A Q&A with Dr. Kelley Misata of Sightline Security and Cisco’s Wendy Nather
Have you or your company donated to a nonprofit recently? In the security industry, we are always very focused on protecting enterprises due to the amount of money that’s at stake if they are compromised, as well as the critical services that many of them provide. But have you thought about nonprofit security?
Today’s nonprofits handle vast sums of money in the form of donations, and the services they offer are some of the most critical in the world – from food banks to shelters, medical care, and more. Not to mention the sensitive data they maintain on both donors (including large enterprises) and those who use their services. Think of the catastrophic consequences of inadvertently divulging the address of a safe house, for example, or not securing the identity of people who call into a suicide prevention hotline. In many cases, it could be a matter of life and death.
And yet, nonprofits are so focused on their mission of helping people that they don’t always take the time to consider just how important security is to that mission. Furthermore, they don’t often have a lot of resources available to safeguard their environments. Security vendors also don’t typically tailor their solutions and messaging to nonprofits – instead focusing on the for-profit space. In reality, securing nonprofits protects us all – from those who rely on them, to the individuals and corporations who support them.
Cisco’s purpose is to power an inclusive future for all. According to Wendy Nather, Head of Advisory CISOs at Cisco, “Technology is for everyone, so security has to be for everyone.” Over the past several years, Cisco Secure has been on a journey to make security simpler and more accessible. To help further that vision, we have recently invested in Sightline Security, a nonprofit that is bridging the gap between information security and charitable organizations.
Today we’re talking with Dr. Kelley Misata, CEO and Founder of Sightline Security, as well as Cisco’s Wendy Nather, who serves on the board at Sightline. Together, they will shed some light on why safeguarding nonprofits is vital for global security.
Q: Thanks to both of you for joining. Kelley, could you please start by telling us what Sightline Security is, and why it was founded?
Dr. Kelley Misata: Sightline Security is a nonprofit organization that is helping other nonprofits assess, evaluate, and find solutions to improve security risk in their organizations. It was founded in 2018 as a result of my PhD dissertation research, which looked at the cybersecurity preparedness of domestic violence and human trafficking organizations.
As a survivor of cyberstalking myself, I found that the nonprofits I went to for help were not as equipped to handle my situation as I’d hoped, nor was I able to understand a lot of the technical aspects of what was happening to me. That is ultimately what led me to study cybersecurity and enter the field. From there, I really wanted to work with nonprofits to help them support others like me who need to be kept safe – both in the physical and digital realms.
Q: What did you uncover as a result of your research?
Dr. Kelley Misata: While some people questioned whether nonprofits would be interested in participating in this research at all, I actually found that many were quite hungry for security, and just weren’t sure how to consume it. For instance, they were unfamiliar with common security terminology, unsure of what type of protection they needed, and why. So, it’s not that nonprofits don’t care about security – they just don’t know how to go about doing it or why exactly they need it. And at the same time, most security vendors do not factor them into their product design and marketing, so nonprofits tend to get lost in the shuffle.
Q: Wendy, what is your involvement with Sightline Security, and how did you get involved?
Wendy Nather: I am on the advisory board for Sightline, and I got involved simply through believing in Kelley’s mission and wanting to help with it. She has overcome a lot of challenges in her life that have made her the right person to lead this organization, and I was inspired by both her as a leader and her vision.
Having worked for a Swiss bank, and for a state government, with vastly different amounts of money available to protect those organizations, I know how hard it is to implement effective security. It’s never just a matter of not wanting to spend money. There are so many dynamics that come into play that make it difficult. It is very important that we democratize security, and empower groups like nonprofits to secure themselves on their own terms.
Q: Why is it so important for everyone that we secure nonprofits?
Dr. Kelley Misata: With so many people either using the services of nonprofits or supporting them, they are woven into the fabric of our world. Everyone who interacts with them – including large corporations – should be concerned about how nonprofits are protecting their data and assets. The pandemic has only furthered this need for concern, as nonprofits are stretched thinner than ever, and the number of charities around the world continues to grow.
