Community IT Innovators Nonprofit Technology Topics

Making IT Governance Work for Your Nonprofit pt 3

Community IT Innovators Season 5 Episode 21

Pt 3 delves deeper into implementation, roll out, and overcoming barriers to updating or creating IT governance policies at your nonprofit.

In this podcast follow up to their webinar, Community IT Senior Consultant Nura Aboki and guest Jeff Gibson from Build Consulting spoke with moderator Carolyn Woodard and shared their experiences and insights into the difficulties of rolling out your updated policies. How can you overcome barriers like fear or inertia and see this process as an opportunity for your leadership to bring staff together around shared values, and not an onerous chore? What are good ways to get stakeholders on board and successfully roll out training on the new policies to all staff?

If you are feeling paralyzed about this project to implement your policies, this discussion will give you a roadmap on how to move forward. Learn about making IT governance work for your nonprofit.

For templates: Free Resources for Building IT Policies at Nonprofits has a ton of links for you to start with. Check out this podcast pt 1 and 2 for an introduction.

Is your nonprofit protected?

In our work with clients over the twenty years we have been providing outsourced IT services, Community IT has frequently run into clients with no Acceptable Use Policy at all. In addition to protecting your organization from employee misuse of equipment, IT governance policies are strategic documents that need regular review to stay in alignment with your nonprofit’s goals and tactics.

If your organization has no IT governance documents or they haven’t been updated in a while, this webinar teaches how and where to start creating these vital documents. Our panelists also shared their experiences and successful strategies to roll out these policies to all staff, and gave ideas on updating your training on these policies to be fun and engaging. The key takeaway? Collaborating: the IT department needs to work with other teams to incorporate various needs and insights. 

Your organization’s protection from cyber crime and multiple legal issues rests on your staff understanding and following your IT policies. Don’t get caught without policies you can rely on and refer back to when situations with cyber attacks or disgruntled employees arise.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT and Build Consulting are proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Thanks for listening.


Carolyn Woodard: Welcome to the Community IT Innovators’ podcast. My name is Carolyn Woodard, and I am very happy today to be moderating a continuation of our conversation with my friends Nura Aboki from Community IT, and Jeff Gibson from Build Consulting.

I’ll let each of them introduce themselves, and then we’re going to talk a little bit more about IT policies that you might need for your nonprofit, and how to roll them out, and the barriers that you might need to overcome to be able to implement those new policies. 

Nura, would you like to introduce yourself?

Nura Aboki: Thank you, Carolyn. My name is Nura Aboki, a Senior Consultant at Community IT. I help our clients with IT planning, IT budgeting, road mapping, IT management of infrastructure, and support. It’s a pleasure being here on this podcast. 

Carolyn Woodard: Thank you for joining us. And Jeff, would you like to introduce yourself?

Jeff Gibson: Hi, my name is Jeff Gibson. I’m a Senior Consultant with Build Consulting. We focus on the nonprofit sector, helping clients do implementations, selections, change management, and change readiness.

I’ve been in IT about 25-ish years, helping with analytics and operations in the private and public sector. And I’m happy to be here as well. Thanks for having me.

Carolyn Woodard: I’m so glad to get you both back. We just did a webinar on IT governance at nonprofits, and I felt like we hadn’t really had enough time in that webinar to delve into these two topics. 

So I wanted to go back and just talk a little bit more about when you’ve realized that you have a problem, your IT policy is not updated or maybe you don’t have one, you need to create one. And now you have gone through a process to create that IT policy, whether it’s an acceptable use policy, an AI use policy, a disaster recovery policy, a data retention policy, any of the policies that we talked about in the webinar Making IT Governance Work for Your Nonprofit.


Now that you have your new updated policy, could you tell us a little bit about some anecdotes or tips or best practices for rolling those new policies out to your staff? 

Nura, would you like to go first?

Nura Aboki: Yeah, thank you. We’re thinking of a scenario where you’ve already done the drafting of this policy.

It is very important for you to make sure all the stakeholders are in agreement that the policy meets all the expectations. So before implementing the policy, ensure that it has been reviewed and approved by all relevant stakeholders. 


Launch Plan

With that consensus, we then would say, build up a launch plan. 

How are you going to launch it? You should be intentional about this policy because you want it to be successful. Building that launch plan will help you develop and outline the roles and the timetable for launching the policy itself and all the parties that will be involved.


