Read part one of this series: Top cybersecurity and IT assessment tools for nonprofits
Read part two of this series: Why nonprofits should kick off 2022 with an IT and cyber assessment
Previously, we covered how nonprofits can prepare for a cyber and IT assessment, plus the tools they can use to perform one. For the last article in this series, we’ll take you through how to actually conduct the assessment.
The cyber and IT assessment checklist for nonprofits
A cyber and IT assessment requires time and a certain level of expertise to perform. If your nonprofit has both, you’ll be able to make the assessment truly valuable to your organization. We’ve put together a five-step, high-level overview to give you an idea of what the assessment should consist of.
1. Define your objectives and ideal state
The first step in the assessment is to determine what you want or need to get out of doing it. Is it just to identify your risks, or is it also to define the gaps you need to close? Is it to build a long-term roadmap for future improvements?
Consider how you can use the assessment results to work toward or achieve parts of your organization’s overarching strategic plan. Depending on what your ideal state and objectives are, you can prioritize the areas you want to improve and identify how to tailor the assessment to help you meet your goals.
Often, the assessment can identify process improvements that you can achieve with little to no cost, so keep these more minor improvements in mind alongside any greater strategic initiatives when determining your objectives.
2. Assemble your stakeholders
Build a consensus of your objectives and ideal state by assembling your stakeholders. You want to make sure the assessment is valuable across the organization, so you should gather your stakeholders early in the process and get their input and agreement.
It’s important, too, to appoint a project manager at this stage to oversee the assessment and ensure it’s on track to meet your goals.
3. Assess your current state and gaps from your ideal state
There are two main actions you should take to understand your organization’s current state.
The first is to conduct stakeholder interviews. These stakeholders should be individuals with good insights into your technology, operations and processes and how they all interact with each other. Since this is a cyber assessment and not just an IT one, they should also understand the sensitivity of your data and the risk associated with a data breach or business interruption. By speaking to these stakeholders, you can learn about your organization’s current capabilities, pain points and opportunities for improvements.
The second is to leverage a combination of tools to scan and analyze your systems. By using these tools, you can better discover how your current state differs from your ideal state. You may discover cyber vulnerabilities such as an outdated firewall or business continuity issues such as out-of-warranty pieces of equipment. You may have discovered some of these issues during your stakeholder interviews, but the tools provide the technical evidence needed to support these user stories.
4. Define improvement initiatives and set priorities
With step three completed, you’ll have a list of your opportunities for improvement. Step four is to analyze each one, determine how they align with each other and prioritize them.
There are different ways to prioritize your improvements. Some nonprofits make budget the biggest qualifier, but you’ll likely find you’ll have some low-hanging fruit that’s easier to implement versus some opportunities that are higher effort or higher cost.
Since nonprofit organizations are focused on providing better outcomes for their community, how you can make more of an impact should also be a consideration. If you can make improvements that result in fewer manual, paper-based processes, you can give your staff more time to focus on delivering impact to your community. If you prioritize mitigating your highest risks, you can reduce the chances of a devastating cyberattack that steals client data or takes your systems offline completely.
Lastly, make sure your improvements and how you prioritize them tie back to your organization’s strategic goals.
5. Create your roadmap and structure your projects
Once these priorities are set, create a roadmap that details what actions you’re going to take and when, the expected outcome and the expected cost involved. With this roadmap, you’ll have a document you can not only refer back to and track progress on but also use to tell your story. For example, if you’re applying for a grant to help you pay for improvement initiatives, it helps to have the roadmap because it’s already laid everything out, from the action to the intended outcome.
After the roadmap is complete, assign project owners who are responsible for accomplishing each initiative. Without ownership over these initiatives, they’re likely to sit on your roadmap with little progress made. By setting owners and expectations, you can help ensure your goals are met over your expected timeline. What’s more, make sure you know what “done” looks like so you can officially close out these initiatives and the overarching project.
Avoid these common pitfalls when conducting your cyber and IT assessment
Before you begin this process, keep in mind a couple of pitfalls we often see nonprofit organizations encounter.
The first is worrying about the budget before you even get started. While you want to make sure you’ll have the money to finish the project, don’t let the common assumption that “we can’t afford the improvements” stop you from doing the assessment at all. You’ve seen how critical the assessment can be, so look for one of the many partner organizations that offer reduced-cost technology licenses, as well as grants you can apply for to receive the necessary dollars.
The second is not working as a team. Your project manager can interview stakeholders to get the user stories you need, but they aren’t going to understand all the technical details. Your IT staff understands the technical details but isn’t going to be aware of every pain point across your organization. This assessment cannot be achieved by one person alone. By collaborating as a team, you can all align to the same outcome and truly coordinate how to meet your end goals within a reasonable timeframe.
If your organization doesn’t have the time or in-house expertise to tackle an IT and cyber assessment, turn to Wipfli. Our team regularly performs cyber and IT assessments for nonprofit organizations, as well as technology health checks and cybersecurity services.
We’ve also developed a sample RFI for a cybersecurity and IT assessment that your nonprofit can use to find the ideal third party.