Community IT Innovators Nonprofit Technology Topics

Assessments and IT Maturity

March 15, 2024 Community IT Innovators Season 5 Episode 10

Do you know if you are in technology debt or investing at the right level in your nonprofit IT?

Senior Consultant Nura Aboki sat down with Carolyn Woodard recently and discussed his work as a senior consultant and the strategic responses he sees as the most successful across his clients. You can benefit from these tips no matter the size or technology comfort at your organization. Assessments can help you determine the IT maturity level of your nonprofit and help you invest accordingly.

IT maturity is not a judgment call. The chart included on our website is a tool to help evaluate your needs and goals. Your organization may function best at a medium level of maturity – moving to a higher level would not be a wise investment, given your mission or staff size. However, no nonprofit does well at the lowest level of maturity – with failing systems, high cyber risks, or low staff morale around IT systems and training. We always advocate for well-managed IT that is appropriate, affordable, and strategic for your nonprofit.   

Listen to Nura’s insights into the importance of doing assessments at any size, and how the assessment can be geared toward your needs and budget. You need to know what you have.

When you have a good record of your IT systems and have committed to well-managed IT, you are ready to explore that question of the right IT maturity level for your business needs, and make investments accordingly. Sometimes an external consultant like Nura can be the easiest way to tackle this task, but often a nonprofit can be strategic at the executive level internally. For more on training up your IT leaders and practitioners, check out our webinar Nonprofit Digital Health Workshop.

For more from Nura on the need for foundational policies and governance, listen to this podcast.


Thanks for listening.


2023 Dec Pod Nura IT Assessment and IT Maturity


Carolyn Woodard: Welcome everyone, to the Community IT Innovators’ podcast. My name is Carolyn Woodard and I'm the Outreach Director for Community IT. I'm here today with a Senior Consultant, Nura Aboki. 


I want to ask you Nura, what is one thing that you wish people knew about with regards to non-profit IT?


Nuradeen Aboki: Well, thank you for having me. One thing I wish people knew specifically has to do with their IT maturity level - the IT maturity level as it pertains to the organization. Understanding the organization's IT maturity level has a number of effects that could lead to improvement in the way you achieve your mission. 


How do I know our maturity level? Maturity level, it can be a buzzword, but it's something that one needs to know. Where are we right now? Do we have technology debt? What level are we at? Do we need assistance? Do we have good partners that work with us?


So, understanding maturity level is something I want people to know that would help them in understanding their needs for technology and then be able to make investments today to help them move to higher maturity levels or improve their IT. 


The standard is out there. A number of organizations have looked at IT maturity level standards and strive towards moving from a lower level where they have maybe zero maturity to higher levels.


It’s not a process that I would say, can I go from a zero to five in two years or in one year? It's not necessarily that organizations will have to follow through that way. Some organizations like to stay in IT maturity level two for a variety of reasons. 


But in order for you to know your maturity level, there is a prerequisite that we highly recommend. 


Typically, it’s the technology assessment or review that is done by your IT partner or an auditor or someone outside that would come in and look at the overall technology status of your organization: 

  • people, 
  • process 
  • and the technology itself.


The IT assessment review tends to have a very structured approach to it and methodology that it follows, where your staff are going to be interviewed and asked a variety of questions. Your IT leadership, if you have an IT leader, is also going to be interviewed to understand their perspective on technology. 

And then your process documents are also going to be reviewed if you have any documentation related to on-boarding, off-boarding of staff or on-boarding new technology, off-boarding of old technology. All of those process documents are going to be reviewed.


This would allow a holistic view of an outsider into your organization, just having an understanding of whether or not some of the processes that you currently use are mature enough to put you at a maturity level that is higher than the average or it's weak and needs to be improved and your maturity level is lower. 


So, it's a way to actually know where you are and then begin to think about how I can move up to be mature in my organization in terms of the use of technology.


Carolyn Woodard: In your experience, it seems like it's been important that this has to be done by an outsider. Is it something that if you're within the organization, you're too close to decisions that have been made and maybe internal attitudes that you have around IT? So, it’s hard to take that step back and actually do a neutral assessment, whereas an outsider can come in and have a clear-eyed look at where you're at in your different systems and your attitudes toward IT?


Nuradeen Aboki: Exactly right. Giving this responsibility to a third party helps you recuse yourself because of your heavy involvement in the day-to-day engagement in your organization. So, it would give you an objective review to actually allow a third party to come in, without any bias, to critically look at your needs and provide a report that helps you look at ways to improve. 


We are always looking at organizations to improve, as technology advances so rapidly. IT transformation is happening at a very fast pace. Some organizations are reluctant to make investments because they are perhaps comfortable with the legacy systems that they have. Or perhaps they are unaware of what is out there.


If things are not broken, maybe they are comfortable. But technology moves so rapidly that if you are behind, catching up can also be a challenge. So, bringing in a consultant to take a good look at your organization’s technology, if there are indicators of technology debt, it's worthwhile. You can understand where this technology debt is, in the infrastructure or maybe in the people that manage IT, or even the processes that are governing IT are lacking. That holistic report would help you make choices in terms of your investment and areas to improve.


Carolyn Woodard: I'm going to jump in and give a quick plug. We have an article on our website about technology debt within nonprofits specifically, some of the factors that can lead to being in technology debt, not having invested in your technology over time. Then when you're trying to get up to current processes, it can take you longer and be more painful to get up to where you need to be. That article is on our site. People can read it there.


