Nonprofit Radio for July 13, 2026: 5 Project Management Tools For Non-Project Managers, Cybersecurity On A Shoestring & Make Confident Tech Decisions

 

Adrienne Figus: 5 Project Management Tools For Non-Project Managers

From project charter to closing report, Adrienne Figus walks you through the essential tools to help you take control of the changes you may find yourself leading. She’s with Madison College. Here are the resources Adrienne refers to.

 

Edward Wilson & Ellen Samuel: Cybersecurity On A Shoestring

Our panel covers 10 essential security measures every nonprofit can implement right now, without an IT team and without breaking the bank. From knowing where your data is to changing default configurations. And from firewalls to offboarding data. They’re Edward Wilson at ArchTech and Ellen Samuel from Just-Tech. Here are their resources.

Simone Carvalho & Rebecca Kaplan: Make Confident Tech Decisions

Simone Carvalho and Rebecca Kaplan explain when you need an audit of your tech stack, and the steps to conduct the assessment. Along the way, you’ll lean on surveys, interviews and process maps. Simone is with Skeleton Key Strategies and Rebecca is at Feeding America.

 

Listen to the podcast

Get Nonprofit Radio insider alerts

I love our sponsor!

Bridge Conference: The conversations happening at Bridge will shape strategies, careers, and organizations long after the conference ends.

 

Apple Podcast button

 

 

 

