By Karen Graham, October 2020
Our friends at TAG released their State of Philanthropy Tech survey today, and the results indicate that foundations are improving their cybersecurity practices. For example, 53 percent more organizations reported holding cybersecurity insurance than in the 2018 survey, and well over half of organizations said they provide key security awareness training to staff.
Considering more than one in five organizations surveyed experienced a security breach in the past two years, these risk mitigation measures are a good thing. But when an IT department is only doing those types of things, it’s easy to see IT as a utility or administrative function with little connection to program strategy and grantmaking.
While 64 percent of respondents believe IT is perceived as a strategic partner in the organization—a 4 percent increase since 2018—that means 36 percent still believe it is not perceived as a strategic partner. That leaves lots of room for improvement.
The picture for community foundations looks worse. I wonder if this is related to staffing ratios, which have increased faster in community foundations than the whole group of respondents, from one IT person per 21 staff in 2018 to one per 16 staff in 2020. Perhaps as internal IT capacity grows, the perception will shift toward IT as a strategic function in community foundations.
What might it look like for IT to be a strategic partner or leader on cybersecurity in foundations? Imagine a foundation where...
- Colleagues consult the IT team on all matters involving data, especially when making decisions about program strategy. (The survey showed organizations that regularly involve IT staff in program strategy in the solid minority, perhaps contrary to respondents’ beliefs about how IT is perceived.)
- Security is discussed regularly in executive and board meetings, and IT participates in those discussions.
- Grantmaking staff ask for IT input when evaluating grant applications, especially when the grant involves collecting data or uses technology for program delivery.
- Maybe there is a grant initiative for cybersecurity improvements, and if so, IT staff partner with program staff on this.
- IT staff have opportunities to share their security expertise externally, especially for the benefit of grantees.
- The organization overall has a working knowledge of common threats and good practices related to security and the organization culture treats security as everyone’s responsibility.
In order to position themselves as partners, foundation IT staff need to be good partners. That means learning a lot about program needs and strategic priorities, listening deeply, being flexible and agile about technical solutions, finding the right balance between protection and convenience, building professional relationships, winning people over, and constantly shifting between the tactical and strategic view.
In other words, it requires leadership skills that go beyond what IT folks need for the parts of their jobs that involve maintaining and fixing things. In the strategic realm, IT folks are dealing with people, and it’s likely they’re also still dealing with wires and switches. That’s a complex role that requires a complex assortment of soft skills and technical skills—so it may not be easy, but it’s worth attempting. Doing so has benefits not just for the foundation itself but also for their grantees, and therefore for the sector as a whole.