Summary6 min read

Podcast Summary: CTRL-ALT-LEAD with David Hinson

Episode: Plumbing, Not Hype: The Real Higher Ed Tech Priority
Host: David Hinson
Release Date: June 9, 2026

Episode Overview

This episode, “Plumbing, Not Hype: The Real Higher Ed Tech Priority,” features David Hinson delivering a direct critique of the current infatuation with AI in higher education IT. He argues that while AI dominates headlines and boardroom conversations, the real, urgent need for institutions is to overhaul, secure, and simplify their foundational technology infrastructure—the “plumbing”—before chasing new technology trends. Hinson provides seasoned insights into risk management, vendor accountability, data governance, and operational discipline, sharing actionable strategies for higher ed IT leaders.

Key Discussion Points & Insights

1. The Hype vs. the Reality in Higher Ed Tech

Timestamp 00:15-02:00
- AI is overhyped and detracts focus from urgent technical priorities.
- Major decision-makers (CIOs, CFOs, Presidents) recognize that flashy tech like AI is secondary to infrastructure challenges.
- Quote:
  
  "AI isn't the priority right now. Not even close. It's a shiny hood ornament on a car that currently lacks a working transmission." — David Hinson (01:05)

2. Higher Ed’s Bloated Tech Landscape

Timestamp 02:00-03:40
- Universities have long acted as “high end tool managers,” layering on new software and systems without strategic oversight.
- The age of IT “curiosity shops” is over due to tighter budgets and rising cyber threats.
- Quote:
  
  "We collected applications like hoarders, layering system upon system, patch upon patch, creating an architectural nightmare..." — Hinson (02:24)
- Demographic shifts (enrollment cliff) and cybersecurity escalation make risk management paramount.

3. “Cleaning Up the Plumbing” – What It Means

Timestamp 03:40-06:10
- Core infrastructure components under scrutiny: ERP, SIS, legacy identity management, critical SaaS connections.
- Historic preference for departmental autonomy has produced fragile, siloed systems (e.g., “extension cords through all the windows”).
- The new mandate is to manage institutional risk above all else.
- Quote:
  
  "If we don't clean up the plumbing, nothing else we build on top of it is going to matter." — Hinson (03:10)

4. Cybersecurity and Vendor Risk Management

Timestamp 06:15-11:00
- Higher ed is now the prime target for professional ransomware syndicates due to porous, sprawling architectures.
- Third-party vendor breaches (with reference to Instructure/Canvas incident) affect far more than just the vendors—they are existential threats to campus operations.
- Institutions must treat vendor breaches as direct threats and immediately trigger full incident response protocols.
- Quote:
  
  "Their perimeter is your perimeter... each vendor incident should immediately trigger the exact same enterprise incident response plan..." — Hinson (08:38)

5. Demanding Proof and Setting Standards for Vendor Relationships

Timestamp 11:00-13:10
- Use tools like SOC 2 Type II attestations and the HECVAT (Higher Education Community Vendor Assessment Tool) as shields against risk.
- Quote:
  
  "A vendor's marketing slick says they're secure, but a SOC 2 report actually proves it..." — Hinson (12:00)
- Any reluctance from vendors to provide these is a red flag.
- Compliance and documented resilience are more important than technological “prevention” hype.
- Real zero trust architecture comes from enforcing rigorous standards.

6. Operational Simplification and Financial Survival

Timestamp 13:11-16:00
- Redundant applications increase costs and risk—they must be eliminated.
- IT leaders need the fortitude to deny non-strategic departmental tech requests.
- Moving to the cloud and deprecating legacy systems frees capital and reduces complexity.
- Quote:
  
  "We aren't just shifting workloads. We're stripping out structural costs." — Hinson (15:00)

7. Data Governance and Integrated Strategy

Timestamp 16:01-17:38
- Disconnected data systems undermine proactive decision-making.
- True data strategy relies on solid governance and creating a single source of truth, not chasing analytics dashboards.
- Clean infrastructure enables clean, actionable data.
- Quote:
  
  "...if your data is trapped in five different disconnected systems... You don't have an enterprise. You have a collection of competing fiefdoms." — Hinson (16:40)

