Decades ago, I was a non-technical manager in charge of cybersecurity for a massive government SAP implementation with a project team of about 200 people.
One of my “extra duties” on the project was overseeing the IT administration team. Included in this new hat was cybersecurity risk mitigation.
With two business degrees in hand, this was the first IT project I had ever worked on, and I was obviously underqualified to manage the IT team. Nevertheless, the Program Manager felt confident I could handle the job.
As a non-technical manager now managing IT, I did what most people would do in my role…
I told them, “Let me know if you need anything.” Then, I buried my head and refocused on my “safe space” duties.
Essentially, I didn’t manage anything. I attended a few meetings and asked some questions, but I “trusted” the team.
Not long after, we had a serious cybersecurity breach in which the hacker accessed data migration test data for the project, which included privacy information.
Yikes!
Fortunately, I wasn’t fired, but the IT manager was.
If I could be a non-technical manager in charge of cybersecurity again
If I could do it all over again, I would do 3 things differently:
- Write down the options and get senior approval. We were moving so fast that many decisions on the project were made verbally in meetings. I didn’t want to slow down the project by adding bureaucratic processes, but this time, I should have because the risks were too high.
- Ask more questions. I asked questions in meetings, but I didn’t ask enough questions. Instead, I trusted the judgement of my team.
- Trust my instincts. My instincts were screaming at me, but I ignored them because I wasn’t the expert in the room. I’ve seen this with the non-technical executives I work with today. In fact, sometimes, IT people take advantage of this lack of knowledge and throw up bogus responses to questions to get you to walk away from a decision they prefer to make.
What you should learn from my cybersecurity failings
Today, most Not for Profits depend on Managed Service Providers and cloud solutions for their IT infrastructure.
That doesn’t remove your responsibility to the organisation to keep your data safe. In fact, it often makes it harder because there is less visibility into these third-party providers.
That means you shouldn’t trust them blindly. Instead, have them write things down to prove they are doing the right things, ask more questions and trust your instincts.
I regularly help Not for Profits ask hard questions and manage cybersecurity risks. Let me know if you need some help.
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.