So, why is it so important to do an assessment? I know you work with larger clients, like 100 staff and higher who often have their own IT department and they're partnering with us for either consulting or some of the MSP services that we provide. 


Is there a size at which it makes sense for an organization to do an assessment like you're talking about? 


Who should have an outsider come in and really dig into what the IT looks like at their organization? 


Nuradeen Aboki: That's an excellent question and for every size organization, there is a level of assessment that can be done. 


We have multi-level assessments. 


We can do a comprehensive technology assessment. For larger organizations that have complex infrastructures, bigger systems, that want to get a good sense of what they have, why they want to make those investments. 


Other assessment types are light. They focus on especially smaller clients that maybe tend to, 10 to 50 people that have most infrastructure in the cloud, meaning they don't have any servers on the premises. Those organizations would be able to consider the light assessment, looking at their cloud infrastructure and evaluating what they would need to improve their cloud experience or cut costs in terms of running infrastructure in the cloud. 


Comprehensive assessments are for organizations that have 50, 100, to 1000 staff. Typically when we initiate our engagement with clients, through initial conversations, there will be indicators of which assessment we would recommend you do.


Oftentimes, the larger ones we see, a comprehensive one is better for them even if they have everything in the cloud, because it looks at the complex systems they have in the cloud and addresses any gaps that we find.


Carolyn Woodard: I think that's so fascinating because in my experience with IT at different sizes of organizations, it's really easy for it to become very siloed. Different departments make decisions about the technology tools that they need without looking at the entire organization. There could be some synergies to use the same systems or places where it makes sense to keep a system to that department because it needs to be isolated in its security issue. So I really love the idea that every organization could use an assessment.


And I love that there's this opportunity of a lighter assessment. That makes sense if you're coming into the assessment without a lot of complex systems. But yeah, once you get up to a certain number of staff, it's definitely going to be complex.


Nuradeen Aboki: Yes. And that's what we've seen. 


I wanted to mention one specific area for larger organizations, it’s the identity management solutions that they use. You may hear it called single sign-on or SSO. 


Organizations that are much larger, because they have complex systems, have a number of applications, anywhere from 10 to 50 different applications across a variety of departments. They want to tie it all in one identity. So, every user has a single identity for them to log into a dashboard and the dashboard would show them the applications that they have access to. For organizations that are serious about their identity management, there are a number of vendors. Because we’re vendor agnostic, we also provide guidance around vendors that could be a good fit for your organization.


Where you have all these cloud services, each one of them would have a username and password that is separate. People having to track 10 different user names or 10 different credentials versus having just one credential that gives you access to all. Larger organizations love that idea. Oh, just one ID and that's it? I don’t need to memorize all these passwords? So, we are beginning to see more and more organizations adopting single sign-on solutions to ensure that there's security around all the cloud services that they use for work.


Carolyn Woodard: Are you finding that some of these concerns are driven by security concerns or particularly insurance? How often does that come up when you're dealing with clients?


Nuradeen Aboki: Yes, I will see insurance companies asking organizations to ensure that they are aware and they mitigate or minimize, even avoid risks to their organizations in order to get cyber liability coverage. There are minimum requirements to ensure that you have good coverage for your cyber needs. Oftentimes, on the application forms, there will be questions around, does this organization have the basic security to protect their identity, for instance, multifactor authentication for all cloud applications?


If you were to follow that and implement it, you see you have 10 different cloud applications. It will mean that you would need to enable multifactor authentication in each one of those. You will have 10 authentication codes per staff to track. But if you take it a step further and say I'm going to deploy a single sign-on solution that integrates all of this so my staff will only need to have one authentication code to worry about, that simplifies the experience, meets the requirements and gives you enhanced security.


Carolyn Woodard: I imagine a lot of organizations haven't thought they needed an audit or an assessment. Then they come to that question in their new cyber liability insurance asking if they have security on all of the cloud tools and applications that all of their staff are using and they don’t even know what staff are using.


At that point, it makes sense to work with an outsider, again, and do a deep dive. Do the assessment, find out what everyone is using and then implement that single sign-on and really make it so much simpler for everyone.


Nuradeen Aboki: That's exactly right. And usually, the cyberinsurance renewals happen every year and organizations are scrambling to meet those minimum requirements in order to get coverage. If there isn’t any attention provided by a third party, there are several technology partners out there that have experience that can assist in filling out those forms and ensuring the technology is implemented and enforced and can confirm that it is in place.


It’s really risky for one to fill out the form without knowledge, because one can be liable for false statements and misinformation. So, it’s always good advice to partner with technology. And my clients really have been good partners in terms of ensuring that we review the forms together and go through each technology that is required. Is it implemented? Okay, if it’s not, we plan in advance. We don’t wait until the last minute. We already started planning for next year’s renewal. It’s in our roadmap, it’s in our budget that we invest and improve our technology so we can ensure we are able to meet those requirements for renewal of our cyberinsurance.


Carolyn Woodard: I’m sure it’s so reassuring for our clients that work with you, to have someone helping them go through those forms and making sure that they are giving accurate information that the security is in place.


Nuradeen Aboki: Yes.


Carolyn Woodard: So, those are your tips going forward:

  • Make sure that you know what you have. 
  • If you don’t know what you have, do an assessment. 
  • And then a couple of tips on making what you have more secure and more strategic. 
  • There are ways that you can combine or make investments that help all of your IT work together better.


Nuradeen Aboki: Excellent. Thank you so much.


Carolyn Woodard: Thank you Nura, so much for chatting with me today. I really enjoyed talking with you. And thanks again for those tips.