Nonprofit Radio for October 30, 2023: CRM Selection & What To Ask Before Your New Website

 

CRM Selection

Rubin Singh returns to help you focus on what matters in CRM selection. To keep you safe from a serious misstep, he also shares his thoughts on what else might be the problem, besides your CRM database. Rubin is CEO of One Tenth Consulting.

 

 

What To Ask Before Your New Website

Stephen Tidmore from Mighty Citizen built his first website in 1999, and hasn’t stopped. He shares the questions you need to ask up front, before you embark on a new website project.

These both originally aired on June 14, 2021.

 


We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.

Transcript for 664_tony_martignetti_nonprofit_radio_20231030.mp3


[00:01:04.26] spk_0:
Hello and welcome to Tony Martignetti Nonprofit Radio. Big nonprofit ideas for the other 95%. I am your aptly named host and the pod father. We’ll just start again with this take. Hello and welcome to Tony Martignetti Nonprofit Radio. Big nonprofit ideas for the other 95%. I am your aptly named host and the pod father of your favorite hebdomadal podcast. Oh, I’m glad you’re with us. I’d come down with Hypo is Phoria if I saw that you missed this week’s show. Here’s our associate producer, Kate, with what’s up this week.

[00:01:57.85] spk_1:
Hey, Tony. This week it’s CRM Selection. Rubin Singh returns to help you focus on what matters in CRM selection. To keep you safe from a serious misstep, he also shares his thoughts on what else might be the problem besides your CRM database. Rubin is CEO of One Tenth Consulting. Then, What To Ask Before Your New Website. Stephen Tidmore from Mighty Citizen built his first website in 1999 and hasn’t stopped. He shares the questions you need to ask up front before you embark on a new website project. These both originally aired on June 14th, 2021. On Tony’s Take Two,

[00:02:00.29] spk_0:
Loving the donors.

[00:02:37.56] spk_1:
We’re sponsored by Donorbox. Outdated donation forms blocking your supporters’ generosity this giving season? Donorbox, the fast, flexible and friendly fundraising platform for nonprofits. Donorbox dot org. And by Keela. Grow revenue, engage donors and increase efficiency with Keela, the fundraiser’s CRM. Visit Keela dot co to join the thousands of fundraisers using Keela to exceed their goals. Here is CRM Selection.

[00:02:42.65] spk_0:
Welcome to Tony Martignetti Nonprofit Radio coverage of 21 NTC. You know what that is? It’s the 2021 Nonprofit Technology Conference. With me now is Rubin Singh, CEO of One Tenth Consulting. Rubin, welcome back to Nonprofit Radio.

[00:03:00.00] spk_2:
Hey, thanks so much, Tony. Thanks

[00:03:40.48] spk_0:
for having me. My pleasure. My pleasure. Your topic this year is CRM selection. When you don’t know what you don’t know which is kind of related to what we did, uh talk about last year, which is don’t get played by the product demo that was listeners can go back to listen to that. That was uh when we talked about the uh the flash bang demo that doesn’t turn out to be so you, you can’t replicate the of which you cannot replicate the wizardry when you’re, when you’re posting sta it just doesn’t seem to fly, fly quite as fast as that product demo. So that was when we talked about last year. Um This year. What’s the trouble around CRM selection and these unknown unknowns?

[00:04:42.84] spk_2:
Yeah. Yeah. No, thanks, Tony, and, and um uh yeah, this seemed like a good, good way to, to springboard off, off of last year’s presentation with the demos because, uh still, you know, with all the organizations, with so many of the organizations that I work with, uh the selection process has just such a challenge. Uh And I even took the opportunity during the conference itself to ask, you know, what is it, what is it so challenging about these CRM selection processes? Is it that there’s just too many options in the market? Too few options? Is it uh you know, just uh confusion about the features they offer? Is it just, you know, if you right? No, or is it more on the internal side, you know, decision making as I suspected? I, I guess it is, it’s across the board there, there’s all kinds of reasons that people are really um struggling right now when it comes to selecting CRMs. So, so that’s why we wanted to look at this topic is, is really um try to unpack some of the reasons that make it so challenging and also give some advice on what can make the process go a little bit smoother.

[00:05:00.60] spk_0:
OK. The one thing that you ticked off that I, I imagine the problem is not, is that there’s too few CRMs available? I don’t think that’s a problem. Is it?

[00:05:02.58] spk_2:
Uh Well, I, I think, yeah, I wouldn’t say there’s too few but then once you get into, you kind of dig in a little bit past the surface and really look at, you know, the types of functions that you need. So um you know,

[00:05:16.44] spk_0:
you might have a few options based on your specific

[00:05:25.98] spk_2:
exactly like, you know, everybody will have, you know, the the constituent management side of things and everybody will have, you know, basic activity management, donation management. So no, no shortage of solutions in the market there. But then you say, hey, you know, is there a solution out there in the market that does outbound funds management really well? OK. Well, now you’re down to like two. So, so I think so. So there is too few but yeah, there is a nuance there for sure,

[00:05:42.31] spk_0:
I understand. All right. So you know, how do you help folks? Where should we start with this? How do, how do you help folks make sense of this uh confounding landscape?

[00:07:45.53] spk_2:
Yeah, you know, there’s, there’s a few things I think that, that, that folks can do and, and the first and foremost is, is really uh when you have a selection process, uh you know, what I think you can do to make the most of it is, is first make sure that you have the right team internally. Um because uh you know, oftentimes I walk into situations like this where we do selections and, and you know, I I’m told, OK, you know, IT is gonna make the decision here or leadership is gonna make the decision here and, and neither of those really work out particularly well. So I think really having a uh a cross functional team, not only in terms of where they sit in the organization, uh you know, across the organizational hierarchy, but also looking at the diversity of the team. And this is something that I, I personally feel is very important, you know, even even diversity in terms of race, ethnicity, age, you know, uh tech, technical, technical skill, capability, um ability, ee everything, you know, all those things are gonna matter, you know, even if you uh work with external constituents, uh perhaps even engage some of your uh program participants in the process, the more diverse that you can have your team, uh you’re really gonna have uh a solution in the end that that really represents what they need. So I, so I think really assembling a team, the the right team is, is a key part and often gets overlooked. Um Another thing is really just being honest with the, the expectations of the system. So, you know, I have some organizations that I work with that say, ah you know, well, we don’t have much budget and we don’t have any resources that can manage this system really ongoing. We need something that, that can, we can plug and play, it’s gonna work. So, so tell me about Salesforce or, or you know, tell me about Raiser’s Edge and I’m like, wait, wait a second, you know, those are not the only, you know, two products in the market.
There’s a lot of other tools that are out there that are more aligned for you that you can uh that is more plug and play. And then, you know, now granted you might be trading off some opportunities to, to, you know, it may not be as customizable or it may not be uh all the, the depth of functionality you need in certain areas. Um But uh going the other direction and having a highly customizable system that needs a lot of maintenance and, and when you don’t have the, the team and the resources and the budget to maintain it, it, it can really put you uh in a, in a tough spot. So, so those are kind of a couple of things I I have more but, but those are a couple of things that I think that often get overlooked is really starting in with those, those right expectations and having the right team to help make that decision.

[00:08:09.17] spk_0:
R unfortunately, you’re stuck with me as a lack of host. I, I should have asked you initially, how do you know if you need a new CRM before you even wade into these waters? Maybe CRM, maybe your CRM is not your problem. How do you make sure it’s, it’s a CRM that is your problem and not not your processes or your leadership or something

[00:08:29.25] spk_2:
else. That, that’s a great question, tony. And, um I wish I had asked

[00:08:33.11] spk_0:
it five minutes ago.

[00:08:56.72] spk_2:
No, no, no problem. And, you know, it’s, uh I’ve worked for, um you know, product companies in the past where, you know, we have a specific methodology, specific product to, to come and solve your problem. And I’ll be honest with you, tony, you know, over the years I’ve, I’ve implemented CRM solutions. Uh you know, on time on budget, we’re sitting there after go live, everybody’s celebrating. And I, I walked out of those clients thinking to myself, this is not gonna end well, this is not, this is, they are not set up for the success and it really has nothing to do with the CRM. And you felt

[00:09:13.69] spk_0:
that way even on your champagne high after their champagne ate their hors d’oeuvres, you still, you still walk down, feeling, feeling

[00:10:28.25] spk_2:
unsatisfied. Well, I tell you walking to my car in the, in the parking lot. I sit there in the car and I’m like, oh boy, this, I’m gonna hear from these folks in, in two months and, and I don’t know what I could have done differently, you know, and, and it’s, it’s really for the things that you said that, that I, I, it’s uh it’s really making sure that uh do they have the right support ongoing? Do they have the right governance structure? Do they have good decision making, you know, uh uh processes when things come up. Um Do they have the right executive buy in? Um are the processes really well aligned to help them be successful in the new system or did they bring their own sort of broken promises into the new s uh sorry, broken uh broken processes into the new system? Uh or uh even their data, you know, oftentimes these, these projects kind of run overboard and then they just say, ah, well, let’s just, we don’t need to clean the data, let’s just push it into the new system and, and we’ll figure it out later. Uh These are not, these are things that are not going to uh lead you to success and, and oftentimes things go awry. It’s like, ah, you know, we shouldn’t have gone with this CRM or we shouldn’t have gone with this. And it’s really, uh you know, and that’s one thing at One Tenth we’ve, is really one of our key principles is it’s the people process and technology. Um It’s the strategy. It’s, it’s having everything aligned in order to make your technology successful. So it, it is, it is. Yeah, it’s, it’s a little bit science, a little bit art to make that, to make sure that balance is there.

[00:11:15.11] spk_1:
It’s time for a break. Are you looking to maximize your fundraising efforts and impact this giving season? Donorbox’s online donation platform is designed to help you reach your fundraising goals, from customizable donation forms to far-reaching, easy-share crowdfunding and peer-to-peer options. Plus seamless in-person giving with Donorbox Live Kiosk. Donorbox makes giving simple and fast for your donors and moves the needle on your mission. Visit Donorbox dot org and let Donorbox help you help others. Now back to CRM Selection.

[00:11:36.59] spk_0:
after an 18 month or maybe 24 month conversion, you know, the whole process of search and then narrowing down and you know, the thing, the things we talked about last year. Um And then, and then for it not to be the success that everybody is expecting. Um Let’s spend a little more time with this. What, what, what, where else should we look? You know, if we suspect our CRM is the problem but where else should we be looking? We, we’ve talked about processes, leadership buy in but, but be drill down a little bit, you know, you have the experience, what have you seen that? That is often the cause not the, it’s not the software.

[00:14:03.66] spk_2:
Yeah, you know, definitely the, the buy in is key. Um And that’s something that starts from the very beginning. Uh And, and I’ve see, I, you know, I, I don’t want to sound super negative here because I’ve seen, I’ve seen some organizations do this really well, you know where, you know, before they uh you know, let’s say they’ve made us, you know, they, they’re kind of getting close to a selection or they’re, they’re uh they’ve done sort of the initial vetting of solutions. Uh They really bring the leadership in uh and have them have, have a stake in the, in the, in the matter. I think that’s, that’s key, you know. So when I even talk about assembling a diverse team that also includes leadership and management, um you know, they, they’re not just, they shouldn’t just be spectators of the process, they should be very engaged in the process. Uh Because that’s when I see things kind of fall off the rails a little bit is the moment something goes wrong and everybody just, you know, throws their hands up in the air and says, oh, well, you know, I never really, you know, subscribe to this or I, I told you you should have gone with, you know, such and such tool anyways. So that executive buy in is, is just super important and that really is, you know, it’s, it’s the project team sitting with leadership and making sure they understand what is the, the business case for CRM in the first place? Uh What needs to make us successful. So if that means uh additional resources like we need a part time or full time administrator, uh or we need to have uh a, a tool to, you know, manage tickets and ongoing incidents. So we have a way of tracking things that we need to improve with the CRM or we need a governance process that we can make decisions uh um more effectively and, and I think, Tony, that the governance is, is key.
Um, because oftentimes like you, you go live and then sure enough as folks are using the system, uh there’s all kinds of requests, there’s, there’s bugs, there’s uh enhancement requests, there’s, you know, fundamental problems that need to be addressed. And oftentimes it’s like, ok, well, let’s just, you know, go to the person who’s, you know, you know, clamoring the loudest and, and solve their problem, but that’s not really the right way to do it. You want to be methodical and think about. Ok. Well, you know, let’s prioritize, let’s evaluate the, the urgency of the issues, the severity of the issues, let’s put together a road map. So everybody knows what’s coming when. Um, and, and so it, it sort of, you know, goes to that point that this, that CRM is not a project, it is definitely an ongoing journey. Uh And, and, and so, you know, when those kind of expectations are aligned, I see a lot more success. Uh So, so, so, yeah, the solution and that is completely solution. Agnostic.

[00:14:47.87] spk_0:
Yeah. Yeah. All right. Thank you for that digression. But I, I think it’s important. I think, I think there’s a lot of orgs that, that blame their software, but they have much more inherent problems that, as you said, no application is gonna solve because that’s not the pro those aren’t the problems, that’s not the problem. All right. Um, you mentioned prioritization. I want to get to that. I wanted to get to that because you, you, you alluded to different features and, you know, but how do you decide what you really need versus what you, you could, you could use but you don’t really need it, you know, to try to winnow down your, your alternatives in this vast landscape.

[00:15:15.54] spk_2:
Yeah, that’s a really important question, tony because um you know, especially as I’ve sat through as, as perhaps you have to just sat through so many demos of systems and I think often times, uh the organizations I work with, they are very impressed with the breadth of functionality. Um But you have

[00:15:16.61] spk_0:
the, well, I haven’t sat through as many as you have, but you also have the experience of having done the, done the

[00:15:21.44] spk_2:
demo. I’ve been on both sides,

[00:15:44.30] spk_0:
thousands, I think when we talked last year, you know, you’ve done thousands of these things and you were the Whizz Bang. You were the guy flying through the, flying, the cursor through and showing everybody how easy it was, how easy it’ll be for you. It’ll be just like this to your experience is gonna be identical to mine, you know, give yourself 24 hours with the system and then you’ll be as good as me. I’m making you out to be a, a huckster. You’re not.

[00:18:32.05] spk_2:
Well, I, I’ll tell you a little story, tony and I shared, I shared this with the folks at, at the NTC. Um, you know, a couple of years ago on my last trip to India, I, I went on a shopping trip with my wife and, uh, we went to this, um, garment store, clothing store and she, she walks in there and she says, I’m looking for something specific. I want this dress that is, uh, turquoise. And the, the shop owner said, oh, ok. Yeah, no problem. And then he starts showing, um, all these different dresses and it’s just like, you know, unpacking and, and showing and demonstrating. He has 23 assistants, unpacking different garments and showing different things. You know, some of them are light blue, some of them are dark blue. Some of them are shades of green. Some of them are teal and, uh, you know, you know, about maybe 30 40 different dresses into this II, I kind of figured what was going on here. And I whispered to my wife, I said, I think he’s gonna show you everything in the store before he tells you he doesn’t have a turquoise dress and, and I feel every time I, I sit in some of these system demos, I kind of think of the same thing that, you know, the, the, the, the, the, um, and no disrespect to the, the account executives out there. They’re, they’re doing their job and, and trying to present the best elements of the products they have. Um but they are gonna show you everything. Uh They’re gonna show you everything, whether there’s breadth or depth, it doesn’t really matter that they’re going to impress you with um with, with all the features and functionality that the system offers. So what I try to uh encourage uh my client and prospective clients to do is, you know, you, you kind of take control of the demo, say, say, you know, no, I’m I’m not really interested in, you know, I know all these solutions do fundraising. I know all these solutions, you know, can, can send out an email. 
I know all these solutions will track activities, but here are my three or four priorities. You know, I, I need to do long term case management because we’re a human services nonprofit or uh you know, we get grants that we re grant to other smaller nonprofits. So we want to do outbound re you know, re granting or, you know, we, we focus heavily on the social listening or the volunteer management. Pick those four or five areas that mean the most to you and you want to see the, the, the real depth in those systems there because I think once you do that, you’re gonna find there, there’s fewer options than you might have thought. Uh And, and really kind of, you know, rather than just getting into this demo, uh process uh demos are nice. But what you really want is a working session to say here are my use cases. Uh And, and, you know, show me how we can solve very specific problems in these four or five areas. And, and I, and, you know, there are some uh vendors that will say, oh, you know, I don’t have time for that. You know, I, I, I’ll give you my canned demo. You know, that’s the best I can do and you probably don’t want to work with those partners. Uh You really, you know, there, there, there are other vendors that say, oh thank you. Like, thank you. I don’t have to waste my time on this canned demo. Uh And we can really focus on the things that matter to you. There, there’s some that really, really thrive in that situation. So, so I think it’s really um looking at what are those three or four things, those five things that really matter to you. Um That, that is not only something that you need to maybe replace in your current process, but looking 3 to 5 years down the line, uh you know, you really want to get into program management or you really want to get into more direct mail. Uh You think about what those three or five things are and really focus the sales process on that.

[00:19:19.25] spk_0:
Is that hard to do? Focus on these 3 to 5 when you’ve got 10 people from an organization clamoring for, for their, there used to be a top priority. You know, the, the the the event folks are saying, well, we need better ticketing but it doesn’t feel like ticketing is really a priority, but we do ticketing. You know, how do you, how do you manage these internal battles?

[00:20:56.00] spk_2:
There are always, there’s always gonna be that battle, there’s always gonna be that healthy debate and contention intention there. So, uh you know what, what I tried to frame up is, you know, as an organization, you definitely have to prioritize uh you, you surely have to prioritize and I know everybody expects it, but they just don’t want to be on the, the losing end of, of that prioritization. So, so I, I think, you know what, what I try to encourage folk is uh even though you may not get everything you want to make sure that you’re selecting a tool that does not preclude you or do not prohibit you from getting the features that you want. So maybe event management is not a priority right now. Um But let’s pick a solution that if even if it doesn’t have very strong event management capabilities, perhaps it can integrate with other tools that are out there that have very strong uh event management capabilities. So, um so, so it’s uh so you definitely want to focus on the, the key priorities you have. Um But you also want to be, make sure that you’re selecting a tool 3 to 5 years out can still support what you need. Uh So, so that’s it, it’s a little tricky and, and, you know, it kind of goes to one of my, uh you know, I, I gave a lot of suggestions and a lot of, you know, tips and tricks on, on how to really make the selection process work for folks. But, you know, one of the last points I did is, is it may take a, a, a trusted advisor to help in this process because, you know, the nonprofit I work with, they’re, they’re very busy, you know, doing good for the world and, and, and uh don’t always have time to keep in completely aware of what all the, the latest technologies and trends are. So sometimes it takes, you know, bringing in a trusted advisor, whether that’s in a pro bono capacity or a paid consultant, uh who can really, you know, help get you through some of the fluff and say, all right.
Well, you know, I I know that program management is not a key priority for you right now, but it is something you want to do in the future. And here’s three or four tools that might want, you might want to consider that can get you there at a later point.

[00:21:11.22] spk_0:
There’s also the importance of leadership that, that you stressed, you know, it’s, it’s incumbent on the CEO to decide what the priorities of the organization are.

[00:22:09.41] spk_2:
A absolutely. Absolutely. And, and, uh you know, when I was sort of working more on the vendor side and, you know, with specific products, I, I wasn’t, you didn’t really have the flexibility to have these discussions. But, you know, now, uh you know, running our own practice, we have the ability to, to kind of start start selection processes with very different questions. So, you know, the questions I’ll ask is OK. Well, let’s talk about your fundraising strategy. Well, you know, let’s talk about, you know, your organizational goals. Uh Let’s talk about where, where you are now and where you want to be 3 to 5 years from now. Um You know, what’s, what’s the, the, you know, what are the kind of decisions, let’s say, you know, to speaking to the executive director or the leadership team, you know, when you walk into work Monday morning and you, you turn your, uh you turn your computer on, you log into your CRM. What do you want to see on your dashboard? What, what is it, what are those key decisions or, or key insights that you need to help you make decisions for that day, for that week? Uh Let’s start there and then from there, we, we start figuring out um what are the right tools, what are the right solutions and all that? But, but, but really, you’re absolutely right. It starts with the strategy and it starts, starts from the top.

[00:22:33.70] spk_0:
You have some tools and, and resources to help folks make better decisions.

[00:23:36.63] spk_2:
Yeah, absolutely. Um You know, making better decisions just means uh means a lot to us at One Tenth, you know, whether you work with us or not, we, we, we feel it’s, it’s best for the nonprofit sector and, and, and best for the nonprofit tech sector um to, for, for everyone to really have, be making informed decisions when they go for a solution. So, um on our website on uh uh uh One Tenth dot consulting, you will be able to see. Um you know, we have webinars, we have um uh blog post all to really help you uh in that process. Um Also on our social media, we do have um uh from time to time, we are either posting articles, sharing articles, other content that we think is are, is really gonna help people make good decisions. So I would, I would suggest and all our, our web um all our webinars all are, are all on demand free. Uh So we, we encourage folks to, to take a look at our website and, and really um take advantage of all the, the content that’s out there, you know, uh combined with, with uh myself and others that we work with. I mean, it’s many, many years of experience, good, the good, the bad, the ugly. So we, we try to put as much as we can in that content on our website to make it available to everyone.

[00:24:00.17] spk_0:
It’s One Tenth dot Consulting. That’s correct. All spelled out, One Tenth dot Consulting. Ok. That’s right. Are you familiar with the, the Tech Impact reports? The, the, the surveys that they do across different systems, you know, they, they agnostically survey and, and study different, different elements of, of lots of different, uh, program uh, applications that can be valuable too. Right. That Tech Impact, the survey.

[00:25:12.42] spk_2:
Absolutely. I think Tech Impact does a great job on that. And that’s one of the things that we, we often share around on our social media when, when it becomes available or new, new uh versions of that is posted. Uh I’m a big fan of their work. Um There’s just so much out there, like I said, and you really don’t, uh I don’t expect any of the nonprofits I work with to be knowledgeable about everything. That’s, that’s, that’s out there. So, so I really do like what Tech Impact puts out and it really gives you like a baseline of what are the different tools out there? What are the key, um you know, from, from a pricing perspective and, and all that. So, uh you know, strengths and weaknesses, pros and cons. So I think that’s like always a good place to start. Um And, and then, you know, sometimes when you need to get uh where it gets a little bit more complicated and is when you are like, so, so for example, if you are thinking about CRM or it’s, this is like a first step for you and you know, you want to move off of spreadsheets, you know, the Tech Impact, I might be all you need to, to kind of make a first decision. Um What gets more complicated oftentimes is if you’re switching from system A to system B uh and, and you want to kind of know how, what that migration might look like. That’s where the guide may not help you as much. And, and you might need to look at other resources that are, that are available.

[00:25:24.42] spk_0:
OK. OK. We say we leave it there, Rubin. Does that sound like we’ve hit this? Anything that we’ve omitted that you think is important?

[00:25:30.34] spk_2:
No, no, that, that sounds great. I think I enjoyed the, I enjoyed the conversation very much. Always appreciate the opportunity to speak with you, Tony, and uh have a chance to engage with the audience. So thank you so much for the time.

[00:25:40.60] spk_0:
My pleasure. Rubin Singh, CEO at One Tenth Consulting. Again, One Tenth dot consulting. And thanks so much for being with Tony Martignetti Nonprofit Radio coverage of 21 NTC.

[00:26:40.34] spk_1:
It’s time for a break. Keela. Increase donations and foster collaborative teamwork with Keela, the fundraiser’s CRM. Maximize your team’s productivity and spend more time building strong connections with donors through features that were built specifically for fundraisers. A fundraiser CRM goes beyond a data management platform. It’s designed with the unique needs of fundraisers in mind and aims to unify fundraising, communications and donor management tools into one single source of truth. Visit Keela dot co to sign up for a coming group demo and explore how to exceed your fundraising goals like never before. It’s time for Tony’s Take Two.

