatives should the push become significant enough to offset any training or other costs.    Also, where unhappy, be sure to make vendors aware as it is likely you won’t be the only person, and if a vendors collective user base all complain the vendor may be forced to reconsider any proposed changes.

The big vendors we are all using, such as Google and Microsoft, may represent the above issue taken to an even large scale.  If their solutions ceased to align with school needs, how easy would it be to move solution, where all your data, your training, etc is so heavily invested in these solutions continuing to remain in alignment with individual school needs.   This may be an even more significant risk, however hopefully one which we will never need to realise.   As such it may therefore be ok to have at least considered the risk.

9 Years of blogging

Feb 12th 2012 and I was sat on the bed at night, creating my new blog.   My first post was a short one, but little did I know that I would still be blogging some 9 years later.   374 posts have passed under the bridge since that evening at home in our villa in the UAE.   Now I sit at home writing this, some 1000’s of kilometres away from where my blog began, now living in Somerset rather than Al Ain.

My blog has never had a huge readership; to be honest it barely has a small readership; however, I have found the process of writing useful for myself, forcing me to order my thoughts before typing them out.  At a recent virtual event, someone commented about where I find the time to blog in addition to my normal workload as a Director of IT.   There is only a limited time in the day, and this will never change, so I try to avoid concerns about the lack of time.  Instead, I have always sought to prioritise, and that includes putting some time aside to write my blog.   Often this has involved stealing a small amount of time here and there.   As I type this, the Amazon TV series Reacher is on in the background, and I am half watching it as I type this.    Given I try to just get my thoughts down, rather than seeking to create a literary masterpiece, this works for me.   Most of my posts have been written in a single sitting rather than being reviewed and edited, which explains, and hopefully excuses, the number of typos, grammar errors and sentences which read poorly.

The other benefit I have found from blogging has been the fact it creates a record of my thinking.    As such, when I look back it provides a window into my thinking at a particular moment in time, in the past.  I have found this useful in charting how some of my views, opinions and beliefs have changed over the last 9 years.   We seldom admit or even appreciate how much our views and beliefs change, however having a written record, has helped me to realise how much and where I have changed, and where I have not.     I think in future, when I look back on the period 2020 – 2022 and the pandemic, I might find particular value in the records of my thoughts and from this there might be a number of learning points which I can take away.

I also hope that in blogging I am contributing to the wider world, to the education and technology discussion.   Ultimately is this not something we all wish for, to have achieved something and left something behind.   I hope that at least some of my thoughts have contributed something meaningful to the discussion, and I hope to continue to do so.

Blogging isnt for everyone, and to be honest I never really thought it was something I would get into.   That said, I would recommend that if you are thinking about it, just do it.  Don’t worry too much about who will read your posts, about what you will write about, etc, just be yourself and share your thoughts.   The more people sharing in my view the better, especially as we continue to work through the difficulties presented by a global pandemic.

So, with this, that’s 375 blog posts in 9 years.   Onwards to another year and I look forward to continuing to share my thoughts.

Thoughts on Safer Internet Day

This week included Safer Internet Day, the 8th of February, with a lot of additional posts on internet safety making their way onto social media.   I think safer internet day is great to sign post resources, focus thinking and share thought and ideas regarding online safety, however equally I worry that it becomes a single shot deal.  I worry that it signifies the 1 day a year when online safety receives a focus.

I have recently tended to focus on the cyber security aspect of online safety in particular, talking to students about securing their accounts, data breaches, etc.   This has largely been due to my interest in this particular area and a feeling that this area is sometimes neglected or is believed covered through a discussion of what makes a strong password.  I think that students have found our discussions useful however I wonder about the overall impact where these discussions happen infrequently.     Students may listen intently, engage and even contribute, but once they return to their daily lessons and the daily requirements of study, homework, etc, I feel that the discussion of cyber security and the concepts raised may largely become lost in the sea of other information and priorities.   When they next pick up their device, or sign up to a new online service do they give thought to the presentation they received, or do they simply repeat their previous behaviours and sign up with little consideration for online safety?