Additionally, we are seeing an uptick in attacks on nonprofits – both targeted, and generalized attacks that go after any organization with security vulnerabilities. We’re also seeing attacks against our nonprofit members that originate from third-party providers, such as the Blackbaud ransomware. So, the idea that nonprofits are immune to cyberattack is starting to shift very quickly.
Wendy Nather: There’s just as much money in nonprofits to be targeted as there is in other businesses. But there are also many opportunistic attacks where people simply scan the Internet for low-hanging fruit. The attacker won’t care about how altruistic an organization’s mission is – it’s just another open door that they’ll walk through.
As providers, if we simply ignore organizations that fall below the “security poverty line,” their weaker risk posture will eventually affect us all – whether it’s in the form of proliferating attacks, financial impact, data exposure, and the list goes on.
Q: Kelley, what is Sightline Security, as a nonprofit itself, doing to help alleviate these challenges?
Dr. Kelley Misata: Being a nonprofit actually helps us better understand and tackle the challenges of other nonprofits. We are able to serve as a translator between what nonprofits need and what security vendors are offering. Using the NIST Cybersecurity Framework, we help nonprofits determine where they are with security and what they’re lacking, and help them make sound business decisions based on industry best practices. Charitable organizations have unique levels of resources and needs compared to other industries, and even compared to one another, so a cookie-cutter type of approach won’t work for them.
Q: How many nonprofit members are you working with today, and what exactly do you offer them?
Dr. Kelley Misata: Today we’re working with 25 active nonprofit members, with plans to expand that into the hundreds and eventually thousands. Our engagement with members includes:
- A formal assessment and gap analysis of their security posture.
- A discussion with them about their results and priorities.
- Introductions to security providers like Cisco that we’ve partnered with to help them.
- A member forum where nonprofits can talk to one another and share their security experiences and insights.
By collaborating with companies like Cisco, we will be able to educate and help more nonprofits implement security in a way that meets their specific goals. At the same time, we are taking everything we learn from nonprofits and sharing it with security providers. We want to help the industry deliver solutions that work better for the nonprofit space, which is largely an untapped market.
Q: Do you have an example of how you’ve translated the need for security into language that nonprofits can really understand?
Dr. Kelley Misata: Yes, for instance, we like to start our conversations with nonprofits by talking about ‘information security’ versus ‘cybersecurity.’ Oftentimes, ‘cybersecurity’ sounds like a foreign term that does not relate to them. But once we explain that information security means protecting the names, addresses, photos, and so on, of those they serve, it makes more sense and motivates them to learn more. They tell us that it feels within reach for them.
For example, there was a nonprofit IT director we were working with who could not get anyone in his organization to use multi-factor authentication (MFA). By interviewing 10 people within the nonprofit, we uncovered that the way security was being explained to them was too technical and esoteric. Once we relayed that to the IT director, he was able to reposition MFA as a means of helping his staff safeguard the people they care for and serve. And now they have MFA!
Q: For nonprofits with limited resources, which security technologies and best practices should they really be focusing on?
Dr. Kelley Misata: From a technology perspective, multi-factor authentication is essential, as well as password management. Another thing I would urge nonprofits to do, both from a technical and policy standpoint, is to formalize their onboarding and offboarding processes. When you have so many volunteers, board members with access to financials, and so on, coming in and out, it’s a huge security risk not to have documented onboarding and offboarding procedures in place.
Wendy Nather: Taking a step back, mission-driven work is about getting resources to those in need. It’s about considering exactly what an organization requires in order to deliver those resources, and what might get in the way. For example, is the organization relying on donations? Do other people want the resources? Nonprofit security means protecting that pathway of resource to recipient, which can become easier with Sightline’s help.
Q: How can people find out more and get involved in nonprofit security?
Dr. Kelley Misata: As we’ve tried to stress in this interview, better security for nonprofits equals better security for everyone – from individuals to enterprises. While Sightline Security is spearheading this effort, we need other nonprofits and corporations to get involved. Any nonprofit that wants help with security can come to Sightline, as well as any security vendor that wants to learn about tailoring its solutions for the nonprofit sector. You can visit our web site to get started.
We look forward to working with Sightline Security and evolving our mission of making strong cyber defense more feasible for everyone.