[00:29:42.12] spk_0:
Thank you, Kate. I just had 10 days of donor meetings. I was in New York City, met with lots of donors and potential donors to a client there. And it, it just reminds me how much I love doing the donor meetings. Just the face to face. Some are in people’s homes, some are over lunches or coffee. Not too many breakfasts and dinners, uh, in, in planned giving the, the older folks, eighties and nineties. They don’t really wanna get out early in the morning for breakfast and they don’t really want to have dinner out either, especially in the winter and in the summer, summer time, you know, longer nights you might get more dinners, but, uh, not, not so many this time of year, not any actually for me. So lunches and coffees and meeting in people’s homes. But it’s just, it’s, it’s such a pleasure, you know, getting to know folks listening to their stories about, uh, their, well, in most cases it was their husbands who have died, uh, their children, grandchildren. And of course, why they love the work of the nonprofit that I was representing while I was there. Uh It’s, you know, it’s, it’s moving. They’re, they’re just, they’re fun. The donor meetings are fun. You know, that’s the, that’s the beauty of fundraising is the meetings with the, with, with donors and potential donors. So thankfully, as a consultant, I don’t get bogged down in a lot of administration, there are not a lot of meetings, people want me to go to clients occasional but not so often. So I hope for you that you can or you have, you know, freed yourself from a lot of the administrative work that is not anywhere near as stimulating as the, the meetings, the face to face meetings with, with folks. I, I hope you can unburden yourself from administration and, and get to the heart of fundraising which around major giving or of course planned giving is meeting folks, meeting them and, and talking to them, getting to know their stories. I, I have a natural curiosity about people.
Uh So I find these meetings just delightful and, and fun and fun. So I hope you can enjoy that part of fundraising, whether you’re a full time fundraiser or maybe you’re a CEO perhaps you’re on a board. I urge you to uh embrace that really fun part of fundraising. That is Tony’s Take Two. Associate producer, Kate.

[00:29:44.92] spk_1:
Well, it sounds like you had a very fun week and I’m sure the people that you met up with were having fun as well, you know, getting out, doing something, not being stuck in the home. So, it’s very sweet to, you know, go grab a cup of coffee with the old people, you know.

[00:30:14.79] spk_0:
Well, it’s ok. Yeah. So it’s a little more, a little more than grab a cup of coffee with old people. But, uh, II, I got you. Yes, it, it is. Some of them do like getting out. Um And I, I believe they enjoy our meetings too. At least, at least that’s what they say. We’ll, we’ll leave it at that. That’s what they all say.

[00:30:27.30] spk_1:
We’ve got buku but loads more time here is what to ask before your new website.

[00:30:34.87] spk_0:
Welcome to tony-martignetti Nonprofit radio coverage of 21 NTC, the 2021 nonprofit technology conference. My guest now is Steven Tidmore. He is VP of Technology at Mighty Citizen. Steven. Welcome to Nonprofit

[00:30:50.83] spk_3:
radio. Thanks so much for having me.

[00:31:01.44] spk_0:
Pleasure, pleasure. Your session topic is eight questions to ask before you start a new website, correct? And you, you, um you describe yourself as a technical savant.

[00:31:07.75] spk_3:
I don’t know if I describe myself as that. But um oh,

[00:31:11.71] spk_0:
that was that. It’s in your bio. That’s

[00:31:13.83] spk_3:
not our, our marketing folks may. That’s the

[00:31:17.12] spk_0:
marketing marketing phrase. OK. All right. I won’t ask you to define the technical.

[00:31:24.46] spk_3:
I would just say I’ve been involved in technology websites for um a long time, probably about 20 a little, well, over 20 years now of, um, experience building websites and for various size organizations.

[00:31:34.38] spk_0:
Yeah, indeed. Uh, that, that same market marketing team written bio says you built your first one in 1999?

[00:31:41.49] spk_3:
That’s cool. What

[00:31:42.46] spk_0:
did, what did websites look like in 1999? What, what did, what did it mean to build a website in 1999 or, or 2000? Oh,

[00:32:41.81] spk_3:
that’s, that’s a good question, I guess in some ways it was a lot simpler. Um Depending on the type of website you were building small websites. You know, you didn’t have to worry about all the um extra learning that comes these days from trying to figure out if you’re gonna build a single page application or if you’re gonna use this JavaScript framework or that JavaScript framework or, you know, really complex hosting setups. Um So that was simpler, but to do more complex things at times were a bit harder. Um I started at Dell um back in 1999 and I remember I kind of got into the web world because they were transitioning to the Dell dot com to a new technology. Um Well, not a new technology but a new build process using XML. And so coding back then was writing this whole custom XML um code that they had come up with that then nightly would go through a big spider and spit out HTML and everything else. And so that was more complicated, I guess, in some ways then at least we have standards now and can do, uh, more dynamic things in a standards compliant way. Um, back then a lot of it was all custom

[00:32:58.63] spk_0:
was, that was, that was 1999 remind me, was that the, the, was that the years of, uh, dial up service where we hear that crackling

[00:33:23.49] spk_3:
it still existed? Um, but probably was a little more popular before that, you know, in the, in the late, in the, you know, a little bit earlier in the late nineties. Um but dial up still existed. I remember I still had dial up in 99 but a lot of people had already moved on to DSL or? That’s

[00:33:35.82] spk_0:
right. That was the follow on. Yes. Ok. Digital subscriber line, DSL? Oh, that’s interesting. Ok. So you got eight questions to ask before you start a new website. Um Are these, are these internal questions that you should be asking before you go to maybe an outside provider? Because our, our listeners are small and mid size shops. So the likelihood of them having a development team, you know, uh I is small. So, so let’s assume that you use outside help for this. Are these internal questions you’re asking or you’re asking of the provider outside

[00:35:10.63] spk_3:
too either or so. So the goal really of the, the eight questions presentation was to just to get people thinking about some of these questions that we ask typically on a web project. So we’ve been doing lots of projects, you know, for a long time. And so we’ve gotten better about identifying these questions. We need to ask upfront on the technical side to avoid some pitfalls that we’ve seen on a lot of projects over the years. Um And so these questions are questions that you may have to go to, you know, if you have an IT firm you work with or if you have uh you know, developers, either in house or partner, you know, partner agency like ourselves or other developers, you work with contract developers, you may have to talk to them about it. But some of the, the questions aren’t really that technical at all. Um Just, you know, a lot of the things that seem technical at first may be organizational questions around content. Um whether you’re gonna migrate content, who’s going to be in charge of publishing content. And um some of those could have a technical answer. But oftentimes we found that there may be organizational um processes in place that are causing some of the barriers more so than the technology itself. People tend to blame the CMS for, you know, it’s really hard to get content published on our website. And while the CMS could make that easier, most likely, um uh you know, turning to a new CMS immediately to solve that problem probably isn’t the first step. You need to figure out organizationally what you need to do in order to publish content and then find a CMS that fits, you know, that need as opposed to trying to fit your process into something that CMS is gonna force you into.

[00:35:39.77] spk_0:
I’ve had other guests say the exact same thing uh as recently as earlier today. Oh, really? You know, uh software is often blamed for uh lackluster readership, poor processes. You know, people not understanding what the, what the limitations of the software are. So they look for something else that’s gonna have similar limitations, but they, they think it’s gonna be, you know, the grass is always greener and it’s gonna solve all their problems. And uh so it sounds like your, your eight questions. Let’s get into your questions because it sounds like some of them are gonna probe whether software, whether a new website is really gonna solve the problems that you’ve

[00:36:31.59] spk_3:
got. Yeah, I think just uh before you jump into mosaic questions, we um technology certainly can play a part and, and is to blame for a lot of issues I think in organizations. But um the way the way we look at it is, we, we try to, you know, figure out your organizational goals, publishing goals, um you know, technology goals, all that kind of all that kind of thing first and then find a technology solution that meets that. Um As opposed to just choosing a technology and trying to force your entire organization to use it when it, you know, you could build, like you said, a new website on a new content management system and still have the exact same problems if you haven’t figured out what your goals are first for your organization and, and um your, your visitors and you know, your members or whatever else it is.

[00:36:58.22] spk_0:
So, should we get into our, our questions knowing we just have a couple of minutes to spend on each one? Where, where do you like to start?

[00:37:07.03] spk_3:
What’s, what’s our first? Uh The first question we had in the presentation was do we need to migrate content? And if so what content, why

[00:37:14.10] spk_0:
is this important to know

[00:39:03.22] spk_3:
upfront? Well, so uh I’ve seen this come up on a lot of projects is that people automatically assume oftentimes that all of their content is going to move 1 to 1 into a new website. They may say, OK, we want a new website, we want it to look different and perform different, but we want to just move all of our content over. So you don’t have to rewrite anything. Um And that often case that that doesn’t happen most of the time there may not be, you know, a 1 to 1 fit. So during our, we go through a fairly robust information architecture and discovery phase and we don’t want our information architects to be held back from architecting a page or an experience that um meets your goals simply because they know they have this content that has to fit into the new architecture. And so you may end up with um you know, an events calendar that has new content on it, that you have to go in and add, you may have to add categories or something like that. So we can do fancy filtering and JavaScript filtering um or um you know, the content may not need to exist anymore. Uh So there is, you know, we see cases a lot where the it does make sense to migrate content, particularly with content that’s already structured. Well, like press releases or blog posts, that kind of thing, usually we’ll have more or less a 1 to 1 fit. Um But there’s lots of content that maybe it’s just in one big WYSIWYG field, you know, which is what you see is what you get. I’m, I’m sure you’re familiar with that term, but it’s just basically like a word document or formatting inside a content management system. But now on a new site, there’s a bunch of structured content for a team page that has like your title and your um the department you work under and your phone number and your email address. And so you know, that content can’t migrate easily. 
So it’s something that we, we talked about way at the beginning and try to figure out does it even make sense to migrate content or do we really need to kind of take a fresh look and, and intercon, um, like

[00:39:05.23] spk_0:
this is like moving your home, you know, changing. Exactly. You need to bring everything with you, you know, maybe, maybe you don’t

[00:40:51.16] spk_3:
or you, yeah, you had three living rooms in your old house. So you have three sofas in your new house. You only have one. So, what, what do we do with those? You’re gonna try to shove them into the, the same one living room or are you gonna get rid of what’s next? Uh The next question is about hosting, just where will the site be hosted? Um So there’s some technical things you have to look at and our recommendation was if you don’t know the answer to questions about just some, you know, basic questions about your, your analytics hard drive space on your current web host RAM, CPU, bandwidth um that you need to talk to either your web host or your IT vendor or someone to figure out those questions. Um But the, the important thing with hosting is that you want to make sure you don’t take into account just your regular activity, you need to look for any traffic spikes. So maybe your organization once or twice a year puts out a controversial press release or something happens that just causes the traffic to jump up. Um You wanna choose a web host that’s robust enough to handle that traffic. But ideally, you don’t want to pay for all the resources to handle that traffic throughout the entire year. Um So, you know, you wanna look for something that’s scalable, ideally where the resources can scale up and the resources you can think about it, just like your computer, you know, you add more RAM or you add more hard drive space. You know, there’s, there’s web hosting setups where they can kind of automatically add those resources whenever the traffic increases and that’s a great solution. Um So you’re not paying for that all the time. Um And then just make sure you’re finding a, a host that supports the technology you’re working with um you know, some hosts specialize in one type of technology versus another. So don’t want to get stuck with a host that doesn’t know your technology. 
And then if you are working with a, a web um vendor, maybe someone who’s building your website, then you need to make sure you have um an agreement between that web vendor and your host about who’s supporting which pieces of the website in the web hosting environment. You don’t want to get into a situation where the site goes down and the web host says, talk to your website vendor and the website vendor says talk to the web host and everyone looks,

[00:41:10.16] spk_0:
yeah, the finger, the finger pointing.

[00:41:12.30] spk_3:
Yeah. So you wanna, you wanna work that out in advance. It’s very

[00:41:15.18] spk_0:
frustrating for the person

[00:41:17.11] spk_3:
in the middle, for sure. Yeah, it’s not their fault, you

[00:41:19.08] spk_0:
know, who’s lying and who’s telling the truth or both? Half. Right. You know. All right. Um What else?

[00:41:26.88] spk_3:
Um So the third question and I could do, I could go in deeper into hosting, but I’ll pro I’ll just, we’ll go to the rest. We don’t, we,

[00:41:34.99] spk_0:
we, we need, yeah, we only have a couple of minutes to spend on each one. So

[00:43:30.23] spk_3:
OK, the third question is how does content get published? Um And this is one kind of like what I was talking about earlier where you really first wanna consider your organizational goals and your existing procedures for publishing that content. First. Um One thing we recommend is just, just ask is your content up to date and relevant now and if it’s not, then why is it, is it really a limitation in the content management system or your technology or is it an organizational issue that is causing that? Um So that’s the first question and oftentimes it is an organizational issue or content governance issue. Um And then we recommend you think pretty strongly about an approval work flow built into your content management system. What I mean by that is you want to force people to um have to log into the CMS and then post content and then, but they can’t actually publish it that goes to someone else to approve it, maybe it goes to someone else after that to approve it and then it gets published. Do you want to build that process into your CMS or do you want to leave that outside of the CMS? We have um built sites before where it was a requirement to have an approval work flow built in the CMS. But then, you know, we find out halfway through the project that the person who’s actually going to approve the content doesn’t want to do it in the CMS, they want someone to email them and they want uh they don’t want to have to log in and manage that. So, you know, you don’t want to get stuck paying for something or building in something that you don’t need. Um as well as oftentimes, you know, non profit organizations and a lot of organizations, other organizations may have time sensitive content that, that needs to get out there. 
And if you have a forced approval work flow and one person is the bottleneck and you have to post this content immediately and that person is out of the office, then that can cause issues where you’ve kind of roped yourself into not being able to, to uh publish timely content. And so those are just considerations that we start talking about at the beginning of a project. OK. Um We also talk about along with content. Um you know, you want to talk about the few at the beginning, if you’re ever gonna need Multilingual content in the future because you don’t want to get stuck with a platform that makes that hard. Um So is your, is your website going to need to be translated into multiple languages? And if so choose a platform now that makes that uh pretty similar. Uh I mean, sorry, pretty simple.

[00:43:53.99] spk_0:
Move us, move us to number four, get us halfway home.

[00:45:11.94] spk_3:
What third party systems you need to integrate with. And so this is a big technical question. Um Your website is most likely not an island. It is a um part of an ecosystem that involves lots of other third party tools. Um And this, these can be things like, you know, an event management system, a membership management system, a donor management system, a um mailing list, you know, product, um whatever that is, there’s tons and all those have to be taken into account. And um the first step really is just to sit down and make a list of every third party system or tool that is going to interact with your website. Um And you know, just think about how you handle lead forms and tracking code and social feeds and newsletter, sign ups and events and payments and all that kind of thing and just make a list. And then after you have that list, look at each of those and think about what type of integration do you need. And again, this may need a little bit of technical help um from either someone outside or someone on your team. But there’s, you know, sometimes people think it’s gonna be a complex integration where oh, we have to integrate this third party donor management system with our website. But really all you need is a link or you need some piece of embed code that they give you, you know, for a donation form and you just block that embed code on. That’s a pretty simple integration and then it can start to get more and more complex. Where do you actually need to send data back and forth through PD systems? Do you need to hire a developer to, you know, program, how that’s gonna happen? Does your event system need to send data into your website? So you can publish that in a different way? Um So third party systems are a big part of our technology discoveries we do now, they

[00:45:41.61] spk_0:
are right. There’s a lot, I mean, all the things you ticked off finance and events and uh uh yeah, petitions and things. All right. All

[00:46:40.59] spk_3:
right. Yeah, it can be a big list. What’s next? And then the fifth question is related is if you do have third party systems, um do any of those have websites that your visitors are going to interact with that need to be skinned and by skinned? Um What I mean is that, you know, you can often customize a third party site with design elements like logos or colors or graphics um to make them match your brand and, and we call that process skinning. And so you want to think about all the third party websites that exist that someone, you know your visitors, your website, visitors are going to need to interact with. And if they can interact with those, you want to see can you skin that to make it match your, either your new or current website? Um And if so great, uh you wanna, you wanna try to do that? Um But you want to figure out what the limits are. Some third party sites may just allow you to change the color. Some may allow you just to add a logo. Some may give you full control over fonts and um you know, a bunch of a bunch of styles. Um And if you can do that, then you need to figure out the responsibility. Uh Is that something that third party provider is gonna handle? Is that something you have to handle? And when does that need to happen in your project process? So we start talking about talking about that at the beginning because you don’t want to get to the end of a project and realize, oh, there’s this major third party website and now it doesn’t look anything like our new website, we’re gonna hold up launch so we can take the time to, to make that match.

[00:47:07.31] spk_0:
Um we’re five eighths of the way through and before we get to, uh, three quarters, uh, I wanna ask you about your six year journey around the world.

[00:47:16.23] spk_3:
Yeah. What

[00:47:17.22] spk_0:
was that? You told me? You bought a one way ticket to somewhere? Was it Portugal? Spain?

[00:47:21.80] spk_3:
Uh It was Spain. Yes. All right.

[00:47:28.00] spk_0:
And so how, how does, uh, how does a technologist benefit from seeing other countries for

[00:49:24.51] spk_3:
six years? That’s a great question, I think. Um, so I spent my last semester in college on this program called semester at sea where I had the amazing opportunity of traveling around on a big ship around the world. And um after that immediately, I started working at Dell here in Austin, Texas um on Round Rock technically, but Austin and um ended up working there for three years and um really got a lot out of experience, but I was kind of craving that, that travel. Uh Again, I got the travel bug and um I was young and didn’t have a whole lot of, you know, responsibility and things tying me here. So I bought a one way ticket to Spain and quit my job and had saved up just a little bit of money. And um that led to six years of kind of working my way around the world and various jobs, um lived in Spain for a while. Um lived in the British Virgin Islands, lived in Belize and Nicaragua worked on some native American reservations up in, up in Montana. Um and, uh, you know, bounced around Costa Rica a bunch and had an amazing time. I think, you know, the thing that it gave me, if, if we’re kind of applying it to technology and, um, more of a traditional working world, I think it’s just perspective um on, you know, how technology fits into the, the broader world. Um, there, I think it’s really easy to get stuck or hung up on. Um something that maybe, you know, maybe isn’t super important in the grand scheme of things that maybe seems really important for a week or a day or two. And so I think I have a little bit better perspective on just um the world as a whole and the importance of tasks that we um end up working on. Um And I think uh just the opportunity to live in other cultures. Um I’d recommend it for anyone because it does give, uh well, it gave me, I’ll say, um just insight into how other people live and what’s important to them. And, um you know, I think I, I got a small taste of that. 
I wouldn’t claim at all, but I’m an expert in all those cultures that I lived in by any means. Um But just a small taste of how people around the world are, are different and um ultimately how they’re all similar and have the same needs.

[00:49:50.92] spk_0:
Thanks perspective and it’s a big world out there.

[00:49:53.87] spk_3:
It is a big world.

[00:49:55.16] spk_0:
We’re not the center of the universe. I like to say that I am the center of the universe personally. But, but our nation is not the center of the universe, the

[00:50:01.56] spk_3:
universe.

[00:50:14.36] spk_0:
I could say it that way. Well, no, but I like to say the universe, I get carried away with some narcissism. Um, let’s, we just have a couple of minutes left. So let’s um, but do me a favor, le let’s do it this way. Just read off. Uh just uh questions 67 and eight and then we’ll come back, go into a little more

[00:50:38.53] spk_3:
detail, but we can do it pretty quick. So I think question six is, um, are you going to need single sign on question seven is how are you going to handle site, search? So, searching inside your website and then question eight is what standards are you required to follow? Um So I can hit this pretty quickly. The single sign on question is just basically, yeah. Yeah, we do. We have time to do this. Why,

[00:50:46.77] spk_0:
why do we need to know this in advance?

[00:52:40.96] spk_3:
Yeah. So the single sign on question is, is a big one. So do you have, um do you already have a system that holds records for, you know, members or visitors or whatever they are that people currently sign into in order to manage their account or do something else? And if So do people also need to sign in to your, your either current website or new, new website in order to do to do something. Um Most of the time that will be something like gated content where content on your site is only available to members. Um And so if you have that, you have to have those member accounts that allow you to access that content. And if so you need to know where those member accounts are stored. And so single sign on basically is a configuration that can allow someone to sign on to multiple different websites or web applications without having to have different accounts for all of them. Um And there’s some standard technologies that you can use that make that fairly easy. But um you just, you just need to start by asking if you need it. And if so do those member accounts exist anywhere now that you can hook into um to, to allow your website to um let people sign in to them using the same accounts. OK. Site search could do, we could talk for a long time about site search. But um you know, the the search on your website is super important. Um And you want to start by asking, you know, where does the data live? Is it in multiple systems? Do you need the site search engine to pull data from a third party site as well as from your website? Do you need a a search engine that’s going to search through the content of files like PDF files. Um Do you need to have a search engine that indexes content that’s only available to logged in users or members? Um And if so, you know, you want to start thinking about search solutions, there’s a lot of great third party search solutions out there. 
Um That can do a lot of advanced things while at the same time giving non technical users the ability to configure the search. You know, if someone types in a certain search term, these a lot of these third party solutions have a a dashboard where non technical people can say, OK, with this search term, I want this result to appear at the top no matter what. And then the rest of them are ranked by uh relevance. Um Some of the third party search solutions we’ve used that are great. Um Funnelback Pluto a search and Swiftype are just a few I’d recommend looking into. Um They do have a cost but they offer a fantastic solution.

[00:53:02.92] spk_0:
All right. So search is important. And then our last question

[00:55:03.44] spk_3:
standards, what standards are you required to follow? Um This is something you just want to find out upfront. You may not have specific standards in your organization, especially if you’re a smaller nonprofit. Um But you want to find out things like what browsers does your website need to be compatible with. You’ll have to look at historical data to see, you know, are people still coming to your website using old browsers like Internet Explorer 11 or can you ditch that and, and move on to more modern coding standards? Do you have any specific security requirements or policies in place? You know, maybe you, you do work with federal government and you have to, um, to adhere to their security standards. You want to know that upfront and then privacy laws are, are pretty big. Um now as they should be. Um things like HIPAA which is the um Health Insurance Portability and Accountability Act or GDPR, which applies to um EU citizens. Maybe you do some business with EU citizens or the newer one here in the States is called the CCPA, the California Consumer Privacy Act. I’m not a lawyer. I won’t get into the details of all of those. Um But you know, you want to find out upfront if you need to um do anything different on your website to meet those standards. And then you want to think about accessibility from the get go. So what accessibility standards do you need to follow? Um most likely um you need to follow WCAG AA. And what that means is um basically, if you’re not familiar uh which I’m sure you probably are, but basic accessibility is making websites, tools and technologies that um people with disabilities can use so anyone can use them regardless of their disability. And WCAG is a set of very accepted guidelines um that define how you can make technology accessible. Um more or less at a high level. And there’s a, a level in there called WCAG AA that the federal government points to now and most other organizations point to. 
And so you want to be thinking about that from the beginning of your project because if you wait till the end to just run an automated scan, um It’s gonna take a lot to get your website um to be uh compatible with those guidelines. If you’re not thinking about it from the beginning,

[00:55:07.78] spk_0:
we have at least one session from NTC on accessibility.

