Do you know if you are in technology debt or investing at the right level in your nonprofit IT?

Senior Consultant Nura Aboki sat down with Carolyn Woodard recently and discussed his work as a senior consultant and the strategic responses he sees as the most successful across his clients. You can benefit from these tips no matter the size or technology comfort at your organization. Assessments can help you determine the IT maturity level of your nonprofit and help you invest accordingly.

IT maturity is not a judgment call. The chart below is a tool to help evaluate your needs and goals. Your organization may function best at a medium level of maturity – moving to a higher level would not be a wise investment, given your mission or staff size. However, no nonprofit does well at the lowest level of maturity – with failing systems, high cyber risks, or low staff morale around IT systems and training. We always advocate for well-managed IT that is appropriate, affordable, and strategic for your nonprofit.  

Listen to Nura’s insights into the importance of doing assessments at any size, and how the assessment can be geared toward your needs and budget. You need to know what you have.

When you have a good record of your IT systems and have committed to well-managed IT, you are ready to explore that question of the right IT maturity level for your business needs, and make investments accordingly. Sometimes an external consultant like Nura can be the easiest way to tackle this task, but often a nonprofit can be strategic at the executive level internally. For more on training up your IT leaders and practitioners, check out our webinar Nonprofit Digital Health Workshop.

For more from Nura on the need for foundational policies and governance, listen to this podcast.

Listen to Podcast

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on AppleSpotifyGoogleStitcher, Pandora, and more. Or ask your smart speaker.


Nura Aboki assessments and IT maturity

Nura Aboki is a Senior Consultant at Community IT. In that role, he proactively oversees technology infrastructure for select clients, providing strategic IT advice, recommending IT solutions and solution design to meet business objectives, and then overseeing solution implementations. Nura provides leadership and guidance for strategic planning and solutions architecture with clients who have sophisticated technical and business requirements. He gathers core business, technical and IT service management requirements through a variety of activities including key stakeholder interviews, document review and technical assessments. 

Nura started his career at Community IT as a Network Administrator in 2009. In 2012, he was promoted to Network Engineer and assumed a supervisory role in IT service operations, then became an IT Business Manager (ITBM) with the creation of that team of advisors.

As an IT Business Manager, Nura guided some of our largest clients through complex implementation of effective technology investments and utilizing efficient IT services in direct support of their missions. 

Prior to joining Community IT Innovators, Nura served as a member of the technical support team at George Washington University where he provided incident management to over 20,000 end users on computer hardware, software, and networking issues. Nura also held a Network Specialist role at the Economic Community of West African States (ECOWAS) Parliament in Abuja, Nigeria. 

Nura holds a Bachelor of Science in Computer Engineering and Master of Science in Electrical Engineering, both from George Washington University. He continues development of his professional competence through continuing studies in Technology Management. He was happy to talk about assessments and IT maturity issues in this podcast.


This standard chart of IT Maturity is one we use frequently at Community IT.


Carolyn Woodard: Welcome everyone, to the Community IT Innovators’ podcast. My name is Carolyn Woodard and I’m the Outreach Director for Community IT. I’m here today with a Senior Consultant, Nura Aboki. 

I want to ask you Nura, what is one thing that you wish people knew about with regards to non-profit IT?

Nuradeen Aboki: Well, thank you for having me.

IT Maturity Level Self-Knowledge

One thing I wish people knew specifically has to do with their IT maturity level – the IT maturity level as it pertains to the organization. Understanding the organization’s IT maturity level has a number of effects that could lead to improvement in the way you achieve your mission. 

How do I know our maturity level? Maturity level, it can be a buzzword, but it’s something that one needs to know. Where are we right now? Do we have technology debt? What level are we at? Do we need assistance? Do we have good partners that work with us?

So, understanding maturity level is something I want people to know that would help them in understanding their needs for technology and then be able to make investments today to help them move to higher maturity levels or improve their IT. 

The standard is out there. A number of organizations have looked at IT maturity level standards and strive towards moving from a lower level where they have maybe zero maturity to higher levels.

It’s not a process that I would say, can I go from a zero to five in two years or in one year? It’s not necessarily that organizations will have to follow through that way. Some organizations like to stay in IT maturity level two for a variety of reasons. 