Communication Plan

Then a communication plan is also important here because policy needs to be effectively communicated. So effective communication – you need to think about your company’s appropriate channels for communicating, messaging and also understanding your workforce and taking everybody along in your communication plan. 


Lead by Example

And there are also aspects of this rollout that you want to consider, things like you want to lead by example. You want to set a positive example for employees by demonstrating compliance with the organization’s IT best practices. If they see that you are also following the policy, then that is definitely something that will resonate across your workforce. 


Engage Stakeholders

The one other thing that I want to mention here is you want to engage the inter-departments that you have. All the departments that you have, operations, IT, all of them need to be brought into the fold. But operations and IT seem to be kind of working together. Either IT is part of operations or if you are large enough, you may have IT separately. There needs to be some collaboration between IT and operations and then the other departments that you have at your organization to have a successful rollout. 


Provide Active Help

I will add that you want to also provide active help. You should offer assistance, hands-on assistance, to employees who may not be familiar with the complex systems that you may have, or even your IT systems. And you want to demonstrate how to implement the policies to them. That way they are conversant and they understand it clearly and they understand the repercussions for violating such an IT policy.

Carolyn Woodard: Thank you so much. That all sounds like great advice. Maybe it’s easy to say, but with a lot of things in IT consulting, if it were easy to do, we wouldn’t have as many consultants. 


Who Is Best to Roll Out IT Policies?

Jeff, I want to turn it over to you and maybe ask a little bit more probing questions. In your experience, when you have a team that has put together this policy, is that team also usually best suited to create this rollout plan?

Are there other people that you need to bring in at that point when you’re going to be training people on a new policy or a revised policy?

Jeff Gibson: I would think so. Probably a subset of those folks. 


Involve Stakeholders in Planning AND Rollout

And then the other thing is the training and rollout allows you to continue the communications plan that you started, getting that buy-in, all the way from senior and executive leadership down to departmental leadership. And those are the folks that I would probably engage in training and rolling out new policy, because if you did it correctly, they probably had input into the overall policy based on their respective business unit needs, departmental needs, whatever.

But then it also continues that communication plan by showing that the departmental leadership has bought into this policy change and this change in approach as well, and that they can relate it to specific, “why do I care?” kind of questions from departments that are a little more niche than other departments in your organization, say finance versus your help desk folks.

Involving those folks really continues the organizational level buy-in and it also allows them more specific responses to questions that certain departments might have as related to that policy. I think that’s a positive all the way across from cradle to grave on the policy rollout. It allows you to practice what you preach the whole way through.

Carolyn Woodard: I’m going to ask a follow-up question, Jeff. 


Mandatory Training Requirements?

Are you a fan of mandatory training or are there times when mandatory training is a good idea and times when you wouldn’t recommend it?

Jeff Gibson: I don’t know that anyone’s a fan of mandatory training, but you have to do it. Especially with the compliance and policy stuff. I mean, it’s getting so dicey for noncompliance in a lot of sectors that you just have to.

We’ve all got to eat our vegetables, but it really does speak back to that notion that you just constantly, be consistent and persistent, tie why we’re doing this into something tangible for each user or each department. And that shows you that it’s not just, “the mothership is dictating that we have to do this now.” It doesn’t really take root when you roll something out that way.

Carolyn Woodard: It seems like what you said, Nura, of making sure leadership is leading by example. If you see someone high up in your organization in the mandatory training, it definitely goes a long way toward reinforcing that it really is mandatory. 


Involving the HR Department in IT Policy Development and Roll Out

Nura, it seems like at some point, your HR department is going to have to get involved, whether that’s because somebody has not kept to the policy, has not complied with it, or hopefully before that happens, with making sure that understanding the policies is part of your performance review.

Can you talk a little bit about strategies for getting HR involved?

Nura Aboki: Earlier, I mentioned that the stakeholders have to agree, and HR should be part of that stakeholder team that puts together this policy. And because HR has hooks into everybody at the organization, they see everyone’s role at the organization and have a deeper understanding of employee engagement. We even have approaches to training techniques that they’ve used that could easily make it a part of their onboarding of new hires or even ongoing training for existing employees.

As Jeff mentioned, I want to emphasize it’s important to ensure that your staff understands the reason behind the policy and how it will benefit them and the organization as a whole. Because there was this question, why? Well, it may be superficial in the beginning, but if HR can deliver that value, that understanding, it can hopefully communicate it effectively and early before it gets too late. 