[00:55:12.24] spk_3:
Yeah. Yeah, there were a number of them, which is great. I mean, the guidelines. Yeah. Yeah. Um And you cannot, you cannot say that your website meets WCAG AA standards just by running an automated scan. It’s impossible. It, it won’t, it’s impossible for it to check all the guidelines. And so it, it requires manual testing. So you want to plan for that?

[00:55:29.88] spk_0:
All right, we’re gonna leave it there. Great. All right, Steven. Thank you very much, Steve Steven Tidmore, Vice President of Technology at Mighty Citizen. Thank you, Steven.

[00:55:39.93] spk_3:
Thanks for your time. I appreciate

[00:55:41.04] spk_0:
it. All right, my pleasure. Thank you for being with nonprofit radio coverage of 21 NTC.

[00:55:52.68] spk_1:
Next week, tony is working on

[00:55:54.53] spk_0:
it. That’s true. I am. I swear

[00:55:59.13] spk_1:
if you missed any part of this week’s show,

[00:56:02.18] spk_0:
I beseech you to find it at tony-martignetti dot com

[00:56:41.86] spk_1:
or sponsored by donor box outdated donation forms blocking your supporters, generosity. This giving season donor box, the fast flexible and friendly fundraising platform for nonprofits donor box dot org and buy Kila grow revenue, engage donors and increase efficiency with Kila. The fundraisers CRM visit Kila dot co to join the thousands of fundraisers using Kila to exceed their goals. Our creative producer is Claire Meyerhoff. I’m your associate producer, Kate martignetti. The show’s social media is by Susan Chavez. Mark Silverman is our web guy and this music is by Scott Stein.

[00:57:09.71] spk_0:
Thank you for that affirmation. Scotty be with us next week for nonprofit radio. Big nonprofit ideas for the other 95% go out and be great.

Nonprofit Radio for March 13, 2023: Beat Back Cyberattack

 

Michael Enos: Beat Back Cyberattack

Cyberattacks against nonprofits are on the rise. While you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors, and your employees. Michael Enos from TechSoup helps us out.

 

 


Transcript for 631_tony_martignetti_nonprofit_radio_20230313.mp3

Processed on: 2023-03-11T01:00:20.020Z

[00:01:26.42] spk_0:
And welcome to Tony-Martignetti non profit radio big, non profit ideas for the other 95%. I’m your Aptly named host of your favorite hebdomadal podcast. Oh, I’m glad you’re with me. I’d suffer the embarrassment of aphonia if I had to speak the words you missed this week’s show, beat back, cyber attack, cyberattacks against non profits are on the rise while you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors and your employees, Michael Enos from Techsoup Global helps us out on Tony’s Take Two, get in people’s faces again. It’s a pleasure to welcome Michael Enos to non profit radio He is senior director of community and platform for Techsoup Global. He began his professional career in technology in 1996 and has since led team, tech teams at the national and individual office levels in increasing responsibilities on Mastodon. He’s at Michael underscore Enos at public good dot social and tech soup is where you’d expect them to be at techsoup dot org. Michael, welcome to non profit radio

[00:01:42.03] spk_1:
It’s great to be here. Tony Thank you for having me.

[00:01:46.69] spk_0:
My pleasure. My pleasure. Let’s please explain the work of TechSoup. I think it’s so valuable, so many billions of dollars of software and hardware transferred to nonprofits. Make sure, let’s make sure everybody knows what TechSoup is doing.

[00:02:52.57] spk_1:
you know? Absolutely. I mean, essentially our, our mission is to help civil society, organizations worldwide um better leverage technology to create impact in the missions um that they serve and to build communities. Um You know, that, that then can then foster that, that, that, that impact globally. Um We do that through a number of different ways. We do that by facilitating philanthropy from large tech donors. Um And you know, most of which are the ones that are just, you know, household names. Um We also do it through uh courses, services, consultations, um and through connecting organizations with each other and through also through engagements like this where we try to really uh to blogs, webinars and other facets where we help organizations understand how they could use tech um and protect their tech to uh enable uh and further have impact for their, their communities. They serve,

[00:03:17.12] spk_0:
I saw on TechSoup’s website today, Microsoft Office or Microsoft 365 for a dollar. So

[00:03:18.55] spk_1:
that’s an example, right? And if you were to go to uh you know, Microsoft for nonprofits or Google for nonprofits, for example, um you know, the data validation platform that validates organizations worldwide is managed by TechSoup. So, ultimately, we, we, we do many things but we’re also sort of a, I guess, data leading partner for, for a lot of these organizations that want to understand and make sure that their philanthropy is going into the right hands.

[00:03:48.25] spk_0:
You have, you have local uh connect groups to techsoup, connects groups.

[00:03:54.10] spk_1:
That’s great. That’s right.

[00:03:56.21] spk_0:
Yeah. You know, I know, I know you’re, well, you’re director of community and platform. So is that, is that part of your work

[00:04:42.76] spk_1:
director? I mean, you know, you know, I support that, that organization that we um we have, we have lots of different um areas and, you know, and, and in my role, I support them all um platform is a lot of the, you know, I oversee our enterprise, infrastructure and security as one of my fundamental sort of roles. I mean, obviously with the, with their expansive amount of technology that we have, that runs our platforms that, that consumes a lot of my time, but also the community side because of my background working in the tech for good space, you know, since, you know, for the length of my vocation, um you know, I have, I’ve accessed as a resource for a lot of other groups, including the connect group for when they need, you know, to understand, you know, how to, you know, for, for things like this and for, for other things um to help our communities um better leverage to the tech that they use. I mean, it’s one thing to, to uh provide the technology. It’s another thing to actually help people, you know, provide them the enablement to be able to use it and optimize it.

[00:05:08.91] spk_0:
Are there local meetups? Are the groups going back

[00:05:50.06] spk_1:
to? Exactly. There are, there, there are, you know, communities within the regional and our, and that’s part of our connect program. Um And eli, the guy who runs that and, and the group that runs that are very, very energetic and it’s very community driven, which, which is fantastic and we’re sort of an enabler and facilitator in that work, which is wonderful. And that stems from the early days of us being part of the early groups that were involved with the, you know, tech for good space way back when technology was first getting launched, you know, and the internet was first launching different

[00:05:51.33] spk_0:
types of work. I mean, you know, NTEN doesn’t do consulting, which I wanted to ask you about very shortly. But, you know, they don’t do tech grants necessarily, but all, all very parallel with, with NTEN.

[00:06:26.73] spk_1:
Yeah. Correct. And, and we, we have a close partner to NTEN and, and we attend the events and such and we’ve long been sort of affiliated with that demand and other and other groups like, like NTEN. Um and we have partnerships that sort of expand throughout the different communities. Um And, and we try to be involved globally as well. You know, so there’s this sort of, you know, there’s the US side of it, but then there’s also the everything that we’re doing outside of the US and abroad because, you know, it’s um civil society is international and so, and TechSoup is really involved with, with things not just within our own borders but, but outside of them um globally.

[00:06:50.58] spk_0:
Are you going to 23NTC, the conference?

[00:06:51.42] spk_1:
Um myself. No, I’m not the, I know we have some, some other representatives that are there. I’ve been to many of those uh this year. I’m not specifically going, but we will have some representative from TechSoup there. I’m

[00:07:03.64] spk_0:
sure. Yeah. And Nonprofit Radio will be there as well. We’ll be on the exhibit floor.

[00:07:07.67] spk_1:
Excellent. That’s fantastic. Yeah. Yeah. Well, I’m sorry, I’m not going to be there to be in person to meet

[00:07:12.61] spk_0:
you. That’s all right. There. There are others every, every spring and

[00:07:17.31] spk_1:
virtually, by the way,

[00:07:18.97] spk_0:
that’s true. There is hybrid this year. That’s right. Um And, and TechSoup is also consultants to, consultants to nonprofits. Let’s make sure folks understand that too.

[00:08:46.84] spk_1:
Yeah, I mean, we, we provide, essentially, we help organizations connect with other organizations that then provide consultant services. We do some ourselves, but it’s very specific to some of the um because we, we provide a lot of, you know, what we’re doing to, to skills, so to speak. What we, what we have is we’ve partnered with other organizations through our platforms to, to align organizations depending on exactly what type of consultation they need to an appropriate sort of resource for them. Um And that’s more uh our, our model in terms of we’re sort of a connector. So for example, if somebody needs, you know, specific sort of technology assessment uh for implementing uh Microsoft, we may do some, but then if it’s more advanced, we may work for them to, to Tech Impact or an organization that we partner with and then they provide that as a service to that organization. So, and we have other partners like that, who provide those similar sorts of services that are more hands on and direct than what TechSoup can provide at this moment. And we may may expand that more and do some of that um more, more stuff ourselves and, and we are developing that and some of our customers success programs. Um and we do run a lot of sort of in the office programs where people could have webinars. And I’ve spoken in a few of those where we do an in-depth dive of a particular technology so that organizations can learn how to use them.

[00:09:00.19] spk_0:
I’ve always considered the big three to be TechSoup, NTEN and Tech Impact in terms of technology for nonprofits and, and all three of those of course, are nonprofits themselves. Right.

[00:09:12.87] spk_1:
Exactly. Yeah. All right,

[00:09:15.44] spk_0:
let’s talk about cyber attacks. Uh They are on the rise against nonprofits. What, what, what are you, what are you seeing? We’re going to get into the details, of course, but overall general, you know, kick us off. What are you seeing on this front?

[00:11:31.28] spk_1:
What, what we’re seeing is a lot more, um, targeted attacks, which, which is, which is unique because there’s, you know, speaking broadly about cyber activity, you know, there’s a lot of noise on the internet. There’s, you know, just all these robotic sort of in these bots that are flying around trying to find targets, right? And they’re sort of just, you know, you know, I guess, you know, they’re, they’re doing drive by sort of evaluations to see of anything, you know, just to see if there’s anything that they could get a finger in or, you know, just to explore and see if there’s sort of a, you know, something that they could find in there. What we’re seeing now is more targeted attacks, meaning there’s a specific purpose to it. Like somebody’s like, well, you know what we think that, you know, this is a, you know, a specific type of organization, they’re involved with a particular type of activity and we’re interested in knowing who’s donating to that activity and whether or not we could possibly have access to that information because that might be valuable or perhaps to the constituents that they’re serving because maybe that information is valuable as well, maybe for either financial reasons or, or, or or political reasons. And so we’re seeing a little bit more of that or, or perhaps because we really want to cause disruption in critical infrastructure. And one thing that um this is sort of a broader trend in cyber security around targets towards critical infrastructure and myself and and others in this space believe that civil society, organization data is part of critical infrastructure and critical infrastructure. So I mean, people are targeting things like, you know, we’ve we’ve heard about the target on power grids and uh gas pipelines and such. 
And you know, if you think about data that’s relative to communities that are specifically vulnerable in certain context or, or have access to information about others, then that’s critical infrastructure because we need these organizations to function in society. And so, you know, there could be other actors who say we want to disrupt that particular critical infrastructure for some reason and that reason could be varied just like it is for why people would disrupt any sort of critical infrastructure.

[00:12:55.08] spk_0:
I have an example that is pretty close to home. I I I own two homes in North Carolina. One of them was affected by that shooting at uh at the electrical substation in that was, that was in Moore County, North Carolina. Um And there’s a, there’s a possible correlation that, that that attack was to prevent a drag queen show from going on in the little town of Southern Pines, North Carolina, which is served by that substation that got shot at. Um So, I mean, it sounds like you’re saying, it’s not that far a leap like, you know, one cadre of bad actors uses guns. Another cadre of miscreants could be hackers that are looking for data at that maybe at that theater or, uh you know, among a nonprofit that may have been involved with

[00:13:45.30] spk_1:
maybe maybe the intent at the attendance list or the people who are donating to that event. And so, you know, this is the type of data and like I said, there’s, there’s different reasons why somebody might be targeting certain data. But this, these are the, this is, you know, this is like bingo on the nose, this is the kind of stuff that, that we’re seeing more and more and we’re very concerned about and why we’re really, TechSoup is really sort of launching this um effort to help educate organizations on how to improve uh and understand what cyber security means in this space and how to prioritize it, but also how to um sort of get through the sort of complexity of it and, and, and find simple ways to knock off low hanging fruit to make it sort of actually, you know, doable for them with given their budgets and given their constraints that we a lot of smaller organizations in the, in the space you know, have, generally.

[00:14:39.67] spk_0:
it feels like in our polarized culture that there isn’t a nonprofit mission category that would be exempt from, from possible attack. I mean, you know, even feeding, feeding the hungry, you know, I could conceive of that being objectionable to some group of people that feels like why do those folks get food and, and I don’t get food or why are they entitled? And I’m not, or, you know, something that seems innocuous and purely beneficial. I, I can imagine, uh, another cadre of bad actors deciding that it’s, it’s, it’s worthless or worth worse than worthless. It’s detrimental to our culture for some reason and wanting to attack it. It doesn’t, it doesn’t feel like any particular mission would be more vulnerable or less than, than any other.

[00:15:59.15] spk_1:
Um, you’re correct. And one of the other things that is, has changed in, in this, in this sort of, you know, over time that I’ve seen is the availability of the tools to be able to perform exploits. Before, you would actually have to be, you know, pretty well versed in hacking to be able to do any harm. Right now, it’s, you can, you can buy the service. I mean, you could just go to the market on the dark web and just say, hey, you know, I want to buy this, you know, uh, this hacking kit, you know, and, and, and, and there’s YouTube tutorials on how to do it. I mean, it’s becoming, and, and these are, the tools are free and readily available. So what we’re seeing more of is not only just this trend of people wanting to and, you know, and maybe that hasn’t changed, it’s just that it’s more accessible, right? But, you know, people wanting to, you know, target communities and, and, and, and also try to find valuable data within these communities, but also their ability to do so, it’s become easier and there, you know, and, and so you combine those things together and that’s why we’re seeing the trends we’re seeing. That’s one of the reasons

[00:16:21.11] spk_0:
you no longer have to be a sophisticated computer user. It doesn’t take a lot of study, you’re saying these things are available for cost or free to cause harm. All

[00:16:29.81] spk_1:
right.

[00:16:39.80] spk_0:
Alright. So how do we, how do we break this down for folks in small and mid sized nonprofits, you know, that, that they can sort of prioritize? I mean, is it as simple as let’s start having universal two factor authentication for everybody on your teams or maybe that’s passe maybe, maybe we’re past that now. I don’t know, how should

[00:19:30.66] spk_1:
we, you know, you, you make a good point. So for example, like the first thing I think people should do is, you know, or, or what you know, uh would be recommended and to think about it is to do the basics. Okay. What things like what you mentioned is like like multifactor authentication, um you know, anti malware on their clients, keeping things up to date and, and making sure you have backups of your data, these are sort of the basics, right? And so apart from the basics, though, you know, the next step above that is to then start looking at what we call privileged access management or role based security, not everybody needs to have access to everything, right? So, so, so let’s say, for example, a system was compromised with somebody’s permissions or credentials, depending on what they have access to, they could only do so much. And so there’s a, there’s a, there’s an important concept in cybersecurity that we call the privilege, the principle of least privilege. So, and that sort of dictates that a person really only needs access to the information that they need to do the role that they’re trained to do in their specific function. So if, if, if somebody is, you know, in IT, somebody who’s familiar with IT systems, uh they understand sort of the complexity involved and they may have access to privileged systems where they can perform things and have access to that sensitive data, but not the entire organization, right? And so we call that privileged access management. And sometimes, especially with today’s as we’ve moved into the cloud more when things get fired up and somebody spins up an app in the cloud, the cloud as well, generally have some basic role based permissions like the admin, you know, maybe a super user and then maybe some groups and then, and then just the regular users, right? You don’t want to give everybody admin rights. 
And so because then if somebody, if that just, that just provides more exposure and so these are small things that don’t take a lot of time or effort really to just sort of that, that’s a little bit beyond the basics though because um you know, and you know, for, you know, TechSoup, for example, provides, you know, Office 365 or, or Google Workspace for, for organizations. And once we, they provision, the next step is to really go in there and sort of harden them a little bit and lock them down and to go through those steps and understand what that looks like. So that um as people start doing things like maybe downloading spreadsheets that contain donor data or customer data that it’s not, somebody can’t accidentally just share that with somebody, you know, outside the organization or, or that becomes available on the general public internet.

[00:20:02.06] spk_0:
So how do we execute some of these things that are, that are more advanced, you know, beyond the backing up, the multi factor authentication. Alright. So if you move into privileged access management, we need a, we, we either have a CTO, which most listeners probably don’t, or we need some outside help.

[00:21:13.19] spk_1:
No, actually, I think that a lot of these, you know, cloud based applications will provide guidance. The good news is is that they have an interest in protecting and wanting you as a, as a customer as well as, you know, the fact that it’s a shared data model. And so the the better that they do in terms of providing information about how this works, the better, you know, the, the the, you know, the people who use that product is going to benefit from it. And so generally in these, you know, you know, and these things aren’t if you have somebody who is at least responsible for the deployment of the technology and they don’t have to be an advanced, you know, computer scientists to do the work of the cloud app then. But somebody should be sort of designated within the organization to ensure some of the basics about the way data is handled. And, you know, getting to one of the export points, I wanted to bring up one of the most important things to understand for an organization is what data do they have? Where does it live and what is the value of it? And what is the value of Michael before we, before

[00:21:22.02] spk_0:
before we move to what, what’s our data inventory? I want to emphasize this, I wanna emphasize the value of being in the cloud. So there is there is value to using uh CRM databases that are cloud based versus server based at, in your office anymore.

[00:22:47.49] spk_1:
Correct. And for so many reasons and, you know, uh, and, and moving to that topic because a lot of the ways that systems are oftentimes breached is because what things we mentioned earlier, such as they’re not patched, there’s, um, not, not very good perimeter security on them. These things are taken care of for you, um, and they’re not backed up regularly. Um, those things, these things are taken care of for you in a SaaS application. Um If it’s, if it’s a robust SaaS application, like the kind that TechSoup provides. And so when we, when we go to, you know, vet an offer that’s going to be in our marketplace, we we, we go through the list to ensure that this is gonna be a product that will serve the pole, the test of time and actually will, will be robust in, in the requirements necessary for our organization to protect their data. And so, and, and so that leads to, you know, also that making it more but maybe a little bit easier for organizations to then lock down their cybersecurity because they don’t have to have experts come into their closet or their data center and, and do this configuration and do all these updates that are very technical on their firewalls and all the hardware and everything all the time in their own infrastructure, it can be managed within the cloud by people who are not necessarily have that sort of, you know, the Cisco CCNA sort of certification. Alright,

[00:23:07.85] spk_0:
thank you. I just, I wanted to drill down absolutely. Very

[00:23:11.75] spk_1:
good point.

[00:23:15.98] spk_0:
The value of, from a security perspective, the value of the cloud. Alright, so let’s go to what you were, you were headed to, what your data inventory, what what do you have? What what do we need to be? What do you want us to think about there?

[00:23:32.71] spk_1:
Yeah, so, no, data is not, all data is not created equal, so to speak, right? So we have, we have data that it’s just things like, you know, my notes when I’m, you know, talking in a meeting or something like that. Okay. There’s nothing valuable with that. It’s, you know, generally not containing anything that’s sensitive. It’s sort of my notes from a meeting. Okay. Now, if that is something that, you know, maybe I don’t want to share, but it’s not something that, you know, if a hacker were to look at that, so, I can’t sell this and it doesn’t contain anything that’s gonna, I can do any harm with. Right.

[00:24:09.30] spk_0:
Well, it might depend, it might depend who’s leading the meeting. You might have different, you might have different sets of notes depending on who’s leading your meeting. You know, you might be commenting on the commenting on their uh I don’t know their, their capacity. I mean, not to suggest

[00:24:16.36] spk_1:
that people

[00:24:30.71] spk_0:
know, I’m actually, I’m actually having fun with you like, if somebody at tech soup was not a very good, not a very good speaker or supervisor, you know, then those notes you might not want in the public domain. But if the person is carrying their weight and they’re generally a good, good employee, you know, you have a brighter set of notes that you wouldn’t feel bad about getting exposed. That was my, my point. I guess I wasn’t, I wasn’t coming, I was coming across so dry. It was, it was desert, it was desert dry.

[00:27:18.46] spk_1:
No, I’m glad you brought into it. The, the, yeah, the types of data that you know, we think about when we think about the difference between data privacy and data protection, to me, they’re very linked, right? So we, we have a responsibility to protect people’s data and the privacy of their data, but also to protect the security of that data. And so, you know, fundamentally speaking, generally in organizations in the sector, there’s gonna be some, you know, information that’s sensitive or may have some value and if we identify that and identify where that lives and then focus our energy on securing that, making sure that that data is backed up. Um and, and testing access to it, that’s, that’s, you know, if you have limited resources, that’s the place to really focus your attention. And then the other stuff is great. I mean, and use using robust tools like we provide um in our marketplace such as Box for document repositories or even SharePoint, those can all be really configured for. So any type of data, like even my notes from, you know that, you know, or my supervisor notes about me or your notes about me can be secured, you know, um you know, in a very robust way or shared. And one of the things we’re seeing, for example, especially the document collaboration software, it’s very easy to share things. They make it very easy to share with anybody, right? Just click and it always says like share with anybody with link, you know, you know, and so if you, if it’s something like, oh, you know, um uh oh somebody just sent me, you know, or they told me to put in my, you know, take a picture of my passport or something and, and stick it in here, right? And, and I, and the somebody has in the human resources once said, oh, I’m just gonna share this link and make it copied everybody. 
Now everybody has access to your past potential, everybody has access to your passport photo and ID. So, you know, these are the things that we just have to sort of like start thinking twice, which brings me up to my next point. Um Security awareness within organizations, cybersecurity awareness, I cannot stress enough how important it is for organizations to have a cyber security awareness program within the organization. This, these programs don’t cost a lot of money. They don’t take a lot of time and they go a long ways to prevent, uh, an internal mistake that could lead to something. 80% of cyber attacks happen from the inside.

[00:27:27.33] spk_0:
What does this cyber security awareness program look like?

[00:28:34.34] spk_1:
So essentially, so for example, um they’re usually conducted on point of like orientation for an employee that comes into an organization and they go through a video, you know, provided by a platform like KnowBe4 which is in our marketplace. And, and what they do is they sort of go through this, this methodical sort of, you know, course to teach somebody about phishing, about sensitive data, about ways that people try to get access to information, either through cell phone phishing, through text phishing, through um email phishing or through other means to or even on Slack to say, to try to fool you into providing some information um that they, that they can use. A huge trend in this arena is what we call impersonation phishing. It’s a specifically targeted phishing email that looks like it’s coming from somebody within your organization such as your CEO, your CFO or uh the human resources director asking you to provide or update your banking information. And it’s very carefully crafted, crafted, it looks just like that and you really have to do a lot of due diligence to really go through there and say, oh, did this really come from our CEO having

[00:29:03.26] spk_0:
Haven’t there been cases where like a spoof email like this says, you know, wire $50,000 to this vendor account. You know, we’re, the payment is overdue. We need to wire this payment ASAP. And of course, it goes to the bad actor’s account. Isn’t there stuff like that? It looks like it’s like the treasurer saying, send a wire or the CEO saying, send, make a payment.

