May 8, 2020

By: Melissa Musser, CPA, CITP, CISA, Risk & Advisory Services Principal, and Darren Hulem, IT and Risk Analyst

The COVID-19 crisis, with a new reliance on working from home and an overburdened healthcare system, has opened a new door for cybercriminals. New tactics include malicious emails claiming the recipient was exposed COVID-19, to attacks on VPNs and remote desktop software. Experts agree that now is more important than any other time in history to consider your information security.

Recent data security mandates and ongoing budget pressure had already pushed many nonprofits and associations to change their traditional business model to leverage a suite of cloud providers, creating a new, distributed data environment. These organizations are also unable to dedicate full time, in-house resources to address their increasing information security challenges, often resulting in complacency in addressing critical information security issues. Small- to medium-sized nonprofits and associations are particularly at risk, and many are now employing an outsourced Chief Information Security Officer (CISO), also known as a Virtual CISO (vCISO), as part of their cybersecurity best practices.

Perhaps due to widespread media coverage of high-profile security breaches, many small- and medium-sized nonprofits and associations still believe they are not at risk because hackers typically focus on large organizations. Unfortunately, Verizon’s 2018 Data Breach report finds that 58% of security breaches were in fact against small businesses. Their reluctance to focus on IT security leaves many small- and medium-sized organizations susceptible to attacks, but a vCISO can provide the strategy needed to develop the appropriate security framework.

The vCISO function should not be confused with the outsourced IT provider you may already have in place. The vCISO provides an essential function in an organization by serving as a source of security knowledge. This includes integrating security concepts within the organization’s business processes through to the distributed network of third-party vendors holding its data. Outsourced IT providers oftentimes only focus on the day-to-day operations of the organization such as end-user support requests and IT infrastructure. Outsourced IT departments are typically concerned with their ticket counts and metrics, which typically precludes them from being involved in privacy-related matters such as updating the organization’s privacy policy and conducting data map assessments of sensitive or personally identifiable information (PII) held by the organization. Engaging a vCISO is becoming a more common model because nonprofit organizations often have difficulty establishing and retaining the necessary in-depth knowledge about the type of data held, data movement to third parties, and related security measures. This vCISO model not only offers flexibility over time as the organization changes, providers are also able to deliver a wide range of specialized expertise depending on the client’s needs.

The vCISO offers a number of advantages to small- and medium-sized organizations and should be part of every nonprofit’s or association’s risk management practices. If you have questions about your organization’s cybersecurity practices or the benefits of vCISO services, please contact Melissa Musser, CPA, CITP, CISA, Risk & Advisory Services Principal at 301-951-9090 or