What Is Getting In Your Way?
Carolyn Woodard sat down with Senior Consultant Nura Aboki recently and asked “What’s the most pressing question you are seeing from your mid-market clients around nonprofit IT needs?”
Nura quickly answered: Policies.
Astonishingly, many larger nonprofits he works with either don’t have basic IT policies for acceptable use (AUP) and business continuity, or they have outdated policies that don’t adequately cover our new hybrid environment, cybersecurity needs, or AI.
Some of the major blocks to creating or updating these policies are leadership challenges, issues of ownership of IT, and inertia. But inadequate acceptable use policies put your entire organization at risk and create a situation where your staff may inadvertently make security mistakes. And if that mistake is severe, a lack of a business continuity policy would hinder your organization’s ability to recover.
Listen to Nura’s insights into the importance of these foundational documents and policies, and hear his tips on how to address the barriers that are keeping you from updating those policies.
Community IT has created an Acceptable Use of AI Tools policy template; you can download it for free here. The Technology Association of Grantmakers has published a free framework for nonprofits using AI tools available here.
Listen to Podcast
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Nura Aboki is a Senior Consultant at Community IT. In that role, he proactively oversees technology infrastructure for select clients, providing strategic IT advice, recommending IT solutions and solution design to meet business objectives, and then overseeing solution implementations. Nura provides leadership and guidance for strategic planning and solutions architecture with clients who have sophisticated technical and business requirements. He gathers core business, technical and IT service management requirements through a variety of activities including key stakeholder interviews, document review and technical assessments.
Nura started his career at Community IT as a Network Administrator in 2009. In 2012, he was promoted to Network Engineer and assumed a supervisory role in IT service operations, then became an IT Business Manager (ITBM) with the creation of that team of advisors.
As an IT Business Manager, Nura guided some of our largest clients through complex implementation of effective technology investments and utilizing efficient IT services in direct support of their missions.
Prior to joining Community IT Innovators, Nura served as a member of the technical support team at George Washington University where he provided incident management to over 20,000 end users on computer hardware, software, and networking issues. Nura also held a Network Specialist role at the Economic Community of West African States (ECOWAS) Parliament in Abuja, Nigeria.
Nura holds a Bachelor of Science in Computer Engineering and Master of Science in Electrical Engineering, both from George Washington University. He continues development of his professional competence through continuing studies in Technology Management. He was happy to talk about creating and updating policies in this podcast.
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Podcast. My name is Carolyn Woodard, and I’m the Outreach Director at Community IT. I’m here today with Nura Aboki, who is going to talk to us a little bit about some of the most pressing issues he sees with our clients as a strategic consultant.
Nura Aboki: Well, thank you, Carolyn. My name is Nura Aboki. I’m a Senior Consultant at Community IT, been here for about 14 years. And really, I’ve seen a variety of roles at Community IT, leading to the assistance that I provide to our clients in terms of IT planning, technology, architecting, sometimes even software selection, as well as technology assessments. So I’m really happy to be here to shed some light on some of the issues that we see, and some of the pressing questions that clients ask us about.
What are the most pressing issues that you’re seeing this year? Are there different things that are coming up, particularly now?
Nura Aboki: Yes. Since I moved into this senior consulting role, I’ve been involved with mid-market sized clients. They’re mostly 100 staff or higher and they may have an in-house IT team that I work with.
These clients do come with certain needs, and specifically what they’ve been asking for is IT policies and some directions around IT governance, because they’re large and they continue to grow. They have seen areas where without a policy, it’ll be very hard and difficult to govern.
And for them to be able to maintain a certain standard across the entire organization, they will need to put together IT policies, like acceptable use policies. It’s one of the most important policy documents that they have requested. They are requesting us to help them develop a policy, and developing a policy is a partnership between us and them. And then look at what the industry recommends in terms of standards and best practices.
Acceptable Use Policy
So to give you an example of an acceptable use policy, it will be a document that has what to do, and what not to do, when you use a company-owned device, meaning a laptop or a mobile device that they provide. [It will describe] what software to install on the machine, what software not to install, what sites are acceptable, and if there is any screening of sites. It will inform you in that policy document.
Many organizations actually don’t have this policy – or it’s very old. It’s part of an HR policy that has one paragraph that talks about technology. But with the advent and adoption of technology in our lives today, in our workplace, there’s a need for IT policy to have its own stack of documents with pages and pages explaining the different areas concerning technology for that organization.
So that’s one of the key pressing requests that we’ve had. Organizations are so eager to get some of these policies up and running.
Business Continuity Policy
I mentioned acceptable use policy, but business continuity plans and policies are something else that organizations are also thinking about, especially given that organizations are returning to a hybrid system. They want to be able to understand where their weaknesses are, and how they would ensure operations if they’re in a hybrid work environment [and there is a disruption.]