[00:29:40.35] spk_1:
That’s right. Exactly. And, and, and we’ve, um, and if you have an organization and people haven’t been trained to recognize that, you know, if somebody’s asking you for something and it’s something of value, double check it, you know, and, and to contact that individual in a different channel and say, did you really need me to send $50,000 in this wire transfer? I just want to check is this actually came from you? There’s other ways that they teach you in these orientation platforms or in these um security awareness platforms to check the email headers and, and the simple things, but essentially that’s the gist of it. And that’s why security awareness training is so important. So, so people are on their toes when they’re actually doing their work,

[00:30:03.43] spk_0:
do you recommend then ongoing training? You talked about orientation,

[00:30:51.51] spk_1:
there’s, there’s an orientation training and then, you know, most organizations will have it mandatory that they do an annual training and, and this just as a refresher course and also things change. So, you know, the space changes. Sometimes people are doing it now because of the trends more often like every six months. And then specifically for people who are in jobs where they’re doing data handling for, let’s say they’re doing data processing, they work in the donor uh services program or something where they’re managing sensitive data all day long. There’ll be specialized courses for people who are, are actually dealing with data on a day to day basis. So that’s a little bit more involved in terms of actually how to understand and, and that goes into things like, don’t download, you know, a CSV file on your computer and stick it onto a, you know, um, a thumb drive on your computer or transport it or, you know, don’t, you know, send out, you know, via email to, to a coworker and, and these sorts of things that are specific to handling sensitive data.

[00:31:04.59] spk_0:
Okay. Interesting. Yeah. So even, even just emailing internally from employee to employee can be risky,

[00:31:37.20] spk_1:
Yes, it can be stiff. It’s, and, and there’s because, for example, if, because that’s actually it’s going to stay within that email store wherever that is located. And it’s, um, if it’s unencrypted, it’s gonna be, it’s gonna be encrypted during transit, for example. Um, and, and encrypted at rest. But if somebody else had access to that access to your email server or a privileged access in your system, they could potentially go in and, you know, take over that account, log in as the CEO and have access to the deed and actually browse emails for, you know, and actually do queries and look for credit card information or, or look for email addresses and then they could potentially find information about donors or, or, or, or constituents that’s sensitive.

[00:35:08.08] spk_0:
It’s time for Tony’s Take Two. It’s time to get back in people’s faces again. Last month, I did an in-person, live, face-to-face, in-person training on Long Island. I was in New York City for several days. What a joy. What a pleasure. What a difference, an improvement, you know, over virtual trainings. I mean, look, Zoom is, I’m all flustered. Zoom is, is necessary and I’m not saying necessary evil. It’s, it’s, it’s a part of the culture, whether it’s Zoom or Teams or Google Meet, you know, whatever virtual meetings, they’re just a part of our lives now. No question about it. But don’t make those the default if you have the option to get back in front of people in person, I urge you choose that option. Uh You know, I could have passed on the opportunity to do the in-person training, but I didn’t want to. I didn’t want to. Donor meetings too while I was in the city, face-to-face meetings again, coffee, lunches. It’s just so much better, so much more real than anything virtual can offer. Um I had a meeting, lunch meeting just about 10 days ago or so with someone from Heller Consulting, which is gonna be Team Heller. They’re going to be our 23NTC sponsors at the Nonprofit Technology Conference coming up in Denver. And the woman who works for Heller happens to live within 45 minutes of where I live in North Carolina. So we got together for a, a real lunch. We had lunch together over the same table. Remarkable. You know, it’s, yeah, more real, authentic. I urge you, if you can meet someone in person instead of virtual, do it, do it. It makes the world of difference. It’s time to get back in people’s faces again. Don’t make virtual your, your default. If there’s another way first, I urge you to do it. That is Tony’s Take Two. We’ve got boo koo but loads more time for Beat Back Cyber Attack with Michael Enos. Talk about not preserving data that you don’t need to preserve. 
Like credit card numbers, full numbers for instance, or dates of birth or other things that aren’t necessary for you to preserve. Isn’t there, isn’t there value in trimming down sensitive data that you don’t really need?

[00:35:40.17] spk_1:
Yes. And and one of the principal aspects of data handling is an optimization of data. So you know, there’s there’s transactional data that happens. And oftentimes, for example, with credit card things are processed nowadays, you’ll usually use a payment processor. So, you know, hopefully you’re not actually you know that server that actually storing that information is not on your box anymore because there’s, you know, you know, you can use an API and a web site and then it happened somewhere else and they take care of all that stuff for you. So, if your systems were hacked, they wouldn’t have access to the credit card data

[00:35:55.19] spk_0:
or,

[00:39:00.73] spk_1:
or Braintree or one of these sorts of services, you know? Exactly. And, and, and so those go to those payment processors and they manage all that, um, which is great because then you, it reduces the amount of exposure on your e-commerce site or fundraising donor donation site. And if you’re using a donation software program, like, you know, DonorPerfect or one of these sites, that’s what they’re doing as well. You know. So they, you know, because, because they, they want to use because that you really have to have the best of breed technology to be able to make sure that that stuff gets that, that’s really super secure and they have higher standards and compliance standards by which they attest to the. Um, and so however though, let’s say you’re, you’re doing an email list to your constituents, right? Um You know, you’re gonna need some marketing data, you’re gonna, you know who to send this, this information to, but you don’t need everything about that individual. You don’t need things like that really. I mean, you may need the basics but you should be using a marketing provider that is secure and you should, you should transfer, get that information to them in a secure way and you should ensure that if that individual wants to opt out. Um and they, all these things should be in an organization’s privacy policy so that people understand how their data is being used if they sign up for a newsletter or things of that nature. However, you know, I think your point specifically um oftentimes reports about, you know, activities, engagement, you know, that go into reports for executive or for things that are put into a PDF or in another format, the data should be anonymized. So the only thing that’s there is, you know, aggregated information about, you know, the engagement and not all they shouldn’t be able to drill down and see, oh who is this exact individual? 
Now if they need to know if it, if they want a donor report about, you know, I want to know exactly to see who um are the top donors and, and such, you know, there should only be limited people within the organization who have access to that data, to be able to see that information that goes back to my other point about um privileged access management. There are gonna be some, there’s gonna be some reason why people aren’t gonna wanna know specifically about, you know, who’s engaging with the community. And also oftentimes on the client level, we need to know that the people who are providing services to communities need to know exactly who these individuals are and more sensitive information. And that’s why I was talking about earlier about, you know, understanding where that data lives and, and only having as much as you need to fulfill the function of that, you know, whatever you’re doing. Um and, and having that, you know, and making sure that’s really locked down when I worked in the food down. When I worked in the food and security sector, we had people going out in the communities and helping sign them up for, you know, um CalFresh, you know, essentially benefits, you know, for people to get, you know, you know, government assistance and they had to collect really sensitive information. But what they did is they had ways to securely transmit that information to the local human resources agencies so that it was all encrypted, it was protected and then once we transmitted that we didn’t have access to it.

[00:39:44.68] spk_0:
what about vetting vendors? You know, if, if your office is using a mail house, uh you know, some of the data that you just talked about for, for mailing? Um I can’t, I can’t think of other examples of vendors that could be. Well, events, events could have, could event management might have some sensitive data. What, how do you vet your vendors to make sure that they’re taking appropriate actions to prevent theft, phishing, you know, to, to defeat defeat, or at least you can’t defeat them, but at least minimize the threats. How do you, how do you check these third parties that you’re working

[00:41:16.80] spk_1:
with? Well, you know, that’s a big part of my role at TechSoup. So whenever we, whenever we work with, with, whenever we’re going to be using a new product or app or something like that, it’s my job to go in and actually check and organizations, these, you know, these application providers will provide um on their site or they should and if they don’t, you shouldn’t use them, but most of them will provide on their site access to their information security program and what they do where their data is located, what they do to protect it, their compliance levels, their certification levels, um whether they do audits, whether or not they do penetration tests And what type of and, and, and everything to that order and that should be vetted by, by somebody before they onboard an app. And we do this all the time. We use a lot of different apps at TechSoup, north of 100. And so we, every time we onboard one for some utility within the organization, we make sure that they meet this standard. There’s, and we actually, since we’re a third party vendor for other people, they have the same for us so that a lot of the work I do as well as to, you know, report out periodically to all the people who are using our, our platform to facilitate their data to organizations and you know, what TechSoup’s information security program is like. So this is, you know, because creates transparency, but it also helps people understand what the risks are, which helps when you’re in a situation where I needed to go and advocate for resources to institute a cybersecurity program.

[00:41:47.96] spk_0:
I want to ask you about the board’s role in all this. But, but is there anything more that you want before we get to the board? Anything more you want to talk about threat minimization policies? Anything we haven’t covered that you want folks to know about?

[00:44:14.11] spk_1:
Yeah, I think that one of the things that is, you know, that we haven’t mentioned yet is preparedness for an incident, essentially a security incident, incident response plan. This, you know, is another thing in that sort of list of five that an organization should understand. Um if you have a situation where your data’s been um breached. And, and one thing I do want to do is to describe quickly, even this kind of a dry topic is there is a difference between a security incident and a security data breach. A security incident is could be something as innocuous as somebody just knocking off your website and taking it down with a DDOS attack. Now that sounds innocuous because it’s just, it doesn’t sound innocuous because it’s disruptive because nobody can get your website, but nobody’s taking the data. And as soon as that denial of service attack is stopped, your website maybe still functioning. Um But that’s an incident and a data breach is different because now you’ve got to do a couple different things. You’ve got to number one, find out how the breach occurred, which you should also do in case of the DDOS attack. Um But above that, you also need to then understand how to respond to, you know, what data was breached. What’s the scope of that data and who are the individuals and, and what’s our plan to reach out to those individuals and notify them about the breach? And was our policy around that? And who do we have to include in terms of communications internally and legally and, and to provide that transparency because for a number of different reasons, number one, it’s the right thing to do. Um and number two, because it actually helps build trust within, within communities because if people understand that, you know, these things happen and they happen to some very, very large organizations, right? We, we know about these, these really large breaches, but the more transparent they are the more the consumers or the constituents who used those products.
Think gosh, they really responded well to this and they acted immediately, they communicated appropriately and they remediated, you know what happened and, and that was the responsible thing to do and you don’t wanna be doing that in the middle of a breach. So, having a plan up front helps during that process because otherwise it’s just too much at one time, everything and

[00:44:21.00] spk_0:
the plan is gonna lay out who’s in charge, who makes, what kinds of decisions, um,

[00:44:27.43] spk_1:
notify. Right. And what’s the playbook essentially? Yeah.

[00:44:52.19] spk_0:
Like, I mean, it could even, it could even break down to needing a remote place to work. I mean, go go that far or because we’re because we’re hopefully in the cloud we don’t like like if our physical infrastructure gets um compromised, do we need to go off site? And, and what’s the technology, the technology capabilities in our, in our off site work location?

[00:45:17.93] spk_1:
Well, that’s actually a little different. Um so we usually talk about that in terms of business continuity plan. So and, and that would be the same sort of plan you would enact case of a natural disaster or something like that. I mean, is a business continuity and, and that’s far exceeding the scope of what we can discuss today, although I’d be happy to discuss that. Let’s not let’s not

[00:45:22.65] spk_0:
I don’t want to panic folks. Okay. Alright.

[00:45:25.60] spk_1:
Alright. Alright,

[00:45:27.20] spk_0:
you got me focused on, you got me focused on like I don’t know, natural disasters and terrorism. All right, let’s

[00:48:44.52] spk_1:
go to the board. Okay. Alright. So, so one of the things that boards were all right. So organizations nowadays are let’s put cybersecurity is becoming and, and is becoming as important as sort of financial security with an organization. The two are becoming linked together An organization. And so for many years, as we all know, uh 501(c)(3) organizations in the US are generally bound to having a financial audit annually. Right. And then they report to the board and the board will make sure that, you know, there’s a financial audit to ensure that the funds are used judiciously. Um there’s oversight and governance over these matters. Cyber security is becoming as important as financial security because the two are linked together. If there’s a because it could affect it. If you have a ransomware attack, it could affect the viability and the business sustainability of an organization. So it’s a very serious matter. It’s becoming a very, very serious matter for organizations to then think about cybersecurity as a compliance issue, not just nice to have. And so helping the boards understand that this has shifted from a situation where, oh, well, you know, there’s nobody’s going to attack a nonprofit and uh you know, and if they do, you know, it’s, our data isn’t very important. Um It’s things have shifted, right. So I think recently there was a community, um it’s one of these cities, for example, was an entire city was, has been locked down for days because of a ransomware attack and so nothing can function within the city because, you know, um that’s going to affect everything within the city, not just their continuity and safety of people, but also um it’s gonna have a financial impact. So cyber security is becoming more like a compliance issue and a governance issue. And so I think if boards understood that, then they would understand the need to prioritize and to provide funding and resources for those within the organization.
Whether that if a small organization that the CFO or the COO or even the CEO to then say, look, we need to carve out some resources to be able to understand our risk and the best way to do that would be to do a third party risk assessment and with, with somebody to come in and actually do an evaluation and say, because they’ll come in and do, you know and come in and say, hey, look, these are the, you know, we come in and, and these people are vetted, their, this is their job and you know, they’re safe to work with and go in and say this is where you really need to. These are the critical things, these are, you know, not important things and these are the nice to have and they’ll, they’ll lay it out for you and then you can develop as part of your strategic plan as an organization just like it should be part of your business plan and should be linked to the business plan because the strategic plan for the organization and then the funding, the budget resources, the resource planning and all these things should be baked into the operational strategic plan for an organization. That’s where we’re going in the sector.

[00:49:03.09] spk_0:
Okay. It belongs as part of your strategic plan, your business plan. Alright.

[00:49:50.46] spk_1:
Yeah, and, and that’s where I think that it’s um uh it’s just like I said, I think where a board comes in is to helps understand that so that they could then authorize and, and oversee and ensure that an organization is doing this work and it’s hard work because, you know, you may have limited resources where we’re gonna carve where we’re gonna carve this out. And however, the good news is that there are people who want to fund this, there are grantmakers who are super would be super happy to be able to say, look, I’m gonna help, I’m gonna capacity impact um grant to this organization to help improve their cybersecurity because of these trends that we’re seeing. And so, and then you can use that as a mechanism to possibly help fundraise to offset some of the funding. So it doesn’t have to come out necessarily of your operational costs.

[00:50:23.28] spk_0:
Okay. There are foundations that will fund fund this. Yeah. Alright. All right, we’re gonna leave it there, Michael. Thank you, Michael from Montana, Michael Enos, Senior Director of Community.

[00:50:26.28] spk_1:
And it’s

[00:51:30.65] spk_0:
my pleasure to thank you, senior director of Community and platform for TechSoup Global. He’s on Mastodon at Michael underscore Enos at public Good dot Social, and TechSoup where you’d expect them to be, techsoup dot org. Next week, I’m working on it. Uh, and I assure you that there will be a show next week because this is show number 630. And I’ve been producing a show every week for 13 years close to. So I assure you there will be a show next week. I just don’t know what it’ll be about, but don’t bet against me because there is gonna be a show. You know, you’re gonna lose if you bet against there being a show next week. If you missed any part of this week’s show, I beseech you find it at tony-martignetti dot com. Our creative producer is Claire Meyerhoff. The show’s social media is by Susan Chavez, Mark Silverman is our web guy and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with me next week for nonprofit radio, big nonprofit ideas for the other 95%. Go out and be great.

Nonprofit Radio for August 29, 2022: Your Tech Problem Is Actually A People Problem

 

Ananda Robie & Sam Dorman: Your Tech Problem Is Actually A People Problem

Wrapping up our #22NTC coverage, Ananda Robie and Sam Dorman sort out why your nonprofit’s technology problem is very likely a people problem. And they share their roadmap to better technology tomorrow. Ananda is with the Center for Action and Contemplation and Sam is from The Build Tank.

 

 

 

 


I love our sponsors!

Turn Two Communications: PR and content for nonprofits. Your story is our mission.

Fourth Dimension Technologies: IT Infra In a Box. The Affordable Tech Solution for Nonprofits.


Transcript for 606_tony_martignetti_nonprofit_radio_20220829.mp3

Processed on: 2022-08-26T19:11:13.159Z

[00:02:02.70] spk_0:
and welcome to tony-martignetti non profit radio, big non profit ideas for the other 95%. I’m your aptly named host of your favorite hebdomadal podcast. Oh I’m glad you’re with me. I’d be stricken with causalgia if you burned me up with the idea that you missed this week’s show. Your tech problem is actually a people problem. Wrapping up our 22NTC coverage, Ananda Robie and Sam Dorman sort out why your nonprofit’s technology problem is very likely a people problem and they share their roadmap to better technology tomorrow. Ananda is with the Center for Action and Contemplation and Sam is from The Build Tank. On Tony’s Take Two, wrapping up National Make a Will Month. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. Turn hyphen two dot c o. And by Fourth Dimension Technologies, IT infra in a box. The affordable tech solution for nonprofits. tony-dot-M.A.-slash-Pursuant D Just like 3D but they go one dimension deeper. Here is your tech problem is actually a people problem. Welcome to tony-martignetti non profit radio coverage of 22NTC. You know what that is by now through all the interviews we’ve been doing, it’s the 2022 nonprofit technology conference and you know that it’s hosted by NTEN. The smart folks who help you use technology as you’re doing your important work. With me now are Ananda Robie and Sam Dorman. Ananda is digital Managing Director of digital products at Center for Action and Contemplation. Sam Dorman is co-founder at The Build Tank. Ananda, Sam, welcome to nonprofit radio

[00:02:23.64] spk_1:
Thanks tony

[00:02:24.87] spk_2:
Yeah, thank you so much for having us.

[00:02:36.99] spk_0:
The pleasure. Pleasure to have both of you. Your session topic is your technology problem is actually a people problem. Sam can you, can you give us an overview of what folks are often, uh, misconstruing about the real problem perhaps at at their smaller, mid sized non profit

[00:03:30.65] spk_1:
Yeah, absolutely. Yeah. My partner Chris and I, we, you know, founded The Build Tank to try to help organizations resolve their pervasive technology pain, which is, um, which is really common. It’s just about every organization is struggling under these, these same restrictions where they just don’t have the technology that allows them to do what they want to do and it’s holding everybody back and it’s creating all all kinds of pain points. And so what I think that people don’t realize is so often it’s not actually a problem with the technology, the symptoms, you know, feel like their problems with technology, but it’s a gap in a certain kind of technology capacity. Um, and it’s about actually getting the right internal team doing the right types of things, which is sometimes not what people expect it should be. And Ananda is a perfect example of that kind of person. And the team she has built at CAC is a perfect example of what it looks like to go from those sorts of pervasive technology Pain points to actually really using leveraging technology to its potential to help increase the organization’s impact

[00:03:58.76] spk_0:
Ananda, what are some of the symptoms that you were you were feeling at Center for Action and Contemplation?

[00:04:54.00] spk_2:
Yeah. Well, luckily I was so blessed that by the time I came to the CAC, they had already met Chris and Sam and gotten bought in on the digital product team model and investing in structuring technology Well. But prior to coming to the CAC in previous roles, I’ve had, I did experience that other nonprofits or in higher ed, which has been my kind of career path. That really what’s most common is you hire folks to do a job and then technology is treated like off the side of their desk. So you might hire a development director who’s responsible for fundraising for your organization, but then they’re also responsible for, you know, keeping the donation platform up and running and troubleshooting issues or if you need a new platform going and finding it and uh, you know, putting it into place. And so it’s just means that people a have too much work on their plate. So their workload is too much and then you don’t have the right people with the right kind of interests and skills doing the work. And so there’s a whole model for how we kind of have distributed ownership and break down the ownership between content folks and technology folks.

[00:05:10.36] spk_0:
Okay. You say there’s a whole model, Is that, is that part of what your your session was about?

[00:05:51.03] spk_1:
Yeah, exactly. So, so, we, you know, we pulled together this thing called the road map to a better technology tomorrow. So Chris and I were always trying to share everything we can as resources. We can work with some organizations like the CAC, but we can’t work with every organization. But it also feels like a lot of these things, once you understand the concepts they’re not that hard, they’re pretty based on common sense. They’re definitely not common practice, but uh, we try to share everything freely. So we put together this roadmap with just sort of six key steps about, here’s how you go from where you’re, where you are now to building this kind of capacity that’s gonna be able to supercharge you. So, in the, in, in the session, we just walked through those six steps.

[00:05:54.01] spk_0:
Okay. And this is the road map to better technology tomorrow. Like something from the 1950s,

[00:06:01.43] spk_1:
your

[00:06:02.85] spk_0:
new electric stove is the the kitchen of tomorrow for the happy homemaker.

[00:06:09.47] spk_1:
We kinda did. It’s a little bit tongue in cheek. We, we like to have a lot of fun with the work that we do. And so we sort of, it felt a little bit like it was like mad men branding the road to a better technology. Yeah,

[00:06:37.24] spk_0:
that’s what I think of it immediately, but before we All right. So, we’ll go through the roadmap Sounds, uh, sounds very exploratory what sam, but why why are we defaulting to blaming, uh, faulting technology? Is that, is that because it’s easier than looking introspectively at our team and our skills and gaps there in? Well,

[00:06:44.52] spk_1:
it’s hard to

[00:06:45.16] spk_0:
blame technology.

[00:07:49.02] spk_1:
Well, it’s understandable. That’s where you feel in the pain. So people just don’t have the basic tools that they need. If you’re trying to accomplish anything, you’re trying to, you know, not to use the example of a fundraiser. You’re trying to raise money if you’re a communicator, if you’re a program person, if you’re an executive trying to understand what things are working, the pain point is focused on. We don’t have a system that helps us track our donors well, or understand their journeys with us. Or a lot of pain is felt with websites, you know, like everybody needs to use the website as a key. It’s like your front door. It’s also your engagement pathways. It’s a key property. And very rarely do organizations have it where everybody who has needs with those properties, with those, with those technology platforms, is actually getting those needs addressed. And so, you know, they, that’s where you feel the pain. But what people don’t understand is it’s because there’s a lack of ownership and lack of stewardship and it’s not a highly technical kind of lack of ownership and stewardship that’s missing. It’s a highly strategic, highly communication based set of skills that needed to steward these platforms and make sure that everybody’s getting what they need out of them and have sort of a long term oriented view. It’s exactly the kind of stuff that Ananda is so strong at.

[00:08:08.05] spk_0:
Okay, okay, so it sounds like the shortcomings uh manifest themselves in people’s performance because we don’t have the kind of tools we need, you know, the things you ticked off saying that you’re you’re more eloquent in describing that I’m going than I would be, so I’m not gonna bother, but I’ll just say it’s everything you just said, but it manifests itself in poor performance or overworked or

[00:08:57.22] spk_1:
Yeah. And I’ll just say, you know, it’s sort of like you have, you you you you wanna you get great people around you in an organization, you have a really inspiring um mission and you get great people around you and it’s like getting a bunch of expert chefs in your kitchen and then all you give them is a bunch of wooden spoons and you say cook a gourmet meal, they just don’t have the tools, they need to make their amazing, you know, and so what you wanna do is you want a situation where you have someone whose job it is to just consistently enable their colleagues to do better and greater work via those sort of technology systems. So promise of technology is just not commonly realized for most organizations, it’s just paying up and down the up and down the books

[00:09:06.58] spk_0:
because the people at that dining table are gonna say these chefs suck

[00:09:10.08] spk_1:
right?

[00:09:10.81] spk_0:
Yeah, you’re gonna say something

[00:09:12.73] spk_1:
back.

[00:09:13.80] spk_0:
I’m sorry. But

[00:09:15.34] spk_2:
no, I was just gonna say, I think um

[00:09:17.99] spk_0:
when

[00:10:12.60] spk_2:
we say it’s a people problem, it’s that’s not to be misconstrued that it’s a problem with the people currently in the organization having a deficit or something. It’s usually a people problem because the right staffing to steward your technology has not been put in place. So it’s really a people problem often in terms of a gap in people for the technology. So it’s a misconstrued notion that, you know, when you get technology, it would be false to think that good technology is just plug and play, you get it off the shelf, you plug it in, you play, it works for your org forever more. Um, that’s not the case for anything. Your organization is growing and developing and adapting and evolving. Um your technology needs to do so as well. But in order to stay on top of that, you have to have the staffing of the folks like me who are responsible for treating that technology almost like a product. So we’re gonna make sure it stays up to date, it gets um serviced and updated and replaced as needed. So I just want to make sure no one is hearing this as it’s a people problem within your org. I’m sure the people within existing orgs are phenomenal and they likely have too much to do and a full time job in addition to potentially looking and focusing on technology, you should have a specific stripe within your org that is focused on the technology much like you have stripes focused on your programs.