One of the big challenges is how we fit digital citizenship, online safety and cyber security into the available time such that it occurs regularly.   With ever increasing curriculum requirements the available time is only shrinking, and I note that seldom do we see net impact of curriculum changes resulting in less things to cover.    As we use more technology in our schools, as our students use more technology in their education, but also in their day to day lives, surely, we need to spend more time discussing the risks, as well as the benefits.   Surely, we need to spend more time looking at how we manage ourselves in a digital world, how we manage our online identity and our personal data.   But where is this time coming from?

And this is the crunch;  Safer Internet day, which I have already acknowledged I like, may highlight the limitation of our current approach to online safety.    It feels tacked on, an additional item, rather than something core, something truly important.    We might run presentations or get guest speakers in, but all this really does is tick a compliance box.   To truly cover online safety we need something more embedded, something which is ongoing throughout a students time in schools or colleges, we need to develop a culture of online safety.   We ideally need everyone modelling behaviours which represent good online safety, whether this is the teachers or the students.   We also need poor behaviours to be challenged and questioned.

Developing organisational culture is a long term and slow process, which in my experience is often the sum of lots of little actions taken across an organisation, which adds up to a statement of “how we do things around here”.   As we use greater use of technology, we need to be increasingly focussed on making sure our usage of technology is “safe”.   

But technology, unlike culture, moves quickly so we have no time to waste.   I think we all need to ask ourselves, what is the online safety culture like in our school and how can we develop it, how can we make sure it equips students with the knowledge and skills they need in this increasingly digital world.

A third party cyber incident

Schools make use of a variety of third-party solutions with these solutions increasingly involving both the software and the hosting of the solution; The days of all third-party solutions being hosted on school servers in a school server room are fast disappearing.    School data is more and more stored in third party solutions, with data ranging from simply a list of email usernames and passwords to much more significant and sensitive records which might include medical information, financial information, etc with the school frequently being the data controller and the third party the data processor.   As such, ultimately, the security of the data is the responsibility of the school, yet these third-party solutions are increasingly seeing data breaches.

So, what might this look like when a third party suffers a data breach, such as a ransomware cyber incident?

The first few days

It is likely the third party might first attribute issues to common or garden IT issues and outages before they realise, they are suffering a cyber incident such as ransomware.   So, to start with you might get simple “we are investigating an IT issue” messages in reply to tickets logged.   At this point it is important to realise, even if they are now aware of the cyber nature of the incident, they are likely to be limited on what they will be able to tell schools due to legal risk, cyber risk of tipping off the cyber criminals and due to fear of providing information which might later turn out to be incorrect.   There is also the need to prioritise managing the incident rather than seeking to manage communications with those schools affected.   As such for the first few days you should expect to hear little useful information, with this being potentially very frustrating.

Issue identified

There will then become a point where the issue will be identified.  So, you might be told that a ransomware incident took place on a given date and that specific actions were taken however as before you will get little other information.   If you are hoping to know what ransomware strain was used, how it entered the systems, what specific actions were taken, which schools were impacted, etc, you will be waiting a long time.   You will get enough information to be considered informed but little beyond this.

It is now a school cyber incident, and the appropriate senior staff need to be made aware, although there is relatively little detail available which can be shared.   Ideally at this point you will know what data is stored by the impacted third-party solution however if you do not, the first step will be to establish the extent and type of data potentially affected and therefore the risk to the school.   It is also at this point good to consider the comms side of things and what message you might want to send out to your various stakeholder groups dependent on the, yet undetermined, impact of the incident.    For schools it is about a reasonable measure of preparedness rather than rushing to share;   Its that balance between pushing out comms too early, where you don’t know much or where what you know may later prove to be incorrect, or leaving it too late and being accused of not sharing information early enough;  There is no “perfect” solution to this, it is simply a risk based judgement call based on the incomplete information available at the time.

At this point, now we know that there is a cyber incident and the possible data and school impact, it may be necessary to consider an initial report to regulatory authorities such as the Information Commissioners Office (ICO) as well as to the NSCS and Action Fraud, plus it may also be worth raising with insurers.   In terms of the ICO, a quick phone call for advice to their helpline is an easy step which can be taken at this point and may both yield helpful next steps as well as evidencing an attempt to take reasonable measures in response to the incident.

