Investments in Nonprofit Cybersecurity
This week, some musings on money, grants, and investors.
Eww. Money. What a gross topic.
Ericius Security has been working on cybersecurity for nonprofits now for just over five years. In that time I've learned a few things about the state of IT and cybersecurity in the nonprofit and missionary worlds.
One of my bigger observations is that modernization is holding back security. Many organizations are working with equipment that's too old: it's no longer supported by the manufacturer, the operating systems aren't receiving security updates, the firewall is past end of life, etc.
At the software level, we can sometimes fix this by applying new software atop aging hardware. But, from experience, running Windows 10 on a machine built for Windows XP… Well, it sucks.
The general advice is to replace computers every six years to keep up with degrading equipment, changing hardware capabilities, software requirements, etc. But let's face it: that's EXPENSIVE. And the further behind you get, the more expensive it becomes.
Security itself is also expensive. It takes time and hard work, which means hiring experts--either outsourced or onto staff. The hardware can be pricey, and the licenses are worse. And if you start ingesting and storing data in a Security Information and Event Management (SIEM) system… whoa boy, can the costs stack up fast!
Driving Security
One of the drivers of security in the for-profit world is investments. Investors (usually some variant of private equity) will reach a deal with a company trying to grow. The business gets some cash, but not for free. That cash comes with WORK. Work modernizing, work standardizing, fixing, improving, acquiring new people, businesses, tools, etc.
It seems to me that nonprofits and missions are missing this core driver.
Money that's freely spendable on cybersecurity is very limited. Most technology grant money is for software used by departments outside of IT and cyber--for example, accounting software. Tech grants for refurbished hardware provide equipment that is inherently a bit older in exchange for being more affordable. That makes a small dent in hardware/software modernization, but not usually enough. Security-specific software and tools available through grants are usually severely limited--you can probably find an anti-virus suite, but good luck finding one of the best ones, much less endpoint detection and response (EDR) or a SIEM.
To make matters worse, when you buy a tool, you buy the work that comes with it. Nonprofits are flocking to open source tools because they are "free," only to spend hundreds upon hundreds of hours building, operating, and maintaining those systems. Organizations that can afford to buy top-tier software still have to deploy it, manage it, and use it. They need the people who do the work. And people are BY FAR the most expensive part of cybersecurity, not just in terms of salary but also in terms of training.
If you get all the people and all the software, you then need to establish, strive for, and implement a cogent risk management framework. Many nonprofits (with the notable exception of those operating in the health care space) can be oblivious to their regulatory requirements or what standards they need to reach to establish prudence.
Fixing it?
What's missing in the nonprofit space is the private equity equivalent: an investor or set of investors who don't just have a pot of cash to throw at anyone who asks, but who have the expertise and know the standards necessary to help nonprofits reach a level of prudent risk management. Not a handout, nor free chicken: cash that can be spent broadly on needs like salaries, but that comes with the expectation of demonstrating prudence and with coaching on how to get there. Growth equity, but for cyber in missions.
It occurs to me that this is what many granting foundations already do, just not normally for cybersecurity. So if we collectively are going to solve cyber in missions, this is one of probably seven or so drivers that needs to be tuned.
But, speaking of musing: maybe I'm overlooking the people already fixing this driver. Know of anyone working on funding modernization and security for nonprofits or missions? Contact me at the email in our footer and let me know!