If the internet is down, for instance, in the head office, what should staff do? Is the infrastructure in the head office ready for that business continuity to occur? Or do they have to rely on other things? So they’re taking a deeper look if they had a plan before, but most organizations don’t have a business continuity plan. So partnering with MSPs like Community IT and other technology partners that do have the experience will help organizations develop those IT policies.
Carolyn Woodard: I’m fascinated, because in every webinar that we do, we always talk about “You need to have acceptable use policies, and business continuity policies are a good thing to have as well.” So I’m really fascinated that some organizations, even large ones, don’t have that. Or like you said, the policy is very old. So it’s pre-pandemic, pre-hybrid work, and things have changed so much in the meantime.
What would you say are the main reasons that those organizations don’t update or have those policies? What are the barriers that are keeping them from doing that?
Nura Aboki: Yes. That’s also a question I ask myself: “Why is this not happening?” This is something that should be a priority for leadership at the organization. And it all comes back to leadership.
Oftentimes, organizations in the nonprofit sector are focused on their mission. And they want to raise funds to help them achieve their mission. They want to get more donors. They’re mission-driven. So IT tends to fall behind.
And there are times when the leaders themselves, even if they don’t have a comprehensive understanding of how technology impacts their mission, may not see a reason to partner with an IT consultant or an MSP with experience to help them understand technology and their needs better. Leadership seems to be one element that either does not invest time and resources to put these policies together, or does not understand the value that these policies would bring to the overall mission that they have at the organization.
And there are times when an organization says, “I’m a nonprofit. I’m small. How am I going to be a target? Why should I worry about an IT security policy? I’m not a target, it will be the big corporations that make a lot of money that should be targeted.”
But we’ve seen situations where, yes, the big corporation might be the ultimate target, but the smaller nonprofit organization, because they are lacking in the standards, could be a conduit, an easy way for a bad actor to launch their attack on that larger organization. So being vigilant and having leadership buy-in on the importance of technology to their mission is important. That’s why getting a technology partner comes into play.
And larger organizations, the mid-market, may have someone that has experience in technology in the executive suite. The vice presidents or the chief executives of the organization, either in an advisory role, advising them on how to apply technology, how to think strategically with a technology mindset to have that competitive advantage and help them achieve their missions faster, quickly, more efficiently.
So those are the factors, [but] I still will say leadership, leadership, leadership.
Carolyn Woodard: You mentioned a couple of issues that I just want to ask you a little bit more about, because, for example, you said that often this policy lives under HR and staff might read it, or be given it to read on their first day, and then they never look at it again.
I think often HR don’t consider themselves in charge of IT, and the IT [team] as well, don’t consider themselves really part of HR. So then you have this gap of who’s responsible for these policies that staff need to know about?
I think a similar thing happens with Operations. If your leadership is thinking of IT really as only a function of Operations, in the old mindset of: we have an office; the office needs to have lights; it needs to have electricity; it needs to have IT. Thinking of IT just as [part of] Operations and not as something strategic that you invest in, and that gives you more time to do your mission because you can be more efficient in the way you’re handling your IT or finding opportunities in the way you can deliver your mission.
I found that very interesting. So do you run into that “who’s in charge?” kind of issue?
Who Owns IT?
Nura Aboki: Yes. Recently I’ve seen a few of the mid-market clients have leadership structure challenges where the operations director may have been responsible for operations which includes IT, but investments in IT are not actually made, because IT is just seen as some sort of a utility there. You know, we just pay the bill for the lights, and that’s about it.
When it comes to decision making, if there isn’t a representative for investment in IT there, “Oh, are we paying for the lights or are we paying for our internet?” If the internet isn’t working, then we have a problem. So Operations make sure the internet is working. But someone that is in this executive suite may ask more questions beyond just the internet working.
Do we have internet that is actually effective for our organization?
Given the changes that we’re going through, how are we going to maintain a network that is not just in one place, but everybody’s computer is a network because they’re working from a variety of locations?
Some leader has to be asking those tough questions, or even if they’re not asking it, they may be seeking advice from those that understand those tough questions and providing guidance. Those kinds of conversations are not happening at that level.
Organizations that have partnered with us, we do an assessment and evaluation. We look at their leadership structure and look at the gaps and help them restructure their teams to ensure that they have resources at all levels that guarantee success for the organization.
Carolyn Woodard: Well, I’m sure they’re very lucky to have you consulting with them and helping them think through these leadership challenges of who owns IT and who owns those policies, as you said.
So would that be your advice going forward? If someone is listening to this podcast and thinking, “Well, what’s the first thing I need to think about in my mid-market sized organization?” Figure out your policies?