Changing Training Requirements for Existing Staff/Revoking Access

Carolyn Woodard: I know, Jeff, that there are some situations where you have to go through training before you get access to something, especially with databases. I’ve been in situations where there wasn’t enough training, and I thought, oh, this person has access and they don’t know what they’re doing with this field. 

Do you have advice or best practices on if you have a new policy or you’re going to implement something like that? When people have had access to a database, but now you want them to have training before they can go further?

Jeff Gibson: Usually, that’s necessitated by non-compliance, so generally, there’s some other dicey things going on. One of the places I’ve been, we had a pretty long data handling stream. Any set of data that other departments were dependent upon would have gone through four or five different people touching it prior to getting to the ultimate goal where analysis and next steps were generated from that cohesive set of data. Generally, we go in after some department and IT have spent three or four days trying to reverse engineer where this change occurred.

It’s usually mildly contentious when some of those things are going on anyway, because some incident will occur and then a group of people will get together and develop a policy very quickly, and then they’ll try to roll it out. 


Have a High-Level Policy and Get to Specifics Too

But the trick there is, rolling out data handling procedures, core data handling procedures that go across departments, find the least common denominators. If you start with that, then you can get into the department-specific rules. But generally, a high-level organizational policy is great.

And then if you can craft that to the individual departments, talking about their specifics, that’s helpful. But a lot of times, once you give somebody something, anybody who’s ever been around a kid or a puppy or me would know that if you give them something, they think they own it right away. So, rolling that back is tough. 


Communications Matter

But I think in that situation where you put a hold on things in terms of access, I think the trick there is quick, concise discussions. 

Let’s go back to where people really don’t like it when you take something away that they already have in their possession. It goes back to those core things that Nura and I have said and everybody else on the planet has said. It’s that consistent execution. 

“Here’s why we’re doing this.” Keep it simple. Keep it consistent and get it moving. You know, nature hates a vacuum. So, any kind of quiet time, everyone will come up with their own answer as to what’s going on, what the outputs are going to be, and they’ll already start feeling their reactions to something that they don’t know what the reaction is.

So, get a correct number of people that are representative of all groups in a room, hammer it out, decisively execute and roll it out. 

And then, the one I’ve seen in the past that has not gone well, is where you will test someone’s understanding of the policy. That can be dicey. As an IT leader or HR leader, you have to know that they have read it and complied with it. But, making it into a test is sort of dangerous. I think a conversation about understanding a new policy is better than, “okay, go back to your desk, take this test and then we’ll give you access.” That’s a little draconian.


Cybersecurity Policy Concerns and Roll Out

Carolyn Woodard: I agree. I know neither one of you are cybersecurity experts, but one of the reasons that we need policies are for the cybersecurity risks. And we need some way to ensure that all staff understand what’s coming into their inbox and what they should click on. 

And if they click on something that’s not totally right, who do they talk to, who do they tell about it? 

Do you have any advice, Nura, on conveying the “why” of cybersecurity risk policies in something like your acceptable use policy?

Nura Aboki: In the nonprofit sector, some organizations have had some security incidents that they may not have expected, but it led to reputation loss and financial loss.

Educating staff about common security incidents would be important, because those are incidents that they could relate to, because it’s happening across the industry. It is important, as IT professionals or business leaders, to be conversant in those security incidents. As a nonprofit leader, you may be looking at your risks, and those security incidents could be a threat to your organization. It’s important to be aware. 

And if you may not have access to the information, talk to the IT professionals that know your industry well, that could share those stories. Because they’re real stories, you may get people to pay attention and to understand the value of adhering to such policies.

Carolyn Woodard: If I can blend what you and Jeff both said, make it relevant. Make sure that the people who are involved in that tool or that process are engaged in setting and rolling out the policies, so it’s not something that somebody over in this other department told me I have to do.

But then also using the current environment, there are all of these risks coming in and threats to your organization. And so, utilizing that will help people take it really seriously, which they need to take it seriously. Well, thank you so much for that. 


Overcoming Barriers to IT Policy Roll Out

I think I’d like to pivot now to something that we talked about in the webinar of overcoming barriers.

One of the reasons that people may not have updated their existing policy or created a policy around acceptable use, data retention, or disaster recovery is because of barriers to doing that. 

Jeff, would you like to talk about some of the most clear barriers to getting started on this project?


