Alan's first five years at Loyola University New Orleans read like a case study in change management under pressure. He inherited a 45-year-old mainframe that some staff still describe as the greatest system ever built, navigated the cultural resistance of moving business processes back to the departments that own them, and did it all while a hurricane shut the campus down for a month in the middle of the implementation. The technical migration was the easy part. Getting people to accept that having more control over their own systems was a benefit rather than a burden was the harder work, and Alan is candid that it is still ongoing. What that experience built in him is a clear instinct about where the real friction in technology adoption lives, and it is almost never in the technology.
The ghost student problem Alan describes is one of the most specific and underreported AI threat vectors this podcast has covered. AI agents are being deployed to enroll as fake students in online programs, submit falsified identification documents, collect financial aid and Pell Grant money, and disappear. Alan knows it is not unique to Loyola because he has compared notes with CIOs at other universities and found it spreading. The tell that cracked it open at Loyola was an address verification check that started returning properties actively listed for sale on Zillow. That single data point revealed the fraudulent enrollment pattern and prompted a broader vetting process that now correlates IP location, phone verification, SSN identification, and address data before admissions decisions are made. It is a practical, layered response to a threat that most institutions have not yet acknowledged publicly.
The two stories Alan tells about his new registrar are the best argument for democratized AI problem-solving this podcast has captured in a single episode. The first: a grade change workflow that had defeated IT for a year, attempted through the ERP's native tools, abandoned at 80% completion, and then solved by the registrar in 16 total hours using ChatGPT to build a Google Form with scripting, a logging sheet, automated email routing, an approve-deny button for the associate dean, and a two-day reminder trigger. Simple, elegant, and built by the person who understood the process because he lives it. The second: a class scheduling tool that replaced a week of whiteboard and Post-it note work with a 10-minute automated output, complete with a shareable dashboard for the facilities team to assess building impact before scheduling repairs. Alan's response to both was not to shut them down but to help vet them for security and get them into production. His philosophy is explicit: if IT becomes the bottleneck, shadow AI fills the gap. He would rather be the person staff bring ideas to than the one they hide them from.
Resources mentioned in this episode
This episode is brought to you by CyberLynx.com
CyberL-Y-N-X.com.
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensures that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
You Can't Outrun a Script: AI Security in a Law Firm with Michael Massey - Ep 220
Why AI Rollouts Fail and What Employers Did Differently with Kelley Kage - Ep 219
Machine Speed Attacks, Voice Agents, and Why Bad AI Excuses Fail with Keith Trawick - Ep 218
CIO
Loyola University New Orleans
Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Alan Schomaker, CIO at Loyola University New Orleans. Alan, welcome to the show.
Alan Schomaker: Thank you, Matthew. Glad to be here today.
Matthew Connor: It's great to have you. Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? Cyberlynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.
Alan, for those who aren't familiar, can you tell us about Loyola University New Orleans and your role there as CIO?
Alan Schomaker: Absolutely. Just to clarify for people — there are four Loyola universities around the country: Chicago, West Coast, East Coast, and us on the Gulf Coast here in New Orleans. I've been here for five years now, just hit my five-year anniversary. It's been a Jesuit-based university with about 5,000 students, including a law school on campus.
The past five years have been a tremendous amount of change. When I arrived, Loyola was running a 45-year-old mainframe system for all of its business applications. Getting the university off that mainframe and onto a cloud-based system was the first major task I had to take on. And right around that same time, AI hit the scene — so we went from early tech to future tech in a pretty compressed window. There are still people on campus who swear the mainframe was the greatest system ever and miss scrolling through green screens. The technical migration was honestly the easier part. The cultural side — changing business processes, pushing more ownership and capability out to the departments, convincing people that I was giving them more power rather than taking something away — that's where the real work was. And that dynamic is very similar to how we're now approaching AI.
Matthew Connor: And I imagine that cultural resistance plus the AI wave hitting simultaneously created quite a whiplash. What's the cyber landscape looking like for you in that environment?
Alan Schomaker: You know, we had some interesting things come up. Like other universities, we recently experienced the Canvas outage that affected schools across the board. And during our ERP implementation, we had a hurricane come through New Orleans that shut us down for about a month right in the middle of everything. So it's been up and down.