The first two weeks

We now move on to the forensic analysis as hopefully your third-party vendor gets an outside cyber expert to pore of their systems, the activity logs, etc to give them a clear (or as clear as possible) picture as to the events and what data might have been accessed or exfiltrated.     Again, information is likely to be slow in being shared, again due to the perceived risks to the third party.   It may be that they have nothing to offer beyond that which has already been shared.

Again, it’s back to risk-based decision making in relation to comms.   What needs to be shared, with who and when?   This will very much be determined by the nature of the incident itself with a major incident where data has been exposed needing urgent communications whereas an incident which resulted in IT outage, but no data loss may not.   My key advice here is to ensure logs of activity and decision making are kept so these can be used in later review.   Knowing who contacted who, when they contacted them and the reasoning behind decisions can be very valuable in establishing the reasonableness of actions taken should the context of the incident change or should new information become available.

Wash up

There will then be a point where the third party will consider the incident closed and where update pages, etc, put in place in relation to the incident may stop being updated or may even be removed.   At this point there should be some summary as to learnings from the incident and about future changes in processes, security measures, etc.   if you don’t receive such an “after action” report then it is important to press on this matter.   You are unlikely to receive much specific detail on the incident however you should at least receive a broad description of the issue plus some evidence of planned measures to prevent reoccurrence, and therefore some reassurance that things have been learning and that actions are being taken.

Conclusions

“Hope for the best but prepare for the worst”

For me the key thing is to prepare for these kinds of incidents in advance, and not just in terms of IT support staff, but in terms of the wider staff body.   A desktop exercise where a virtual scenario is played out is the easiest way to achieve this, with SLT and other key staff involved.  At the end of such an exercise all need to be clear that, in the event of a serious incident, although we want quick resolutions these are often impossible or inadvisable, with police, insurers, regulatory bodies and cyber security experts all likely to contribute their views on what should happen and when.   Constant phoning IT for updates is only likely to slow the process down.    We need to all be ready and aware of the likely slow nature associated with painstaking initial investigation and even more painstaking, or is that painful, recovery operations.    We also need to be clear what things may or may not be possible as we seek to return to “normal” following an IT incident.

That said, we also need to be proactive in identifying data which might potentially be impacted, preparing communications, preparing contingency measures and otherwise being as prepared to deal with the incident as best as is reasonably possible.

As technology becomes more and more important to the operation of our schools, I suspect we need to spend more and more time on preparing for the eventuality where it goes wrong, with cyber incidents being an increasingly likely source of this eventuality.

Phishing de-evolved

Phishing emails change over time as cyber criminals seek to change their approaches to improve their success rates and achieve better outcomes.    That means that the type of phishing emails schools and their staff have to contend with have changed over time.  As such I would like to share some observations on the changes I have observed.

Lets go a few years, but not too many, so maybe 6 – 10 years.   At this point I remember receiving phishing emails however finding them reasonably easy to recognise.    The below for example was an Apple based phishing email.

The identifiers are reasonably clear in the spelling and grammatical errors and in the lack of branding, not to mention the email address.   I note it conveys a sense of urgency, an important tool in a cyber criminal’s arsenal, however it relies, due to being from a known organisation, on being believable, which to most users I don’t believe it was.  That’s not to say that some people wouldn’t fall for it, as we are all susceptible to errors or momentary lapses in concentration.

Fast forward a few years and the cyber criminals got much better at making their phishing emails believable, branding their email appropriately and even copying the styles of common productivity suites and other commonly used tools.    The below are just two examples:

Although these malicious emails were successful for a while, the issue here is that they have become common and therefore users in general are more cautious around them.  Again some people will click on links, etc, but most now either ignore or treat with great care.   Now the common nature of these type of emails may be part of the story as to why I don’t believe we fall for these emails quite as often, however I also acknowledge that phishing awareness training materials have increasingly focused on these types of emails, building up an awareness of the need for care.   So where next for phishing?