We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.
View Full Transcript

Hello and welcome to Tony Martignetti Nonprofit Radio. Big nonprofit ideas for the other 95%. I’m your aptly named host and the pod father of your favorite Hebdomadal podcast. I have to apologize for the audio today in our 2nd and 3rd conversations. Consistent with the lackluster host that you know you suffer with, uh, he, I, Failed to plug in the, uh, microphones to my phone. For these two conversations. You see, at, at NTC, of course, I got all my remote gear. We’ve got 4 microphones set up, one for me and one for, and 3 for, uh, the other, for the panelists, the guests, and those mics go into the mixing board, and the mixing board plugs into the phone because my phone is where my recording app is. I use an app called Hindenburg. Well, for these two conversations. I didn’t realize that I had not plugged my phone in from the mixing board, so the sound you’re gonna hear in those two is just. My phone picking up voices, uh, along with all the ambient noise. So, the phone, of course, is sitting in front of me, so I’m loud and clear in these last two conversations today, but the guests are a little quiet and there’s ambient noise, and I did the very best I could to strip out the, Ambient noise as much as possible without reducing the, the guest voices, and I tried to elevate the guest voices and make them as clear as possible, but Uh, my apologies for the audio quality on the, the last two of today’s conversations. But nonetheless, I’m glad you’re with us. Cause I’d be hit with stomatalgia if I had to say the words, you missed this week’s show. Here’s our associate producer, Kate, to tell us what’s going on. Hey Tony, I’m on it. We wrap up our coverage of the 2026 nonprofit technology conference with three conversations. First 5 project management tools for non-project managers. From project charter to closing report, Adrian Figgis walks you through the essential tools to help you take control of the changes you may find yourself leading. She is with Madison College. Then cybersecurity on a shoestring. Our panel covers 10 essential security measures every nonprofit can implement right now without an IT team and without breaking the bank. From knowing where your data is to changing default configurations, and from firewalls to offboarding data. They are Edward Wilson at Arch Tech and Ellen Samuel from Just Tech. Finally. Make confident tech decisions. Simone Carvalho and Rebecca Kaplan explain when you need an audit of your tech stack and the steps to conduct the assessment. Along the way, you’ll lean on surveys, interviews, and process maps. Simone is with Skeleton Key Strategies, and Rebecca is at Feeding America. On Tony’s take 2. Thank you, N10. We are sponsored by the Bridge Conference. Tony will be with more than 2400 nonprofit professionals at Bridge, July 29 to 31 in National Harbor, Maryland. Info and registration at bridge.org. Here are 5 project management tools for non-project managers. Welcome back to Tony Martignetti nonprofit radio coverage of the 2026 nonprofit Technology conference. My guest now is Adrian Figgis, project manager at Madison College. Adrian’s topic is five project management tools you need, especially if you’re not a project manager. Welcome to nonprofit Radio, Adrian. Nice to meet you, Tony. Thanks for having me. It’s a pleasure. I love this topic, project management, something we haven’t spoken about on the show for a long time. Could you give us a high-level view before we get into some detail? Sure, so this session grows out of what I wish that I had had handed to me when I was first becoming aware of project management as a discipline and the challenges of projects generally, uh, before I became a project manager and a lot of that was handed to me, you know, here at the NTC over the years, many years ago, and so this is I’m here to try to give back and. And see how can I help at least a little bit with people who are dealing with massive projects without a specific project management background and try to increase the overall culture for project management in our nonprofit community. All right, thank you. So let’s dive in. You have, um, you have 5. 5 steps, not 5 projects, 5 tools, 55 tools that you’re, you’re giving back to the community. I love that. I admire that. Thank you. I, I consider myself a member of the community. I’m, I’m not involved at all in project management. I have a one person company, so my projects are modest, uh, by scale and in terms of yours in comparison with yours, but. I can still say thanks for giving back to the community. That’s awesome, awesome. You’re very welcome and, and thank you for the same, you know, I think you, you clearly give a lot back to this community too, and it’s really what we’re all here for here to do at NTC. We’re all contributing. All right, uh, first, before we get into the 5, let’s define what what you mean by a project. So the, you know, technical formal definition of a project is a temporary endeavor that creates something new. So that is as opposed to operations, which is the ongoing work that makes up, you know, the, what we actually are doing. Regularly on a regular basis, but those things flow together, you know, and, and there’s overlap in a lot of cases, especially in smaller, you know, organizations like, you know, yourself a solo shop or small organizations that don’t have a formal culture of project management. Um, but I think that core of it’s a new thing we’ve never done, so we don’t already have a playbook for it, and it’s, uh, a temporary thing that at some point we will hopefully succeed and be done with it, um, or it will shift and become our operation. ongoing and so project management are those tools that help us with that newness and temporarineness to then hand over to a related but different set of skills for for optimizing the operations. OK, um, is it necessarily, uh. A tech related tech project? I mean, could it be a capital project? Could could these tools apply to that kind of project or absolutely these tools are, are project type agnostic. Um, I, most of the projects that I manage have something to do with tech. I work as a project manager in an enterprise project management office in a college and we rest. Inside the tech department, so just by virtue of that there’s usually tech involved, but we’re also doing organizational change projects we’re doing, you know, things that maybe only incidentally have tech, and a lot of what I’ve learned about project management, especially through the NTC goes back to work that I’ve done in my previous career in fundraising. So a fundraising appeal can be a project because it’s, you know, that appeal itself is a new thing that will end it goes into your operational flow of projects. So really anything, um, tech is, is just the, the, the hook here. Oh, that’s our, yeah, that’s our medium here. OK, cool, yeah, um, so let’s go. Into the tools. What, uh, what are they? All right, so the 5 tools that I brought, you know, they’re, they’re by no means the only tool I talked to a project manager. There’s hundreds, but the 5 that I think are, are a good head start for people who, you know, have, have not done this before and might apply to basically any project are the project charter, the stakeholder register, the communication plan, the meeting agenda, and the closing report. Um, and do you wanna go into reasons why I chose those, or yeah, yes, but would you say them one more time for me? Absolutely. The project charter, the stakeholder register, the meet, uh, communication plan, uh, meeting agenda. And a closing report. OK. Yeah, so let’s start with the project charter. Sure, uh, so the project charter is a document, you know, it can take a lot of forms. It’s less common in organizations that don’t have formal project management, um, but you can do it in a really lightweight way. It’s essentially a contract that sets out the basic terms of what are we doing, why are we doing it? Who has given us the authority, what kind of resources do we have, both financial and people and time, um. How will we know that we did it correctly? So, so like scope, like a, a, a scope of work, yep, it includes the scope of work. Um, it includes the, the mission and vision of the project. It includes, you know, the scope of work also crucially includes what’s out of scope, what are we not gonna do, um, and it also pulls together who is in the project team, who’s in the governance, who’s responsible for the project, budgeting as well as in here. The scope is gonna impact budget, obviously, clearly, OK. Um, all right, anything else on the, on the charter? I don’t wanna go through, I don’t wanna go through them too fast. I don’t want you to give short shrift to nonprofit radio listeners. No, I could tell you’re not doing that. The, the charter is one that’s really easy to skip because it seems intimidating, especially if you don’t have a project management office, so you’re not a project manager, but even just a single one page that says this is who said it’s OK to go ahead with this project. This is what we’re doing. This is what we’re not doing, and you know we have a budget. It came from this department or whatever, um, taking the time at the start of the project to have those discussions to identify so you don’t get six months into the project and realize, oh, turns out no one actually gave us permission for this, and now we’re getting a lot of pushback, that kind of thing or what we’re not clear what the budget, yeah, I can see. I mean, like a lot of things, the preparation and the planning are valuable even though they’re a time suck, but they’re gonna pay off in ways that you may never even learn through the, the remaining 44 tools, right? I mean you, you’re gonna get creep and uh yeah, accountability and authority issues and things like that that you’re gonna avoid if you’re intentional at the. Yeah, at the outset, OK, um, I, I got an interesting question from one of the participants, um, who was describing a situation where she’s, you know, new to a, a department in her Oregon is being tasked with picking up a project that has gone adrift because there was a lot of staff turnover. The people who were on it are no longer there. There’s uncertainty of what was done. Things are in some abandoned asana boards, and she was asking about what to do to move forward. And I really think that taking some time to write a new project charter and say like this is maybe the phase two of this project we’re starting over again we’re acknowledging what was done, but we’re not gonna be bound by like a contract that was maybe implicitly created even if it wasn’t written down by people who aren’t there anymore to carry out the terms of the contract, but that’s a proxy for the conversations that have to be had anyway and it’s the the the charter as a holder for that. And then the register, the stakeholder register, so you know, projects like operational work and anything else else we do in pro in nonprofits are actually all about people, you know, nothing is gonna happen. AI is, is not there yet. Um, I, I don’t think it ever will be, but that’s not our topic. Um, anything you do in a project involves people, and the lingo in project management for people is stakeholders. The formal definition of that is