Lack of Knowledge

Jeff Gibson: I think the biggest one is just, especially with a smaller organization, largely nonprofits, but there are very small IT and HR organizations in the private sector as well, is the lack of knowledge. And the fact that some of these are ever-shifting.

If anybody watched the GDPR rollout over four years, or the GLBA rollout over six, I think they’re still technically rolling it out. I think there’s two years left of changes. But that’s a three- or four-hour kind of study every time they came out with a new section of that policy or a new section of the legislation became relevant.

GDPR is the European right to be forgotten – essentially, your data privacy. Anybody who resides within the European Union, if they’re from there or they just moved there, if they have a European address, they have the right to request your organization to forget about them and/or anonymize your data to the point where they’re unrecognizable and then validate that within 72 hours. 

The other one is the Gramm-Leach-Bliley. It’s just a fiduciary and sort of control set of legislation for organizations dealing with, in the private sector, depending on what their barrier of business is. It impacts cybersecurity, cyber insurance, your audits frequently bring those up.

Those types of things that are mandated, they change a lot. Even the forms you use change a lot, and the government’s not big on sending you the updated forms. So I’ve done audits with a three-year-old form before, and they will have the government roll it out six weeks before you started but it didn’t necessarily feel compelled to tell anyone.

The barrier is the lack of information and lack of time, which is our constant, you know, Achilles heel. 


Lack of Buy-In from Leadership

And then the sort of buy-in from leadership. It’s always, go do everything you’re supposed to do, but I’m not going to make a lot of extra time for it. It’s that conversation with leadership, to say, look, this is a thing we have to do and explaining to leadership what the ramifications are of not doing it: higher cyber insurance costs, potential breaches in information, constituent information, financial impact to the organization, cost of doing business increases. 

There’s a litany of trouble and effects that could happen. For the last 25 years, we’ve been saying, “Oh, we’ve got to get to these policies, we’ve got to get to 20 different organizations, we have to get to these.”

Now they’re becoming forced, whether it’s by fines or government control or insurance costs or security concerns or whatever the case may be, but a lot of forcing mechanisms have shoved policies to the forefront in a way they’ve never been. 

I think getting that buy-in and leadership, and that’ll allow you to get a little bit of time to implement the policy. And then like I said in the webinar, they also explain to leadership and constituents and stakeholders, we’re not going to be able to do this project because we have to do these things.

And that is a tough conversation, but also, going back to the old trope, explain why it’s relevant to the organization, explain why we have to do this and why it’s necessary. 


Have a Public Time Frame for the Implementation 

And then also it’s helpful just to give them a time frame. “We think this will impact your timeline by six weeks.” People give you a lot of grace if you explain, give them a time frame, so it’s not the IT black box.

Carolyn Woodard: That is good advice to give people a time frame. Thank you so much, Jeff, for that explanation of the regulatory structure of the reason the policies are needed. And maybe more recently we feel forced to put policy in place – that maybe we’ve been going along without a policy for the last 20 years of our nonprofit, but now we can’t get insurance. So, in fact we have to have this policy. 


Barriers to IT Policy Know-How

Nura, are there any barriers to knowledge, particularly around an IT policy itself? And do you have any advice on overcoming those barriers?

Nura Aboki: There are barriers to IT knowledge. 


Lack of Resources, Including Staff

One is a lack of resources in general. Nonprofits operate with limited resources, which can make it difficult to allocate sufficient time and personnel to develop an IT policy. And the IT policy development requires expertise, understanding your business, and essentially trying to make sure you tie it to your strategic goals. Aligning your IT policies with your strategic goals, this will help you ensure that technology investments directly contribute to your mission.

In order for you to overcome this IT lack of resources barrier, you want to take a look at how can you upscale yourself? How do you leverage what you have, leverage communication or IT to upscale your staff?

There are certain new technologies, emerging technologies that can help you quickly get started on developing. 

The first IT policy that you may think of is acceptable use policy if you want to update your policy. You may hear AI, AI, but you definitely want to be careful about which AI you use, and you want to have an understanding of what the risks are in using AI results, generated results. 

But if you don’t have anywhere to go to, this is one way you can curate information. AI will pull some samples for you to help you get started. But you need to really get a professional involved that has experience, not just about the development but also with rolling policies out successfully. We talked previously about this, but certainly I see the lack of resources as a barrier and upscaling your staff as one way to overcome that barrier.


