Cybersecurity

How I became an Accidental CISO

My journey into cybersecurity began unexpectedly in the summer of 2022, when the nonprofit that I worked for won a contract to provide a range of program administration services for a state agency. Super exciting. Large contract. Extra money to fill the coffers at a time when the organization was struggling to recover from the Covid shutdown and the remote work transition of 50+ staff and volunteers.

But also super stressful. The agency's cybersecurity requirements asked for compliance with ISO and WaTech standards, cybersecurity insurance, written cybersecurity policies, incident response procedures, and a full-time CIO role in the organization.

I was initially brought on as an IT consultant for a short-term contract, tasked with preparing this new agency for onboarding to our IT managed services program. However, with the team already stretched thin, I found myself stepping in to address a concerning gap: formal cybersecurity policies. We essentially had none. So, I started by creating a comprehensive summary document with the idea that detailed policies would follow later.

To structure this, I utilized the NIST Cybersecurity Framework, working backward to assess our existing infrastructure, planned enhancements, and the client agency's contractual requirements. The process revealed significant gaps between our aspirational written summary and reality, and frankly, it kept me up at night. So I proposed a formal IT security program to the Executive Director, who approved a 24-month project charter. I recruited a project sponsor and two experienced cybersecurity experts, built a timeline, and got started.

Over the next two years, while juggling other roles and responsibilities within the organization, I built a cross-functional incident response team, launched an awareness program, implemented external network scans, audited insurance compliance, identified privacy and data security compliance requirements, conducted a software and information asset inventory, facilitated two external gap assessments, created risk registers organized by admin functions and program, and then set about working 1:1 with decision-makers to implement controls and processes. It was a huge undertaking. But the biggest challenge that I did not fully overcome was the resistance to adopting modern security practices from the existing IT team, who were wedded to old-school, on-prem, traditional perimeter thinking. I was just beginning to see the early signs of progress when the ED retired. But I am getting ahead of myself with this story.

One of the coolest professional benefits of working in a capacity-building nonprofit is the opportunity to share knowledge. As I built our internal IT security program, I adapted enterprise and government cybersecurity resources for our environment and, six months later, began a client-facing tech mentoring program to extend these learnings to other nonprofits. Nonprofits need a different approach to establishing a security program because government and enterprise methods are a poor fit. Based on my internal work and my external consulting and mentoring work, I developed a methodology for working with nonprofits and structuring their adoption of security controls, policies, and processes. I believe it is essential to take a vendor-neutral approach by considering cybersecurity risk and options for managing risk holistically. Too many nonprofits buy tools and services they don't need and can't manage effectively.

After unofficially serving as CIO for two years, I was officially appointed CISO. I continued in this role until the long-standing executive director retired. The new leadership, unfortunately, didn't share the same vision for cybersecurity or continuing the tech outreach program, and I knew I'd be starting from scratch. Driven by my passion to support nonprofits in securing their missions, I left to found Ragland Institute, a nonprofit dedicated to adult education, capacity building, and mentorship. Ragland is committed to supporting the 501 Secure program established to continue this vital work for as long as it is needed in our sector.

Over the last three years, I've focused on establishing and teaching solid security practices that are accessible and realistic for nonprofits based on their risk and resources. I specialize in working with organizations that are new to cybersecurity and do not yet have programs in place. I help nonprofits set up clear policies and guidelines, manage human risk, and meet their compliance responsibilities. I enjoy working with cloud-first tech and have focused on building my expertise in Google Cloud Security and best practices for hardening Google Workspace and Entra. I find it particularly interesting to deal with the challenges of 'shadow IT' and BYOD and, if not bringing them into a secure environment, then at least educating leadership, admins, and users on how to reduce and monitor the inherent risk.

I love creating cybersecurity awareness programs and training that connect with a range of stakeholders (e.g., new employees, board members and volunteers, and staff in high-visibility roles such as executive directors and HR managers). No matter the audience, the goal is helping people understand why security matters and how they can play a part. Plus, I work with organization leaders to create plans to keep operations running smoothly, even when facing unexpected challenges. When there's little or no security in place, the first goal is to identify the most critical data, systems, and processes and create a plan for when things go wrong. Long-term, I help nonprofits build a strong security foundation to keep their operations resilient.

As Executive Director of Ragland Institute, I hold many roles as we work through our startup phase. I work daily to build the organization's capacity to support more nonprofits with free resources, vendor-neutral advice, and low-cost planning. I also provide cybersecurity planning and awareness services and serve in the capacity of Fractional Nonprofit CISO for organizations that need assistance with change management on a short-term basis.

Things I read

Bleeping Computer

Hacker News

CIO

CSO

Cybersecurity Chapbooks

I wrote the following guides to share my experience with starting an IT security program with other nonprofit professionals.

The Collection

[Images: 501 Secure logo; Essentials; Incident Response; Awareness Program]