Welcome to the second of a 2 part podcast from our recent webinar on IT Governance for Nonprofits. In part 1 my guests, Nura and Jeff, gave us an overview of the most important IT policies to have, and talked about the process to create or revise them.
We shared some templates on our website, CommunityIT.com, and did two polls to find out how many nonprofits in our audience had acceptable use policies, and what their communication style was within their organizations.
In part 2 we talk about the implementation and roll out of new or revised policies, the barriers to starting this project, and we give some tips on keeping your policies up to date in the future.
If you are having a little FOMO, I encourage you to join us live on a webinar and ask your own questions. You can see all the resources shared in the webinar in the transcript on our website, communityit.com.
Welcome, everyone, to the Community IT webinar. This one is Making IT Governance Work for Your Nonprofit. My name is Carolyn Woodard. I’m the Outreach Director for Community IT and the moderator today. I’m very happy to hear from our guest speakers, Jeff Gibson from Build Consulting and Nura Aboki from Community IT.
Jeff Gibson: I’m Jeff Gibson. I’m with Build Consulting.
Nura Aboki: Hi, I’m Nuradeen Aboki, Community IT Consultant.
Rolling Out the Policies
How do you roll out policies to new and existing staff? We have some ideas here.
You can work with HR for new hires and at performance review opportunities. I think a lot of us are familiar with how you get the HR employee handbook on the first day or the first week of work and it has the acceptable use policy in there and probably a bunch of other policies, whether or not you can absorb it at that time.
So working with HR to make sure that those policies are re-rolled out periodically. What’s effective to roll out to existing staff and are there tactics that work?
So Nura, would you like to take a first try at this?
Nura Aboki: Yeah, sure. Thank you. Part of the rollout process is to initially get the stakeholders to agree on the implementation of the policy itself.
We have agreed that we are going to do, for instance, an acceptable use policy. We’ve agreed on the final version. Now it’s time to roll it out.
Then having a launch plan is something that an organization should have in place. That launch plan will
- outline the roles and timetable.
- Also this needs to be circulated to all the parties that are involved for agreement. The role players need to know and the timetable to actually go for launch.
Then the one key important thing is to have a communication plan because as you’ve seen, a variety of organizations have different modes of communicating with their staff and different channels. So usually an organization should use the appropriate channels, messaging to make sure that everyone that is part of this policy has received the policy or will be receiving the policy appropriately.
And there needs to also be leadership involvement, since we agreed that the stakeholder participation should include leadership.
Leading by example is going to be a key way to get this roll out possible. Setting up positive examples for employees to demonstrate compliance with the organization IT practices or policy, giving those examples will show that this policy could work. I can see myself complying with this policy. It’s not just one way – the policy here is the policy, follow it – but having a conversation about how this policy actually helps with the mission of the organization.
And then setting milestones to communicate the IT policy and just to make sure people are not overwhelmed. So if you put a milestone, you can basically just track all those milestones in the plan. That way, it’s not too many changes at once.
Make sure each policy is rolled out timely, appropriately, making sure people have the bandwidth to receive it well.
And also ask questions and provide feedback that way you can kind of measure the success of the IT rollout policy.
I know that Jeff mentioned something about leveraging trends. You want to have a protocol to ensure that you’re encouraging people to follow the compliance that is outlined in the IT policy. So if there is any new advancement in technology, you want to make sure that after a review of the policy, you go back to your communication plan.
You also think of examples that you can share to motivate people, but maybe the adoption of a new AI, acceptable use policy, for instance.
So that kind of continuous improvement and continuous review is going to be helpful in having the rollout be successful.
I would add just two more points here.
- Explaining the importance and the significance of the IT policy, just making sure it is thoroughly explained that there is no chance for misinterpretation and people understand what they are signing up for.
- Make sure it’s distributed, accessible. It’s not buried in a handbook somewhere.
Make sure it’s readily available, accessible, and put it in as part of your commitment to ensuring that these IT policies are clearly explained to staff, either in all staff meetings periodically, or referenced at least once a year, so people are aware. They easily can get forgotten because of other priorities that the organization may have. So those are the steps that would summarize.
