Why the most useful security work doesn't start with a tool. Walk into any small organization and ask, "What's your biggest security risk right now?" The most common accurate answer is some version of "I'm not sure." That's not a failure of effort or competence. Most small organizations have done things. They've got antivirus running on their laptops. They've got a firewall. They've sent reminders about not clicking phishing links. Maybe they've had a vulnerability scan done
For nonprofit leaders who want their board to engage on security but don't know where to start. I've been in a handful of nonprofit board meetings where cybersecurity came up. The shape is usually the same: a bullet on the risk register, a brief mention, a nod, and on to the next agenda item. Sometimes there's a flurry of concern triggered by something in the news. Sometimes there's a question or two. Then the topic recedes for another six months. That's not anyone's fault. M