[00:10:40.30] spk_0:
Okay, thank you. Alright, Ananda. Are you, are you familiar enough with this to launch our journey on the, on the road map to a better technology tomorrow?

[00:10:45.91] spk_2:
Well I’ve had the benefit of truly like working under Chris and Sam’s mentorship for the last six years. So I like to think that I’m very familiar

[00:10:53.79] spk_0:
with it.

[00:10:54.46] spk_2:
Yeah, Sam and I have kind of been on a little bit of a publicity tour lately. I feel like where Sam you know because he and Chris’s brilliant minds are what came up with the kind of road map and then I get to offer a bit of the color commentary about what it looks like in like implementation and actuality versus

[00:12:51.20] spk_0:
theory. Turn Two Communications, media relationships and thought leadership. First comes the relationships then comes the leaderships leadership but I couldn’t pass up the rhyme. You gotta have the relationships before you can get the leadership the thought leadership because you need those relationships so that when an opportunity for thought leadership emerges either because there’s some big news hook or you just have something that is compelling that you need folks to hear. You gotta have uh you gotta have the journalists and the other content creators in a position where they’re gonna pick up the phone when you call, they’re gonna reply when you email. That takes relationships. Turn Two knows how to build those relationships. So you gotta have the relationships, then you can get heard. Then you become a thought leader in your field. Turn Two Communications, they can help you build those relationships. And while you’re working on your messaging, that can help you craft that also so that you become the thought leader, you ought to be, you deserve to be. Turn Two Communications. Your story is their mission. Turn hyphen two dot c o. Now, back to your tech problem is actually a people problem. And what about buy-in, leadership buy-in, Ananda? Was was was was CAC beyond that. When you got there, you said they had already bought in. So, had you, like, had you passed that phase, Is that something you didn’t have to deal with?

[00:13:32.75] spk_2:
I mean, I think it’s always ongoing. I’m always telling the stories that it takes to make sure we’re investing in technology properly from a capacity and funding in time perspective. But I really was fortunate when I joined the CAC, that our executive director, Michael Michael Poffenberger had attended one of Chris and Sam’s talks and really just connected with their approach to technology and wanted them to support the CAC in really upping our game when it came to tech. Um but one of Chris and Sam’s requirements was that if you want to partner with them, you’ve got to have internal staffing to kind of fill that gap that is all too common when it comes to tech. Um, so hiring my position was basically the organization’s response to this is the direction we’re gonna head when it comes to structuring our technology and this is the first position we’re gonna hire to make that happen.

[00:15:11.64] spk_1:
Tony, maybe I’ll add. It’s also really important to note that Ananda is part of the leadership team now at CAC as the chief of this team and that’s one of the things that we really emphasize is important. You know, the actually the first step in the road map we were going to talk about is you must be willing to invest and it’s about investing, not only resources, but time and care and focus. If technology is not part of what your leadership knows and understands, then you’re making decisions sort of devoid of what you can actually do in the world. You know, it’s like technology nowadays is your arms and legs to do almost anything in the world as an organization. And so if you have a bunch of people at leadership level, making decisions about programs and what you’re capable of or timelines or anything like that without that strong back and forth communication with those arms and legs and you have an organization that sort of lurches forward and can’t walk straight. And so it really makes a huge difference when you see a situation like CAC where Ananda is there as part of the leadership team, able to say yes organization. This is what we’re capable of. And also, um yeah, we can we can do these tradeoffs that we’re talking about at a leadership level, but here’s what we’re gonna have to deprioritize and here’s what we’re going to prioritize. So it’s just sort of a whole different approach of, of investing in technology is a key skill set for the organization.

[00:15:17.61] spk_0:
Okay. And you said that’s our first, our first of the six steps is investing, but not only in the technology, but also in in the organization the people

[00:15:48.39] spk_1:
well. And that’s why we start with saying, you have to invest as, you know, you have to be willing to to hire people in this certain type of uh, you know, a certain type of capability and that means salary and that means head count and that’s one of the most expensive things. There are, so a lot of times we say, you know, that’s, you got to hear the bad news first, which is, it’s gonna cost a lot, most organizations are woefully under invested in internally internal technology capacity. And that’s just the truth of it. So when, when people come to us and say, you know, is there an affordable way we can do A, B and C. We say no. If you want to be good with your technology and good good meaningful impactful outputs, you have to invest in terms of resources in terms of development, in terms of external experts and in terms of your internal team

[00:16:13.51] spk_0:
Ananda, what what’s the annual budget at Center for Action and Contemplation and and how many employees?

[00:16:20.30] spk_2:
Yeah. Great question. I believe our annual budget is close to about nine million and we have about 55 employees.

[00:16:35.89] spk_0:
Okay. All right. I want listeners to understand the context of what investment means. Why is at the center for action and shouldn’t contemplation come first and then comes action after you’ve given after you’ve thought about what it is you might be acting on, you

[00:16:51.54] spk_2:
know, one of my favorite things that our founder Father Richard Rohr says is that actually the most important word in our title is the word and. Because what is good action without sufficient contemplation? And what is the point of contemplation if it doesn’t result in good action? So and is the most important regardless of which order those words come in.

[00:17:08.97] spk_0:
Okay. All right, thank you. And thank you, Father, also. All right. So, um, Sam, is there a place for folks who have, you know, a smaller organization, like, uh, suppose it’s like half the size of CAC’s annual budget, like it’s 4, 4.5, 5 million

[00:17:22.95] spk_1:
dollars is still

[00:17:24.56] spk_0:
a place that that they can improve their relationship. I’m gonna say their relationship with technology.

[00:17:31.79] spk_1:
It’s a great question. You know we have done this with very large sort of

[00:17:38.48] spk_0:
two great questions in a row. It’s all downhill. Yeah

[00:17:39.66] spk_1:
pretty much

[00:17:41.58] spk_0:
batting

[00:18:54.94] spk_1:
Average, batting average is solid so far. We’ve done some very large sort of enterprise-scale organizations. We’ve done it with tiny organizations, and people ask me that often, like, well, you have to be a certain size, and I think the answer is no, you don’t have to be a certain size. So I used to work out of an office where there were social enterprises that were being incubated. And so, like, people starting, uh, you know, triple-bottom-line businesses, as they used to call them. And what they would do is either the founder, uh, would be someone with great technical sort of oversight capability, or your first hire was sort of a CTO or a technical cofounder. And so nowadays it scales down to, I think, the size of two: if your organization has a headcount of two, half of that capacity is probably focused on your technology, because anyone starting an organization today understands how essential that is to be able to do anything in the modern-day world. The problem is a lot of old organizations are trying to get away from this really old model of, like, the tech person in the back corner who just thinks of all things tech, and everything tech goes through that person. We often say that’s like having a department of paper where everything on paper goes through one person in the back room. It just doesn’t make any sense. Everything is technology these days, and you have to be more sophisticated about who you’re putting on what. There’s a lot of different skill sets that you need at the table. Most organizations have their traditional IT covered. Most organizations have their super users of technology covered. And almost no organizations have this particular gap, which is technology stewardship.

[00:19:15.10] spk_0:
Ananda, what were your credentials before you came to CAC?

[00:19:55.68] spk_2:
Yeah, so I, um, I actually studied film in college, and I think that really comes from, I had an inkling towards technology. I really loved editing, I loved editing software, and afterwards I went to work for a nonprofit. My goal was to actually be in the creative team. But as a part of working there, a part of my job was using Salesforce. Um, and I was kind of what is traditionally called an accidental admin. So using Salesforce for a couple of years, they’re like, hey, you’re really good at this, would you be interested in doing this more full time, learning more, taking on more responsibility? Um, and I said yes, and I think it’s one of the best decisions I ever made. Unfortunately, our nonprofit went through a pretty massive downsizing. Um, so they kind of kept on people who were like the jack of all trades and could do a lot. So I was kept on as primarily the technologist, but I’ve been working in Salesforce now for about

[00:20:16.08] spk_0:
12

[00:20:16.66] spk_2:
years. Uh So now certified Salesforce admin and focus on our digital product team. So I oversee our Crm Web and I. T. Teams for the C. A.

[00:20:24.93] spk_0:
C.

[00:21:30.54] spk_1:
Maybe, Tony, I might add that it’s like a perfect background. So, you know, one of the things we say is when you’re looking for technology people, a lot of people think that means, oh, we gotta hire a bunch of developers. Um, and that’s usually the worst thing you can do. Usually development is something that’s not easy, um, to hire for, to manage, to evaluate the quality of work. And it’s one of the best things that you can outsource, because there are firms that that’s their job, that’s what they do, that’s what their specialty is. But this sort of skill set that Ananda is such a master of, this sort of communication-based, sort of allyship-based strategic layer of technology stewardship, that comes from all kinds of backgrounds. And so oftentimes in an organization, people already have people like this that could be amazing stewards of their technology, but they’re just not tapped for that, they’re not put in the right roles. So it really opens the floodgates for who can come in and help, as opposed to sort of competing for the same highly technical, um, you know, people with depth in a technical area. You’re really looking for people who are just, you know, great communicators and understanding of the big picture and allies, natural allies, uh, for their colleagues to help them do everything they do better.

[00:21:55.43] spk_0:
I think big picture big picture technologist is is valuable the way you, the way you described it. Let’s let’s move on to our let’s continue on our journey. Sam what you and your partner have, uh, what’s your next, what our next stop? What’s our next stop on the

[00:22:40.26] spk_1:
journey? We’ve already been hopping around in a few of these and you can, you can see them on on the road map. But I’ll mention one piece that Ananda referred to earlier, which is this, this we have this model of trying to separate out the just because of a chart we we created long ago, it was the Blue team and the gold team. The Blue team was this sort of tool. Optimizers like Ananda and the gold team was the people who are trying to use their tools to accomplish their work. So most, most of the people on our chart an organization, they might be like fundraisers communicators, program. People, executives, any number of things. They need tools but they need them to accomplish their work. And like said what often happens is they don’t have the tools they need. So they sort of finally go out and they’re like, I’m gonna build a Crm or I’m gonna build us a new website

[00:22:49.66] spk_0:
and

[00:23:02.20] spk_1:
now they’re on the phone with developers and talking about platforms and all the stuff that pulls them out of what their strength is, instead of focusing on their areas of expertise, which could be fundraising or anything else. And you’ve got these other people, like, who are just natural tool optimizers who can sit down with those people, hear what they’re trying to do and say, okay, I can go figure out how we do that in technology land. Let me spend all my time on all these crazy paths that that takes. And then we come back together, have a meeting and I can tell you the three options and we go from there. So it allows people to focus on their areas of expertise, and when you see that, all of a sudden the machine really starts humming a lot more.

[00:23:32.29] spk_0:
So uh summarize the second stop for us. How would you, I mean if if the first one was invest, nothing has to be a single word. I don’t

[00:23:59.21] spk_1:
know, that’s fine. The second one is differentiate three key areas of technology. So that’s where I was talking about not just the sort of everything goes through tech, but you’ve got traditional IT, which is something else, which is setting up your computer’s security and software and hardware and all that. That’s a different set of skills. You’ve got your content users, your super users, and then you’ve got the team that Ananda leads, which is actually your tool optimizer team, your digital product team.

[00:24:09.47] spk_0:
stewardship to you call technology stewardship

[00:24:12.73] spk_1:
technology stewardship. Exactly.

[00:24:14.58] spk_0:
Alright.

[00:24:45.49] spk_2:
Yeah. I think one of the, um, you know, Chris and Sam have a great one-liner that I always love to mention when we’re talking about this part of the road map, which is that everyone likes to geek out somewhere. And I think that’s the importance here: are the folks that you have hired within your organization able to focus the majority of their job on what they were hired to do, that they’re likely experts and excellent in, or are they getting distracted by having to work on tech, or technical people having to contribute more to content? So the idea is making sure that folks who like to geek out on development or marketing or creative, customer service, program execution really get a partner that then is responsible for making sure that we find and build and train on, allowing them to have the best tools possible to do their jobs well. Um, and that will just alleviate a lot of dysfunction and a lot of missed opportunity for, um, just prioritizing capacity.

[00:28:50.81] spk_0:
It’s time for a break. 4th Dimension Technologies. They still have the free offer exclusively for Nonprofit Radio listeners. You get the complimentary 24/7 monitoring of your IT assets. It lasts for three months. They’ll be monitoring your servers, your network and your cloud performance. They’ll monitor your backup performance as well, all 24/7. If there are any issues, they will let you know ASAP. At the end of the three months, you’ll get a comprehensive report telling you how all of this is doing against different benchmarks that are standard. You know, you want to know how you’re faring compared to where you ought to be faring. And they promised to throw in a few surprises as well. It’s all complimentary. It’s on the listener landing page, tony-dot-M.A.-slash-Pursuant D just like three D. But they go one dimension deeper. It’s time for Tony’s Take Two. National Make-a-Will Month is coming to an end. So sad. But I am celebrating to the bitter end. We’re not letting any of National Make-a-Will Month go away, leave us without full celebration. And to that end I’ve got more ideas, more reasons really. They’re not just there. They are my ideas, they’re my thinking. But these are reasons, this is not in the abstract, reasons why wills are the place to start your planned giving. I’ve done 13 through 15 already. I’m gonna do 16, 17 and 18, the last week of August, and you can see the compendium of reasons at LinkedIn so far. Eventually they’ll be on my blog. But right now you go to LinkedIn through the month of August, you will see the cornucopia of reasons why planned giving should be started with wills, simple charitable bequests. So go to my LinkedIn and you will see the vast array of reasons. That is Tony’s Take Two. We’ve got just about a butt load more time for Your Tech Problem Is Actually a People Problem with Ananda Roby and Sam Dorman. I’m thinking about fundraising, which is what I do.
I do planned giving fundraising consulting, and thinking about how this applies in fundraising, like there are people who are great at relationships but not so good about the simple, very simple user task of documenting the relationships and the activity and the steps and things. So, you know, like for them, if there could be some smoother way, like maybe they could dictate instead of having to type or, you know, maybe give them a portable device, you know, they can do it on a pad or a service, you know, instead of having to carry their laptop or feel like they have to go back to their desktop to preserve things like that. I think that’s a simple example. It’s a

[00:29:20.61] spk_2:
simple example but it’s perfect. I mean, that’s the epitome of my job: what do you need to do in order to do your job well? And if one of those things is documenting your interactions and there seems to be a roadblock to doing that well, let’s find out why. Is it that you are constantly maybe out in the field doing your work and there’s not a good mobile app in order to complete that, so you’re having to wait till you get back to your desk? Is the platform you’re using, the UX/UI, really clunky to use? Are you just not trained? Have we not provided the reporting that then shows the return on your investment, so you have this incentive to see how all of your work is paying off? There’s not necessarily a single or simple answer. So the trick is understanding the need and the reason and the why behind that need, understanding what the roadblock is and then alleviating that, and that’s different for different people. Some people, that might be a technology use equal issue, and other people, that might be not understanding the need or the reward behind doing it

[00:29:49.06] spk_0:
well

[00:30:16.31] spk_1:
So well said, and you know, when you hear Ananda talk, you can just imagine the power of having a colleague like that who’s just sort of a heat-seeking missile for problem solving and knocking hurdles out of people’s way. It completely flips the sort of traditional dynamic that you have for technology, which is, if you got a problem, submit a ticket and we’ll get to it when we can. You know, that’s like the opposite of what Ananda and her team are doing. They’re out there being like, Tony, you know, you’re out there trying to fundraise for us. We want you to succeed. You’re our colleague, your ally. Like, how can we help you do that better? And what you find is that once people realize they have that kind of a team on board, that kind of allies in place, the ideas just come fast and furious, and then the ROI just sort of spikes, where all of a sudden everybody is more powerful and more effective with the hours in their day. The ROI, it’s just unbelievable. But it starts with that upfront investment.

[00:30:48.00] spk_0:
see all right, continue us on the road map.

[00:31:53.81] spk_1:
Well yeah, we’ve been getting a lot of this. So we differentiate those areas of technology, you build this team, a technology accelerator team or a digital product team like talked about and then it’s all about hiring the right kinds of people which we’ve talked about that sort of strategic stewardship level layer and then one thing we didn’t talk about is insourcing and outsourcing the right things. I did mention this idea that you don’t want to generally in source uh development, you want to hire, you want to work with external partners. Actually, the last step of our road map, we call make magic with external partners. And even though that’s sort of flowery language, we chose that on purpose because when you have the right dynamic, you have, you know, sort of a superhero internally, like Ananda working with a really skilled external developer or external firm giving sort of depth of strategic and technical expertise. Well that will take us on a certain, you know, certain type of work that they’re doing, but also for their, for their web work. They working with a terrific web firm and for their Crm work, they’re working with a terrific crm firm and not just, you know, the traditional thing is just handing the work out to somebody and then they do whatever they do and they deliver it and good luck. And on day one, you know, you figure out whether you can use it or not, it’s the opposite of that. It’s, it’s very much an ongoing partnership, just probably not to talk about this because that’s where you see a lot of the power, it’s not about building a team internally, that’s going to do everything, It’s about building a team that’s going to steward it, figure out who are the right players that you need on the field.

[00:33:53.49] spk_2:
Yeah, I think often this part of the roadmap that we talk about can be very surprising to folks, especially if you’re saying, hey, build a technology team, and the first thing is maybe not to hire like an extra under-the-hood, super incredible, 10-times-certified developer. Um, that’s not what we would look for as the first hire. Doesn’t mean you’re not going to grow and expand into needing that kind of expertise within your org. Um, but for me, technical knowledge is one of the easiest things to learn and, like Sam said, to contract for. So yeah, what we want to ensure we’re not doing is outsourcing the brains, because if you do that then you really risk making bad investments and bad prioritization, so you might be doing the wrong work or not actually getting at the root of what’s needed, because truly no one has better knowledge of the needs and nuances and changes of your organization than someone internally. So you need someone internally who is truly tasked with owning and stewarding, you know, the strategy, technical work and investments for your platform. The way that we do that is, you know, we do all of our own admin work inside, and then we have a phenomenal partner for our Salesforce team that, if we need any coding or high-level development, there’s not enough of that work for us to need to staff a full-time position, but we have a great partner that we can outsource that work to. Um, but again, like Sam’s saying, it’s not just an outsourcing. We don’t have a partner that’s just an order taker. They’re not just like, yes, we’ll do it. They really come to the table, and we expect and ask of them to bring their wisdom and their critical thinking and their partnership so that they up our game. So they’re not just executors, they’re actually asking questions and giving advice about how we’re investing in our technology as well. So we get an additional phenomenal external partner on our

[00:34:18.62] spk_0:
work. And I can see why you said earlier that you’re constantly making the case for a particular technology investment, you know, what’s the return gonna be, how is this gonna improve our efficiency? You know, I can see how you’re regularly making this case, these cases all

[00:34:47.30] spk_2:
the time. Yeah. You know, and we started with moving the air, creating a Crm team internally and advocating for this type of investment on crm structuring the team in this way, finding the external partners in, you know, replacing old platforms that were not performing well with newer technology. Um, and then a few years down the road, you know, went back to chris and SAm, I think our executive director went back and said, hey, we’re experiencing a lot of pain on the web, like what’s going on over here, and they’re like, it’s the same issue you’ve got to treat and staff your web technology like you have crm. So we’ve brought web into the fold and made the same kind of advocacy and same kind of investment for internal staffing, Internal stewardship and external partners.

[00:36:03.20] spk_1:
Yeah. And you know, Tony, I think you see the same sort of, like, when there’s pain, there’s turfiness, because people are just fighting to get the basics of what they need to do their work. So they say, no, this is ours, we’re gonna hold on to this. You know, I had to go build a new website, so I’m gonna hold onto this with everything I got. Once you have a team, like, Ananda hired this amazing, uh, product manager for web, Jesse Jones. Once Jessie’s in there, people are only too happy to sort of let go of control because they know that she is gonna look out for their needs and do it 10 times better than they could have done it themselves. And meanwhile they get to do their fundraising or communications or program work and focus on that. So it’s just this process of getting everybody optimized onto the skills that they are best suited for and the things they love to wake up in the morning and geek out on. You know, what better option is there than that: one, you’ve got all the tools that you need, and two, you get to do the work you’re excited about with them. It’s, you know, a lot of it is common sense, but it’s about bringing the right types of people in.

[00:36:28.82] spk_0:
Ananda, what have we not talked about yet that you want folks to know about this, the process or the investment, maybe questions that came during your session that you think were valuable?

[00:36:33.03] spk_2:
Yeah let’s see what have we not covered yet. We’ve covered a lot.

[00:36:38.04] spk_0:
Well non profit radio is a comprehensive podcast. I hope I hope you’re not surprised by that.

[00:36:43.06] spk_2:
I expected nothing less.

[00:36:44.64] spk_0:
Thank you very much. Thank you that’s the validation I’m looking for. Thank

[00:36:48.60] spk_1:
you very

[00:36:49.47] spk_0:
important to me it’s very important

[00:37:59.95] spk_2:
Um, I would just say, I think the only other thing that, um, I have discovered in my work here that, um, is important is often people can start conflating, um, digital product team members with more like traditional IT. And so one of the things that has become important about my role is really protecting my team’s time and their remit. So often, you know, when you put these really ally-oriented folks onto your staff and they start fixing all of these pain points or debacles and make things run smoothly and get improved and partner with your gold team members, your content members, um, you can start to develop a reputation as almost like a fixer. And so one of the things is then all of a sudden you’re getting all kinds of questions like, hey, can you fix this printer, can you work on my computer, can you do this? So I think, you know, we touched on it earlier about the three different areas of technology, but really keeping that distinction and not letting, you know, IT and digital products kind of become one in people’s minds, because then all of a sudden you have folks who really have the potential to be force multipliers for your organization whose time ends up getting eaten up by, you know, fixing that are important but they’re not really what the remit of this

[00:38:14.17] spk_0:
exactly

[00:38:24.51] spk_2:
which is so important. If you need to print, that’s important to your job. But that’s not a force multiplication for the productiveness and the mission of your organization. So it’s a different skill set and they should be treated and maintained separately.

[00:38:34.04] spk_0:
Sam same question for you. Anything you’d like to uh I’d like to add that we haven’t talked about yet.

[00:39:26.23] spk_1:
No, indeed it has been very comprehensive and I appreciate the time to talk about it. I guess I would just say, um, that this path is very possible. Organizations can make this transition and, like we say, there’s no shortcut. You have to put in the time to focus on the resources, you have to care enough, uh, to really invest and to invest in all those ways, but you can walk down this path. That’s why we’ve tried to share these resources as openly as we have. It’s all there, like, the build tank dot com slash roadmap, you can read through it. Um, it’s just about the sort of common sense of things are not going to be great unless you have great people stewarding them, just like every area of your organization. So I guess I just want to offer some hope to people who are struggling under the burden of systems that hold them back instead of supercharge them, that it is possible. You know, it’s not possible without investment, but with the right investment in the right structures it is possible that everybody has the tools they need to work more effectively, to be more happy at their work, to be more effective at the end of the day and to have more impact.