More recently I believe I have seen an increase in very simple emails rather than the branded type.   The simple emails are more akin to the emails from 10yrs ago although are actually even simpler and basic.   Being simple and basic they remove the grammar and spelling errors as they contain limited text.    They also tend to be made to appear to come from known individuals such as colleagues so remove the issue of branding.    Additionally, they are, due to their simplicity, different from the big, branded phishing emails so they are less likely to set off users phishing “spider-senses”.   The below is just one example:

Here the limited information allows users themselves to mentally fill in the blanks as to why this particular colleague might be contacting them and what this might relate to, and you would be surprised just how many of us can come up with a valid reason for a random colleague, friend or other acquaintance to reach out in this way.    It goes right back to the psychology of urgency and also FOMO (Fear of missing out), using this rather than technology to seek to entrap users, a technique that cyber criminals have tended to be good at.  In the above case the telling indicators of a phishing email continue to be the email address itself, and the need to look beyond the display name, and also the unexpected nature of the email, which should also be seen as an alarm bell.

For me looking back it would appear that phishing emails evolved from basic emails to more complex and convincing branded constructions.   They are however now “de-evolving” back to simplicity, taking advantage of psychology and also of the ever busier worlds we live in, and in education, given the pandemic, I don’t believe things have ever been busier.

I also think it is important to acknowledge that first sentence of this post, regarding cyber criminals “changing their approaches” and seeking to “achieve better outcomes” would be at home in an email or document from a corporation or other organisation seeking to improve its success.   Cyber criminals are behaving in an almost business like manner and given this we can only expect their approaches to continual change and adjust as technology, user awareness and user training develops.    For the foreseeable future I suspect we will be continually engaged in a game of phishing “whack-a-mole”.

So, what do we do about this?

I continue to believe that user awareness is the key.    The more users are aware and vigilant the better.   Additionally, users need to be clear on how to report concerns or incidents, and the culture needs to be such that users feel safe in reporting when they get it wrong.   My view is we are all likely to get it wrong at some point, if we havent already!  

Cyber security and data protection awareness cant be seen as a static program, a set training package or a yearly training session.   It is dynamic, ever changing and ongoing, much in the same way the attacks are; We need to see it this way and to seek to deal with it with similarly dynamic and constantly evolving approach.

A day in the life of a Director of IT

The below post was originally shared via the Association of Network Managers in Education (ANME) on 20th December 2021

Different schools use different job titles for the work that I do, and in addition, the specific tasks and requirements differ from school to school based on size, context, budgetary constraints and a variety of other factors. As such, I thought I would share a brief outline of a day in my life.

So, it’s Thursday, December 2nd and the day kicks off for me around 8:15 am when I arrive at the office and get set up for the day. My first port of call is to get email on screen plus my collection of daily web pages including my To-Do list, our help desk and other apps I need on a daily basis. One of the first things I look at is any alerts in relation to suspicious user account activity to see if there is anything that might merit my involvement plus also to make sure anything which requires logging is logged ready to be reported to SLT.

My next activity was a quick chat with our Network Manager in relation to some Wi-Fi usage data I had been looking at. We started gathering the data and analysing it in response to some general student complaints regarding Wi-Fi connectivity, however, the data doesn’t quite support the existence of a general issue, albeit individual students may have specific issues in relation to their devices, connectivity, or services which they are trying to access. Rather than requiring general action, these issues will require contact with the students to try and identify and resolve their specific, individual issues.

At 9:00 and my first meeting of the day, with our Director of Finance. There are a number of current projects which make up the agenda for our discussion plus a discussion of cyber security issues and some recent infrastructure challenges we had been facing.

As is generally the case, the meeting is a packed one and, in this case, even runs beyond the allocated one-hour slot. Immediately following the meeting, I spend a little bit of time digesting the discussion and noting down any actions, making sure these are added to my To-Do list as appropriate.

10:30 and I am working on our annual IT Services perception survey. This is basically 3 surveys that go out to staff, senior school students and prep school students to gauge their experience and perception of IT Services and of our devices, infrastructure, etc. We have been gathering this info now for around 5 years and it is the longitudinal nature of the data, rather than the in-year data which is most useful as it highlights trends over time. I spend a little time preparing the relevant surveys and the associated communications that go with them, plus make sure to keep a number of key staff aware of the planned release of the surveys.