8. Redefining the Role of the Campus CIO

Timestamp 17:39-20:05
- The CIO must shift from perceived “cost center” to business-minded risk manager.
- Speak the language of business: risk mitigation, capital preservation, operational resilience.
- Show boards and CFOs how tightening up the tech stack directly impacts student outcomes and college finances.
- Quote:
  
  "When you sit down with your CFO, you shouldn't be pitching a tech project. You should be pitching a business solution." — Hinson (18:13)

9. Hinson’s Personal Playbook and Case for Operational Discipline

Timestamp 20:06-22:09
- Draws from 15 years of experience, emphasizing real-world consequences of poor (vs. sound) infrastructure.
- Institutions that succeed prioritize operational discipline and foundation over hype-driven expansion.
- Quote:
  
  "I've watched institutions thrive because they had the discipline to stop chasing the hype cycle, roll up their sleeves, and fix the core pipelines first." — Hinson (21:25)

10. Call to Action: Focus on Infrastructure

Timestamp 22:10-23:55
- Urges leaders to ignore vendor-driven panic and glitzy trends.
- Audit, simplify, secure, and rigorously govern tech “plumbing.”
- The real survivors will be those who have the operational maturity and discipline to secure their core, not those with the most tech “toys.”
- Quote:
  
  "The institutions that survive the next 10 years won't be the ones that deploy the flashiest tools. They'll be the ones that had the operational discipline to simplify their footprint, secure their data pipelines, mandate uniform crisis response for vendor breakdowns, and manage their institutional risk with cold, hard metrics." — Hinson (23:20)

Memorable Quotes

"AI isn't the priority right now. Not even close. It's a shiny hood ornament on a car that currently lacks a working transmission." (01:05)
"If we don't clean up the plumbing, nothing else we build on top of it is going to matter." (03:10)
"Their perimeter is your perimeter... each vendor incident should immediately trigger the exact same enterprise incident response plan..." (08:38)
"A vendor's marketing slick says they're secure, but a SOC 2 report actually proves it..." (12:00)
"We aren't just shifting workloads. We're stripping out structural costs." (15:00)
"...You don't have an enterprise. You have a collection of competing fiefdoms." (16:40)
"When you sit down with your CFO, you shouldn't be pitching a tech project. You should be pitching a business solution." (18:13)
"I've watched institutions thrive because they had the discipline to stop chasing the hype cycle, roll up their sleeves, and fix the core pipelines first." (21:25)
"The institutions that survive the next 10 years won't be the ones that deploy the flashiest tools. They'll be the ones that had the operational discipline to...manage their institutional risk with cold, hard metrics." (23:20)

Notable Moments & Tone

David Hinson’s delivery is assertive, seasoned, and unsentimental, blending real-world war stories with concrete recommendations. He uses vivid metaphors—like broken plumbing, architectural nightmares, and “shiny hood ornaments”—to cut through jargon and hype, encouraging his audience to “roll up their sleeves” and focus on what really matters: foundational security, operational discipline, and measurable risk mitigation.

Important Timestamps

00:15 — AI hype critique and setup of main argument
03:10 — “Plumbing” metaphor introduced and explained
06:15 — Cybersecurity landscape and vendor risk elaborated
12:00 — Explanation of SOC 2 and HECVAT tools
15:00 — Financial case for cloud migration and simplification
16:40 — Data governance and “single source of truth”
18:13 — How CIOs must frame discussions with CFOs/boards
21:25 — Recap of real-world experience, operational discipline
23:20 — Final call to action: survival is about strong fundamentals

Takeaways

Ignore the AI hype until core infrastructure and security are addressed.
Vendor risk management is non-negotiable—treat breaches as institutional crises.
Enterprise simplification, not accumulation of tools, is key to survival.
The campus CIO’s value is maximized when they act as risk managers and business partners.
Strong data governance and operational discipline ensure institutional resilience in the face of modern challenges.

Summary by an expert podcast summarizer. Use this as your roadmap for actionable IT leadership in higher education.