[00:39:46.44] spk_0:
and you’ll find the resource at the build tank dot com slash resource map source roadmap of course that’s roadmap. The build tank build tank dot com slash

[00:39:58.45] spk_1:
roadmap which

[00:40:00.13] spk_0:
is the roadmap to better technology tomorrow for our happy homemakers

[00:40:04.77] spk_1:
19

[00:40:11.24] spk_0:
50s. Alright, that’s Sam Dorman, he’s cofounder at The Build Tank, and also Ananda Robi, Managing Director of Digital Products at Center for Action and Contemplation. Ananda, Sam, thank you very, very much for sharing. Thanks

[00:40:22.10] spk_1:
tony

[00:40:24.06] spk_2:
pleasure,

[00:41:45.33] spk_0:
Thank you, and thank you, listeners, for being with Tony Martignetti Nonprofit Radio coverage of 22NTC. Next week, we now return to our regularly scheduled non-22NTC programming: principles of sustained fundraising with Larry Johnson. If you missed any part of this week’s show, I beseech you, find it at tony-martignetti dot com. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. turn hyphen two dot C o. And by Fourth Dimension Technologies. Yes, I Tion for in a box, the affordable tech solution for nonprofits, but also get the free offer, the listener offer. All of it’s at tony-dot-M.A.-slash-Pursuant four D. You know, just like three D. But they go one dimension deeper. Our creative producer is Claire Meyerhoff. The show’s social media is by Susan Chavez. Marc Silverman is our web guy, and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with me next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great.

Nonprofit Radio for January 17, 2022: Legal Outlook For 2022

Gene Takagi: Legal Outlook For 2022

Gene Takagi returns for a mix of checklist items and emerging trends. It’s a good time to look big picture at your HR investments, corporate docs and financials. Also, what to look out for in crowdfunding, donor disclosure, data protection, and more. Gene is principal of the Nonprofit & Exempt Organizations Law Group (NEO) and our legal contributor.

 


I love our sponsor!

Turn Two Communications: PR and content for nonprofits. Your story is our mission.

 

Transcript for 574_tony_martignetti_nonprofit_radio_20220117.mp3

Processed on: 2022-01-17T01:38:56.677Z

[00:02:10.34] spk_0:
Hello and welcome to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other 95%. I’m your aptly named host of your favorite hebdomadal podcast. Oh, I’m glad you’re with me. I’d bear the pain of proto psychosis if you infected me with the idea that you missed this week’s show. Legal Outlook for 2022: Gene Takagi returns for a mix of checklist items and emerging trends. It’s a good time to look at big picture items like your HR investments, corporate docs and financials. Also, though, what to look out for in crowdfunding, donor disclosure, data protection and more. Gene is principal of the Nonprofit and Exempt Organizations Law Group, NEO, and our legal contributor. On Tony’s Take Two, 50% off Planned Giving Accelerator. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. turn hyphen two dot c o. It’s always my pleasure to welcome back Gene Takagi to the show. You know who he is. It’s almost superfluous for me to do the intro. But Gene deserves it. He’s well credentialed and I want to make sure that he gets his due introduction. Gene Takagi, our legal contributor and managing attorney of NEO, the Nonprofit and Exempt Organizations Law Group in San Francisco. He edits that wildly popular nonprofit law blog dot com, which you should be following, and he is a part-time lecturer at Columbia University. The firm is at neo law group dot com and he’s at jeanne, Welcome back.

[00:02:11.94] spk_1:
Great to be back. Tony, how are you?

[00:02:13.98] spk_0:
It’s always a pleasure. Thank you. I’m well happy New Year.

[00:02:17.99] spk_1:
Happy New Year.

[00:03:05.74] spk_0:
Thank you. And so let’s talk about the new year. Um, and just before we do, I want to remind folks that not too long ago we had Gene’s one-hour legal audit, which you might want to look back at. That was a sort of a condensed version of some of what we’re gonna talk about today. Although we have lots of new subjects to talk about today too. But there was the one-hour legal audit, and also with Gene recently, Risk Management Part One, and then a different show, Risk Management Part Two. So those are resources that you can look back at just from a couple of months ago, and those go into more detail on some of what we’re gonna talk about today. Gene, uh, where would you like to start for the new year? I throw it open to you. What would you like to start with?

[00:03:58.64] spk_1:
So it does seem like kind of this chance at restarting, getting reenergized and thinking about our organizations and where we want to go. Um, yes, we have to keep in mind some of those, um, risks that we talked about in previous shows, but we also have to think about kind of where we want to go. What our dreams are, um, what our vision is for the organization. Have we properly captured it? Um, what is our mission? Is that sort of properly captured? Because our environment seems to be changing week by week. It seems to be new stuff that comes up that we have to consider. Are we still on track with where we want to go? So having these sort of broader discussions. I like setting those organizational priorities for the new year.

[00:04:06.64] spk_0:
Okay. Okay. Um, what would you, what what priority would you like to start with?

[00:06:07.94] spk_1:
Sure. So, um, being the lawyer, I say, okay, let’s talk about legal compliance just to make sure we’ve got some systems in place. Mission and values, which we’ve frequently emphasized when we’ve had discussions about not just existing to further your mission, but to do it in a way that advances your values. And if equity and inclusion are part of those values, then, you know, that’s something you should be thinking about as well. Definitely considering some of the trends that are out there, and I know we’ll get into that a little bit later in the show, but also including kind of the times that we live in and acknowledging that yes, we’re under the impact of Covid, which seems to be shifting constantly in both how it’s affecting us and how we might need to respond to it. The great resignation, which certainly isn’t completely unrelated to Covid, but that is a huge trend and movement as we’re trying to figure out how do we keep our workers, are we burning them out? The mental health issues that are, you know, hitting pretty much all of us, um, from the isolation, remote working, from the uncertainties of health, from sick family members and loved ones and all of that, and saying, well, are we going to be able to keep our team together? Should we be keeping our team together the way we’re working now? Do we need to shift our work practices? Do we need to shift what type of benefits we’re giving to them? All of those things have got to be sort of raised. And I would say raised at the board level, you know, together with the executives and senior management team. Let’s talk about it.
Let’s brainstorm, think about this and get what our organizational priorities are this year, because things can change rapidly, and rapid change, if you don’t have any plans, um, to anticipate some of them, don’t have contingency plans, can force you into very, very stressful times where immediate actions are necessary, and you can sometimes make bad decisions if you’re under that type of time stress. So

[00:06:18.63] spk_0:
then it because then it becomes a crisis

[00:06:20.30] spk_1:
right? Exactly.

[00:06:48.64] spk_0:
And and a crisis in staffing, especially knowing how hard it is to hire folks now, you know, you talked about, you know, keeping the team together or should we keep should we keep the team together? But, you know, I’m sure you’re seeing it with your clients. The difficulty in hiring, you know, you want to, that, that, that’s a, that’s a huge factor in, you know, do we have the right team? Well, putting the right team together, it’s gonna take a lot longer than it used to?

[00:08:01.94] spk_1:
Yeah, absolutely. And if you’re talking about retention, you got to figure out what are you going to invest in this? I know you want to, you know, provide as much as you can to your beneficiaries. But if you’re not really considering the team of people in, you know, on your team that are providing those services that are supporting those services, the whole thing can collapse. So just remember where your infrastructure and when your groundwork is and how important the human resources are in your organization to being able to deliver services and provide goods for your charitable missions. So really important not to neglect that. And that requires an investment both on retention and if you aren’t able to retain everybody and you need to recruit, you’re gonna have to be able to show what you’re going to invest in those new employees and give them time to learn. You can’t expect them to perform like experienced people have, um, in the past. So it’s, you know, some patience, um, and definitely investment in education and training and orientation, um, and all the rest and again, um, to the extent that your executive is probably also overwhelmed with everything else going on. The board is really pivotal in trying to be able to come up with plans that help invest in their teams.

[00:08:10.44] spk_0:
This goes to legal audit the conversation we had a few months ago. You’d like to see a review of governing documents to.

[00:09:31.74] spk_1:
Yeah, I I always think that that’s a great thing to check out in the new year. Just even if you have somebody, you know, a higher up kind of a board member or where your executive or senior manager take a look at your articles and bylaws, even spending 30 minutes on it and saying is our mission really reflected in these documents or have we evolved into something else? And these documents are like stale and old and outdated now in that case those documents still rule. So if you have the IRS or a state regulator coming in to audit you, if you’re not performing within that mission statement in your articles and bylaws, you could be acting completely out of compliance and worst case scenario, you can really threaten the organization through penalties, etcetera. So that’s something to take a look at. Also just take a look at a lot of organizations. I find out their their boards, they’re like, oh, you know, we forgot to elect them. You know, we, we, you know, we’ve had terms, you know of two years but they’ve been on for like 10 years and we’re happy with them. So we just don’t do elections that can be really, really harmful as well for multiple reasons. But you know, sit back, see what you’re doing and what you’re not doing consistent with your articles and bylaws. And if you need to change things determine that you have to change. And if you need the help of a lawyer, try to find somebody that can help you with that. And there are some good resources on the web as well.

[00:09:48.64] spk_0:
What’s, what’s one of the good resources?

[00:10:15.04] spk_1:
A little bit of a self plug because I’m a board member, but BoardSource has excellent resources on board of directors, governance things of that nature. Stanford University also has excellent resources in terms of sort of template documents that are just a guide for nonprofits. It’s not one size fits all, but it just gives you a general idea about how some things operate. Um, so those are just two good resources to look at.

[00:10:18.35] spk_0:
And, and again, we, we talked about this extensively in the show called your one

[00:10:24.34] spk_1:
hour legal audit.

[00:10:30.14] spk_0:
You have some last one. You have some financial performance advice for the new year.

[00:13:04.74] spk_1:
Yeah. Well I think probably, um, most people take a look at their financials throughout the year on the board level and on the executive level. Um, but the new year, you’ve actually sort of completed your financials and they might not be, um, in final form yet, but you might have what some people call a pro forma set of financials, um, sort of close to final, where you get to assess what you’ve done in the year, you know, for, for most organizations, this goes without saying, but you want to make sure that you’re performing in a way that you’re not becoming insolvent. So you want to make sure what your balance sheet looks like and whether you have net assets, um, if you don’t have net assets, that means that you are either insolvent or, you know, in the zone of insolvency, you have to think about how you’re going to address that very serious issue. And I would say you don’t have internal expertise on dealing with it, get outside help right away if that’s the case. But your, your statement of revenues and expenses as well, are you sort of operating what people call in the black so that there is, you know, some net income in there or are you operating in the red where you’re very concerned because you’re losing money, timing is always important. So it’s misleading to look at one year in isolation because sometimes grants are given in one year, but they’re actually uh received in another year. So the timing issue can pose different challenges about reading financials. So you want to be able to read it sort of collectively through a multi year period just to know where you stand. And again, if board members aren’t able to help an executive and the executive feels like they need some help with understanding financials, to reading financials invest in everybody’s training in this area and there are a lot of people, even pro bono, that, that are offering this training pro bono and a lot of resources on the web. 
So make sure you understand your financials and what they’re indicating. You don’t need to know every single financial ratio that you know, business people use, but just generally know: are you healthy financially or are you trending bad? And if you have several years where you’re in the red, where you, where you’re not making money, it looks like you’re bleeding money, then that might be indicative of some change that’s necessary in order to make your organization sustainable on an ongoing basis. So again, you don’t want to hit crisis mode financially. So this is a good chance, take a look at your financials, not just last year, but over a multiyear period and see where you are, get help if you need it.

[00:15:08.54] spk_0:
We have a show that I replayed, oh, I think within the past six months, uh, the guest was Andy Robinson. So you could go to tony-martignetti dot com and just search his name Andy Robinson, but it was something like teaching your board basic financials and he wrote a book, I’m pretty sure it was published by charity channel, uh, with, with a title similar to that. So if you, and the show is a few years old, but reading financial statements and and balance sheets hasn’t changed much in probably 100 years. Um, so it’s just all in and out now now, it’s all in Excel. But uh, so if you’d like some help with that, there is a, there is a show where Andy Robinson was the guest talking about, you’re improving your board’s financial literacy. It’s time for a break. Turn Two Communications. Your 2022 communications plan. Does it have lots of projects? Lots of writing projects? You can get the biggest projects off your plate and outsource them. Free up staff time to devote to the work that it’s not feasible to have others doing for you. Like the annual report, just because it’s been done in house in the past, doesn’t mean it has to be done in house this year. What about research reports, white papers, your other heavy lift pieces. Do you need help with writing projects in 2022? Turn Two Communications. Your story is their mission. Turn hyphen two dot c o. Now, back to legal outlook for 2022 with Gene Takagi. Okay, so let’s talk about some trends then, Gene, you have a, you have a case we haven’t talked about, we haven’t talked about an actual case for a while. Americans for Prosperity.

[00:19:16.54] spk_1:
Yeah. So um that was a huge U.S. Supreme Court case at least huge for the nonprofit sector. Um, but with deeper implications for if I if I’m not over hyping it for democracy itself. So um so Americans for Prosperity Foundation versus Bonta, who was the California Attorney General, basically it was about the Schedule B disclosure of donors who donated more than $5000. So for nonprofits who know how to prepare their Form 990s, you’ll know that on Schedule B of your Form 990, you’re actually disclosing to the IRS. It’s not public information. Um But it’s to the IRS. The name and address of your donors who donated more than $5000. Now that hasn’t changed, you still have to disclose it to the IRS. But certain states, including California where volunteers from as the attorney general um New York I believe New Jersey I believe Hawaii also included Um all asked for a copy of the 990 including an unredacted Schedule B to be given to the state regulator because they also want to look at that information for state law compliance purposes. A lot of them are concerned about donors who give money but get something back in return that’s not being disclosed. So if they ever have to have an investigation of that, that information turns out to be very helpful to the state to be able to say ah they were giving money but they also took in this huge benefit, this huge contract for example, which you know, reap them millions of dollars. Um So there was a legal case um that went up through the courts um finally hit the U.S. Supreme Court and the AG lost here, the California AG. Um So the court decided and we know the court’s composition is fairly conservative right now. The court decided that uh the states don’t have this right. 
Um It was based on the fact finding of the lower courts which is a little bit unfortunate because if the higher court could have considered more facts, then it might have been decided a different way but based on kind of how how our legal system works and and and how the Supreme Court works and the composition of the Supreme Court. They held that, hey this is not disclosable to the states essentially that’s the impact of it. The broader impact on why I said democracy might be at issue here is because well what about sort of campaign finance disclosures? And what about the IRS? Should they be entitled to that information as well? So it’s really helpful in compliance. But the counter argument and why some organizations, charities, were also um not in favor of the disclosures is because of the protection of the donor. And the old case cited um in this part of the argument was an NAACP case that said, well, if we disclose our donors, the KKK had threatened to kill all of them. Um And you can see why privacy was important in that issue and this issue, it was nothing like this. I think it’s a Koch brothers, um, kind of funded charity. They wanted really to keep their identity, um, more hidden because they have desires to influence politics in many ways. And if it always gets associated with them, then the impact lessens. So if they can look like they’re ground swells of movements that are funding these things rather than individual donors, um, it looks better for for what they’re trying to do. So that’s, you know, that’s what’s at stake here is not only are the states not allowed to get this information that would really help them in state law enforcement of whether there’s diversion of charitable assets that benefit

[00:19:29.74] spk_0:
donors. But

[00:19:30.15] spk_1:
in the broader sense, are we going to allow more dark money to enter into our political systems without knowing that there are donors, heavy donors that back these, you know, politicians or political parties or political movements. So that’s the scary part about this decision.

[00:19:57.94] spk_0:
What’s the, I think infamous Supreme Court case that that allowed the allowed the dark money into, uh, into politics. United

[00:20:02.73] spk_1:
Citizens. United

[00:20:27.54] spk_0:
United. Yeah. Um, All right. All right. And so I just want to repeat this. So this case that Gene was just talking about is Americans for Prosperity Foundation v. Bonta, B. O. N. T. A. What about crowdfunding? You, you point out that there’s a new crowdfunding law. Hope is this a little more optimistic? I hope?

[00:21:22.54] spk_1:
Uh, well, depending upon how you look at it. And I think in one sense it’s inevitable. Um, a lot of our laws that are developed regarding fundraising, um, don’t even, and never anticipated the internet, right, Tony. So, uh, you know, now crowdfunding platform is, you know, not just the internet, the use of the internet, but it’s a lot of different for profit companies getting involved, um, to enable charities and organizations and people who are not charities to raise funds that look like they could be for charitable purposes, right? So you want to help victims of a fire, but you want to help them directly, because some individuals said, I want to start a GoFundMe campaign, right? And say, well, you know, chip in 50 bucks and let’s try to get these people some help doesn’t, that doesn’t go through a charity. Often it just goes to this person, right, who promises to give these other people money

[00:21:35.90] spk_0:
and go funding the person’s goodwill. Honestly, yeah,

[00:21:58.14] spk_1:
GoFundMe is, you know, reacted to this and they’re probably the biggest crowdfunding platforms. So they’ve reacted to this in terms of having their own internal policies to help prevent a check. But overall, there’s, you know, hundreds, if not thousands of crowdfunding platforms out there that do this to make a profit. Um, and they may not have those types of controls or checks to not to just, you know, prevent somebody from saying, let’s raise money to help fire victims and then just keeping it. Um, so,

[00:22:11.97] spk_0:
what, what, what is the import of the law for, for us?

[00:23:21.34] spk_1:
So I think the import of the law is, if you’re going to get on and decide, hey, we want to do crowdfunding, um, you’ve got to select your platform provider carefully and this law, which is in California, but is likely to spread across different states in various forms, says, well now, if you’re gonna do that, you’ve got to make sure that this crowdfunding platform is registered. Um, and they’re reporting and there are all sorts of rules involved. So if you have a contract with them, it should be subject to these rules that might say things like, well, if they collect money, they have to give the money to the charity within a certain time period. Right? So they couldn’t say, well, it takes this administration, so maybe a couple of years before you get that, you know, nobody’s gonna be happy with that, but without rules, why not? Um, so these are, this is why it’s important for charities to have rules. The actual details of the rules. So I can see why some people have some, some issue with them. And we haven’t had all of the regulations yet, they’re still in discussion. So this is very, still very trending, but the crowdfunding law, the law, the general law that’s in place now will become effective in California in 2023, and the regulations are being developed right now,

[00:23:58.04] spk_0:
let’s turn to remote work, which is obviously so much more common now. Hybrid work, you know, return to work dates are being pushed off and off. Um What what are what are what are what trends are you seeing? What should be on, will you be on the lookout for with respect to uh remote work and employment law issues?

[00:25:10.84] spk_1:
Yeah, it’s, you know, this is a really tricky area. Um you know, for sure, Covid where people were suddenly not permitted to to go indoors in some cases for months. Um and who knows if, you know, we’re going to return to some of those scenarios with the omicron variant out there, We’re hoping that it’s less um severe in terms of its impact, even if it might be a more transmissible, but if we if we keep worrying about this and saying, you know, our workers aren’t comfortable coming to work, even if the law allows them to come to work. Um Maybe we’re going to let people work remotely, and many of us have gone full remote, some of us have gone back to partial returns, some have gone back to full returns and then gone back, you know out the other way and said, okay, you know, it’s at the workers discretion whether they want to come in or not. So what makes us a little bit tricky. Um is that you don’t control the work environment as the employer, if they’re working at home, right? Um but that becomes the work environment, if they’re doing work from home, that’s their work environment, and, you know, the employer is responsible for the work environment if they should get hurt, for example,

[00:25:22.94] spk_0:
um

[00:26:56.24] spk_1:
So it becomes a little bit tricky about, well, how do you, how do you handle that for workers comp reasons, for safety reasons, for OSHA reasons? Um and I think there’s an understanding by regulators that, you know, this is out of control of most small businesses, small charities and, you know, to to that extent, we’re not really gonna look to enforce things on that level, but there are other things that, that are also concerning, because not everybody goes when, when they decide to work remote, we work in the same city or in the same state, right. A lot of us um have decided to, you know, maybe move back with family, which might be in another state. In some cases it could be another country, or some of us have decided to travel and spend a little bit of time, you know, in different places. Um So how does the law treat that? And basically, you know, the old rules, which are the rules, many of us are stuck with. Um the old rules are, well, you have to comply with the laws where the worker is doing the work, so if you have a worker in New York who’s now working remotely and came out to Florida, well, then all the employment rules regarding worker safety and wage and hour laws and salary, overtime, sick pay benefits, all the Florida laws apply to that worker now. Um, and so now it’s like, well, you’ve got to work in Florida, you’ve got to think about, are you qualified to do business in

[00:27:00.21] spk_0:
Florida,

[00:27:36.94] spk_1:
charity registration in Florida? Um, and you may have had no connection to Florida before, but all of a sudden you have a worker working there. Um, so a few states, um, and they’re not very many, but a few states that said, well, you know, during Covid, we’ve got these temporary rules where we’re relaxed, where you don’t have to do that. And there’s also state tax issues, right? State payroll taxes, and, and other times, all of those things, some states said, you don’t have to worry about it. A lot of organizations are simply not complying with, but,

[00:27:37.49] spk_0:
but you said it’s only a handful of states that said, we’re we’re we’re not enforcing

[00:27:42.14] spk_1:
right. Exactly.

[00:27:43.33] spk_0:
The majority of

[00:29:01.34] spk_1:
states are, yeah, well, I shouldn’t say they’re enforcing, but they haven’t the old laws or the existing laws still apply. There are no transition laws, so you’re out of compliance. And if they do enforce, which might not be like a, you know, a regulator coming out to you and saying you haven’t done this, it may be your employee is unhappy with something you’ve done, who’s working there and said, hey Florida law applies and you haven’t been complying with the Florida sort of benefits laws that, that apply. And maybe I could give you more specific example because San Francisco, if you came out to California, your remote employee came out to California, San Francisco has mandatory sick hours and not a lot, a lot of states don’t have sick hour pay. Um, but all of a sudden if you’re not paying them and they get wind of that, hey, you were supposed to pay me for this and you haven’t been, it’s the employee who could launch the complaint. Um, so it’s just to be careful of these things and, and just as your strategy for charity registration, Tony, when you’re sort of fundraising all over the country to, to, you’re not going to be able to maybe do all 50 states at once, but just to make sure you’ve got a plan to attack this kind of the same thing here. Um, check out where your employees are, you should know exactly where they are and check each state in terms of how strictly, maybe in terms of enforcing this and start to slowly comply

[00:30:12.74] spk_0:
the implications of state law. Yeah. What about the technology remote work? I don’t know if that’s all been figured out yet and maybe there were, maybe there were stopgap measures during the, during the, the darkest part of the pandemic, but but going forward, you know, tech technology has to be, has to be upgraded. You know, are we gonna, we’re gonna continue providing work phones? Are we going to provide work laptops? What about paying for internet access over the long term? I mean, you know, the internet access can be costly. And if if work is taking up a lot of the bandwidth, isn’t it appropriate for an employer to be paying a portion? And then how do then how does the, how does the, what’s the mechanism for the employee verifying how much they pay and you know, and then what percentage are we gonna cover of that, all the all the technology issues around, around remote work.

[00:30:58.44] spk_1:
Yeah, def definitely. And and as an as an employer, I would say, beyond sort of any legal compliance issues, um, you’ve got a, I think an ethical issue to make sure you’re providing your employees with the tools to do their job. And if you’re allowing remote work, you should make sure that they have the tools. So if they need a computer to be able to access it, so they’re not, they’re not using their personal computer. Um then you should make sure that happens same thing with the telephone. And if, you know, if those are going to be dedicated to work, um it should be explicitly written out that way. But if you force them to use their personal things, there are some states that actually do have laws that say you must reimburse your your employees if they’re using the tools that they need um for for remote work, but just ethically. Yeah.