Start Small

Another thing I want to mention here is also, you want to start small. If you don’t have any IT policy, if you want to update your policy, you want to look at which policy is most effective right now.

And what we found and have seen now in the nonprofit sector is the Acceptable Use Policy is the most important. If you’re able to get that single document done, then you can add other documents gradually. There are some situations where a nonprofit will be required to develop a policy so that they can get the funding for a project or a cause.

So those are unique situations. And in those cases, you probably want to work with a professional that has done this in the past to help you achieve those developmental goals for creating an IT policy.


Mindset Change

Lastly, one of the barriers that I think we emphasized in the past, is certainly the mindset that nonprofits have of focusing exclusively on their mission and goals, which can lead to IT being overlooked or undervalued.

But changing mindsets, getting the board involved, the executives buy-in, can promote IT and the use of technology, which will drive and improve their programs. And in a sense, there will be a consensus around, “hey, let’s develop policy to help us achieve our mission.”

Carolyn Woodard: Well, and certainly a professional board will have a governance committee for board governance. So those may be some champions that you can involve to encourage your leadership to develop your governance of the organization itself around some of these policies. 

And I just want to jump in and say there are a bunch of resources on our website, from that webinar on IT governance, with some links to templates; Making IT Governance Work for Your Nonprofit. Because I would imagine that another barrier is knowing where to start.

So, if you have an existing policy that may be a decade old and doesn’t refer to AI or cybersecurity or other tools that you’re using, you probably still want to start with what you have and update it.

But if you don’t have a policy at all, we do have some links to some templates. I know one of the barriers is finding templates that aren’t so generic and often aimed toward larger corporations, not even nonprofits. They’re just aimed at a big company, and they aren’t very useful. So that’s another barrier that people are going to have to overcome. Finding a template that’s a good match for what you’re trying to do. 


Barriers to Roll Out

Can we go on maybe to some barriers around rolling out your new IT policies, which I know we just spoke about being able to implement these policies, but could you talk a little bit about the barriers that people have? And we’ve talked indirectly about a few of them, like being afraid that someone in a department that doesn’t know anything about the tools that you’re using is going to tell you what to do, is one of them. Maybe fear is another, but can you talk about other barriers to your staff caring about the policies that they need to implement?


Fear/Indifference

Nura Aboki: Certainly rolling out comes with its challenges, and fear is one. Someone is going to tell us what to do, and it may be difficult to take it all in, especially not knowing exactly the consequences of signing a policy. This can be a barrier, but typically this kind of barrier comes when leadership may not have gotten staff involved in the beginning.

If it’s a top-down approach where the leadership is just saying, “Do this, it’s mandated on you,” then that seems to be a situation that will cause fear in the staff.

Carolyn Woodard: Or indifference, right? People who are just like, “I’m going to skip ahead to the end of that video and say that I watched it because it’s all the same stuff and it doesn’t have anything to do with me.” 

So, I don’t know, do you have tips on overcoming that?

Nura Aboki: I also will say leadership should have the servant leadership kind of approaches to understanding the culture of their organization and how they can reel in people to show the value of such IT policies and how their organization’s mission can be achieved by adhering to this IT policy.

Leading by example is one way to overcome this barrier. Staff that are reluctant should be open to asking questions because underneath the concerns, if people don’t have avenues where they can provide feedback or ask questions, then it would be difficult for us to have an understanding. 

Open communication between leadership, HR and the staff should be in place where there’s free flow of information and feedback regarding such policies. 

I think people, once they feel they are heard, there’s chances that that IT policy is likely going to be successfully rolled out. Those are my two cents I would want to share on this.


Computer Based Training (CBT)

Carolyn Woodard: Jeff, I know earlier you talked about computer-based training and that particularly for certain policies and certain tools, you can really use computer-based training. If you can get over that, making people care about taking the training seriously and getting through it, do you have advice for that? 

Jeff Gibson: In terms of rolling it out? 

Carolyn Woodard: And using it? Are there ways to get staff to be more excited about computer-based training?

Jeff Gibson: I don’t know if anyone gets excited about computer-based training, if excited is a feasible goal, but yeah, they will comply. 

I think that the part of computer-based training that’s critical is recognizing it for what it is and using it just for what it is. It’s an indicator.

It’s a red flag. It’s not, “Okay, good. The staff person finally took it three times and now they scored an acceptable score.”