On the security side, the threat landscape has shifted significantly. We're now seeing attacks at machine speed using AI — and the most effective attack vector remains the human one. Users opening phishing emails, clicking on social engineering attempts. AI is making those attacks dramatically more convincing.
One specific threat we've been dealing with — and I've heard this from CIOs at other universities as well — is what we call ghost students. AI-powered agents are being used to create fake student identities in online programs. They generate convincing documentation, get enrolled, and then commit financial aid fraud — collecting Pell Grant money and disappearing. We discovered it when we started cross-referencing submitted addresses and found they were homes listed for sale on Zillow. That was the tell. We've since implemented a vetting tool for our admissions team that correlates IP location, phone verification, SSN validation, and address data to flag suspicious applications before they get through.
Matthew Connor: That is the first time I've heard about that one. Fascinating — and alarming. And it really does illustrate what you're up against, because the social engineering piece is where even well-resourced organizations get beaten. MGM had all the money in the world, security was literally their core business as a casino, and they still got taken down through social engineering at the administrator level. If it can happen to them, it should be a wake-up call for every smaller organization wondering how they defend against this. And I think the only real answer is AI tools — like Darktrace and others — that are monitoring every account, learning how users normally behave, and flagging when something deviates. When Alan's email suddenly doesn't sound like Alan, or he's doing things at hours he's never worked before, the system stops it and calls for a human to investigate. That's the kind of defense that actually scales for organizations that don't have a 24/7 SOC.
Alan Schomaker: Exactly right. And we need tools that can respond at machine speed. For organizations like ours that don't have around-the-clock staff on weekends and after hours, agentic AI that can take at least preventative actions — stop a threat before it becomes a full incident — is not a luxury, it's a necessity. The administrator gets the alert on their phone, reviews it, and can release or escalate right there. That model works really well for smaller organizations.
Matthew Connor: And I think small organizations actually have to lean into AI even more than the large ones on the security side, because they don't have the headcount to compensate for the gaps. But I want to ask about something you touched on — the governance question. We talk to a lot of CIOs and CISOs who are very focused on controlling AI, putting guardrails up, making sure it doesn't run wild. And I think that's important. But how do you balance that with not becoming the bottleneck? Because the real risk is that if IT is seen as the entity that shuts ideas down, you end up with shadow AI — people doing things you don't know about at all, which is far worse.
Alan Schomaker: That's exactly my concern. Shadow IT has always been a problem in higher ed — servers kept in offices, things flying under the radar. Shadow AI is the version of that I'm most worried about now. The way I've tried to address it is by being genuinely open and receptive to what people are building, so they come to me rather than hiding it. I don't want IT to be the bottleneck.
And I think there's a broader point here: CIOs sometimes get overly committed to the tools they've already invested in. You've spent a significant chunk of your budget on an ERP system, so the instinct is to force every problem through that tool. But a decision that was right six months ago based on the information you had may not be the right call today. Things have changed. We have to be willing to pivot.
I'll give you a real example. One of our persistent problems on campus was the grade change process — when a student disputes a grade and the professor agrees to change it. It sounds simple, but the current process was a chain of emails through the professor, associate dean, and registrar that could drag on for two or three weeks with no accountability and no tracking. Our IT team had spent about a month trying to build a workflow in our ERP system and got it to about 80% — it just never quite worked the way it needed to.
Our new registrar came to me a couple of weeks ago and said he wanted to show me something he'd built. Using ChatGPT, he created a Google Form with scripting behind it. It logs the request, sends an email to the associate dean with an approve/deny button, documents every action with a timestamp, and automatically sends a reminder if nothing happens within two days. Elegant, simple, completely solves the problem. He built it in about 16 hours over a week. He was almost hesitant to show me because he thought I'd shut it down. I'm glad he came to me, and I told him we're going to production with it in two weeks after we finish the security review.
Then he said, "Can I show you one more thing?" He'd also built a class scheduling dashboard. The previous assistant registrar used to spend a week at a giant whiteboard with Post-it notes laying out the entire semester's class schedule. This tool pulls data from the student system and room system, matches course enrollment against classroom capacity, and schedules all the classes across campus in about ten minutes. He's also made it shareable with facilities, so when there's an emergency repair, they can immediately see which buildings are affected, how many classes are impacted, and whether it makes more sense to do the work during the day or schedule it after hours.