basically anyone who uh will be affected by your project’s outcomes or you know the the tech work it takes to do the project, um, anyone who can affect the project either affect the outcomes or affect the way that the project works, um, and anyone who can get in the way of the project or enable the project to move forward risks exactly. So, so some of your stakeholders are, are people who may be threats but also may be your greatest allies later. Uh, so the stakeholder register is really just a list of all those people, and I’ve provided a template that is, uh, you know, it’s a simple Google sheet that gives you some ideas of things that you wanna know about those people in order to get them to contribute as best they can to the project, hold yourself accountable to checking in with them. And um if they are people who may present threats or or be you know a potential challenge for your project, how to activate them and turn them into champions and assets for your project but it all comes down to in the first place you have to know who they are and that’s what the stakeholder register is all about. OK, OK, um. Yeah, the folks who are going to be impacted by the project, I mean, I hope they have influence in the project too, so it’s not foisted on them and, and assuring, you know, non-use. And that’s one of the things that is absolutely the responsibility of the project manager. It’s also the responsibility of everyone else in the project, but I, I see an important role of the project manager as being the communications hub for the project, the, the person who anyone can come to me and say, oh well, there’s this project going on. Adrianne’s involved. I’ll just ask her what’s going on, and then I give them all that. Information even if I already emailed them 3 times, I’m always happy to tell you again because the fact that you asked me matters but I’m also accountable, you know, if I had Tony on my list of users who’s gonna be affected by this change, I have to proactively reach out to you to understand, you know, if you’re, if you’re an core user to understand what your needs are, explain to you how things are gonna be changing. But even if you know you’re my user but you’re not in my org, you know, like I don’t know you, I have to understand as much as I can about you to be sensitive to that and so sometimes you might be on my list of stakeholders, you don’t even know the project is happening, but it matters to me that it happens in a way that works for you so all of these things, um, again it just comes back to knowing. Who we’re thinking about in these projects, I could see that’s an important part of your work because you’re, you’re a big university, well, college, whatever, but a big organization. I mean big enough that it has a project management team that you’re on, so you don’t know a lot of the people unless you made projects with them before, but throughout the college, you may not know a lot of the stakeholders because you, you work in a, you work in a project management team serving the whole college. So getting to know folks, buying, getting their buy-in. I mean, I would think that’s a big part of your work as a project management. Expert team member, absolutely. Anytime I’m starting up a new project, I’m, I’m just about 2 years into my current role, so I’m just now starting to get my feet under me and understanding where all the offices are and when people use acronyms, I think I know what that that is and. At this point now I’m starting new projects that that involve people that I knew before, but it’s still my first task to say, OK, what are all the offices and people that are gonna be involved? What are the groups of students that might be affected or faculty, sometimes community members outside the college, some of those, it’s groups, you know, so maybe it’s all of the students in one, you know, area of the academic area or sometimes it’s all of the staff members in, you know, the library. Um, and so I have that group, but then I start dialing in and saying how do I learn more about that group as individuals? And then when I have actual individuals, how do I use the networking tools that I have available to me inside the organization to say, hey, like I haven’t met Mike before. What can you tell me about him? How do I, how do I talk to him in a way that makes sense to him and then introduce myself as, as the project manager, um, and help them see how they can interact. Because I, you know, you never want a project to get too far along and end up being a surprise to somebody who needs to actually be involved. Yeah, yeah, that’s, yeah, that’s poor. That’s, that’s the, that’s the, uh, antithesis of. Smart project management. Uh, number 3 is your communications plan. All right, so like how are we gonna keep in touch with all these stakeholders that we identified in the, in the, uh, register? Absolutely, yeah, and that’s they, they go hand in hand and personally I actually like to use a single spreadsheet with multiple tabs, one for my stakeholder register and one for my communication plan. I can just tab back and forth and see, OK, for each of these stakeholders, some of them individuals sometimes groups, those are audiences that I need to communicate with what can I put on the communication plan as far as one on one conversations or, you know, road show presentations or, you know, email blasts or however I can communicate but then as I’m writing out the communication. And I think of other things that I might wish to communicate and think about the audience and then if that audience isn’t in the stakeholder register, I scurry back over to that tab and add new lines. Both of those are are living documents that keep going through the whole course of the project as I learn more about the project, I learn more about the needs and the people and build it together and then next time I do a project that’s similar, I can go back and sort of take some of that information and, and start, uh, the next project. OK. Go ahead with 4, our agenda meeting agenda. So this one is a meeting agenda meeting agenda, yeah, it’s, it’s, it’s the simplest one. I, I don’t belabor it in my presentation, but it’s so important and something that is so easy to ignore. Um, I’m not an anti-meetings person, you know. I think that meetings are an important communication tool. I put them on my communication plan. Um, you know, sometimes a, a week-long email chain could have been a meeting, um. But it’s a sort of a sacred trust to ask people to come to a meeting. You’re asking them for their time. You’re asking them to put themselves out there and hopefully feel that they’re actually contributing in this case to the project, and part of that is the agenda. You need to have a goal for the meeting. You need to understand who’s invited, who of your stakeholders are invited. You need to understand what are you, uh, attempting to discuss, accomplish, what decisions do you need. But also you need everyone who’s coming to the meeting to have access to that information up front. If I just call, you know, you and, and Amy and, and 3 other people into a meeting, but I don’t tell you what’s happening, you’re coming in puzzled, annoyed with me, not ready to engage. You might just like say no at the last minute. But if I send out the agenda and say like, here is the importance of this meeting, here’s why you, Tony, are coming. And if you can’t come, I need you to delegate somebody from your team because we need this decision. sharing that information up front helps to level the playing field, make sure we have everybody in line and really get value from that meeting. So what kind of meeting cadence do we need that varies by project and we have like an 18 month project. Yeah, um, that’s something that I like to negotiate with each project. Uh, very commonly I’ll have a core team that’s usually like, you know, between 4 and 6 people who are steering the project and maybe, you know, they’re doing hands on tech work and I’ll do a weekly check-in with them and we know it’ll be sometimes a half hour just to say here’s what we’re doing. Um, which we’re ready to cancel if nothing new has happened and so that’s a big part of the agenda is like check in a few days beforehand. Can we cancel this or do a asynchronous check-in. Then I like to do sometimes like either biweekly or monthly meeting with more of a steering committee that are people that have decision making authority or who are very, uh, concerned stakeholders but maybe not doing the actual work of the project. And then I’ll often, especially in a longer project like an 18 month or a 2 year project, I’ll have subareas within where we’ll have, you know, meetings once a week for 2 months for a sub team that’s working on something really heavily in that 2 months, but it’s only the people that are actually doing that heavy work like I, I had a project where we. We’re doing um some compliance uh regulatory changes that needed some technical updates but also needed quite a bit of um information sharing and communication to bring the whole college community along because it involves some somewhat significant business process changes to meet our new state regulations. So we had a communications subproject that involved doing a lot of website updates because you know for a large institution getting all the approvals to update the website and just the mechanical work of that is a lot so we had a, a little communications strike team of of 3 people and we were meeting once a month or once a week for a short period of time while the overall project team was meeting at a different cadence. OK, so it’s uh that’s part of setting up the agenda is if it’s a recurring meeting, getting everyone to agree on the cadence and then revisiting that. I, I also like to revisit a meeting cadence about every 6 months and say, or in, in higher ed I’ll do it on a semester basis like, so you know, for spring semester we met this regularly. Do we need to do that for the summer? And on our closing report, so the closing report, you know, it’s, um, brings us back to that definition of a project that by definition it’s a temporary endeavor that means it has to end, but this is a thing that really trips a lot of us up, especially those of us that don’t, you know, currently I, I work in a place that has very defined policies around closing projects for budgetary reasons, but at my previous roles, um, it is very common, and I know a lot of people that this is very common that a project will just keep going. You know, maybe you weren’t able to accomplish what you thought you were going to or you had some staff turnover and no one’s quite sure what’s happening or like, you know, a grant got pulled so you had to put it on the back burner but you didn’t actually close it because maybe that’s admitting defeat or you’re not quite ready to declare victory and it’s just there. And then it becomes a major, you know, psychic and time weight on everyone who was involved with it because even if you’re not working on it day to day it’s in the back of your brain and you remember, oh yeah, you know that that refresh on the website that we decided not to do. I’m still gonna think about it every couple of weeks and so having a way to close a project, um, by, you know, policy and will of your organization but also a practice and a