Following this, my next task relates to phishing awareness. We recently ran several awareness tests on small groups of staff whereby we sent a fake phishing email to them to see if they identified the email as malicious or if they fell for the bait. I now need to write up a short report on the findings from the most recent test so this can be shared with SLT for their info. This process has been useful in identifying the type of phishing emails that staff tend to fall far, which then allows us to direct awareness training to this area.

My department weekly briefing is my final task before lunch. This is a weekly document rather than a face-to-face meeting and serves to share thoughts, notices, etc with the IT Services team hopefully also serving as a record of activities, etc and as a repository of useful info. It isn’t a long task to create these each week as I tend to follow a rough template. This week’s briefing turns out to be a slightly longer one, but this is mainly due to sharing some of the positive feedback I had received in relation to the team’s recent activities.

Following lunch, I have meetings with the Head of IT at our prep school and our Director of EdTech for our senior school. I work closely with both, where their focus is very much is on what happens in the classroom and the pedagogy, my focus is a little more on the technology, infrastructure, support services and cyber security. The key thing is together we are able to provide a guiding direction in terms of technology use within the school, each able to bring our different experiences and skillset to bear in discussions. Due to this, we make up a central part of the schools IT Management group which also includes SLT members and a number of teaching staff. This week’s discussions focus on the school’s technology strategy and expanding on it so staff have a clearer understanding of it, plus on the now-launched satisfaction surveys.

The end of the day (5pm) is now fast approaching so I spend a bit of time continuing to work on my end of term report. I try to provide a termly report which contains useful data in relation to our infrastructure, systems, user support, etc. The purpose of the data is very much about transparency and making sure that the SLT is always aware of all the work going on in IT Services even when everything is working fine. It also serves to identify trends, opportunities, and concerns. I find the report particularly useful in continuing to build awareness in relation to cyber security risks. As much as possible I try to use readily available data to avoid it taking too long to process however, the reports still do take a bit of time to produce. In my view, they are however well worth the effort in avoiding IT Services disappearing behind the curtain until the next issue arises.

Reflections

Looking back, it was a reasonably busy day with a number of reports being written. I suspect this was largely due to the fact we were fast approaching the end of term but also the end of the calendar year and therefore some of these reports needed to be in before everyone broke up for the winter break. Cyber security was certainly high on my order of thinking, however, this is increasingly the case. Our technology strategy, which we recently updated, was also high on the priority list.

I suspect, although Directors of IT, or those in similar roles at other schools, are all travelling in roughly similar directions in terms of technology use within their school or schools the route taken can differ significantly. As such my day may look totally different to your day, but that’s not a problem. The key is that we each know in which direction we wish to go, and are taking the necessary steps to get there.

Pledges 2022

Once again it is time to write my pledges for the year and I note this year a number of people online suggesting they won’t be sharing any pledges this year due to current pandemic situation being stressful enough, without adding the additional pressure of trying to meet some well meaning targets set at the beginning of the year.    I can totally get this thinking;   If you look at my review of 2021 you will get a sense of how I felt I “survived” the year rather than making progress, growing or flourishing as I would have liked to.    As such I considered not sharing any pledges this year however I have decided to stick with it and share.   I share my pledges, most likely for my future self rather than for anyone else, although I hope you find some use or insight in my thoughts too.   I share these targets with clear understanding of how the last two years have been challenging, unpredictable and [forgive me for saying it] unprecedented, and the year ahead already looks like it will be no different.   But I will share my pledges nonetheless, albeit I may adjust my expectations accordingly.

So let’s get started:

Exercise and Health:

I have done very well in the last year with my exercising and general fitness and in particular with running.   My plan for this year is to try to maintain this, and to again manage 750km worth of running during the course of 2022.   Now I acknowledge this will very much be dependent on my health as illness will impact on my ability to run however, I think it’s a fair target.   I also note the maximum distance I have run to date in a single session has been 8km.   By the end of 2022 I would like to be able to complete a full 10km running session, even if this involves some periods in the session where I may slow to a walking pace.  

