Improving NGO cyber defenses: An interview with Ian Gottesman
There are many non-governmental organizations (NGOs) that teach people and organizations how to protect themselves from cyber threats and stay safe online. A prime example is the Information Sharing and Analysis Center (NGO-ISAC) led by Ian Gottesman. By sharing knowledge and resources, this organization equips nonprofits and other NGOs across the US with essential tools and information to boost their cyber defenses.
We reached out to Ian Gottesman, a seasoned cybersecurity expert, to learn more about his organization. He shared interesting insights about the organization and the crucial role NGO-ISAC plays in the cybersecurity community, and discussed the future of NGOs in this field.
What inspired the founding of your organization?
I’ve been an IT leader for a long time in a series of different nonprofits for about the last 17 years. One of the more complicated things I’ve had to do is cybersecurity. We started NGO-ISAC as a group that initially met informally. Over time, we became more formal, and recently, we received funding so that we could have full-time staff. I’m the first member of staff.
Could you share some recent projects or initiatives your NGO has been involved in?
We’ve been collaborating with our US-based member organizations to improve their cybersecurity by providing them with webinars, assistance, and assessments of various tools they can use. Some of our partner members have assessments that we can guide them through to evaluate their cybersecurity maturity. We have an annual conference and a fairly large, active community online that’s working on this collaboratively — cybersecurity is a problem that we all face.
What are some of the biggest challenges your NGO faces in achieving its goals?
I think the biggest challenge for any NGO is that you have a limited amount of funds and an unlimited need to meet, like trying to secure a whole sector or the entire nonprofit sector, which is a lot. So the biggest challenge is trying to figure out how we can correctly use our resources.
How does digital privacy and security play a role in your organization’s operations?
Our organization is all about cybersecurity and improving our sector. Privacy and security are really important. We have member organizations that are working on things like human rights, peace, and disarmament, doing very complicated scientific research on diseases, and things like that. If they can’t do that privately or in a secure environment, then it makes their work much harder and nearly impossible.
How has the NordVPN subscription enhanced your organization’s digital privacy and security practices?
I know in my previous role, where I was an IT leader of a think tank, we would use the Nord subscriptions when staff traveled, especially to places like Ukraine or China where network security was much harder. NordVPN was a simple, low-cost, easy-to-use tool to offer to our staff when they were traveling. We’ve encouraged our members to take advantage of the grants that you guys offer, as well as sharing some of the information that you and others have shared with me about the services that Nord offers to the non-governmental, nonprofit sector.
What steps do you take to protect sensitive data and maintain confidentiality?
One of the things we do with our members is train them on how to handle privacy and other frameworks. Locally, we don’t have too much of this ourselves, but we do work on those tools. Things like the GDPR and HIPAA apply to nonprofits in the same way they do to for-profit companies. So you need to be very careful with data, especially if you’re a nonprofit that has data on vulnerable clients or medical or financial information. This data is particularly sensitive and goes beyond just simple PII (personally identifiable information), where you can identify someone by name or address.
What are your thoughts on the future of the NGO sector, particularly in terms of technology and cybersecurity?
That’s a good question. I think that the NGO sector is different from the for-profit sector in the sense that there’s no profit there to easily measure what’s effective and how things work. That’s the core difference. But it has a responsibility to make sure that the work it does is secure and private. In the past, the nonprofit sector has relied on doing good works as a form of protection. That’s not enough anymore. Cybersecurity was often seen as a cost that was neither required nor necessary, making it hard to justify. I think that needs to change and the nonprofit sector needs to get better at improving cybersecurity. Nonprofits were early adopters of things like cloud technologies because it was seen as a way to simplify team management and lower costs. But compared to the private sector, they’ve been slower to adopt some of these cybersecurity tools and rules. I think we as a sector need to improve that quickly and my organization is helping to do that.
How can individuals or other organizations support your cause?
Organizations like Nord and others that work in the cybersecurity field can work with us to help spread the tools and knowledge that they have. We’ve asked for volunteers to assist some of our nonprofit members. We’ve asked for tools and processes that they can assist with. And we have a community built around cybersecurity, and that community is only as strong as the members are. That community can include the nonprofit members that are under-resourced, but also partners that can help provide services or tools at an affordable cost or no cost.
What advice would you give to someone who is interested in starting or getting involved with an NGO?
Find something you’re passionate about. There are a million different things out there, a million different places that need help. So find something that you’re passionate about in your community locally or globally and give something. Depending on where you are in your career or in your life, giving can mean your time, money, goods, or services. Whatever it is, every day we wake up and see that the world is imperfect, but it should be your goal to make it a little better every night when you put your head down on the pillow. I think NGOs are a good way to do that.
Can you share any success stories or achievements that you are particularly proud of?
We’ve worked with 150 nonprofit organizations in the United States to improve their cybersecurity. We’ve helped discover things that have impacted our whole sector and large companies, such as zero-days, and other issues that have affected our members. We’ve worked with large organizations to get those fixed, and I think it’s important that we’ve created a community that works together as a team to secure our whole sector by sharing information. That’s something I’m very proud of and excited to continue improving on.
Is there anything else you would like to share with us?
We’re happy to have more members get involved, whether they’re nonprofits that want to be a part of our community or partners in the cybersecurity sector. We’re happy to have anyone who’s interested in helping protect this important sector of our economy.