template to do that. Whether it’s because you finished the project successfully and you’re gonna celebrate it, it’s wonderful, or we’re acknowledging, you know what, having this project open no longer meets our needs, so we’re gonna just close it down and we’ll have lessons learned, no blame, it’s just, it’s OK. Um, having a template ready to go that you know at the start of the project, um, you know, would help you sort of write your charter to say how will we know that we’re done preparing yourself to then close it, I think can help lessen that pressure of just having these projects that just don’t stop. It’s uh yeah it’s a boundary like we know this is completed good hopefully not bad let’s say just good or indifferent it’s it’s wrapped up you know we’re all moving on. OK, it’s time absolutely and then the report itself can live in your organizational files if you have a PMO. It lives in your PMO, but then it’s there for re, uh sorry, project management organization, and that’s the group that I that I work in. Um, but there are organizations that have what they call a PMO, but it’s just one person who holds all the templates and the records that, that can be a PMO. But your, your way of doing projects, and maybe it’s just a file in your OneDrive, um, but if you have those records of all these past projects, then when you do a new project and you’re gonna charter a new project that’s somewhat similar, pull out the closing report from the old ones that were similar and say, what do we learn on this project about how we operate. Great things we did that ended up not being productive for us, things that were really great, um, you know, and that will make your next charter and your next set of meetings and everything else much easier and, and better for the next time. Where do we document changes, uh, uh, process changes, maybe staff changes that are that have been made? We’ve been doing it this way at the college for many, many years and now that the. Our project has closed. Uh, Business processes have changed. Maybe reporting responsibility or who’s responsible for different things that changed? Where do we document all these these organizational changes? Oh, that’s a really good point. So that’s part of the closing report is. Acknowledging that you did the handover to operations and so the closing report should document the decisions that you made, the changes that you made, but just because it’s in the closing report of a project doesn’t mean it actually happened I think is what you’re, you’re, uh, implying, uh, or or alluding to and so, um, that’s where the like projects shaking hands with operations really comes in is you’re saying OK, this project made this happen. But then some team, you know, some operational team or department or person has to take responsibility for that, so you can’t actually close the project until you’ve done the handover. So, you know, oh, I’m, I’m, you know, did this project where I, you know, helped you implement your new scheduling system for your, uh, podcast guests, um, until I hand it over and you say, OK, I acknowledge that I have this new process and it’s, it’s in my area. I can’t say my project is done because you didn’t actually take it on and agree to do it. Um, do we have a ceremony or what is there a ribbon cutting? I mean, if it’s a physical project that could, but still, even so, that’s ceremony, that’s not operational continuation. Mhm, um, yeah, so you can have, I, I highly recommend having, you know, a, uh, some sort of a ceremony to close the project, a final meeting or a pizza party or something, but that sort of that handover of the new. Things I like the idea of it having to be some sort of a pomp or circumstance to make it happen um but the recording of the new policies should be done in whatever way you are recording your policies so like however you had it written before you change and put it in now if the project was to set up a change in tracking system for your things then you’ll have it. OK interesting all right um what else, what else did you talk about in your session that we haven’t talked about with our listeners. So one of the things, and, and you know I can share with you the link to the templates, um, yeah, actually, would you do that you email me the link and then I’ll include it in the show notes. Absolutely I can do that and, and I really encourage anyone to, to take a look. They’re all um. You know, the just Google Docs and Google Sheets. Anybody can download them, brand them yourself, use them, you know, fully free. I have a little CCB license on it, but really I assume you’re gonna be changing them enough that it’s your own work if you use it, so it’s my interest to get it out there. But in each of those, um, areas. As people who work in nonprofits and mission based institutions, I think each of these tools is an opportunity for us to like express and forward our values, um, so in the project charter you should be writing your project vision or project mission in line with your vision and mission of your organization. You should be expressing your values in your stakeholder registry. You should be expressing your values based on who you are targeting as your stakeholders that you know it’s not just like you. Googled and saw, OK, who should be a stakeholder for a website change it’s, you know, your people and your people who matter to you on a deep level as an organization, go for that. Um, there are some really useful things around accessibility that you can do in a stakeholder register. You can note, you know, are there people who have specific accessibility needs like do they need a wheelchair accessible meeting room, um, so you make sure that you have that for them or you have live. Optioning so that you don’t have to keep asking people the same questions in order to make sure that they are able to be in the room with you. Same thing with your communications every project communication you send out should be an expression of your organizational values, um, and that’s gonna play out differently depending on the project, but, um, I, I think if we keep this in mind and make sure that, you know, we’re, we’re not ignoring that aspect of it just to drive a project through we’re all gonna end up with better outcomes in the end. That’s a great place to end. That’s perfect and with values. Absolutely. Adrian Figgis, project manager at Madison College, Madison, Wisconsin, thanks very much. Thank you for sharing. Well, thank you, Tony. This has been lovely. Thanks and thank you for being with Tony Martignetti nonprofit radio coverage of the 2026 nonprofit Technology conference. It’s time for a break. We are sponsored by the Bridge Conference, produced by AFP DC and DMAW July 29 to 31 at the Gaylord National Resort and Convention Center in National Harbor, Maryland. More than 2400 professionals will gather at bridge. Tony will be with them. The question is, will you? Thought leaders from nonprofits, associations, foundations, hospitals, higher ed, faith-based, and mission-driven causes across the country come to Bridge to discover new ideas, solve real challenges, and connect with smart people shaping the future of our industry. From 125+ educational sessions and hands-on pre-conference workshops to bridge tech, the faith and fundraising forum. And inspiring keynote speakers, Bridge offers something for every mission and every role. The conversations happening at Bridge will shape strategies, careers, and organizations long after the conference ends. Don’t hear about it afterward. Be in the room. Register at bridge.org. Now it’s time for cybersecurity on a shoestring. Welcome back to Tony Martignetti Nonprofit Radio coverage of the 26 NTC. That’s the 2026 nonprofit Technology Conference where we are all gathered together in technology community in Detroit. My guests now are Edward Wilson, principal at Arch Tech, and Ellen Samuel, COO at Just Tech. Edward, Ellen, welcome to Nonprofit Radio. Thank you for having us. I’m very glad you’re with us. Your topic is cybersecurity on a shoestring, safeguarding nonprofits in the age of AI. Um, Ellen, could you do, uh, just give us a 30,000 ft view of the topic before we go into the details? Sure. So we wanted to make sure that nonprofits understand the importance of, uh, cybersecurity and securing their technology and their. Staff and the client information and data and we went through how we can do this, uh, affordably or as affordably as we can. So, um, we went through the importance of why, why, um, nonprofits are at risk and how they are attacked and then, uh, some, uh, list of things that nonprofits can do. Relatively cheaply in order to maintain their security. And then we had a bit of a dive into business and compromise and wrap things up at the end with some amazing questions from the audience. OK, well, we’re, we’re gonna talk about all that and uh maybe even some of the questions. We’ll see. So we’re gonna, we’re gonna go into some details. So thank you very much for uh giving a high level view. Um, why are we, uh, Edward, let’s turn to you. Why are we, uh, nonprofits at risk? How are we at risk? That’s a great question. One of the things that we run into with most of our nonprofits is that there is more demand for their service than there is budget to help them meet that demand, and that leads to a lot of difficult decisions along the way. Nonprofits are actually the number 2 target these days for cyber criminals because they’re aware that there’s some weakness in that area where we haven’t strengthened the whole picture. We underinvest in cybersecurity because we’re more devoted to mission and programs. Yes, and sometimes I think there’s that, again, it’s an education thing, right? So we’ve seen nonprofits who have spent a lot of money potentially covering one small space of what they need to work on. But leaving other picked areas of the business not covered. And so our goal was to help them get that 360 degree coverage for less than they might spend on one fancy tool on a shoestring, or cybersecurity on a shoestring. By the way, I love we have like some symmetry. Edward Nellen, Archtech Just Tech, uh, it all, it all seems to fit together very well. I wish he had the same. I wish you had the same initials, your last initial. Maybe you could change your name to Samuel. Edward, maybe you could change your name to Samuel. Yeah, Samuel’s, yeah, Ellen Samuel. It’s cool, like Ellen Samuel, Edward Samuel, Arch Tech, Just Tech. OK, we’ll, we’ll, we’ll work with, work with what we have, you know, it doesn’t say he’s, he’s, he’s open to the idea, but he’s not about to run out and do it, so change his name. So, all right. Yeah, all right, all right. So we’ll stick with the, uh, I like the architectch just tech. All right. Um, so, I don’t know, should we just do like do ping pong? Like you have 10 essential, oh, let me, uh, I do have a threshold question, um, from your session description, 10 essential security measures every nonprofit IT team can implement right now, do we have to have an IT team? To do a lot of these 10 essential security measures, or can we do it if we don’t have an IT team? Maybe would outsource IT vendor helping us. Is that OK? Or do we need to have an internal team? Absolutely we understand that most, a lot of nonprofits don’t have probably most our listeners are