Another area I would like to work on this year is reducing my alcohol intake so managing a month period (so 30 or 31 days) without a beer.   I suspect this will be a challenge as for me a beer has always been key to relaxing or to helping with stress, however I am concious that reliance can have a negative impact on health.   As such I want to try to adjust what for me is a habit.

Wellbeing / Happy memories:

A key aspect when I reflect on the year past is those memories of positive or enjoyable events.   This year I want to build in more of these, so more occasions where I do something outside my normal.  This might simply be getting away for a break, or doing a new activity, or buying something memorable but the key thing is to generate positive memories which will come to mind when I look back on the year in the December 2022.     I have already started considering possible ideas here with a planned holiday already on the cards, and a possible idea to do something a bit different in Dec 2022.    That gives me at least 2 items but ideally, I want to have 6, so something to remember in each of every 2 month period.

Reading:

My reading has become a bit of a habit with 12 books minimum read per year, however it has become a habit which has lost some of the enjoyment and some of the learning, replaced by simply process.   I would like to get back to enjoying more of my reading this year and to again learning more.    As such I am only looking at reading 6 books this year but including some non-fiction in there for enjoyment and being more selective of the books I read for learning purposes.   I also need to be better at simply putting a book down where it isnt working for me.    I hope to look back in Dec 2022 and to have renewed my enjoyment in the reading I have done.

Contributing:

This is something I want to focus on this year, continuing my current contributions to Technology in Education and Education more generally but also to the IT sector as well possibly.    This will include my tweets and social media contributions, my blogs and my podcasts plus my involvement in different groups including the Association of Network Managers in Education (ANME).    I also want to try to develop new opportunities and ways for me to contribute and share with others.

Work:

Lots gets done during year and I think that can be my problem in that I don’t, at the end of the year, quite appreciate all the work and effort that has gone into all that has been achieved.   As such this year I want to take regular breaks to stop and reflect on all that is achieved and on the work required to make these achievements actually happen.   Very seldom is any task in my role achieved simply, instead they involve meetings with stakeholders, planning time, implementation, faulting finding and problem solving, adjustment and evaluation.   I need to be more appreciative of this work, albeit it sits behind projects or tasks which appear simple when written down on a bulleted list of to-do items.

I think in my work life I am also seeking some new challenges.    For this I already have some thoughts and projects which will help here including a project in relation to contributing and sharing as mentioned earlier.   This very much comes down to me making things happen and is down to a bit of creativity and innovation on my part.

Conclusion

For the last couple of years three words have been in my thinking being prioritisation, entropy and reasonableness.   When I look back from Dec 2022 on these pledges, I aim to have these words in my mind to ensure that the pledges here do not unnecessarily add stress to the days, weeks and months ahead.   If I need to prioritise other things, over the above pledges, if the world, my role, etc changes unexpectedly or if the pledges become unreasonable in the context 2022, then not meeting them is fair and totally expected.   That said, for me anyway, having the pledges provides an insight on my thinking as it is today, for me to reflect on once I reach the end of the year.   It provides an outline for a planned direction, again for reflection, even if I end up not fulfilling some of the detailed actions.    For me anyway, I think there is more benefit in writing this than there is a risk of this causing unnecessary stress for myself.   But this is an individual decision we each need to reach.

2022 is another year.    2022 is another opportunity to feel positive about my efforts.   And so with this in mind, I need to make 2022 the year I want it to be; This makes me think of Covey’s circles;  I shouldn’t allow that which I cant control or change, my circle of concern, to impact on my happiness and sense of progress.   I should however focus on that which I can control or change, my circle of influence.    And with that in mind, its onwards and upwards!

A [honest] reflection on 2021

Firstly, let me say I am glad to see the back of 2021.   The end of the year has been very challenging, and not in a good way, including significant family health problems in December and a bout of Covid over Xmas.  Looking back at the year in general I find it difficult to actually find much positive to reflect on.   As such will just be glad to see 2021 draw to close and will have my fingers firmly crossed that 2022 will be a better year.

Beer anyone?