[00:31:18.74] spk_0:
But then that’s then that raises security issues too. Absolutely. They have any kind of HIPAA protected information on their personal laptop. That’s gonna be a big problem. That that’s I think that’s probably a mistake if you’re dealing with that kind of data. But um

[00:32:01.74] spk_1:
and don’t we probably all have that type of stuff on our personal computers, right? You know, sort of HIPAA protected? We may have had emails like that are saved onto our computers. Um Right. So if if the computer is also being used for work and there’s a work issue that causes that data to be taken or corrupted, like, you know, what’s the employer’s responsibility if they hadn’t provided an alternative, it’s a great point

[00:32:50.94] spk_0:
and and it’s not only HIPAA data, but other other personalized data that that may be on now the personal, the employee’s personal computer, desktop or laptop or phone, you know, how is that? How is that private private data protected? Do they have malware prevention on their on their personal devices so that so that company emails that they’re that they’re using on their personal device aren’t potentially compromised. I mean, the use of the personal equipment raises a lot of technology and and legal, privacy and ethical issues too, you’re right. I mean, if the person is eight or 10 hours a day, they’re using their personal laptop, shouldn’t there be some compensation for that?

[00:34:46.94] spk_1:
Yeah. And I think minimally because no matter you know how much we encourage people to have sort of work dedicated computers provided by the workplace, people are going to use their personal phones. I mean we can go back to the politicians who have all been using their personal phones. So we know it happens regardless of what the best practices. But what can the employer do, they can pay for all of that data protection stuff that that computer should have. Right, Tony, because now it has much more sensitive information on there and the employer is partly responsible for some of the other information that could be on there and hacked. So yeah, employers should help. And that kind of leads us to the whole data security issue as well that everybody’s got to be paying attention to now is really um nonprofits have important data in their system. Some of it is, you know, HIPAA protected, some of it is other privacy information. You may have employment reviews on there that you don’t want going out into the real world or client, you know, feedback which might be positive. Some of it might be negative sensitive communications, all sorts of stuff that you might find on a work computer and if it gets hacked and if that data gets stolen or if somebody holds the system which might run your programs or aspects of your programs if they cause your system to crash and say that they will only sort of fix it because they’ve hacked and caused the crash. If you pay a ransom, you’ve got all sorts of problems. Uh and maybe some of that may have been mitigated with some basic steps like you mean you’re not going to be, well even the U.S. Government can’t prevent all hackers. I think we we know that, but you can take reasonable steps based on your budget, whatever that might be to to control some of this. So it really is important to have some safeguards.

[00:34:55.74] spk_0:
Another potential category of data is the GDPR data. If if if your nonprofit is implicated at all in in that European common law law then or the yeah then then you’ve got those concerns as well.

[00:35:08.94] spk_1:
Yeah, absolutely. So if you have European donors or you’re doing business with any European entities and you have data from those entities or persons be careful and again, remote working can trigger some of that. So if if they decided to, you know their home or or they want to travel to Europe and do their work from there.

[00:35:28.74] spk_0:
Um,

[00:35:29.74] spk_1:
all sorts of implications.

[00:37:44.03] spk_0:
Yeah. Absolutely right. People very good point where where people are sitting and where they’re planted when they’re working. It’s time for Tony’s Take Two. We’ve got 50% off the tuition for planned giving accelerator. That’s because just last week a donor stepped up, someone who believes very deeply in planned giving accelerator and he is offering to pay 50% of the tuition for the 1st 10 nonprofits that take him up on his offer. A couple have already done it as of the time I’m recording, but there are several spots left. So if you’ve been toying with the idea of planned giving accelerator, it’s never going to be cheaper than 50% off. What the way this will work is. You’ll pay the tuition in full, which is $1195 for the six month course. This donor will then make a gift to you of half of that. So you’ll have a new donor, he’ll pay half your tuition. So it ends up being 50% off the full tuition cost. I know the donor, it’s someone I trust you have my word. Your final cost will be half of the full tuition if you’d like to jump on this and be one of the members of what is now our February class. I want to give people enough time for this because it, it just came in last week. So I’m extending, we’re, we’re not gonna start the class until February if you’d like to be part of that February class at 50% off email and we’ll, we’ll talk about planned giving accelerator and whether it can help you launch your planned giving program. Mhm. tony at tony-martignetti dot com. That’s me. That is Tony’s Take Two. We’ve got beaucoup butt loads more time for legal outlook for 2022

[00:38:01.22] spk_1:
one and one of the tools to think about and I’m a little bit guilty of this as well um is be careful of public wifi um because that often is an entryway for a

[00:38:03.83] spk_0:
hacker. Yeah, that’s totally unsecured airports, airplanes,

[00:38:09.89] spk_1:
coffee shops,

[00:38:13.42] spk_0:
coffee shops, Starbucks, wherever those are, all unsecured networks.

[00:38:29.32] spk_1:
Right? Meaning that there is the potential for somebody in there who has some malicious intent if they want to be able to hack into to your computer through that public wifi. Unsecured wifi. And there are different systems um but maybe one of the simplest for for those of us who have smartphones, which I think is most of us is you could actually create a sort of a private wifi just

[00:38:52.92] spk_0:
for your smartphone, right? Hotspot? Hotspot and don’t use the unsecured wifi to connect to, you know, use the uh the four G or five G or the five GHZ et cetera.

[00:38:56.17] spk_1:
Right? And that’s something an employer could pay to make sure that the employee has significant data and data plan that can incorporate all the additional data that they may need in their plan because of the work. So again, that would be reasonable and and ethical for the nonprofit employer to pay for their employees to have a higher data plan. Um, if they’re going to to use that and insist as a policy that they do not use public wifi. If they’re using a work computer or a computer that contains work and sensitive information,

[00:39:36.52] spk_0:
all you need is to transmit an email on, on an unsecured wifi that that has a donors credit card number, maybe

[00:39:38.77] spk_1:
native

[00:39:58.12] spk_0:
birth address, name any, any two of those things together, uh, hacked could be very detrimental to that donor. And you know, whether it ever gets traced back to you is is uncertain, but you’ve, you’ve put your donors privacy at risk in a simple email that has any two of those pieces of information.

[00:40:04.31] spk_1:
And it appears to be a myth, um, when people have relied on, they’re not going to go after us because we’re nonprofits, people don’t go

[00:40:12.29] spk_0:
after. Oh, that’s bullshit. Oh, that’s ridiculous.

[00:40:14.57] spk_1:
Right?

[00:40:22.61] spk_0:
I’m working with a client now that, that is a, is in New York City that’s, that’s, um, victim of, of a malware, uh, ransomware, so brought me a ransomware attack.

[00:40:27.61] spk_1:
Yeah.

[00:40:40.41] spk_0:
And they’re keeping it quiet so I’m not permitted to say who it is. But um, yeah, they’ve, they’ve been, they’ve been hindered for weeks and weeks with data accessibility issues.

[00:40:42.71] spk_1:
Yeah. And it’s much more common than we think because organizations do want to keep it quiet because if there is a vulnerability, they don’t want to come and say other hackers come come and attack us, we’re vulnerable. So it may be much more pervasive than we think

[00:40:57.61] spk_0:
and that myth also breaks down along ideological

[00:41:00.04] spk_1:
lines.

[00:41:21.61] spk_0:
Some some person on the left may may attack an organization on the right. Some person on the right may attack an organization on the left just because of where the organization stands with respect to the person’s political and ideological beliefs that that that’s enough. It doesn’t matter that you’re a nonprofit. It’s it’s your ideology and your mission. It has nothing to do with your tax exempt status as to why somebody would or wouldn’t go after you.

[00:41:28.41] spk_1:
Yeah and um in these times that those ideological differences have been very um pronounced and. Yeah.

[00:41:41.11] spk_0:
Alright where else should we go? Gene with trends, trends for the new year. Come on.

[00:44:24.69] spk_1:
Um, let’s talk a little bit, since we’re talking about technology and data security, let’s talk a little bit about cryptocurrency, because I find that pretty fascinating. Um, there was an organization that came together and bid $40 million on a copy of the U.S. Constitution just a few weeks ago. Um, that money, the $40 million plus more, I think about 47 or $48 million, was raised for that purpose in less than two weeks. Um, so, um, cryptocurrency donors, um, often have made a ton of money because of the appreciation of cryptocurrencies like Bitcoin, for, for those who aren’t super familiar with it. Um, and if you donate cryptocurrency, it’s like donating a non-cash asset, meaning that if you bought cryptocurrency for $1,000 10 years ago and it’s worth now several million dollars, which, if you bought the right cryptocurrency, that might be the case, if you sold it, uh, you would have a lot of taxes to pay on that appreciation, right? The several million dollars of appreciated income that would be subject to capital gains tax. Um, so if you sold it and donated some of the proceeds, that would not be a very tax-efficient way to donate. When, if you donated the cryptocurrency itself, what you do is you get to take a fair market value deduction of the several million dollars. So you gave several million. So potentially you could deduct that as a charitable contribution and pay no capital gains tax because you never sold it. Um, so very tax-efficient way of giving. Um, and cryptocurrency people, wealthy millionaires and others who decided that they wanted to see some positive impact, um, from giving these gifts are, are making gifts of cryptocurrency now, and that’s, that’s partly why, um, so many gathered together to say, hey, we’d like to fund a charity to buy a copy of the U.S. Constitution so that we can ensure that this constitution is always for the public’s benefit and on public viewership and not sitting in somebody’s house, you know, for, for their own prestige.
Um, but that really opens it up. Charities, think about, there’s a lot of these people who made quite a bit of money on cryptocurrency, and a lot of younger people are investing fairly heavily in cryptocurrency now. So it’s something to not sort of blow away if we’re, um, kind of our age or older, Tony, to say, cryptocurrency, what is that? It’s, it’s something to really embrace now because it’s, it’s not just this exotic tool now, it’s part of regular investment portfolios.

[00:45:56.79] spk_0:
Absolutely, it’s, it’s, it’s coming, and, and Gene, this dovetails perfectly with our November 15 show of 2021, Bitcoin and the Future of Fundraising, with my guests, who are Anne Connelly and Jason Shim, who wrote a book, Bitcoin and the Future of Fundraising. So, um, it’s, do you, it’s just more, more sage advice that crypto donations are coming. It’s not a matter of if, it’s just when. Are you gonna get on board now, or you’re gonna wait two more years and potentially be behind the curve? Um, and as Anne and Jason pointed out, today there are so few organizations accepting crypto that a lot of people are just searching for, where can I donate cryptocurrency? And probably largely, Gene, for the reasons you’re describing there. They’re looking for a direct crypto donation to help them with substantial capital gains. Are there specific legal implications of crypto donations that, that we need to be aware of, or, or is it just, you know, you just want folks to know that this trend is, it’s in the middle, it’s happening right now?

[00:48:15.97] spk_1:
So I think, you know, one of the reasons why charities are afraid to take crypto is because they don’t know what laws apply when they receive the crypto. They’re like, what do we do with this? Um, and there are ways to easily cash that out and turn it into U.S. cash. And in fact, most charities that accept crypto, and there’s not a lot, you’re right, Tony, but most charities that accept them liquidate them immediately, turn them into cash and deposit it into fiat currency, like regular paper currency, um, in their bank accounts. Um, so they’re not holding onto the crypto very long at all. One of the reasons why that’s, that can be very important is because there are prudent investor rules for charities that don’t apply to for-profits that basically say if you’ve got investment assets, charities, this is not just endowments, but just any sort of investment assets for reserves or for a capital fund or anything, you can’t invest it speculatively. You couldn’t just throw it all in, like, Apple stock, um, that would be too speculative. You have to look at it, uh, through what financial professionals, investment professionals call portfolio theory: are you sufficiently, um, have an investment portfolio diversified across several different asset classes? So if one bombs, you haven’t tanked all of your money. Um, and the board of directors have a fiduciary duty to live up to the prudent investment laws that also sort of follow this portfolio theory of how, how have you actually divest? Sorry. Um, diversify, yeah, um, your, your funds across different investment classes to protect yourself, and there are different considerations that go along with that. Um, but that is one reason why you don’t want to get stuck with all of your investments being in crypto, because crypto may be one of the most volatile types of investments, where it can double in a matter of days and it could tank and disappear in a matter of days as well.
So depending upon what type of cryptocurrency you have, and there are hundreds if not thousands of crypto, types of cryptocurrency, um, that have evolved, and a lot of people and organizations that are making new coins all the time. So new, new forms of cryptocurrency arising, and while we talked about crypto as being a part of more investment portfolios as a normal part of, of investments now, it’s not every cryptocurrency that would be in that. It’s certainly one

[00:48:47.07] spk_0:
1000, right? Some of these thousands trade for thousands of pennies. Thousands, yeah, thousands of pennies, even, you know, .0001, three zeros and a one is, you know, is the value of the currency. Um, so. Alright, that’s perfect, as I said, perfect dovetail to that, to that, uh, that November show, because you’re, you’re raising the prudent investor rule and, and, uh, portfolio theory.

[00:50:07.66] spk_1:
One more thing on this, Tony: the forms, the IRS forms for when you get non-cash contributions of more than $500, and how quickly you sell them. Um, also applies to, Form 8283 is what the donor needs to sign when they give a non-cash contribution of over $500, of over $500. And if it’s over $5000, which many crypto gifts are, they have to get a qualified appraisal for this. So that’s really important. And the donee, which is the charity, has to sign that form for the donor. And then if the donor, the donee, I’m sorry, the charity sells it within three years, they have to sign a Form 8282. Yeah, so that’s, again, it’s not terribly hard. It sounds like a lot of just legalese I’m blabbing out, but it’s not too hard, but just take a quick look at those if you decide that you want to start getting cryptocurrency. And at worst you might ask your donor to find a donor-advised fund that takes crypto, turns it into cash and then disperses it to the charity. So there are donor-advised funds that do that.

[00:50:15.76] spk_0:
interesting. Okay so so a Cryptocurrency donation is a non cash donation

[00:50:19.90] spk_1:
correct?

[00:50:58.76] spk_0:
Okay, and for non-cash donations of $500 or more, that’s where your, your donor has the implication of IRS Form 8283. And you, as the charity, if you sell it within three years, which your advice is that they do because it’s, of its volatility, then you’ve got the implication of IRS Form 8282. I always thought those were backwards. The donor should have 8282 because that comes first. Then comes 8283, from the donor to the donee. First the donor has it. Then the charity should be 8282, 8283. But it’s not. It’s 8283 for your donor and 8282 for you.

[00:51:06.16] spk_1:
That sounds like Larry David logic. But that’s how I think as well.

[00:51:10.58] spk_0:
Yeah. I’ve been accused of being Larry David in lots of ways. Including my, my hair when it’s long like it is

[00:51:16.23] spk_1:
now. I’ve

[00:51:33.46] spk_0:
been accused of looking like Larry David. But we’re not complaining, we’re helping. That’s all right. Um Alright let’s leave us with something else. Another trend for the new year that you want us to be thinking about gene. Um

[00:51:36.96] spk_1:
Let me talk a little bit about diversity equity and inclusion. Since we’ve we’ve talked about that in the

[00:51:42.21] spk_0:
past. You could search, Gene and I have talked about DEI a bunch of times. But

[00:53:46.05] spk_1:
yeah, please. You know, I think in combination, when we talk about the great migration and how the pandemic might be affecting different populations in different ways, that we start to think again about, kind of, well, if our charity is doing some, some mission and we might not think of that mission as being really reflective of, of specific races or, or anything like that. Um, but could DEI be important anyway? And I think that’s where we get to think about, well, if we had more perspectives in our organization, if, if we’re lacking some of those perspectives now, for example, not having a lot of Latinx, Hispanics or Blacks or Asian Americans on the board or in the leadership group, maybe we’re not really thinking about how our services that we’re delivering are affecting different populations differently. Maybe we’re just sort of providing services, but we’re focused on urban centers, or urban centers where, if we’re center-based, our center base is in neighborhoods that are much more accessible to, uh, white populations versus other populations. So getting different perspectives, even if we think of ourselves as being race neutral, which is kind of a charged term, but I’ll just use it for, for these purposes. If we think, some of us think of ourselves as race neutral and therefore we don’t have to get involved in the DEI work, we want to say, well, don’t we care about serving our population in a way that’s kind of fair and not just favoring one segment over other segments, or just totally neglecting certain segments of the population because they don’t have the same type of access? Have we ever thought about those things? And having diversity can help us think about those things. Um, but it has to be done, obviously, in an inclusive way, which we’ve talked about, and I know we just have a few minutes here, but it’s

[00:54:03.34] spk_0:
sort of it’s touching on, you know, not knowing what you don’t know without without having the perspective of diverse populations on your board, in your leadership, then you don’t know how you’re not serving other non white populations. Yeah. And even when we were perceived by other by by non white populations.

[00:55:32.64] spk_1:
Yeah, exactly. And even when we say, well when we look at a group of people and we say diversity, you know, that has one meaning. But sometimes when we just look in our inside our own heads, uh, and when people go unconscious bias, for example, try to think about what that is. It’s like, well if we don’t have the benefit of having different perspectives are being exposed to that all of our lives and none of us have all of the perspectives in our lives. So we were all going to be guilty of some sort of unconscious bias because we just don’t know any better. We we haven’t had other information that would have help develop a sensitivity or understanding or just knowledge of some of the disparities that are out there. So, and and how our organization can be either helping those disparities or hindering them. So just getting a sense of where we’d like to go. I think that can improve employee retention. It can lead us to new areas of employee recruitment and it can make us more relevant as organizations in the future, where if we’re not addressing some of these things, we could find ourselves becoming irrelevant less attractive to future donors, especially younger donors who this is very important to. Um, and so that’s my, my closing thought. Mhm.

[00:55:48.24] spk_0:
All good thoughts for, uh, for the new year, for 2022. Gene Takagi, our legal, legal contributor, managing attorney of NEO. You’ll find him at nonprofit law blog dot com. He’s also at @GTak, and you’ll find the firm at neo law group dot com. Gene, again, thank you very much. Happy New Year.

[00:55:57.39] spk_1:
Happy New Year. tony

[00:56:47.13] spk_0:
Next week, I’m working on it very diligently. If you missed any part of this week’s show, I beseech you, find it at tony-martignetti dot com. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. Turn hyphen two dot c o. Do you need help with any of those writing projects in 2022? Get them off your plate. Our creative producer is Claire Meyerhoff. The show’s social media is by Susan Chavez. Marc Silverman is our web guy, and this music is by Scott Stein. Mm hmm, thank you for that affirmation, Scotty. Be with me next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great.

Nonprofit Radio for January 10, 2022: Nonprofit Software Vulnerability With log4j

My Guest:

Joshua Peskay: Nonprofit Software Vulnerability With log4j

Happy New Year! There’s a software risk gaining attention and there’s a good chance you’ll need help diagnosing and repairing it. You don’t need to hoard gas, cash and toilet paper. Just be aware and do the repair. Joshua Peskay, from RoundTable Technology, sorts it out.

 

 

 

 

 

 

 

 

 


I love our sponsor!

Turn Two Communications: PR and content for nonprofits. Your story is our mission.

 


Transcript for 573_tony_martignetti_nonprofit_radio_20220110.mp3

Processed on: 2022-01-07T15:56:41.833Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2022…01…573_tony_martignetti_nonprofit_radio_20220110.mp3.687498576.json
Path to text: transcripts/2022/01/573_tony_martignetti_nonprofit_radio_20220110.txt

[00:00:10.04] spk_0:
Hello and welcome to Tony Martignetti Nonprofit Radio.

[00:01:11.84] spk_1:
Big nonprofit ideas for the other 95%. I’m your aptly named host of your favorite hebdomadal podcast. Oh, I’m glad you’re with me. I’d suffer with proctosigmoiditis if you inflamed me with the idea that you missed this week’s show, Nonprofit Software Vulnerability With Log4j. Happy New Year. There’s a software risk gaining attention and there’s a good chance you’ll need help diagnosing and repairing it. You don’t need to hoard gas, cash and toilet paper, just be aware and do the repair. Joshua Peskay from RoundTable Technology sorts it out. And Tony’s Take Two: Thank you, Gene and Amy. Sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. Turn hyphen two dot c o.

[00:01:45.14] spk_2:
It’s a pleasure to welcome back Joshua Peskay. He has spent nearly three decades leading technology change for over 1000 nonprofits. He’s especially dedicated to improving cybersecurity in the nonprofit sector and works regularly with at-risk organizations to address digital security challenges. He regularly presents and teaches on topics including technology strategy, cybersecurity, project and change management. You’ll find him at @JoshuaPeskay and the company is RoundTable Technology. Joshua, welcome back to Nonprofit

[00:01:54.14] spk_3:
Radio. It is an absolute pleasure to be here, Tony. Thank you so much for having me on.

[00:01:58.17] spk_2:
Oh, it’s, it’s my pleasure too, and it’s been the three years or some since, since 18 NTC

[00:02:05.47] spk_3:
when you were. Yeah, which was, that, the, no, that was the second-to-last in-person NTC. They did the 2019 one and then it’s been virtual since. Yeah,

[00:02:14.24] spk_2:
2nd the last yes

[00:02:16.74] spk_3:
and Happy New Year. Happy New Year to you as well. Happy holidays to you and all your listeners as well.

[00:02:26.24] spk_2:
They’re our listeners today. Not my listen, they’re ours share and share. That’s fair. Our listeners.

[00:02:30.24] spk_1:
Um all right.

[00:02:42.74] spk_2:
Log4j, potential security vulnerability that, uh, well, it is a security vulnerability that nonprofits potentially have. Give us the, the, the 30,000 ft view before we dive in. What, what is this Log4j?

[00:05:43.74] spk_3:
Yeah. So Log4j. First of all, on a technical level, is a Java-based, that means the programming language that it’s written in is Java, and it’s a logging utility that is used predominantly on servers, on what are known as Apache servers, which run just a huge amount of the things that run on the internet. And this logging utility, um, is a little bit of code that developers use to log things that happen on the server and then generate reports or create actions to help them identify bugs or other things that would go on. So that’s what Log4j is, and it’s very, very widely used. Um, and unfortunately it was disclosed, I think around December 10 was when it became public knowledge, that there’s a pretty rough vulnerability in it that allows an attacker to essentially take control of a server that is running Log4j in an incredibly simple way. And the organizations like the Center for Information Security, um, and the Cybersecurity and Infrastructure Security Agency, or CISA, um, they use this, um, terminology called CVEs, which is common vulnerabilities and exposures, I think. Um, I always forget what that stands for. Um, yeah, common vulnerabilities and exposures, or CVE. They have ratings of like 0 to 10 for how bad it is. So zero is like, that’s not too bad. 10 is, this is Armageddon, and this is a 10. And the reason it’s a 10, okay, is twofold in the most simple way. One is that it’s a, actually, I’ll say three. Okay, there’s three reasons. One is that it, the vulnerability is the most, the worst thing possible, that the exploit of the vulnerability allows complete takeover of the system that is exploited. So if your server is running this Log4j utility and I can send it a single packet of data, I can take it over and now do anything I want on that system. So it’s really bad. Second is that, at a rough estimate, uh, this is running on something on the order of three billion devices, um, that are connected to the internet in some way. So it’s running on everything.
And the third thing is that doing the exploit is incredibly easy. So a 12-year-old can go download a little bit of code off the internet and automate it and go out and find servers that are running Log4j and take them over. So incredibly easy to exploit. And the combination of those three things is why all the security experts around the world started freaking out to varying degrees around December 10.

[00:05:55.54] spk_2:
Okay. And, and CISA calls it a 10 out of 10. Yeah, this is all very interesting. I just saw the movie Don’t Look Up with Leonardo DiCaprio, Jennifer Adams, Meryl Streep.