small and mid-sized nonprofits. We’re the other 95, we’re the other 95%. So exactly. So we have one person who is the IT team and they’re not trained in that. Um, that’s one of the services that we as new service providers provide more affordably to nonprofits is we can give them those services and that expertise without having to hire a full time. OK, OK, so we can still take advantage. Of the 10 essential security measures that every nonprofit can implement right now without breaking the bank, we can still take advantage of these. Absolutely. Otherwise the mics are going off and we’re done. We’re done in fewer than 5 minutes. All right, that’s good. Whether they have an in-house team or they’re using an external team, that list of top 10 items is a great checklist to walk through. And say, am I covering all of these things with our in-house or external team? So for decision makers, really important. All right, let’s get into the, let’s get into the 10s, kick us off. Give us numbers 1 and 2 because we’re not going to go 1 Samuel, I mean 1 Edward, 2 Ellen, Edward, Ellen, Edward. So let’s do like 2 or 3 at a time. Edward, give us our top 2. Sure, the first thing we say is that you need to identify where all of your information systems actually are. People store information in a lot more places than they think. They may think a server or an email system, but you’ve got your accounting platforms, your HR platforms, your telecommunication platforms, your backup platforms, backup email, online giving, making sure that you understand all the places that you need to protect, controlling what we call the information system boundary. And then we want to protect access to that by protecting the users who access it with things like MFA passwords, and so on, and even protecting the devices that access that where we can. OK, is that 1 and 2? That is 1 and 2. OK, so number 2 is the protection of the data once you identify where it all is, protecting that access. Absolutely. OK, protecting access. All right. Ellen, it’s your turn. So one of the highest ROI things that police can do or organizations can do is implement MFA multi-factor authentication. And this, for anyone who doesn’t know, is a way of logging into systems. Using both a password and something else. So a token, um, a text message, we all know about this using from our bank, um, other systems. It is one of the the best ways that you can protect your users from being Attacked or or people giving up their credentials to your system and it’s usually free or easily to easy to implement and uh we see a surprising amount of organizations that just don’t have it turned on. They just haven’t checked the button and we need to do it. OK, so number 3 is do MFA.A. It’s just, it’s just an extra step. I mean. Uh, I, I think initially maybe it was annoying, but now it seems like it’s just, OK, I’ll, I’ll get the text. I don’t know. Maybe this is true on Android phones. I know on iPhones you get the text and you don’t even have to put the numbers in. If you’re on, if you’re on the phone, it just says use, use from text. Put the numbers, yes, tap that and it fills in the 5 or 6 numbers. So you don’t even have 5 or 6 keystrokes that you have to do, key taps, I should say. So, all right, do MFA number 3. All right, what else? What else for? Talk about also changing your default credentials to your hardware that you get. So you get um a camera that comes with uh default credentials that are open and available. That information’s on the internet. And anybody can come in and log into those systems and do kind of nefarious things with those. And it’s really easy and cheap. It’s free to go in and change that information on your routers, on your Internet of things devices. Just go in and change those things so that people can’t come in and look at your video or get into your system because they’re because they’re standard format defaults, right? It’s like, yeah, I just right. I just learned one, you know, on WordPress, the admin, the admin URL is standard like WordPress slash admin hyphenWP or something like that, or WP hyphen admin like, so everybody knows that and, and it’s easy for a bot to, to. To exploit it, OK. And that also, that, that also applies at home, like your, your ring, your ring system, your refrigerator, whatever, you know, whatever, like you, you mentioned the internet of things. I’m just, I’m just drilling down. Whatever you’ve got, it came with some default admin password. Your, your home, well, home as well as office, um. Um, internet access, Internet, right? It’s like Ocean 307 is your Spectrum router default, yeah, change, yeah, Ocean 307. That’s not mine, right? That’s not mine. That’s not mine. That’s not mine. Yeah, mine is 307 Ocean. I’m very savvy about, I’m very savvy about passwords. Yeah, yeah, that’s it. No, no, don’t do that. That’s bad advice. Don’t follow that. Don’t, I don’t want anybody saying I did that, and he said it was a good idea. All right. All right, so number 4, change your default configurations on all your devices. OK. All right, Edward. Edward Wilson is up. I like the next one. Update your infrastructure. So I’ve actually got a story about this one from yesterday. One of the things we do is free security and incident response for nonprofits. They can just call us and we’ll help them out if they run into a security incident. And our most recent call came in yesterday from somebody who had had their router hacked, and they were using an old Ocean Ocean’s 307. It works. It works. You use that everywhere. That they were using a Cisco router that had been installed in 2014 and had gone end of life in 2020 with no additional security updates, and the interesting thing was as we got into this and we looked at it, the last time that it had been updated, the firmware on that was in 2014. Well, they hadn’t even done the updates from 2014 to 2020 we’re 12 years behind on updates for this, and that’s one example of just needing to keep that infrastructure up to date. On our laptops it’s our Windows OS updates. It’s our third party software patching, which a lot of people don’t think about. The browsers that we run, Adobe, keeping all those other programs that are on our computers up to date, so you just click the automatic, just tap the automatic updates option. A lot of times that’s going to take care of Windows, but it might not take care of everything else, so IT teams want to be conscious of that. OK, OK. Update the infrastructures. All right, that’s incredible. So they even, I mean, so the, right, the product had been no longer um supported since 2020. But even before that, from 2014 to 2020, they hadn’t done any updates. Missing six years of so, yeah, right, like 2015, it was out of date for the, and, and, OK, that’s a bad situation. Honestly, we were a little surprised it took so long for them to get hacked given that you’ve been lucky all these years and you should be, you should be thankful. But we do these um technical assessments, both our organizations do where we’ll go in and we’ll look at organizations and one of my very favorite standards for us to look at is the HIPAA compliance standard, the HICP that the government publishes and puts out there for free. And the smallest one that’s designed for physicians’ offices of less than 10 physicians, the average score on that is about 50%. So this is common in the nonprofit world. All right, you have one more, Edward. We’re doing 2 at a time. Got it. I like using the firewall, making sure that we’ve got that set up. We used to be very complex in our firewall setups, and now that we’re more cloud-based, that becomes less important. We want to secure the user and device no matter where they are. But firewalls still have great tools to help protect us at the office. And so just making sure that we’ve implemented many of our vendor best practices. It’s the same among most brands, not using some of those default configurations, making sure that the admin access to the firewalls is MFA protected, goes back to the story I just told. Change that default, make sure you change the default admin on the firewall. Yeah, but firewalls are so annoying. Yeah, they’re going to prevent content from, they’re going to prevent pop-up windows. Sometimes I need the pop-up window because I do want to subscribe to the, to the, to the nonprofits newsletters. I want the. The firewalls are radio programs and podcasts. We don’t have, we don’t use pop-up. Yeah, we don’t even, we don’t even pop, we’re not even that sophisticated. But no, all right, so how do I overcome the objection in the firewall, uh, it’s so annoying. I have to load the content directly or I’m, I’m missing out on pop-ups. I’m getting warnings from some sites. How do I overcome? How do we, how do you two at, uh, Just Tech and Arch Tech overcome these? Naysayer objections. I think that leads nicely into one of our other top 10s, which is to train your users and explain why we’re doing these things, why they’re important, what the risks are, and what these systems do. We find that our organizations really do not put the time and effort into training the people at the organization. About how to use their technology safely and efficiently and effectively and a lot of those concerns, a lot of those issues you can handle in those trainings and talking and explaining, yeah, this might make it a little more difficult for you to do your day to day work, but it’s important because we don’t want other people getting into our system. We have really important client information that we are protecting, so. You need to make sure that you’re training, training people on technology and safety and security. OK, can we call that number 7 then? Training, training in it. OK, training, train the users. You get another one. Go ahead, Ellen. OK. Another really important thing is that when people leave your organization, you need to make sure that you are completely off boarding a lot of. Organizations just kind of missed this step. They don’t lock people out of systems. They don’t clear their computers. They, um, they don’t make sure that people don’t have access to their systems anymore, and it is a huge security risk regardless of who it is. If it’s an intern or volunteers in particular, you know, they just kind of set up. Forget about them, but people can do a lot of damage and the systems can be opened and hacked if people are not properly. OK, so it’s more than just taking back the ID card. There might be a code for entry. They might have a personal code for entry into the office. You got to disable that code. You don’t want these people coming back. You just, you just perp walk them out. Let’s not have them come back on Saturday. Using their their personal code to enter the building. Another thing that we recommend is using a password manager because a lot of our organizations, even though they shouldn’t share passwords among their staff, and for example, we do use a, we, um, work with a lot of law firms and sometimes there’s court passwords and court system passwords that you have to. Share, um, and giving those out to people and having them save them themselves is really a risk. So having that in a company provided password manager that can better protect that information as well so that when somebody leaves they don’t have access to that. Oh, that’s