Loading summary

Transcript1 lines

[00:11]
A
This town ain't my home. Set us only for a while. I'm David Hinson and I serve as campus CIO for Bolden Networks for Higher Education. Welcome to Control Alt Lead. If you've spent five minutes on LinkedIn lately or sat through a single board meeting this year, you've heard the sirens. Everyone is screaming about AI. The futurists want you to believe that if you aren't currently deploying predictive algorithms to grade papers, restructure your curriculum, or read the minds of prospective freshmen, your institution is already dead in the water. But let's pause, let's take a breath and talk about reality. Because if you're a sitting cio, a cfo, or a president looking at the actual ledger, you know the truth. AI isn't the priority right now. Not even close. It's a shiny hood ornament on a car that currently lacks a working transmission. The real tech priority in higher education today isn't flashy. It doesn't look good in a glossy recruitment brochure, and IT sure as hell won't make for a sexy press release. The real priority is cleaning up the plumbing. For the last 20 years, higher ed IT departments functioned like high end tool managers. If a dean wanted a specific software package, well, we bought it. If a department head wanted a boutique server under their desk, we provisioned it. We collected applications like hoarders, layering system upon system, patch upon patch, creating an architectural nightmare of siloed data and fragile dependencies. Now those days are over. The luxury of running an inefficient and bloated technology curiosity shop has died because the demographic realities of the enrollment cliff have collided with a hyper aggressive cyber threat landscape. Today our job isn't to manage tools, it's to manage institutional risk. We aren't just technologists anymore. We have to be trusted business partners capable of keeping our institutions financially viable. And if we don't clean up the plumbing, nothing else we build on top of it is going to matter. Let's look closely at what's actually broken. When I talk about the plumbing, I'm talking about the core infrastructure. Specifically your erp, your student information system, your legacy identity management, and your mission critical SAS connections. In most universities, these systems look like a house where the previous owners ran extension cords through all the windows and tapped directly into the water mains with duct tape. We've tolerated this because higher ed culture historically has valued radical autonomy over enterprise discipline. But let's face the math. We're staring down an unprecedented contraction in our traditional student numbers. Budgets are tightening to the point of fracture. At the same time, higher ed has become the number one target for sophisticated collaborative ransomware syndicates. They aren't script kiddies in a basement anymore. They're organized corporate enterprises targeting our ecosystems because they know our architecture is sprawling, porous, and overly reliant on single points of failure. Look at what just happened with Instructure and Canvas. That hit wasn't just a localized data breach. It was a direct strike on the central nervous system of global learning infrastructure. When an exploit compromises a vendor of that scale, the potential for downstream damage ripples across the 8,000 schools depending upon that LMS every single second to deliver course content, process grades, and authenticate identities. When the primary plumbing leaks at the source, thousands of campuses instantly face severe secondary operational exposure. Lets be crystal clear, every single vendor security breach must be treated as a direct attack on the institution itself. The moment a critical third party SAS vendor is compromised. It isn't an isolated vendor issue. It's your issue. If they hold your student data, your grades, or your financial records, their perimeter is your perimeter. That means each vendor incident should immediately trigger the exact same enterprise incident response plan you'd deploy if the school's physical server room was directly attacked or compromised. You don't wait around for the vendor to send a glossy postmortem newsletter three weeks later. You activate your containment protocols, pull your leadership team into the war room, isolate your API endpoints, and treat it with the exact same tactical urgency as a hostile actor sitting inside your firewall. When a crisis like that threatens your perimeter, the board doesn't care about your AI roadmap. They care about operational uptime. They want to know if we can keep our classes online. Are our identity integrations secure? Or is the contagion traveling through our integrations right now? Are our backups immutable, or did the ROT reach those too? This is exactly why we have to stop treating third party SaaS vendors like independent islands and start treating them as extensions of our own infrastructure. We need real weapons to manage vendor risk, and fortunately, we have them if we actually have the discipline to use them. Before a single contract ever gets routed to the cfo, we must demand proof of operational integrity. That means drawing a line in the sand on SOC 2 type 2 attestations and demanding exhaustive disclosures within Hecvat, which is the higher education community vendor assessment tool. A vendor's marketing slick says that they're secure, but a SOC 2 report actually proves it by auditing their operational controls