So, reflecting on my pledges seems like a good place to start in reviewing 2021.   Back in Jan 2021 I suggested having a dry January or at least 1 dry month, free of alcohol at some point during 2021.   I will admit I never got close to this and as the year draws to a close am drinking more.   I put some of this down to stress however also admit that a beer is one of the few vices I have so think it is fair to have at least some, hopefully balanced, drink based enjoyment and relaxation.   This, however, is something I want to address in 2022 although am not sure a dry January is possible.

Time for a book

My reading in 2021 continued with more than 12 books read across the year.   This has been a pattern now for a couple of years and I do wonder if now I am reading just to meet the target rather than for the enjoyment or to gain new insight or knowledge.   My reading has very much been non-fiction so this is something I need to consider.   I think maybe adding some fiction to my reading list, just to mix things up might be a good way forward.

Running man

If there was one area where I think I did reasonably well in 2021 it was in my running.   By the end of the year I had run over 750km during the year, way more than the 500km I predicted.   I think I am healthier for it.   I will admit my runs lacked much consistency although I did achieve consistency where it counted in simply getting out and running in the morning throughout most of 2021.   Going forward I may need to find some new running routes possibly or some other way to keep my running fresh and interesting rather than just a chore.

In need of a holiday

Again, the pandemic put paid to any breaks or holidays away so when I look back the year seems to have gone reasonably quickly.  I suspect this is largely due to everything becoming routine so lacking in any significant memorable moments in order to mark the passage of time throughout the year.   I suspect this further adds to my feeling of 2021 as a bad year for me as there is simply little to look back on where I am happy to have achieved something or have enjoyed a specific event, break or holiday.

Connecting and contributing

This year saw me start sharing some little 10min podcast episodes in addition to my usual blogging.   I had been considering doing this for some time but never got around to it until late on in 2021.  This is something I want to continue to produce and hopefully build on in future.     I also finally got back to a face to face conference, in the schools and academies show, where I presented an EdTech focussed session.   The other face to face conference I was due to be involved in, was sadly cancelled due to the ongoing pandemic.     

2021 also saw a lost family contact reach out to me.   I had held off reaching out myself for reasons which are my own, however for them to reach out allowed contact to be established and hopefully this is something which can be slowly developed and worked on in 20222.

Take notice

I kept a journal over the course of 2021 and this is something I may reflect on in more detail in future.   I think if there is anything consistent that can be taken from my notes it’s a sense of frustration and a lack of progress.   I note I even mentioned feeling depressed with things on a number of occasions.   I think this about typifies the year as I see it.

Mental Health

This links to the point above.   A lot of 2021 felt like simply going through the motions.   It was busy.  Things got done.  But did I draw much enjoyment from things?   I think generally I didn’t.   It was generally “run of the mill” processes.   I wonder though whether the ongoing news broadcasting regarding the pandemic and the restrictive measures being put in place, and generally depressing news played into this, making me feel more depressed than I maybe had done in previous, non-pandemic, years.    I also wonder whether a certain amount of isolation on my part, with a limited friends group unlike when I lived in the UAE and had a large friends group, also plays its part here, only added to by the isolating impact of the pandemic.    I will admit that I need to consider my own mental health;   My exercising is part of it, however generating positive memorable moments, having enjoyable activities planned, and much more also goes into establishing positive mental health.   It may just be that doing this, in the current context of the UK and the world may just be that little bit more difficult.

Overall

When I look back to January 2021 I mentioned that I suspected 2021 was “Likely to start of[sic] challenging”.   I think the reality is that it didn’t merely start off challenging but continued to be challenging throughout the year, ending on a month of very significant challenges.   Am I happy on reflection with 2021?   Sadly, I think the answer is no.   It seemed to pass quickly which I believe suggests it was devoid of many memorable, positive moments.   If I was trying to sum it up in a phrase it might be that 2021 “wasn’t anything to write home about”.   I also acknowledge I considered myself depressed at various points in the year and this might colour my reflection.   I will also admit there were some positives, its just that they were subsumed in the general negativity of the year in general.

2022 is a new year.   It’s an opportunity to start afresh.   So with that, I will shortly close the door on 2021 and hopefully move forward into 2022 with an aim to make the year a better one.

Happy new year to all when it arrives and may you all have a great year, stay safe and remain well.