interesting. OK, so there are some that have to be shared. OK, yeah, Edward, one that would be really interesting, I think, for your users is to realize that when they’re on that company device and they’re saving passwords to their browser, we’ve seen people do things like log in with their personal Gmail account. Not only is this problematic in terms of saving their passwords to their personal Gmail account, but when they leave the organization and they give the laptop back to IT, there’s the potential to get in and access that information. And this will lead users to support the adoption of company password managers. Highly recommended. OK, Edward, thank you. That’s a good one. That reminds me of a story I heard. The organization provided company phones. But uh I recently. Dismissed employee. Didn’t use the company phone. All her personal info was on her own phone, and all her company info was on her own personal phone. They took the personal phone, or, or maybe it was the other way around. She, she had all her personal info on the company phone. That’s what it was. She lost all her contacts because they took back, that’s what it was. She had everything on the company phone, they took back the company phone. They took it. She lost, like she had to ask for permission, you know, can I call my husband to let her, let him know that I, I don’t, I’m not employed anymore. Um, yeah, I mean, she lost everything, all her, all her personal contacts gone because it was on the company phone. Big mistake. If your company’s giving you a phone, you gotta, you gotta use it just for company info because if, even if you’re, you know, you don’t necessarily have to be perp walked out. You might, you might resign. You might go to another job when you’re surrendering your company phone, you’re surrendering everything that’s on it. Very risky, very risky. All right, that’s a good one. OK, so off board completely, that was kind of we spun off from offboard completely. So I think we have 2 left. Is that, does that sound right? One of my favorites is to separate admin and user accounts, and this goes out to the IT staff who are logging in as an administrator every day on their systems. If you’re logged in as an administrator and somebody compromises you, then they are the administrator, right? And so it’s really important that we have a daily use account and that we keep those admin credentials separate for only admin purposes. Don’t don’t share the admin credentials because it’s easier. OK, just use this, just use this and you’ll be able to change your desktop. Never. Share admin credentials, but also if I’m an IT administrator, I need to have an account that I’m using for daily work that does not have administrative privileges. The only nonprofit I’ve ever seen truly go under from a cybersecurity personally that I’ve seen go under from a cybersecurity incident happened because the IT director was just using their admin account for regular work all day long. They hit the wrong link. They ransomware the entire organization. I see. Oh, using, OK, using their admin account for day to day. All right, now I see the implication because now the attacker had admin privilege, had admin, right, right, right. They hacked the admin account, not just the user level account. OK, that’s an excellent one. You love these. I can tell you, Edward, Edward’s like smiling. He loves all these. I mean, Ellen is smiling too, but Edward’s OK, gleeful. Edward’s like gleeful. Ellen is just smiling. All right, passionate about making affordable cybersecurity a reality for folks because sometimes these are things we don’t work, work through or think about. All right, that’s why we’re cybersecurity on the shoestring here. All right, you have one more left. Are you? Deferring to Ellen for the final. OK, OK, because by right this would be Edwards because we’re doing 2 by 2, but he’s surrendering. Chivalry is not dead. Chivalry has not died. It’s, it’s embodied here in this seat. That’s right. So it’s a trade-off. Yeah, yeah. OK, go. So another thing that organizations really need to do is have a disaster recovery and business continuity. We see again organizations this is something that you don’t need to hire somebody for, uh, but you can, um, but you need to make sure that you have a plan in place if and when you are compromised um a lot of times we hear it’s not uh a matter of if you’re gonna be compromised, it’s when, and a lot of places actually don’t even know that they are currently compromised. And there’s people in their systems you can if you get ransomware then you get locked out of your system that’s not the time you wanna figure out what are we, who am I supposed to contact? Who’s our cybersecurity insurance provider? Who are my IT people? What is the cell phone number of the IT person, right? Like these things that you need to have worked on, have written out. I even recommend printing them out like old. School having a physical printed copy because when you’re locked out of your systems, you’re not going to be able to get in there and look at the documents. You’re the, you’re the second guest here at NTC to say print your disaster recovery. She, she and I were talking about disaster recovery and incident recovery, and she was making a distinction between the two, but she and, and the business continuity plan have these things printed because when you’re locked out of the cloud. You’re locked out, so you can’t get the, you can’t get the IT cell number, so print the things and keep them in your office and and keep them at home too, keep them at home too, because a disaster might be in your office. You might have a fire or flood or some emergency that you’re not allowed in. So you go back home and there’s your printed plan and do practice runs. Because, you know, you, you don’t know where your weaknesses are, you don’t know how it’s gonna go until you’ve practiced and gone through the information with everybody on the team who needs to know that information. So do it a few times a year. It’s, it’s always more things that people have to do, but it really is gonna save you time and money and the safety of your information when you get hit. Awesome. I love this. The uh Ellen Edward show. Ellen and Edward show. We have our own Arch Tech, just architectch, Just Tech, Edward Ellen. OK. Um, so there’s our 10. We’ve, we’ve, uh, enumerated our 10 and gone into some detail on each. You mentioned business email, something about business email. Don’t hold back. You talked about it in your session. You got to share it with nonprofit radio listeners. What is it about business email that we need to know? So we’ve been doing free security and incident response for nonprofits for about 5 years now, and we’ve only seen one incident that wasn’t compromised email in some way or another, and there are two main categories of that. The first is financial compromise, and it’s not an IT item. It’s actually for the finance team. Never change a payment method or process without picking up the phone and calling somebody. We’ve seen vendors get hacked and the vendor submits an invoice and says, please pay this invoice over here, and it looks completely authentic. They pay the invoice only to find out that they paid to the wrong account, the wrong person. That money is no longer recoverable. That’s a finance issue. But even on the IT side, there’s a lot that we can do in order to protect email. And in our session we went through how to get that number to close to 0. All right, let’s do it. We’re not just going to talk about what we talked about in the session. We’re going to talk about the substance here. Excellent. What do we do? There are front end and back end protections in email. OK. Front-end protections involve products like Proofpoint, Mimcast. They scan our incoming email to find bad things and make sure you don’t click those. You can actually do a lot of this for free in Google and 365 without even using those products, and I don’t know how to tell our listeners to download things, but if you put our contact info in, they can reach out. We distributed a step by step how-to for all of the attendees to harden those email systems, and I’m happy to send that out to. OK, what you should do is give me the URL. For where that where that is, and I’ll include the URL in the show notes. Perfect. OK, we’ve got you got to make sure you do it. Somebody has to email me and then when your show is going to be aired in your episodes show notes, I’ll include the URL. Excellent. OK, OK, so we can get we’ve got several downloads in there for you. All right, all right, but we’re going to walk them through how to protect that email account and get the odds of their being compromised as close to zero as we possibly can in this technical environment, and a lot of it involves backend protection. Eventually, no matter how good your front end protections are, an email is going to get through. The user is going to click a link. They’re going to enter in their credentials, their MFA, and they’re going to give that MFA token that access to a threat actor who now has access to the email account, and our ability to detect that, respond, and to shut them out automatically becomes key. OK, OK, Ellen, is there more we can talk about around? Business email safeguards. Just to echo what Edward said, nearly every attack that we’ve seen has come in through email and somebody giving away their credentials. So you’ve got the email issue, right? If those emails never come in, that’s great. But then you also, again, have MFA. That’s if, if an email does come through and somebody tries to give away their credentials, that MFA can stop the, the bad actor from getting it. All right. Business email, very, very common method of exploiting. Nonprofits, I would guess it’s in the 99%. You said everyone, everyone, everyone except one, yeah, in a, in a test that you did or in our experience where we have nonprofits calling us and saying we’ve been compromised. What do we do, right? And we try to help them through that process along the way. It’s been email every time but one, in the last 5 years. All right, I’ll tell you what, Edward, you’re so gleeful about this, passionate, I’m passionate about it. Why don’t you take us out since Ellen gave us the overview. You could take us out with, uh, you know, inspiration and empowerment, why cybersecurity on a shoestring is so important. I want to emphasize to our audience that we want to solve the problem with one expensive fancy tool, but usually that only covers a small amount of our attack surface. We want to look 360 degrees at the whole picture, and there are two open source sources that I would like to refer people to that are free and available online. One is the HIPAA standard, the HICP. They can start with Volume One. It is simple. It is approachable. It is designed for mom and pop doctors’ offices with less than 10 physicians. It’s written in clear, clean language and we’ll give them a checklist to start walking through. OK, so it’s valuable for nonprofits even though we’re not a doctor’s office, even though you’re not a doctor’s office. Every time it says PHI, protected health information, just insert my sensitive and protected information. And you’ll be fine. Excellent. OK. And number 2, number 2 are the CIS controls, the Critical Information