That really is just more of a canary in the mineshaft. That result tells you where there might be some problems and where further training, or further conversations are needed or maybe even a tweak or enhancement to the policy. Maybe IT didn’t think of something, or the stakeholder didn’t think of something when they added it that becomes fleshed out or raised to the fore when someone actually is doing the work on a day-to-day basis when they review a policy or review the training.

I think CBTs are great for wholesale understanding of, “87% of the staff understood what we were saying. This 13%, they didn’t get it. We’ll make them take it again.” But I think that second part is probably the wrong approach. I would say “This 13%, let’s break down why they didn’t pass, what their issues were, and then have a follow-up session of some kind or some kind of further communication with that person or that group.”

Not everybody can afford CBTs. It’s a plug-in to an HRIS (Human Resources Information) system, nine times out of ten. There are also subscription models. 


Other Resources

But then I would say, don’t be afraid to use your resources.

Use your insurance company, whether it’s cyber or organizational insurance. They generally have resources that they can point you to that are free or very little cost or sort of group subscription rates for testing.

Even if you don’t have an HRIS, an HR information system, you can subscribe to these services. There are varying price points. There are varying costs per seat to take those tests.

And if not, even in the template section, going back to what we were talking about earlier, a lot of insurance companies have templates for different policies that they will share with you. Don’t take those as gospel, those may be outdated as well. But at least it’s a jumping off point. 

[Community IT did a webinar with Lockton insurance and their free download on controls is very valuable. Cyber Insurance for Nonprofits]

I think that’s probably your best bet. I wouldn’t rely too heavily on any tool. But the other thing is to use your common sense and make sure this policy really applies to your organization. Everybody has that temptation, especially with AI now. I know I’m there. “Oh, we’ll just have AI do it.”

You have to vet that AI result. You have to filter through that to make sure it’s appropriate. That could be even more catastrophic if something was in there in your new policy that absolutely shouldn’t have been in there, and it was missed.


Mindset Change: IT Policy as an Opportunity

Carolyn Woodard: I guess I’ll end with a philosophical question for both of you. In your experience, have you run across organizations, or do you have ideas on turning this policy creation or revision from something that’s just onerous and you have to do it, into something that you can see as an opportunity? A way to give control to staff around what the policy is going to be for a tool that really impacts them? A way to create a caring environment at a nonprofit where people are concerned that everyone is complying with a policy because it’s protecting their organization? 

Do you have any anecdotes or experiences of a leader or an organization that was able to see this as an opportunity? 

Jeff Gibson: I mean, it’s tough. I think the only opportunity I’ve seen from it is it is an opportunity to overcome a challenge in so much that this does force your organization, especially on the IT front, to become a little more consultative.

And it really makes you kind of, even if it’s outside of your comfort zone, get out there and make IT more than just the people you call when you need a computer or when you can’t get to a system. 

It’s an opportunity for, especially IT leadership and staff, to show that they understand the organization more and how IT fits into that organization and some of the IT ramifications upon the organization that maybe those individuals hadn’t considered or hadn’t had a chance to think about.

It might help further the relationship building between IT and your business units or your divisions and show the value IT can bring outside of just, “Here’s your new PC.”

Nura Aboki: I’ve seen an organization turn this into an opportunity, but leadership had to realize that IT wasn’t at the decision-making table.

They hired someone that understood the value of technology, but they didn’t know how to implement technology at their organization. So they brought in someone with the experience to sit at the executive team to guide the implementation of IT and make it aligned with their strategic goals. 

Then that person introduced the concepts of IT policies, asking IT governance concerns, and began looking at documentation, review and HR policies. 

It was important, but the right people have to be there, and leadership buy-in must be there in order to say, “Hey, we have an issue here. We don’t have someone or the capacity, do we bring someone outside or do we hire from within? Someone that’s going to own this effort to drive our IT governance and policies and make sure we are in compliance and also carry the staff along and project the investments of IT that needs to be done at the organization.”

Carolyn Woodard: Great answer, both of you. Thank you so much for joining me today and exploring a little bit more of this topic around IT policies, what may be holding you back and some good ideas on implementing and rolling out new or updated policies. 

I just want to thank you both, Nura and Jeff, for joining me today and I really appreciate your time.

Jeff Gibson: Thanks for having us back.

Nura Aboki: Thank you. It’s a pleasure.