Roll-Out Strategies for IT Policy at Nonprofits
Carolyn Woodard: Thank you. There was a great comment in the chat from Michelle, who says that with IT policy changes, we roll out to the operations team first because that team is the most tech savvy and the least change adverse. So it seems like they get their champions, the people that are going to be most excited and least frightened by the change first, and they help them work out the kinks.
Once we work out the kinks, we put together documentation and roll out to all staff. And then she says she also puts a couple of preemptive 15-minute meetings on the calendar for folks who need more assistance. So that’s really smart and strategic to identify the people that will be the most resistant and give them that extra help to understand the new policy.
And sometimes with the new policy, really, you don’t have to change anything. You have to know it, but you don’t have to change what you’re doing. But if there are changes that are going to have to happen, make sure that you give them that extra hand holding. Thank you, Michelle, for that comment.
Jeff, do you have other examples of ways that you can roll this out? And is it different getting the attention of new staff and getting the attention of existing staff? Do you have different strategies?
Jeff Gibson: I do. Back to an earlier point that was made, is calendaring the change. This is tough for organizations, but use as much sway as you have on HR to have a yearly review with all necessary people in that review of the employee handbook.
And then the other thing that I always want to consider at that level is, are there discipline-specific or subject matter expertise policies that need to be reviewed? Acknowledge that they are reviewed in terms of if you have a database administrator, that’s a much more buttoned up policy adherence than data handling than your average staff member is.
Does the financial department need to have more in-depth training on financial handling, vendor management, et cetera? The policies page on an intranet is a great idea, because it’s all in one place. You can set a reminder, review that, and you get folks in the habit of going there.
And then especially for new employees, you don’t remember much from that first couple of days. So it’s a place for your new employees to refer to and they know they can look at it when they have a chance to take a breath.
If you have an HRIS (Human Resource Information System) system or your cyber provider may have plugins for training on certain policies, then you can also end up negotiating. If I get 90% of my staff to review this CBT (Computer Based Training) with a successful passage of it, can I get some money knocked off of my cyber insurance? I’ve used that several times to where if they know your staff is well-trained and there are policies in place, they will give you a reduction.
I’m not guaranteeing it, but at least it’s a place to start negotiating. And then if it’s CBT-based, you can also focus even deeper on, maybe some folks didn’t do well on the CBTs, they’ve scored under an acceptable margin. Then that’s the time to target them for focused in-person training, one-on-one training because these folks are usually in critical roles and some of these processes and policies require 100% compliance for the success of the organization.
A lot of organizations will have something in their HR management system, or an outside third-party vendor can come in and there’s a subscription and you can kind of dictate what trainings you want and ones that you can customize.
And they’re usually fairly affordable. I know money’s tight everywhere, but it’s a really good way to get a handle on your overall organization with some data behind it and let you target where you need to train or communicate better or what departments need more specialized training.
Overcoming Barriers
Carolyn Woodard: Nura, would you like to talk about some of the biggest barriers to creating these governance policies?
Nura Aboki: One of the main ones we’ve seen is prioritization. Oftentimes, an organization, especially nonprofit organizations, are focused on their mission and they just want to achieve their mission. And that takes priority over spending the resources and time on IT governance or IT policies.
Another aspect of this is just the lack of resources or limited resources. Many nonprofits operate with limited resources, which can make it difficult to allocate sufficient time and personnel to IT policy development.
Also some may have a different mindset altogether, where nonprofits often focus almost exclusively on the mission and goals, which can lead to IT being overlooked and undervalued.
So those are some of the factors. But there are ways to overcome these barriers. But I want to hear from Jeff if there are more barriers that Jeff might have.
Garnering that leadership buy-in and that communication of leadership buy-in. Having your leadership communicate to the general staff is another.
And then the time.
I wish I had a magical response to the time thing. Harkening back to what we were saying earlier, you have to prioritize based on the urgent needs of the organization. And there will be times where you have to have difficult conversations with leadership and department heads and other staff, that we just can’t do X right now because this new situation caused us to refocus.
When you’re communicating things like that, it’s important to set a time frame and to stick to that time frame. Most folks will give you some grace if you have a date attached to something. You know, saying, we’ll get back to you. IT, the famous black box of information, we have to change that perspective.
And then one of the things that I learned every time I had a different assignment, or a different job is you have to break out of the IT barrier. “We’ll call you if something horrible happens. Otherwise, you know, you don’t need to talk to us, we won’t bother you.”