That is exactly the kind of thing I want to encourage. The registrar knows that process far better than I do — he lives in it every day. With AI, he now has the technical capability to actually solve it himself.
Matthew Connor: And that's the shift, right? You're bringing technical capability down to the front lines where the process knowledge already lives. The person who knows the problem best now has the tools to solve it. Are you worried about IT sprawl as more of this happens?
Alan Schomaker: To some extent, yes. But my bigger fear is shadow AI — people building things I don't know about at all. The way to prevent that isn't to lock everything down, it's to stay open and communicative so people bring their ideas to IT rather than going around us. If I'm approachable and say yes when it makes sense, they come to me. If I say no reflexively, they just do it anyway and I lose visibility entirely.
I'll also say — I had a day recently with no meetings, which is rare. I decided to tackle something that had been sitting on my list: creating views and reports on our legacy mainframe data that we'd migrated to a data warehouse. As a former database administrator, that used to be my wheelhouse. Ten or twelve years ago, a task like that would have taken me two or three days. I did it in about an hour and a half, and the SQL it wrote was honestly better than what I would have written myself. I told one of our programmers who said he still enjoys writing his own code: the last numbers I saw put average AI IQ at roughly 160. It's going to write better code than you. Don't take that as an insult — take your knowledge of the data and your domain and let AI work for you. You become even better when you stop fighting it.
Matthew Connor: You mentioned you're a Google campus and Gemini comes bundled with your licensing. Does that make it hard to justify additional investment in other models?
Alan Schomaker: It does make it a real budget conversation. When you already have a solid model included in what you're paying for, it's hard to make the case for additional spend on Claude or another platform. That said, I think we're starting to see the models differentiate themselves. Claude may be better at coding than Gemini. Different tools are finding their niches. I've been bouncing between ChatGPT, Claude, and Gemini for different tasks and you can start to see where each one excels. I think over time we'll see real specialization rather than every model trying to do everything. And tools like Perplexity that route to the right model for the right task are interesting for exactly that reason.
Matthew Connor: Where do you see AI going specifically in higher education over the next few years?
Alan Schomaker: Our Business School dean is really leading the charge here. He's an entrepreneur who built several successful companies, and he's pushing his faculty hard to teach AI skills because he knows employers are looking for them. The saying he uses is the one you hear everywhere now: AI won't take your job, but someone who knows how to use AI might. We can see the students are already using it — there was a graph from OpenAI showing ChatGPT token usage in the education sector that drops off a cliff on June 1st every year when students finish their exams and go home. They're using it. The question is whether they're using it well.
That's where we have an opportunity. Not just letting students use AI to write papers, but teaching them how to think about it — what hallucinations are, how to verify outputs, when to trust it and when not to. If you're going into engineering or law, the output has to be correct. We have some faculty doing really excellent work in this space, and I'm glad to see more Deans committing to it.
Matthew Connor: And that's the real challenge — because it's easy to let AI do all the thinking for you, but that leaves you deficient in your own understanding and abilities. What we see is that the people who are actually thriving with AI are the ones bringing leadership and communication skills to it — treating it like an intern or an assistant, building up its knowledge of what they need, and using it as leverage rather than a replacement for their own thinking. And if you have a bad process, AI won't fix it. It'll just make the bad process faster. You have to understand the process fully before you can teach it to an agent — which is actually a useful forcing function for improving the process in the first place.
Alan Schomaker: Exactly. Teaching an agent forces you to think it all the way through. Where does the human stay in the loop? What are the guardrails? What do I tell it to stop? If I can't explain it clearly to an AI, I probably don't understand it as well as I thought I did. It creates a holistic view of the problem that wouldn't have come from just automating it blindly.
Matthew Connor: Alan, this has been so much fun. I think we could do this all day. Before we go, can you tell everyone where they can find out more about you and Loyola University New Orleans?
Alan Schomaker: Sure. The university's website is www.loyno.edu. And you can find me on LinkedIn — I'm out there and happy to connect.
Matthew Connor: Fantastic. Thanks again, Alan. Until next time.
Alan Schomaker: Thank you, Matthew. It's been a pleasure.