Security controls, and that also is open source. It’s available to everyone. I prefer the HICP because I think it’s more approachable and a bunch of really smart people sat down at the table and said, how are we actually being compromised and wrote a list on that. To protect healthcare providers and number 1 is email. All right. And the second resource was CIS, the CIS controls. And what does CIS stand for? Critical Information Security Controls. But somebody may have to test me on that acronym later. CIS controls. The CIS controls version 8. If you Google it, it’ll come right up at the top. OK, but your preferred is the H. The HIC HICP, and this is actually HIPAA, yeah, it’s put out by the Department of Health and Human Services. It’s available online. It’s a free download, HICP Volume One. Outstanding. That’s Edward Wilson, principal at Arch Tech. It’s named Arch Tech because they’re in Missouri. The Arch. Ellen told me that before. It actually was supposed to have a play on the word architecture because we believe good design can solve most of your problems in advance. OK, I thought about that possibility, but then when she said it’s arch tech, it’s not, it’s not architect. So is it, is it architect or architect? To be fair, how do you want to say? How do you want it said? We call it Arch Tech. I started pronouncing it Arc Tech, but we’re in St. Louis, so the point applies. About 6 months in, I realized it was going to be Arch Tech forever because of the St. Louis Arch. I see. All right, so it’s, it’s evolved into it is Arch Tech, so I said it correctly. All right. Can you say? I think that is pretty easy to say. Yeah, just. Just, just tech. J U S T T E C H. That’s Ellen Samuel. She’s the COO at J U S T T E C H. Just tech with a hyphen in between. Well, if you’re typing it, you, you don’t want me to say just hyphen tech. The company is just hyphen tech. No. Oh, well, all right, well, they, they’re gonna Google Ellen Samuel too, uh, but the website does have a hyphen if, if you need that. OK. Edward, Ellen, thank you very much. Great fun and value. Thank you. Thank you for the value. Thank you for sharing. Thank you. Thank you, and thank you, listener, for being with Tony Martignetti nonprofit radio coverage of the 2026 nonprofit Technology Conference. It’s time for Tony’s take 2. Thank you, Kate. Thank you and 10. This is our final show from the 2026 nonprofit Technology conference where we were all together, as you, as you hear, episode after episode in uh Detroit, Michigan. I’m just grateful for the partnership. They take good care of us. They appreciate the value that we bring to the conference, promoting it for months after the conference. Amplifying their speakers to our, our complete audience, way beyond just the folks who attend the conference. So, and I appreciate the, the value that they bring. They give us, Accessibility and, and exposure for the show. And I appreciate the, the partnership and the collaboration for N10 year after year. This year was our 13th. Next year, I’m already looking forward to it. It’s in Portland, Oregon. It’s in March of 2027, and we’ll be there for our 14th. NTC So, looking forward to that. Thank you very much again, and 10. I’m grateful. Listeners, again, I apologize about the audio. It was. It was your lackluster host. I’ll make sure, uh, well, I mean, I’ll do everything I can to make sure it doesn’t happen again. Thanks, thanks for understanding. Kate, Are we coming up on episode 800? We most certainly are. This is episode number 798. 0, 2 more. Absolutely. We’ve got just about a buttload more time. Here is make confident tech decisions, finishing our 26 NTC coverage. Welcome back to Tony Martignetti nonprofit radio coverage of the 2026 nonprofit Technology Conference. We’re all gathered in Detroit, Michigan. This is the final day. With me today is Simone Carvalho, with me right now today, Simone Carvalho and Rebecca Kaplan. Simone is principal consultant at Skeleton Key. strategies and Rebecca Kaplan is senior director of member grants strategy and operations. That’s member grants strategy, not member grants, strategy and operations. She only has two things, not 3. Rebecca Kaplan is senior director of member grants strategy and operations, so operations modifies the grant strategy and the member modifies the grant strategy. So it’s a member grant strategy and operation. No, it’s quite simple. No, no, member grant strategy. And operations at Feeding America. OK. Welcome. Welcome, Simone, Rebecca. Thank you. Good to have you both. Thanks for having us. Pleasure. It’s a pleasure. Simone, would you do an overview? Give us like a, you know, a high level view of the topic to kick us off, please? Sure. Um, so Becca’s here with me today, and we’re at non, uh, the nonprofit tech conference to talk about competent tech decisions, um, and we specifically talked about the tech assessment framework. So a technology assessment, um, is a structured evaluation of an organization’s current technology, the underlying processes, and the capacity, um, within it. Um, and we walked through, and I’ll probably we’re going to do it here, yeah, yeah, yeah, I’ll walk through in detail. We’re not going to just talk about the session here. We’re going to talk about the topic here, yeah, um, the phases of the tech assessment, when to like anticipate or when you should really consider having your own tech assessment, whether or not you should involve consultants, um, and then ultimately like what are the potential outcomes on the benefits of conducting a tech assessment. OK, thank you, and I should have said that the topic is. Assess, don’t guess, a framework for confident tech decisions. All right, all right, so thank you very much, Simone, for getting us started. You can take off your little uh Mini Mike. OK, so we have uh the the opening threshold question. Let’s turn to you, uh, do you go Rebecca or Becca, do you prefer? Either Either is fine. You go by Becca, can I call you Becca? Is that all right? OK, OK. And then at the end I’ll say Rebecca Kaplan again, keep it formal for people who want to connect with you on LinkedIn. OK, Becca. So how do we know whether we should or we are ripe for an audit, an assessment of our uh tech stack? Yeah, so I can talk about Feeding America’s experiences. We think about it as internal triggers that might indicate your needs, something like this, or external triggers. Um, so that’s when you hear people say things like, oh, I’d rather look at this in my spreadsheet, or there’s workarounds, right? So those are some common links. And for us, um, we were deep in the workaround. So, for example, I do grant making, so getting funds out to a few things. And in order to pay our grants, we needed to download payments from our grants management system, reformat them in Excel, email multiple spreadsheets, when appropriate opportunity to our finance department for finance to upload in their system. OK, like it’s 45 different steps, and a lot of it manual or it’s all manual, right? And then we had no good record of our payments. They were in email, they were in spreadsheets. Finance had them, but they weren’t connected to our brands. So that was his workaround, his back side. The other was staff morale. So our system was a legacy system. I’ve been using it over 10 years. For close to 10 years rather, and it was slow. We had permits issues and staff morale was suffering and we knew that formally from our engagement survey. OK, OK. Things look bad and lots of, lots of multi-step processes that humans are involved in and employee satisfaction was low or mediocre. We were just frustrated by the technology and so are our grantees and so when it was also affecting our network partners, that was another trigger. OK, uh, Simone, sound like, looked like you may want to add something. Yeah, yeah, I can talk about, uh, so when Becca mentioned like external and internal triggers and goals, I’m borrowing that framework actually from change management. So change, uh, management theory often talks about like organizations change basically when they’re forced to, um, and External triggers. So Becca talked about like the specific scenario of Feeding America that initiated her tech assessment, but other organizations might hear whispers of a hedge fund has purchased your product and you’re gonna be sunsetting it, or, you know, they’re going to suddenly hike up the prices. So there’s external factors that are pushing you. Um, or perhaps like an external, that would be an external trigger. An external goal would be something like we want to aspirationally just be better serving our clients. We’re expanding our geographies internal, same thing, there’s internal triggers and internal goals where it’s coming from inside the house. Um, perhaps there’s a change in leadership, like employee dissatisfaction. Employee dissatisfaction was a great one. Um, that was like super interesting to learn that it came up in like her employee surveys, um. It could be the change in leadership or you could just simply find that like the processing is taking 3 days and 6 months. OK, all right, these are troubling symptoms, but, uh, but we have a, we have a therapy, we have a treatment. It’s a, it’s a tech, tech audit. Uh, I’m going to tick through some. I, I think these are your, your, your, your phases or your processes. I want to make sure for an audit that you’re looking at there’s a discovery, analysis, prioritization, and a roadmap. OK, and you’re including your people processes and your strategy. OK, let’s talk through these. That’s, that’s a great overview, but that’s all I can do, uh, like tick through. Let’s let’s talk about who the, who the folks are and what the processes are that should be involved in your, in your, your tech audit. Um, so, taking like one step back really quickly, uh, the reason why our tech assessments aren’t just about the technology is that, um, we often think about Technology as like one leg of a three-legged stool where it’s technology, people, and process all supporting strategy. So if one of the legs of the stool is a little bit wobbly, you know, you could potentially top it over. So our tech assessments aren’t just looking at purely the technologies and the systems itself. We always in our discovery and all these phases think about the underlying processes and the capacity and the folks. So, the first phase discovery is pretty self-explanatory. It’s lots of interviews, group discussions. It’s trying to glean as much information as possible. Um, and we often Uh, are pulled in because consultants don’t always have to be involved in it, but can be helpful when you find that perhaps you don’t have the internal trust or buy-in from folks and they need like an objective third party because I think that’s the thing consultants can bring more than experience is there’s a neutral third party that folks might feel uncomfortable discussing their, you know, system secrets with, uh, so that’s discovery. You’re gleaning as much information as possible and perhaps you would have a survey in there. Um, I should also say before all of these phases, there is scope definition. Um, the one thing that I think we really pressed upon was the like the essential need to document and define the scope of the tech assessment, um, because we often find folks are really not lied about