But in order for you to know your maturity level, there is a prerequisite that we highly recommend.

Typically, it’s the technology assessment or review that is done by your IT partner or an auditor or someone outside that would come in and look at the overall technology status of your organization: 

The IT assessment review tends to have a very structured approach to it and methodology that it follows, where your staff are going to be interviewed and asked a variety of questions. Your IT leadership, if you have an IT leader, is also going to be interviewed to understand their perspective on technology. 

And then your process documents are also going to be reviewed if you have any documentation related to on-boarding, off-boarding of staff or on-boarding new technology, off-boarding of old technology. All of those process documents are going to be reviewed.

This would allow a holistic view of an outsider into your organization, just having an understanding of whether or not some of the processes that you currently use are mature enough to put you at a maturity level that is higher than the average or it’s weak and needs to be improved and your maturity level is lower. 

So, it’s a way to actually know where you are and then begin to think about how I can move up to be mature in my organization in terms of the use of technology.

Insider vs. Outsider Assessments

Carolyn Woodard: In your experience, it seems like it’s been important that this has to be done by an outsider. Is it something that if you’re within the organization, you’re too close to decisions that have been made and maybe internal attitudes that you have around IT? So, it’s hard to take that step back and actually do a neutral assessment, whereas an outsider can come in and have a clear-eyed look at where you’re at in your different systems and your attitudes toward IT?

Nuradeen Aboki: Exactly right. Giving this responsibility to a third party helps you recuse yourself because of your heavy involvement in the day-to-day engagement in your organization. So, it would give you an objective review to actually allow a third party to come in, without any bias, to critically look at your needs and provide a report that helps you look at ways to improve. 

We are always looking at organizations to improve, as technology advances so rapidly. IT transformation is happening at a very fast pace. Some organizations are reluctant to make investments because they are perhaps comfortable with the legacy systems that they have. Or perhaps they are unaware of what is out there.

If things are not broken, maybe they are comfortable. But technology moves so rapidly that if you are behind, catching up can also be a challenge. So, bringing in a consultant to take a good look at your organization’s technology, if there are indicators of technology debt, it’s worthwhile. You can understand where this technology debt is, in the infrastructure or maybe in the people that manage IT, or even the processes that are governing IT are lacking. That holistic report would help you make choices in terms of your investment and areas to improve.

Carolyn Woodard: I’m going to jump in and give a quick plug. We have an article on our website about technology debt within nonprofits specifically, some of the factors that can lead to being in technology debt, not having invested in your technology over time. Then when you’re trying to get up to current processes, it can take you longer and be more painful to get up to where you need to be. That article is on our site. People can read it there.

So, why is it so important to do an assessment? I know you work with larger clients, like 100 staff and higher who often have their own IT department and they’re partnering with us for either consulting or some of the MSP services that we provide. 

Size and Assessments

Is there a size at which it makes sense for an organization to do an assessment? 

And who should have an outsider come in and really dig into what the IT looks like at their organization? 

Nuradeen Aboki: That’s an excellent question and for every size organization, there is a level of assessment that can be done. 

We have multi-level assessments.

We can do a comprehensive technology assessment. For larger organizations that have complex infrastructures, bigger systems, that want to get a good sense of what they have, why they want to make those investments. 

Other assessment types are light. They focus on especially smaller clients that maybe tend to, 10 to 50 people that have most infrastructure in the cloud, meaning they don’t have any servers on the premises. Those organizations would be able to consider the light assessment, looking at their cloud infrastructure and evaluating what they would need to improve their cloud experience or cut costs in terms of running infrastructure in the cloud. 

Comprehensive assessments are for organizations that have 50, 100, to 1000 staff. Typically when we initiate our engagement with clients, through initial conversations, there will be indicators of which assessment we would recommend you do.

Oftentimes, the larger ones we see, a comprehensive one is better for them even if they have everything in the cloud, because it looks at the complex systems they have in the cloud and addresses any gaps that we find.

Carolyn Woodard:  I think that’s so fascinating because in my experience with IT at different sizes of organizations, it’s really easy for it to become very siloed. Different departments make decisions about the technology tools that they need without looking at the entire organization. There could be some synergies to use the same systems or places where it makes sense to keep a system to that department because it needs to be isolated in its security issue. So I really love the idea that every organization could use an assessment.

