How to Get Cross-Departmental Buy-in for Cyber Security Work

When we speak with nonprofit professionals, we often hear this: “My organization must take cyber security seriously… but the decision makers don’t agree.” 

The people who are doing the work of moving the organization’s mission forward often know the risks best – after all, you’re the ones working within its community, speaking with those it serves, seeing its issue areas in the news, and fielding comments and DMs on social media. You know firsthand the high price organizations pay when targeted, in staff time, donor dollars, and reputation. 

When staff tell leadership that cyber security work is imperative, but leadership doesn’t respond positively to increasing cyber security efforts, one of these things is usually happening:  

  • Leadership assumes cyber security work is very expensive and does not have budget available to dedicate to it. 

  • They are unaware of the real risks and implications of not having a strong cyber security foundation, because “cyber security” sounds too nonspecific. 

  • They think that cyber security work will take a lot of staff time, and the organization is already short on staff. 

  • They think cyber security is an issue for the IT department to handle. 

These concerns are valid and have solutions. Cyber security work can be done at any size budget (including no budget) and there is always something that can be done. And yes, cyber security work does take time, but putting safe practices in place now lessens the response and recovery time after an incident. 

We have a bias towards action, especially when it comes to protecting an organization’s mission against hackers and cyber threats.

When leadership doesn’t have the resources or see the urgency in putting good cyber security practices in place, we suggest another route: working within the organization to unite the three departments that are most likely to understand cyber security risks and the implications of breaches, and that may already be putting measures in place. 

Attackers are increasingly turning to non-technical ways to get into organizational data. Everyone across a nonprofit is already making multiple choices every day that directly affect the organization’s overall security.  

Every day, nonprofit staff are making security decisions as they work.

Here’s how departments—beyond IT—can find importance and a shared mission in digital security. 

Get the Finance Team on Board

Start with the finance team. When it comes to protecting the organization, protecting financial assets is usually what comes to mind first. Ensuring that the resources that fund the mission and payroll are safe is perhaps the most easily accessible part of cyber security.  

The finance team already understands that they handle and secure financial data daily. Getting buy-in is about protecting sensitive financial information that can be used to exploit the institution: ruining its hard-earned reputation, scamming those who are connected to it, or creating financial nightmares by opening and closing accounts and running up debt.  

It’s vital for the finance department to develop and follow through on processes that ensure the safe transfer of funds to vendors and employees, protect login information, and keep financial information secure. Approval processes and careful attention to detail are also very important for catching potential leaks and breaches early. 

Bring in Development

The development team works hard to create long-lasting and reliable funding streams for the organization, which can be lost in a breach. They also understand that a security breach is not just a loss of assets, but a breach of trust, too. Combined, these have the potential to create problems for all donors and, consequently, the development team. Personally identifying information can be released. Donors can be targeted by dubious actors for scams. Credit card and account numbers can be compromised. And when donors feel that their assets have been mistreated or that the organization has given them headaches, it will be harder to continue to partner with them for future work. 

The development team owns the processes for ensuring that donor information stays secure. They understand the need to be good stewards of donor data and the high stakes of a potential breach. Developing failsafes and choosing appropriate software makes a huge difference in caring for current and future funders. 

Talk to Communications

And since we’re talking about trust, let’s talk about the communications department. Their work supports establishing brand trust in public-facing campaigns for the long haul. The comms team builds on the brand, continuing a trajectory that increases awareness, donors, and funding. When there’s a security event, they have to spend time responding to stakeholders and repairing the organization’s reputation. 

There are many “soft” places where bad actors can successfully find inroads through communications work. From spoofed emails to social media breaches to deciding what information is shared publicly, the comms team makes important decisions and can act as a bulwark. 

Next Steps

The next step in moving cyber security forward is to have conversations with the people in these departments to understand their current efforts, challenges, and vision for the future. By making cyber security a regular topic of conversation, particularly among the Finance, Development, and Communications teams, you’re elevating its importance and urgency among your colleagues. 

When organizations empower their departments to see how their particular skills, focuses, and interests can support cyber security, it not only protects the organization, it makes the entire team stronger, and supports the security of the community it serves. 