what is a tech assessment and what’s included in the tech assessment, and scope creep like just explodes, yeah. Um, so knowing definitively because we want to go deep rather than wide explicitly what systems or departments or processes are involved or are not. Let’s just turn to Becca for a second. So more than 1 2nd, even more than 1 2nd. Becca. So what was the experience at this phase for Feeding America, discovery phase? Like, were there people who wanted to participate, who shouldn’t be, or people who didn’t want to, who should be involved, and you know, how did that discovery phase go for Feeding America? Great question. So Skelton Key did probably over 50. Interviews with stakeholders across many departments. So if you think about grant making, it’s touching finance, it’s touching development, it’s touching the teams that are, um, programmatically overseeing the grants. So we were lucky that folks are really invested and interested. Helping us define the processes of understandings and responsibilities. So the discovery was exciting for us because we had a lot of feelings about our system, um, and the mostly negative. Mostly and also dreams but about potential too, good feelings about potential, but frustration in the in the moment. Exactly. So we’re excited to come through like it would be really cool if those sorts of ideas, um. So I think there’s a lot of buying in the discovery of this in America. Yeah, cool. All right, all right, um. Should we, can we move to analysis? Is that all right? So we’re in our analysis phase. Analysis is taking the blobs of information and doing something with it. So, that’s when we start like actually combing through what we’ve collected through documentation and interviews and discussions, surveys, and we’ve compiled. There’s a couple of different outputs. It ultimately depends on like, you know, back in the discovery phase and when you’re defining your scope and the, the thing that has to be clearly defined is like what question are we trying to answer for Feeding America, I’ll let Becca speak to that, but there was some big questions. So, Some of the key outputs of this um analysis is developing user stories. So these are like human centric requirements. Um, so as Becca mentioned, it was like very future facing and aspirational. As a grants manager, I wanted to XYZ in order to fulfill a specific business, uh, objective. There’s process maps, so visualizations beyond the grants of managers, the grantees, right? I’m sure you interviewed some grantees among those 50. And the aspirations for them. Oh my God, these emails that I get from Feeding America, I mean, I love having their support, but my goodness, it’s enough, enough is too much. It’s too much already. These are, these are Becca’s emails coming that they’re commenting on, but yeah, but among the grantees, right? Yeah, OK, OK. Um, and then there’s process mapping, which again is typically like aspirational and future facing and folks really like that because we are daydreaming about like what I want my pieces to look like in the future. Um, and then, as I mentioned, you just get lots of information and not all of that information is like specific to the technology and especially with New America, we just started compiling what we called a process improvements inventory because there was lots of things outside of the GMS, the grants management system, like ownership struggles, everyone owning a thing. that also needed to be addressed before we talked about the actual technology systems. OK, so there’s the processes, the people, and the technology as well. All right, cool. It sounds like you really need an outside. Facilitator, coordinator of this kind of audit, I mean, I don’t know, can an internal IT team do it now? You have to be, I’m asking you to be objective, Simone. I do actually do think so. The key question to ask or for someone to determine whether or not they can do it. Internally, there’s a couple of things. I think the first thing is capacity, because it’s, it can be done internally. It ultimately depends on what is your timeline. So if it’s an external trigger like, hey, we’re going to be sunsetting your system, you might not have the internal capacity and velocity to get it done in 6 weeks in the way you need to. Um, there is also just that, that question I raised earlier, which is, are your stakeholders going to be honest with you? Sometimes there’s like the benefit of relationships, or, I’ll say more to an outside consultant than I will to a colleague in the IT department. Sometimes we’re the therapist, the data department, yeah, OK, OK. For us it’s also leadership buy in. So we, one of the reasons we brought in a consultant was that in order to have the business case to invest in the system. They wanted the confidence that consultant. Ask members to make that decision. OK. Leadership buy-in is important for a project like this, right? Everybody’s got to be participating, uh, and that encouragement comes from the top, plus there’s the budget, the budget. Uh, I was thinking of conflict. I don’t know why I’m focused on conflict, like people who don’t want to participate that should, or I said people who should participate, don’t want to, I don’t know why I’m focused on the negative, uh, but there’s also, you know, there can be decisions to be made, like about the scope, which is going to impact the budget, the scope of the audit is going to determine how much we’re spending on this, this venture, right, OK. Yes, leadership buy-in. Thanks, Becca. Excellent. OK, um, prioritizing. Becca, can you lead with prioritizing? OK, let’s mix it up a little bit. Yeah, yeah, so we had a long list. OK, from the analysis phase, yes, right, from the analysis. Ths of the things that we wanted to do and accomplish through this transition and we used, um, Simone mentioned it, but, uh, basically a uh prioritization framework that allowed us to think about what was the effort and what was the. Where we’re going to be. Um, and we picked a mix of things on our prioritization list, some that would be the That we can actually confidently accomplish some that were going to be really difficult and really important and then some in the middle so it was a realistic mix it had to be everything, um, and that framework really helped us. You can actually accomplish. OK, you want to talk to the framework, Simone? Yeah, um, so it was a pretty simple one for Feeding America because they did have a really long list, and I think the thing I would emphasize here is, um, and as we talk about roadmap, there’s the low hanging fruit, but there was also things that needed to be immediately addressed regardless of the system. Um, that were pain points that like had to be addressed regardless of how long it took to go to from existing. OK. You might also be looking for maybe low lift and high impact or it affects a lot of people and this one is not going to be difficult to do. Boom, that’s obviously a top priority confidence and buy in into like, oh, this was worthwhile, right, like versus the other quadrant, the, the quadrant opposite that one which is high lift and low return. You probably had some of those. OK, so what happens to those? Do they, I mean, realistically, do they never get done? I mean, I hope, but that brings us to the roadmap roadmap and also the scope. I mean, there’s only so much, there’s only so much we can do together. There’s only so much Feeding America is willing to pay for, so some of these things are not going to get done this, like this year as part of this process. OK, I’m sorry, that brings us to what you say, the road mapping. OK. Oh well, well, even the lackluster host can provide a decent segue. OK, good. What’s the roadmap? Yeah, so it’s, you know, you. Collect all this information, we’ve analyzed it. You have all these artifacts, you have this list of prioritized things, but now it’s about putting it down on paper, assigning ownership and like actually planning some scenarios, allocating a budget, and putting it on. And we got asked this question a couple of times, but like, what, how big is a roadmap? Um, we tend to do like two versions of the roadmap. There’s the immediate needs roadmap, right? Like we mentioned, there’s typically things that are like immediate pain points that have to be addressed in order to like, help people and their morale while migrations take time. Um, so, you know, between choosing and actually migrating to a system that could be a little easier. And so there are things that just have to be addressed in that year. So, we usually do like a short version of the, the roadmap. So, it’s gonna be like 3 months, the next 3 months, you know, the immediate things you guys can do based on how much capacity or budget you have. And oftentimes, we’re actually not doing these activities, we’re giving it back to the client, um, and they can decide things. I know the key thing here is ownership, because nothing is, nothing’s going to get done if nobody owns it. Exactly. And nothing is more disappointing than like spending all this time and investment in a tech assessment, and it lands in a room full of people who have lots of opinions, but then there’s no one. To act on it, um, so that’s pretty critical. And then depending on again the size and the scope of the organization and the tech assessment and what they’re going through, it’s anywhere from like a 12 month roadmap to a 36 month road. And this also includes total cost of ownership as well, which is what does that mean, yeah, that, um, total cost of ownership. So in Feeding America’s scenario, I’ll let you speak to that, Becca, but like oftentimes the tech assessment comes on the heels of some external factor like we have to move off of the system. And leadership wants to know, OK, but going to this new system, scenario A, how much is it actually going to cost us? So it’s not just the licensing, you know, ongoing licensing, it’s the implementation and data migration, the training, the backfill of staff, the consultants, and then the ongoing costs like you’re going to have to change your staffing model and hire a new admin to help you support this product. So that’s the total cost of ownership. OK, that’s great, Rebecca Kaplan. Senior director of Member grants strategy and operations at Feeding America, and Simone Carvalho, principal consultant at Skeleton Key Strategies. Thank you very much, Simone, Rebecca, thanks very much for sharing. Thank you so much for having us. My pleasure and thank you for being with Tony Martignetti nonprofit radio coverage of the 2026 nonprofit Technology Conference. Next week, a wide ranging AI conversation with 3 experts. If you missed any part of this week’s show, I beseech you, find it at Tony Martignetti.com. We are sponsored by the Bridge Conference. Tony will be with more than 2400 nonprofit professionals at Bridge, July 29 to 31 in National Harbor, Maryland. Info and registration at bridge.org. Our creative producer is Claire Meyerhoff. I’m your associate producer Kate Martinetti. The show’s social media is by Susan Chavez. Mark Silverman is our web guy, and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with us next week for nonprofit radio. Big nonprofit ideas for the other 95%. Go out and be great.

Leave a Reply

Your email address will not be published. Required fields are marked *