Cybersecurity as a Strategic Investment

Safeguarding your mission in a digital world

Cyber risks are always changing, and Christian nonprofits face increasing challenges. While cybersecurity may not always feel like a top priority compared to mission-focused work, forward-thinking leaders recognize that embracing new technology while safeguarding data and systems is essential to sustaining mission impact.

By viewing cybersecurity as a strategic investment, organizations can reduce their risk and help ensure continuity, even in the face of evolving threats.

The practical steps below can help strengthen your organization’s cyber resilience.

Focus on Your People

Ensuring adequate cybersecurity investment and buy-in is a “people” issue. Unless leadership views cybersecurity as a business risk, teams will struggle to secure funding for enhanced controls, staff, and tools to help them manage and mitigate cyber threats. Even when investments are approved, implementation will falter if your users don’t understand the “why” behind the investment.

Create a culture of cybersecurity awareness.

Create a culture of cybersecurity awareness. Information security must extend beyond the IT department and involve everyone across your organization. Here are ways you can help leaders and employees understand their vital role in protecting your data, donors, and mission:

• Involve leadership in IT discussions. Many organizations create information security committees that discuss major issues, key controls, and required changes. Help departmental leaders become advocates, driving buy-in and adoption within their teams, by including them and helping them understand the reasoning behind certain security-related investments and initiatives.
• Provide ongoing employee cybersecurity awareness training. Advanced technology won’t fully protect your organization if users fall for a phishing scam, intentionally or unintentionally disclose information, or otherwise jeopardize the controls you have implemented. Empower your employees to be effective cybersecurity champions by equipping them to recognize threats and understand their role in safeguarding your organization and your constituents.

Focus on Your Vendors

Many nonprofits rely on vendors to provide key operational functions and services. If your organization uses third parties, it’s vital to understand how this expands your risk. Vendors often rely on their own vendors, and a breach at one of these third or fourth parties could expose your data, disrupt operations, and damage trust, even if the failure wasn’t yours.

Fortunately, you don’t have to be at the mercy of your vendors. As with many areas of cybersecurity, awareness and understanding of the risks is key. You can gain this by:

• Assessing vendor security. Review your service provider’s security documentation and ask how data is stored and protected. Ensure the vendor has capabilities to support high uptime and data availability, as well as a strong incident response plan that includes notifying you of a breach.
• Understanding risk mitigation. How does your vendor mitigate evolving threats, such as ransomware and other malware? What systems ensure uptime and data availability?
• Evaluating gaps. Determine what vendors your vendor relies on, so you understand the vendor chain and where potential breakdowns exist.

Awareness and proactive oversight are essential.

Performing vendor due diligence will help you understand how well your data and systems are protected and whether you need to implement additional controls, either internally or with the vendor. Awareness and proactive oversight are essential.

Focus on the Future

Organizations must implement controls and technologies to mitigate today’s threats as well as future unknowns. While it is impossible to know how bad actors will operate in the future, what malware will be most prevalent, or what tools and technologies will be available to hackers, you can make strategic investments to protect your organization now and enable flexibility to meet future challenges.

Many organizations are embracing artificial intelligence (AI) and continuous monitoring tools to detect both known threats and suspicious patterns of behavior or anomalous activities that indicate emerging threats. Organizations and individuals are also using AI-powered tools to unlock unprecedented opportunities for efficiency, innovation, and growth.

However, this rapid integration also brings a unique set of challenges that organizations must carefully consider to ensure responsible and ethical use.

AI Integration Challenges

• Misinformation (hallucinations) – AI systems can generate incorrect or fabricated information that appears plausible. Decisions based on inaccurate data can harm operations. The danger lies in the confidence with which AI presents these errors, making them harder to detect without rigorous verification processes.
• Data privacy – AI models are trained on vast datasets that may include sensitive personal or organizational information. If these datasets are not properly anonymized, there is a risk that private details could surface in AI-generated outputs. There are also ethical considerations around consent and the use of proprietary data during model training. If your organization uses AI, it is crucial to implement robust data governance policies and comply with privacy regulations to mitigate these risks.
• Biased decision-making – AI systems reflect any biases in the data they learn from, and unfortunately, real-world data often reflects societal inequalities and prejudices. If these biases are not addressed during training, AI can perpetuate or even exacerbate discriminatory practices in areas such as hiring or lending. Achieving clean, balanced datasets is challenging but essential for fair and equitable AI outcomes.
• The black box dilemma – Many advanced AI models, particularly deep-learning systems, operate as “black boxes,” meaning their internal logic is difficult to interpret. This opacity makes it hard for users to understand why a particular decision was made. And, it undermines accountability and trust.
• Malicious use – AI is not just a tool for progress. Bad actors are leveraging AI to create sophisticated cyberattacks, autonomous hacking systems, and realistic deepfakes that can spread misinformation and damage reputations. These threats highlight the need for robust cybersecurity measures and international collaboration to prevent misuse.

Creating a Culture of Responsible Innovation

AI can help your organization strengthen your cybersecurity defenses and provide significant operational efficiencies. However, it should be accompanied by a clear understanding of the risks outlined above and the potential impact on ethical standards and societal trust. You can proactively address these challenges by prioritizing transparency, fairness, and security while fostering a culture of responsible innovation.

Safeguarding Your Mission in an Increasingly Digital World

For Christian nonprofits, protecting data and operations is integral to stewarding resources and sustaining mission. Organizations must be intentional about the investments they make in adopting emerging technology, addressing current risks, and ensuring they can effectively meet evolving risks.

By prioritizing employee awareness and buy-in, vendor security, and future-focused strategies, leaders can help protect their mission and build trust with donors and constituents.

###

Allison Ward is a partner at CapinCrouse (Capin Crouse, LLC and CRI Capin Crouse Advisors, LLC) and CRI Advisors, LLC. Allison provides information security assessment and consulting services for nonprofit organizations, financial institutions, health facilities, educational institutions, and a variety of other organizations. Lindsey Whinnery is a partner at CapinCrouse (CRI Capin Crouse Advisors, LLC) and CRI Advisors, LLC. Lindsey has 25 years of experience in information technology and information security, as well as significant experience in designing and maintaining robust database structures, ensuring data integrity, and data analytics.