over a sustained period of time. A HECVAT submission forces them to detail exactly how they handle data governance, privacy and architecture, specifically within the higher ed context. These aren't bureaucratic hoops, they're shields. If a vendor balks at providing an updated SoC2 or hands over an incomplete HeCVAT, that isn't a minor administrative delay, it's a massive red flag. It means they want your students data but aren't willing to prove they can protect it. Proving it's value today means moving completely away from prevention hype and focusing on documented resilient recovery. It's about building a true zero trust architecture and using these compliance frameworks to manage our exposure. If you can't guarantee that your institution can isolate a vendor breach, trigger an immediate internal incident response, and maintain operational resilience without compromising student data, you aren't managing risk. You're gambling with the institution's survival. But cleanup isn't just about cybersecurity. It's about operational survival through enterprise simplification. Every single redundant application on your campus represents two a security vulnerability and financial drain. Every time we allow a department to buy a standalone SaaS tool because they don't like the enterprise option, we're adding friction to the plumbing. We're creating another data silo, another integration point that has to be maintained, and another contract the CFO has to sign as a strategic technology partner. You have to find the courage to walk into those rooms and say no. Not because we want to restrict academic freedom, but because simplification is a financial imperative. When we migrate to the cloud and aggressively deprecate legacy systems, we aren't just shifting workloads. We're stripping out structural costs. We're freeing up capital that the institution desperately needs to keep the lights on and the faculty paid. This brings us to the core of the entire plumbing data strategy. You can't make proactive, data driven decisions to navigate an enrollment crisis if your data is trapped in five different disconnected systems. If the admissions team has one version of a student's reality, the registrar has another and financial aid has a third. You don't have an enterprise. You have a collection of competing fiefdoms. A real data strategy isn't about buying a new analytics dashboard. It's about data governance. It's the hard, unglamorous work of defining a single source of truth. It's making sure that when the president asks for a retention forecast, the numbers are accurate, verified and actionable. Clean plumbing means clean data. And clean data is the only tool that will allow our institutions to make the disciplined adjustments required to survive the next decade. This shift from tool manager to risk manager changes the entire nature of the campus CIO role. For years it was viewed as a cost center, meaning it was treated like a black hole where money went in and occasionally a working laptop came out. To change that perception, we have to speak the language of business. The board doesn't want to hear about server uptime, bandwidth metrics, or network throughput. They want to hear about risk mitigation, capital preservation, and operational resilience. When you sit down with your cfo, you shouldn't be pitching a tech project. You should be pitching a business solution. You're showing them how using tools like SoC2 and Hecvat to vet your stack protects the bottom line. You're showing them how a strict uniform incident response plan for external breaches limits liability. You're showing them how enterprise simplification lowers the total cost of ownership. You're showing them how a modernized, tightly governed data framework improves student retention metrics. You're proving that a disciplined approach to the tech stack is directly tied to the financial viability of the college. This isn't just a theory for me, it's the playbook I've spent the last 15 years executing across different campuses, whether balancing fractional leadership roles or structuring enterprise network strategies. Here at Bolden, I've watched institutions stall out because they tried to build the future on top of a cracked foundation. And I've watched institutions thrive because they had the discipline to stop chasing the hype cycle, roll up their sleeves, and fix the core pipelines first. So stop the hand wringing over AI. Let's stop letting the vendors dictate our institutional strategies with buzzwords designed to create artificial panic. If you want to lead your campus through this transition, look down at the floorboards, check the integrations, look at the data silos, audit the vendor connections that are eating your budget and exposing your perimeters. The institutions that Survive the next 10 years won't be the ones that deploy the flashiest tools. They'll be the ones that had the operational discipline to to simplify their footprint, secure their data pipelines, mandate uniform crisis response for vendor breakdowns, and manage their institutional risk with cold, hard metrics. Get your teams out of the clouds of hype and get them into the trenches of infrastructure. Clean up the plumbing. Your institution's survival depends on it. Thanks for listening. I'll see you. A Better Late than Never this week's episode uses an AI voice clone trained upon hours of my natural speaking voice. While the voice you hear today is cloned. The words, thoughts and ideas here are 100% my own.