But IT has to be outward-facing and communicative. Really speaking to users about their respective concerns and what you’re doing as an IT organization will help them, ease their job, secure their job, improve the success rate of whatever the discipline they’re executing on.
IT just generally has to get outside of being looked at as the plumber. IT has to be looked at as an enabler, you know, especially given how invasive technology has become, even in the last 10 years, much less five years.
There’s not many organizations or groups within an organization that aren’t impacted by IT. And they have to be informed on how to use that IT to enable and better their mission, but also sort of the risks that are associated with these new, very powerful tools. AI is a perfect example.
And then the timing is critical. It’s much harder to limit usage to non-IT teams of a new tool if it’s already on their PC. You need to have that just-in-time sort of approach of policy training.
Get the policy there before the tool is sitting on the finance guy’s desk who is playing around with AI. He has no idea if it’s a public LLM (Large Language Model) or a private one or whatever, or the risk to the organization associated with just putting up organizational IP out into the greater model.
Some of it’s just diligence, sticking with leadership, explaining to them on their level, explaining risks of not refocusing the rest of the staff on behaviors.
Carolyn Woodard: I think you hit on something that I hadn’t really thought about before, about IT being outward, and making connections with some departments or teams that wouldn’t necessarily think they had an IT interest.
One example is that HR might have their own systems that are pretty walled off usually from everybody else’s, but involving them in a performance review, helping the person in that review explain that they understand the acceptable use policies or the new AI policy or whatever it is that has changed and get their buy in and collaboration. That’s a really interesting tactic.
We had someone also ask about being able to convey the risk to leadership if it’s something that’s going along, going along and not seen, not prioritized because it isn’t seen as a huge risk. Be able to communicate that to them, which is something IT often can do, especially if they’re working on the cybersecurity aspect.
Q and A
Where do we check for compliance?
For me, I was thinking something you said earlier, Nura, about you have a policy and then are the people who are under that policy complying with the policy?
If your policy is you can’t use ChatGPT, how do you know that people are and how do you manage those expectations? Do you guys have some examples or ideas?
Nura Aboki: What comes to mind are setting security controls or technical tools that would allow for enforcement of policies. So because we are vendor agnostic, if you have an email system, you have files in the cloud, some of the cloud providers will have a governance tool, for instance, that will set certain classifications for documents, sensitivity, confidentiality, and a certain group of people in the organization should only have access. If someone tries to delete or copy a file from one section of the file system to another, perhaps that could be a violation.
Tools that are monitoring the devices that people have or have been assigned, whether they are installing third-party applications. Even some of these tools prevent the installation of third-party applications and changing the configuration of the device that is issued to staff. So there are tools that allow for the enforcement of these policies that may help with compliance tracking.
Having the policy is one thing and enforcement is another challenge, but at least having a policy is a good start for your organization.
Carolyn Woodard: Especially at nonprofits because we’re very friendly, team-oriented. It can be difficult to lay down the law.
Would an IT disaster response policy normally be part of a larger organizational DR (Disaster Recovery) policy?
Jeff Gibson: Yes, absolutely. It’s integral. Outside of ensuring quick, fast enablement of communication from the organization to the outside world, the DR piece is critical. I mean, you can’t pay your people anymore if you can’t find your files anymore.
I would almost argue that DR from an IT perspective is becoming equally as important as the rest of the organization. An organization can shut down for a day or two. If an organization loses all of its data, you’re starting from scratch.
If an organization can’t pay its people, you’re really starting from scratch and you’re going to have a myriad of other issues that are going to result from that. But absolutely.
Carolyn Woodard: And it could be a non-hacking disaster. It could be a flood in your office. With everything in the cloud, it’s less likely. Although it could be internet is down on the East Coast for 24 hours, or what have you.
Jeff Gibson: There are still a frightening number of nonprofits that just don’t have the ability to finance a move to the cloud. I see a lot of on-prem systems still, a lot of backed up data on large terabyte drives, things like that.
I think it’s just a matter of having a DR policy and a DR mitigation plan on a budget. Even if you have nothing to spend, thinking it through and doing tabletop exercises, making sure documentation is available offline. It calls back to the old days, but that big three ring binder with up-to-date information, that’s always going to be sitting there.