And I love that there’s this opportunity of a lighter assessment. That makes sense if you’re coming into the assessment without a lot of complex systems. But yeah, once you get up to a certain number of staff, it’s definitely going to be complex.

Nuradeen Aboki: Yes. And that’s what we’ve seen. 

Single Sign On/SSO

I wanted to mention one specific area for larger organizations, it’s the identity management solutions that they use. You may hear it called single sign-on or SSO.

Organizations that are much larger, because they have complex systems, have a number of applications, anywhere from 10 to 50 different applications across a variety of departments. They want to tie it all in one identity. So, every user has a single identity for them to log into a dashboard and the dashboard would show them the applications that they have access to. For organizations that are serious about their identity management, there are a number of vendors. Because we’re vendor agnostic, we also provide guidance around vendors that could be a good fit for your organization.

Where you have all these cloud services, each one of them would have a username and password that is separate. People having to track 10 different user names or 10 different credentials versus having just one credential that gives you access to all. Larger organizations love that idea. Oh, just one ID and that’s it? I don’t need to memorize all these passwords? So, we are beginning to see more and more organizations adopting single sign-on solutions to ensure that there’s security around all the cloud services that they use for work.

Cybersecurity Liability Insurance?

Carolyn Woodard: Are you finding that some of these concerns are driven by security concerns or particularly insurance? How often does that come up when you’re dealing with clients?

Nuradeen Aboki: Yes, I will see insurance companies asking organizations to ensure that they are aware and they mitigate or minimize, even avoid risks to their organizations in order to get cyber liability coverage. There are minimum requirements to ensure that you have good coverage for your cyber needs. Oftentimes, on the application forms, there will be questions around, does this organization have the basic security to protect their identity, for instance, multifactor authentication for all cloud applications?

If you were to follow that and implement it, you see you have 10 different cloud applications. It will mean that you would need to enable multifactor authentication in each one of those. You will have 10 authentication codes per staff to track. But if you take it a step further and say I’m going to deploy a single sign-on solution that integrates all of this so my staff will only need to have one authentication code to worry about, that simplifies the experience, meets the requirements and gives you enhanced security.

Carolyn Woodard: I imagine a lot of organizations haven’t thought they needed an audit or an assessment. Then they come to that question in their new cyber liability insurance asking if they have security on all of the cloud tools and applications that all of their staff are using and they don’t even know what staff are using.

At that point, it makes sense to work with an outsider, again, and do a deep dive. Do the assessment, find out what everyone is using and then implement that single sign-on and really make it so much simpler for everyone.

Nuradeen Aboki:  That’s exactly right. And usually, the cyberinsurance renewals happen every year and organizations are scrambling to meet those minimum requirements in order to get coverage. If there isn’t any attention provided by a third party, there are several technology partners out there that have experience that can assist in filling out those forms and ensuring the technology is implemented and enforced and can confirm that it is in place.

It’s really risky for one to fill out the form without knowledge, because one can be liable for false statements and misinformation. So, it’s always good advice to partner with technology. And my clients really have been good partners in terms of ensuring that we review the forms together and go through each technology that is required. Is it implemented? Okay, if it’s not, we plan in advance. We don’t wait until the last minute. We already started planning for next year’s renewal. It’s in our roadmap, it’s in our budget that we invest and improve our technology so we can ensure we are able to meet those requirements for renewal of our cyberinsurance.

Carolyn Woodard: I’m sure it’s so reassuring for our clients that work with you, to have someone helping them go through those forms and making sure that they are giving accurate information that the security is in place.

Nuradeen Aboki: Yes.

Final Tips: Assessments and IT Maturity

Carolyn Woodard: So, those are your tips going forward:

Nuradeen Aboki: Excellent. Thank you so much.

Carolyn Woodard: Thank you Nura, so much for chatting with me today. I really enjoyed talking with you. And thanks again for those tips.

Ready to get strategic about your IT?

Community IT has been serving nonprofits exclusively for over twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director. And our Senior Consultant Nura Aboki is available to advise on strategic planning, implementation, and change management for complex clients.

We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. Our assessments and IT maturity measures help you be strategic at any level or size.

We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.

If you’re ready to gain peace of mind about your IT support, let’s talk.