Figure out your policies
Nura Aboki: Yes. Figure out your policies, and I agree with you a hundred percent. Who owns IT? And that person that owns IT, if there’s an individual or a team, those are the people that we want to understand their maturity level of understanding IT.
Make sure you understand what your IT policies are. If there are none, then you want to look for a partner that will help you develop those IT policies. And the policies are usually at the top level where leaders help develop the policy. Knowing who will be owning IT will be a key factor there. Yes.
Are IT policies difficult to write?
It seems like there must be templates out there of the sorts of things that everybody needs to have in their acceptable use policy. [Here is a link to the SANS.org website with some standard free templates we recommend.]
Nura Aboki: Yes. There are several templates from organizations that are charged with building standards. They do the research and development, they look at a variety of needs of corporations and different organizations. They have built standards and templates. So we’re not building it from scratch. We are not reinventing the wheel.
We have to tailor the template to meet the strategic objective of the organization, the mission of the organization, and ensure that best practices are covered in that IT policy. [Organizations need to] strike a balance between just taking a template and saying, “we’re going to adapt this,” without understanding the implications, the impact to staff and whether there will be adherence or how will we even enforce this policy? You need a partner that can help you tailor it to your needs.
Carolyn Woodard: Okay. Last question, and it’s maybe a loaded question.
Do you have clients coming to you asking about AI policies?
Nura Aboki: Yes. So it’s beginning, I would say maybe since the summer, when we ran a webinar series around AI and clients. I was in a meeting and I was sharing my screen and suddenly the reminder popped up to prepare for a webinar on AI. So that triggered a question in that meeting [with the client] and they asked, “Oh, do you have a template for us on AI governance?”
Community IT has created an
Acceptable Use of AI Tools policy template; you can download it for free here.
The Technology Association of Grantmakers has published a
free framework for nonprofits using AI tools available here.
The proliferation of AI, I think AI itself, it’s been such a buzzword that continues to grow.
What we are seeing today with our clients is a majority of them have Microsoft 365 products. Microsoft is pushing its Copilot technology solution that is right there for the workplace. The reason why I’m picking on Microsoft is because if your files are already in the Microsoft ecosystem, your emails in the Microsoft ecosystem, research that you do is all saved within Microsoft systems. Then the AI can help you organize and find things easily and also provide some recommendations on who to interact with when you’re looking to do a project or design a program.
So the [for-profit] investment AI has continued to grow, and organizations have seen improvement in the models. In the past, maybe if you asked AI to rewrite a sentence for you, it may have missed a thing or two, but now it’s almost natural when you see it compose an email. It may be difficult for you to detect unless you know the writing of that individual. AI can nearly mimic the exact writing of anybody.
We’re seeing improvement [of the technology tools] and clients are worried about not having a policy or governance that will guide the use of AI in their workplace. Someone can be asked to design a program and then they ask Chat GPT, one of the AI tools publicly available, do a search – Or ask Google to put it together, not knowing that this is the intellectual property of another organization that was published on the web.
And also AI has this weird thing that’s happening where it actually hallucinates. Meaning if you ask AI to design a program for you it may design it, but it may not use references that actually exist. It will make up things and it’ll be so real, unless you fact check it, you may not even know that you’re propagating false information or misinformation.
So organizations are beginning to think of the [ethical] impact of that as well. Two of my larger clients have asked for an AI policy, and Community IT is updating its own AI policy, so it can be a template to be shared with organizations when they ask for it, or even bring it in proactively to have those conversations.
Leaders are also concerned about how to leverage AI. That’s another aspect of it. But internally, what is our AI policy for the use of AI? We want people to be productive, not to just automate things, but use it productively, and we want to make sure they’re using it in the right way without causing harm to the organization or to themselves.
Carolyn Woodard: I’ll put in a quick little plug that we are working on some content for January or February around AI policy templates. So hopefully we’ll have something then. I think I’ve been poking around online too, and a lot of the templates that you can find are very generic.
So we’re going to hopefully have something to present fairly soon, because we are getting that question a lot. I think it’s kind of a question of how staff are using AI, and as you said, to not cause harm to your organization, but also there’s such potential for AI to really create a lot of efficiencies. Efficiencies in IT, efficiencies provided by AI, to allow nonprofit organizations to do more of their mission. So I think it’s something that we’re all going to be dealing with over the next year, for sure.
Nura Aboki: Absolutely.
Carolyn Woodard: Well, thank you so much, Nura, for, for talking with me today about the most pressing questions you’re hearing from your clients, and I really appreciate it. Thanks again.
Nura Aboki: Well, thank you for having me. It’s a pleasure.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for over twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director. And our Senior Consultant Nura Aboki is available to advise on strategic planning, implementation, and change management for complex clients.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.