You might not have access to a knowledge base that you’ve crafted over a decade, but a lot of the old school stuff is still out there. It’s just hard with the cost of cloud and the cost of some of the AI tools and enabling a lot of the DR stuff.
Carolyn Woodard: We did a webinar on cyber liability insurance a couple of years ago that’s still very valid and appropriate. One of the things that our guest said was to have just the phone numbers of your insurance provider and the police for when you do suffer a malware or they have encrypted everything. She had had a client where the number to call the insurance provider was encrypted, they couldn’t get it. It was very difficult for her and she said, yeah, just a piece of paper that has those important phone numbers on it is important.
Jeff Gibson: One thing to tap into is the insurance providers. Insurance providers can help and can and will help you create disaster recovery policies usually included as part of the cost of your coverage.
They don’t want you to have a cyber incident either. It’s much more expensive for them. So, they’ll hook you up with auditors, resources at their disposal that won’t cost you anything and that can really help you kind of point out the weakest parts of your plan or your organization. So don’t forget to leverage those.
Carolyn Woodard: Exactly. We’ve done a couple of webinars. You can find them on our site about disaster response and how to create those plans.
As you said, Jeff, it doesn’t have to be a very expensive exercise. It can be just your leadership team figuring out who’s going to do what in the event that something is inaccessible.
I want you each to tell me one thing that you would say to convince the board of a nonprofit of the importance of policies. So who wants to go first? You can only say one thing.
What’s the most important thing to be convincing to your stakeholders?
Jeff Gibson: It’s easy, but it literally can impact the continuation of the organization, the business. It is a business continuity concern.
You’re not overstating it when you say, this could be the end of it from a financial or a data perspective.
Nura Aboki: I agree with Jeff, and I would add the reputation of your organization at this stage.
Having good technology policies protects your organization’s data and reputation by providing clear guidance on what is acceptable and how to manage risky situations.
Carolyn Woodard: I want to jump in and say that both of you are available to take more questions. You can get in touch with us through our websites: www.buildconsulting.com for Jeff and communityit.com for Nura or myself.
Learning Objectives
I wanted to go back over our learning objectives. I hope that after this presentation, you
- understand the essential IT policy documentation for nonprofits and how to prioritize. We have a bunch of priorities, right? We have the acceptable use policy, and then also disaster recovery and data retention necessities.
- We hope that you have learned how to create or update these IT policies, and we shared some templates. I shared the link to our website where we have a bunch of other links to templates that you can use.
- Learn tactics and strategies to roll out policies to all staff. I want to thank both of our experts for sharing your experience and anecdotes and ideas on that. As you said, it’s not easy, so don’t worry that you haven’t been able to do it, but hopefully we gave you some ideas to try.
- And then of course, understanding the barriers to implementing IT governance and how to overcome those barriers.
I think when we were talking about this presentation, one thing we kept coming back to was people’s emotional response to the idea that they have to do this project, right?
You might have an intellectual understanding that this could be the end of your nonprofit, that the risks are very real, and that you need to have these policies in place. But if you put an hour aside and you start working on it, either you can’t find your old policy, or you can’t find a good template. It just seems overwhelming. And you say to yourself, well, I’m not going to do that, even though I know that I need to. So, a tactic is to overcome those kinds of emotional responses and just make small changes, make it into smaller tasks that you can do that are going to lead up to your big accomplishment.
I love your idea, Jeff, of putting stuff on the calendar, making time and just setting reminders. And then in the future, once you’ve got your policies, setting those reminders so they don’t get out of control and out of date again. Annually, quarterly, whatever works for your organization, putting that reminder on your calendar, setting those meetings and bringing the people, stakeholders back together, your leadership, to just revise them.
It’s so much easier to revise it and just say, oh, no, nothing’s changed. We’re good for another quarter. Or, this AI is really growing, and we need to incorporate that. So let’s change a couple of these other things.
Those are all such good pieces of advice.
I want to thank everyone for joining us today. We know you have a lot of other things that you want to be doing.
And Nura and Jeff, I want to thank you both so much for sharing your expertise with us today. Thank you.
Jeff Gibson: Thank you for having me.
Nura Aboki: We’re happy to be here. Thank you.