[00:06:00.49] spk_3:
Someone was just telling you about this movie. I have not seen it yet, but mixed things about it. But yeah,

[00:07:24.24] spk_2:
A comet is coming to Earth. Uh, they, this comet is categorized as a planet killer. Uh, and the President, Meryl Streep, is, uh, not initially focused, you know, and she, in the first meeting with the two folks who have identified this comet and its trajectory right toward Earth, you know, she decides to sit tight and assess, and, and their estimate is that the comet is gonna hit Earth within six months. And it’s a, it’s a planet killer. It’ll, it’ll make us extinct. But she takes a sit, sit tight and assess approach. Yeah. Right. So, so I’m, I’m tempted. Um, no, but I don’t wanna, I don’t wanna be that, like, physical about it. Um, but I want to keep things in perspective too. So, but 10 out of 10, you know, from CISA. That’s, that’s significant, that, obviously. So. All right. And thank you for explaining why it’s called Log4j and what a logging application is. I’ve, I’ve sometimes looked at logs and it’s just thousands of lines of activity that could be incremental, like every, every couple of seconds or something, depending on what the, what the, what the, what the activity is that the log is logging. Um, it mean, it means nothing to me, but

[00:08:14.94] spk_3:
to write, essentially a bit of code that runs on servers. Um, there’s a really funny XKCD cartoon. I can, I can send you if you want to include in the show notes. Um, XKCD is a cartoon by a cartoonist named Randall Munroe. And he created this cartoon like two years ago. That’s like, uh, you know, the entire internet infrastructure. And it’s like this giant kind of house of cards thing, you know, that everything is on top of. And then at the very bottom there’s like this one thing that’s holding the whole thing up, and it’s like, this is a bit of code written for free and maintained for free by some developer in a small town in Nebraska. And this was like two or three years ago that he wrote this, because he’s kind of like noting how so much of the critical infrastructure of the internet are just open source free projects that people maintain in their free time. And this is, this is almost literally that. Like, this is just a utility that someone made a long time ago that no one pays for, that’s free to use, that was useful, and everybody used it. And then it was like, oh, this has a vulnerability. We, we now have to fix it, and it’s everywhere.

[00:08:29.53] spk_2:
Send me a link to that that drawing because I know the one you’re talking. Another one you’re talking about. I think I saw it on your linkedin.

[00:08:35.54] spk_3:
Yes, Yeah, yeah, yeah.

[00:08:37.35] spk_2:
But I want to include it. I’m gonna put it next

[00:08:39.11] spk_3:
to your headshot show in our show notes. Yes.

[00:09:35.04] spk_1:
It’s time for a break. Turn Two Communications. Your 2022 communications plan, lots of projects on there, lots of writing. You can take the biggest projects off your plate and outsource them. Free up staff time to devote to the work it’s not feasible to outsource. The annual report does not need to be done in house. Just because it always has been doesn’t mean it has to be. How about research reports, white papers? This stuff can be outsourced. Do you need help with your writing projects in 2022? Turn Two Communications. Your story is their mission. Turn hyphen two dot c o. Now back to Nonprofit Software Vulnerability With Log4j and Joshua Peskay.

[00:09:44.04] spk_2:
And you also said it’s on three billion devices now, potentially. So it’s not just server level. Right? This could be an

[00:12:36.74] spk_3:
individual works problem. Yeah. And so, so here’s where everybody’s gonna start panicking, right? Which is, they’re like, well, if there’s three billion devices, go ahead. Yeah, well, we don’t wanna panic. Right. Right, so, so people are thinking, oh gosh, I must have one of those devices or, or more, more of them in my home. And so the first thing is just, you know, calm down, take a breath. Um, but it, it’s, the most critical things are, you know, from a prioritization standpoint, are things that accept input from the internet. Now this might be something that non-technical people would, would have difficulty understanding. But the average computer that you’re using, or the printer in your home, most likely is not accepting input from the internet, meaning someone from the internet can’t just go and communicate with your printer or your coffee maker or your Amazon Alexa. Right? Because it’s not accepting input from the internet. The way most devices on most networks and in most homes work is it’s a kind of one-way invitation traffic rule. So your computer can get data from the internet and in that respect accepts input, because the data comes in. But the only way data comes in is when you request it. So when you type google dot com in your web browser, your computer is essentially making a request out to the internet and saying, I’d like this information sent to me, and then the internet sends it. But the internet can’t on its own, no one out of the internet on their own can send data to your computer without you requesting it. Okay, that’s most cases. Most people wouldn’t know whether their network or their devices are set up to receive input from the internet or not. But mostly they wouldn’t be. They would have to have done something specifically to put themselves in a state where their home devices would be accepting data from the internet.
But if you have a server that you’re using for any reason in your organization that accepts input from the internet, then that server is, if that server has this vulnerability on it, by the time you’re hearing this podcast, it’s probably compromised already. And the term that CISA and CIS and other security agencies use is assume compromise, and that’s the stance they’ve had for several weeks now. We’re recording this on December 28th. If you’re listening to this, let’s say January 15th, you know, you’re, and you have a server or more servers that are, that are accepting input from the internet that have this vulnerability and you’ve done nothing about it at this point, you would assume compromise, and that means, um, you need help. You need someone who knows how to go look at your server and look for indications of compromise and remediate them, meaning fix them and undo them so that your server is not compromised. Um, you’ll need help at that point. Okay,

[00:13:04.94] spk_2:
let’s start with the first of all, thank you for being a calm voice and and explaining things. So you keep yourself out of jargon jail, which I appreciate our listeners appreciate. I I hate to slap you into jargon jail so

[00:13:09.83] spk_3:
but keep me keep me honest on it, tony If I, if I say stuff that’s like, you know, if I’m either being condescending or you know, you know, saying things that you are not, you know, the folks aren’t gonna understand. Call me out all the time. I

[00:13:53.94] spk_2:
will well condescending, I’ll just shut off your mic and we’ll just end perfect. I don’t I don’t tolerate condescension but jargon that’s recoverable. So let’s start with the case. Uh, you know, our listeners are small and midsize nonprofits. Let’s start with the nonprofit that does not have a person devoted to I. T. Let alone a team or you know, doesn’t have a devoted consultant. Do they need a consultant? Can they what what what should the non I. T. Affiliated nonprofit?

[00:17:13.64] spk_3:
Sure. So let’s say you’re, you know, a 5 to 50 person nonprofit. Maybe even up to 100 staff. Okay. And you have no dedicated IT person. Maybe you have an accidental techie, maybe of like a, you know, Joe or Jane Laptop that helps you out with stuff, you know, as a consultant, or maybe you work with a small managed service provider. Um, someone who helps you with your technical, but let’s say you don’t have any dedicated resource. Okay. Whether you’ll need help or not depends on whether the directions that I’m going to give you now are something you could do, or you have someone in your organization who could do this. So what you would need to do, okay, is, I’m gonna use two big words and then I’ll explain them. Enumerate and remediate. Okay. These are the two most important things to do, in order. Enumerate. All right. Or enumeration is the act of figuring out what are all the things we have that may be vulnerable to this exploit. Okay. So I’ll give you just a simple example. We know, uh, and there’s a link we’ll give you in the resource, because again, CIS has a resource of all of the software applications, products, devices that are known to have a Log4j vulnerability in that. So let’s say, for example, I’m a typical nonprofit and we’re, we have, out of our 10 staff, we have five of them that use Tableau desktop because we purchased it from TechSoup and we used Tableau to do some data visualizations. That’s a really common application that lots of nonprofits would have running on their desktop. They probably aren’t updating it that regularly. Could be an older version. Tableau, which is now owned by Salesforce, so it shows up under Salesforce, is listed in this directory of all the vulnerable applications.
So you need to, if you know that I have Tableau, I need to go to this list, I need to search for Tableau, and then I need to follow the links to see if the versions of Tableau that I have are in fact vulnerable, and if so, what I’m supposed to do about that, which is usually going to be to run some patch that updates it. So you need to do that for everything that you have. So the enumeration part is figuring out what’s all the software and devices that we have. Our firewalls, our wireless access points, or the operating systems that run on our computers, the software that runs on our computers. And for many organizations, you’re already saying, we have no idea about any of those things. We don’t have that written down anywhere. We don’t, and that’s a real problem. And that, that problem, you know, when, when you go to best practices about how to govern technology, they’ll say have an inventory, have it current, you know, have it automated, so you can just go look online, and right, this is why, this is one of the reasons why that’s really important. If you don’t have that, this job at this time becomes extremely difficult for you. But if you don’t do it, you have no idea what vulnerabilities you have. It’s like not going in to get a physical in your doctor’s office for 20 years. You know, when you finally do go in, you’re probably gonna find a bunch of things that you maybe would have wished you found out earlier.

[00:17:20.14] spk_2:
Alright. So even before we get to remediation. Enumeration sounds overwhelming.

[00:17:47.04] spk_3:
If that sounds overwhelming, then you need help. If there’s some, if you have your accidental tech in your organization, you play them that part of this interview and you ask them, could you do that? Apologize for sirens coming by. I don’t know how my, yeah, sorry about that. But if that person listens to it and says, yes, I can do that, give me a day or two, I’m pretty sure I can do that, hey, then you can do it. If you have them listen to that and they’re like, I absolutely can’t do that, that sounds totally, then you need help.

[00:18:01.14] spk_2:
Okay, let’s go to remediation then. So once you found out where your potential vulnerabilities are,

[00:18:07.04] spk_3:
yes, we do this

[00:18:08.04] spk_2:
patching. It sounds like in

[00:19:46.94] spk_3:
most cases, exactly. So we’re saying, okay, we’ve got five people running Tableau desktop, this is the remediation that we need. This is the software that needs to be updated. This is the setting that needs to be changed. I just, whatever the instruction says, I need to go do it and check it off my list. So let’s say we have a SonicWall firewall that’s in our office network and that’s still running and we still have people coming to the office. So we need that to work. I need to go to the CIS for the enumeration piece, um, go see if the model of SonicWall and the software version that we have on it, that’s our firewall, is that listed here? If it’s not, yeah, see, we’re good. I can check that off the list. If it is listed, now I need to follow the link through and see what is the remediation that I’m supposed to do to fix the vulnerability. Right. The enumeration part is, I now know it’s vulnerable because it showed up on the list, and then I verified it’s, and it’s part of why this is hard for non-technical people is, you know, SonicWall has, I don’t know, 100 different firewalls that are out there in the world. Maybe more than that. And they’re at all different software versions. Right? And firmware versions. Firmware is like software that sits on a hardware device, so it’s typically called firmware. Alright? But it’s just like software, you update it just like any other software. And so I need to both see what model of SonicWall I have, the software or firmware version that I’m running on it, verify whether that SonicWall and that software version are vulnerable, and if so, what I need to do to remediate it, and I need to do that for everything that I have. All right.

[00:19:56.94] spk_2:
Let’s just, let’s, let’s just get help. You’re just gonna have to, if you don’t have someone devoted who can do this. Like, like Joshua said, play it back for them. If it sounds, it sounds as foreign to them as it does to me, you need, you need, you need help. You need help. Alright.

[00:21:38.64] spk_3:
And the urgency is, like, if, if you have, again, public internet-facing stuff, if you have, if you know or think you have a server that accepts input from the internet, right? Again, if you don’t understand how to even know that, then you need help, if you have no organization that can help you understand that. But if you do know that, that is by far your top priority. And again, by the time you’re listening to this, if you haven’t done it, assume compromise. It’s, it’s probably, it’s not that it’s too late, but it’s, but you’ve probably been compromised already. And so the question is, what do we do from that point? Um, and what you’d like to do is learn about it before you learn about it from a ransomware demand. Right? Because what’s, what you’re worried about is that that compromise will eventually be exploited by... What, what attackers are doing is exploiting systems and then putting in persistence, meaning a way for them to stay connected to the environment once this vulnerability is patched. So if they’ve done that, once you patch the vulnerability, it doesn’t matter, because their persistence is already there on the system. Right? So the next thing they do is exploit you by doing a ransomware attack or installing crypto miner software on your server or doing any of a dozen other things to leverage the resource that they have taken over. And what you’d like to do is find out that they’re there and remove them before they notify you by sending you a ransomware notice.

[00:21:47.94] spk_2:
Okay, we need help.

[00:22:04.04] spk_1:
It’s time for Tony’s Take Two. Thank you, Gene Takagi and Amy Sample Ward, our contributors. You know them, I barely, I don’t even have to say it, right? You know, I have to honor them

[00:22:05.94] spk_2:
to give them tribute,

[00:22:20.34] spk_1:
but you don’t really need me to introduce them. You know that Gene is our legal contributor and that Amy is our technology and social media contributor. You know this, and longstanding to boot.

[00:22:22.64] spk_2:
Gene.

[00:22:36.94] spk_1:
Gene has been with Nonprofit Radio and me since the first several shows. It was 2010, kicked off the show in July 2010. And Gene was on very soon

[00:22:40.44] spk_2:
after the very first show

[00:24:03.14] spk_1:
early, early, early days. Amy Sample Ward joined at the 100th show. So that would have been July of 2012, 50 shows a year. Mhm. I’m grateful. You know, they take time each time they’re coming on. You know, they come up with the topics, we, we exchange messages about them, talk a little bit sometimes, but you know, they’re doing the lion’s share of the work, and then of course, you know, thinking about how best to explain it and then spending the time to explain it. All valuable for you, all great value for you. So I am grateful to them for so many years of contributing to Nonprofit Radio and helping you listeners, our listeners. Thank you, Gene. Thank you, Amy. That is Tony’s Take Two. We’ve got barely a butt load more time for nonprofit software vulnerability with Log4j. This week is short: less time to get aware, more time to do the repair. And I’m gonna, I’m gonna keep pushing this rhyme until I can’t stand to hear it anymore. Let’s continue.

[00:24:15.94] spk_2:
If you have an IT devoted team, then certainly by the time that I’m playing this, that, that team must know that. Otherwise you need to fire your team and, and get a new

[00:24:30.94] spk_3:
team. If you have a, if you have a cybersecurity, if you have someone who purports to be a professional information technology provider, right, whether they are your own staff or whether they are an outsourced provider, and they haven’t talked to you about Log4j and what they’re doing about it, then I don’t believe that they’re serving you very well. I think that’s fair to say.

[00:24:40.54] spk_2:
Okay, well, we’ll leave it at that. We’ll let the CEOs and executive directors deal with their C

[00:24:47.85] spk_3:
IOs and

[00:25:13.64] spk_2:
uh, IT, IT managers. Okay, now I looked at the, uh, the CISA. CISA, again, is the Cybersecurity and Infrastructure Security Agency. Um, just for context, that’s, that, that’s the agency that Christopher Krebs came out of in the Trump administration and said that the 2020 presidential election was the most secure election in the nation’s history. That’s, that’s

[00:25:16.31] spk_3:
system the cyber summarily fired but that’s a separate

[00:25:20.66] spk_2:
Yes, he was he was fired but he said yes,

[00:25:24.22] spk_1:
I’m trying to stay away from

[00:25:25.78] spk_3:
I’m a huge fan of So this is

[00:25:29.20] spk_2:
offered not for political purpose. This is offered for context.

[00:25:32.74] spk_3:
Yeah, for context. That is that is set to and they’re, I believe, part of Homeland Security.

[00:26:13.94] spk_2:
Yes, they are part of the Homeland Security agency. Yes. And they, you know, they’re the ones who said 10 out of 10. And in a press release they said, quote, this vulnerability poses a severe risk. They called it a severe risk, end quote. So you can go there, you can go to CISA dot gov and they have a page called Apache Log4j Vulnerability Guidance. You can search that. CISA dot gov, Apache Log4j Vulnerability Guidance. Without me giving you the full URL of the page, just, just search that, and they have a couple of valuable links as

[00:26:16.37] spk_3:
well. And, and we have links to all that from our website. So if you want to start at RoundTable, just go to our website, search Log4j. You’ll find our, our blog, which we update as we have updates, and that has all the links in it as well.

[00:26:34.34] spk_2:
And that is roundtable technology dot com. If you want to follow Joshua, Joshua P-E-S-K

[00:27:00.44] spk_3:
A-Y. Yeah. Although you’re better off following at RoundTable IT. I’m, I’m not on social as a rule, like a little thing, but I really don’t touch Twitter or Facebook really ever. So Twitter, or RoundTable’s Twitter, is at RoundTable IT. Um, and that’s a better place to follow. That’s where you’ll, that’s where you’ll get updates of things. You won’t get anything from following me because I don’t post to Twitter hardly. Hell with Joshua Peskay.

[00:27:03.63] spk_2:
Don’t follow at Joshua, follow at RoundTable IT. If you’re following Joshua Peskay, unfollow. You’re wasting your, you’re hurting your follower,

[00:27:13.44] spk_3:
It’s a follower following it. And, uh, and I don’t, I don’t even know if I get notifications if you try to DM me like that. You know, if you want to contact me, it’s Joshua roundtable technology dot com. It’s very easy to find me that way.

[00:27:25.94] spk_2:
Alright. Don’t use Twitter, you’re hurting your ratios. Unfollow

[00:27:29.49] spk_3:
him. If you ever our apologies to all you social folks, I’m just not a social guy in that regard

[00:27:35.44] spk_2:
Now, you sound very sociable otherwise, just

[00:27:37.52] spk_3:
not really. Yeah. In person, on Zoom, over the phone, incredibly social. Online, unfortunately, not so much.

[00:27:44.57] spk_2:
Okay. And humble as well,

[00:27:46.94] spk_1:
let’s go to

[00:27:52.64] spk_2:
something that you have on January 27. You have a training coming up, tell us about

[00:30:09.64] spk_3:
that. Oh my gosh, we have, it’s a mouthful, so I’ll spit it out: the sixth annual Best Free One Hour Cyber Security Awareness Training Ever. My colleague Destiny Bowers, who is an absolute delight and also brilliant and who I have worked with for a long time, she and I six years ago started doing awareness trainings with the goal of giving nonprofit organizations and small businesses an opportunity to get all of their staff cyber security awareness training at least once a year for free, in a way that would be easily accessible for them, would be fun, and would give them some incentives for their staff to attend. So not only is the training free for literally your entire organization to attend, but we offer prizes over the course of our one hour training, so people have an opportunity to win up to $100. We give out typically $100 gift card, $50 gift card, $25 gift card, and then we’ll give out other gift cards or, or prizes throughout the training. But at the end we do a quiz that is competitive. And so if you win the quiz, you have an opportunity to win $100. Uh, and an Amazon gift card is what we typically give out. And so you can tell your staff, your, if you’re a nonprofit leader, hey everybody, sign up for this, it’s gonna be a fun training, Joshua and Destiny will try to make it entertaining, brisk and enjoyable, and you have an opportunity to win prizes. And if you sign up with your organizational email, you know, uh, tony at my nonprofit dot org, then RoundTable will actually send the organization a list of everybody that attended the training from their organization. So if you have a regulatory requirement that says, we have to train our staff, you know, with awareness training once a year, this can actually satisfy that regulatory requirement. If you’re in New York, New York SHIELD law requires that you provide awareness training to your staff.
So you can literally satisfy this regulatory requirement by having all of your staff attend this training, which again, is free and not only free, but you can tell your staff, hey, you can even win prizes by attending

[00:30:14.94] spk_2:
Right. Win big prizes, free, epic, best ever training. More, more humility

[00:30:25.64] spk_3:
from Joshua Peskay. Yeah, again, the humility, best ever. Yeah. And we say that every year because of course every year is, is just a little bit better than the previous year. So it continues to be the best ever training until someone comes to us and says, you know, actually the training you guys did in 2019 was better than this one, so I don’t think this was the best ever. But no one, you would, you

[00:30:47.74] spk_2:
would have the best you, they would be saying that you were one upped by yourself, there wouldn’t be any other,

[00:31:00.14] spk_3:
I, I can’t conceive that there could possibly be any other training other than ourselves. I really feel like, in my space of best free one hour cyber security awareness training, I feel like we are really are our only competition. I

[00:31:12.04] spk_2:
hope you know what the word means. There’s a nod to, there’s a nod to Princess Bride inconceivable that there could be another another entity offering, offer anything offering anything comparable in cybersecurity. Alright, so where do we go for this damn thing?

[00:31:20.10] spk_3:
It is, I couldn’t make it any easier for you.

[00:31:22.87] spk_2:
It’s very simple.

[00:31:54.44] spk_3:
Go ahead. Best dot RTT, as in RoundTable Technology, dot NYC, as in New York City. Doesn’t mean you have to be in New York City to attend; anywhere in the world you can attend. So best dot RTT dot NYC. If you go to that URL, you’ll go right to our registration page. And send it to all your staff. Again, have all of them sign up and you can all compete together and compete for prizes, have a good time getting awareness training. And we, I love doing it. It’s sort of our gift to the nonprofit community, to try to provide this training and make it fun and accessible for everybody, and we’ve had so much fun, we keep doing it year after year.

[00:32:07.24] spk_2:
Is there a video, If folks cannot attend

[00:32:23.84] spk_3:
On January 27, sign up as with all things, then a recording will be sent to you the day after and you can take that recording and you can add it to your learning management system. If you have one too you know onboard your new staff whatever you want to do but of course you can’t win the prizes unless you attend the live strengthen

[00:32:28.84] spk_2:
you have to be like you have you must be must be present to

[00:32:32.14] spk_3:
win. Yeah

[00:32:32.67] spk_2:
win the big prizes in the, in the epic best ever cyber security training. You’ll have to be present on January 27th, 2022. At what time?

[00:33:04.54] spk_3:
It’s one p.m. Eastern time. That’ll be 10 a.m. Pacific time. That’ll be noon Central time. If there is anyone out there on Mountain time, I don’t know where you’re at in regards to daylight savings. I forget if you’re on Pacific time or Central time now, so you figure that one out. If you’re on Mountain time, I’m sorry, I wish I knew. People

[00:33:12.74] spk_2:
will know. People will be able to extrapolate, hopefully, from the Eastern time disclosure of, of one p.m. Eastern.

[00:33:54.04] spk_3:
And we’ve even had organizations who we know nothing about, you know, who aren’t clients of ours, reach out to us and say, you know, they found it on YouTube or whatever, and they said, can we, you know, use this recording for our onboarding package for our own staff, or do we need to pay you, or do you have rights or anything? And then I’ll answer that question now for all of your listeners, Tony. Go ahead. Free, take it, it’s yours. So if you sign up, you don’t attend live, you grab the recording, you chop it up and use it to onboard your new staff for the next year, that makes us super happy. Do it with our blessing. Don’t even have to tell us. Thank you. Okay,

[00:34:22.94] spk_2:
we’ve now spent as much time talking about the January 27th training as we have the subject of the podcast and the video, which is the Log4j vulnerability for nonprofits. He’s Joshua Peskay. Don’t follow him, so I’m not going to repeat his, his Twitter handle, but follow RoundTable at RoundTable IT. The company is at roundtable technology dot com. He’s Joshua Peskay. Thank you very much,

[00:34:23.61] spk_3:
Joshua. Tony, thank you. It’s been an absolute pleasure.

[00:34:26.81] spk_2:
My pleasure as well. Thanks so much.

[00:34:54.64] spk_1:
Next week, Legal Outlook for 2022 with our Gene Takagi. If you’re not aware, you cannot repair. If you missed any part of this week’s show, I beseech you, find it at tony-martignetti dot com. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. Turn hyphen two dot C. O. That’s the end of the aware repair rhyme scheme. It’s now ended.

[00:35:31.84] spk_0:
Our creative producer is Claire Meyerhoff. Show’s social media is by Susan Chavez. Marc Silverman is our web guy, and this music is by Scott Stein. Thank you for that information, Scotty. Be with me next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great.