Being the CIO of a non-profit gives you an entirely different perspective in terms of managing people, resources, and technologies.
David Goodman would know. He has been involved with managing IT operations for different non-profits for most of his professional career. He used to be the CIO of International Rescue Committee, and currently is the CIO-in-Residence at NetHope, an umbrella organization that is a resource for some of the world’s largest non-profit aid organizations.
“The biggest challenge for non-profits about IT is that few people understand it in that context. We usually don’t have any roadmap or a sizable staff for how we are going to implement any new technology. Many organizations don’t have any dedicated infosec staff, or if they do they only have one person for this task.”
Often, IT takes a hit from unplanned consequences that have more to do with where the non-profit is located than with the technology itself. For example, he tells the story of a nonprofit that opened an office in a very insecure country. “We opened an office there to help benefit refugees, which is our mission. We made connections with the local militia to make sure that we were permitted to do this and didn’t have any issues until one day our office was overrun by the militia and our people were taken hostage. They didn’t like what we were doing. While that doesn’t happen too often, it was pretty scary for our staff and volunteers. They took all of our computing equipment. Eventually, we were able to get them to release everyone, although two Americans were held in a hotel for a few extra weeks.”
Planning for this situation is a challenge, as you might expect. But the office had no incident response frameworks, no security policies. “There were passwords written on whiteboards. There were staffers using personal Skype accounts to communicate with headquarters. Because all the laptops were stolen, the rebels were using the staff’s personal Skype accounts that were set to autologin and were sending messages impersonating the staff. They couldn’t easily shut down these personal accounts.” Eventually all personnel returned safely and everyone was accounted for. But they lost all their equipment: “that was never seen again.”
Few IT managers or CIOs have to deal with this kind of situation. “It is pretty nasty stuff, and it is because of the nature of how many international nonprofits operate and the places they have their offices are often in conflict areas. This means we don’t just worry about IT security, but the safety of the staff too.”
Here is another example. At one international nonprofit, he wanted to improve the organization’s password policies. The issue was that many of the staffers were scattered around the world and didn’t regularly log in to their enterprise Active Directory domain controller, which meant that they didn’t get regular notifications of expiring passwords. “So for the field staff, we set their domain passwords not to expire. As you might imagine, this wasn’t great infosec policy, so I tried to implement a better one that had complexity and change management built in. I got buy-in from senior management and approval from the CEO. We were ready to implement it, and I sent a reminder email to some of the affected parties, including the CEO.”
Suddenly the CEO scuttled the whole idea: “He told me that he had been using the same password for more than 30 years and wasn’t about to change it now. So the very straightforward and approved password policy was shelved, and there are probably still hundreds of people using non-expiring passwords around the organization.” Goodman couldn’t get him to understand why a better password policy matters.
All is not gloom and doom, however. At NetHope, he is working with a number of major donors, including the Gates Foundation and MasterCard International, to create non-profit-specific security controls that can be used for guiding IT auditing and compliance. “We will have a set of best practices on how to appropriately secure critical data, all based on existing standards like ISO, NIST, and PCI. We will also provide implementation guidance so that nonprofits without dedicated infosec staff — which is nearly all of them — will know how to implement these controls.”