
An Accidental CIO’s Journey Through a Cyber Attack

  • Writer: Bridget Leigh Snell
  • 4 days ago

Updated: 3 days ago

When Crisis Strikes: A CIO's First 60 Days


The call came just 60 days into my tenure as CIO. 'What I'm about to tell you is completely confidential,' the head of legal began. 'We've been attacked. Sensitive data has been stolen, and if we don't pay a ransom, it will be released on the Dark Web.' At that moment, I was leading a nonprofit's technology division, and my responsibilities suddenly became much more real.


I listened for any clues as to what was hacked, how we were hacked, and who might be impacted. He gave no clues—and, more notably, he didn't ask me anything about how we should respond.


While I was officially the top technology leader in the organization, and our head of information security reported to me, there was no discussion. Instead, he made a direct request: he needed me to connect him to the one solution engineer on my team who had technical knowledge of a 30-year-old proprietary technology.


Holy crap! There was a clue. I quickly realized what system the cybercriminals were claiming to have gained access to. It was a legacy system housing data on children, partners, and staff. In fact, it was the key system for matching children's data with donors so we could keep donors informed about the child they were sponsoring.


It seems that while we were rolling out upgrades and long-needed improvements to the system in different country offices, the system was breached. Just as we were attempting to make an old technology safer, it was attacked.


We potentially had a breach of our most sensitive data: personally identifiable information on children receiving our services. We were told the data had been stolen and would soon be released to the highest bidders on the dark web if we did not pay the requested ransom. If this were true, it would be a major reputational risk for the organization. We would be responsible for children's data being leaked to the dark web, and it would be due to our failure to secure that data appropriately.


Prepared but Not Ready


Now, I want to start off by saying that we were prepared. In fact, our technology leadership team had just finalized our annual work plan, and information security, including cybersecurity and data protection, became the #1 priority in our divisional plan. Why? Every member of our new technology leadership team had already experienced some form of cyber-attack and breach at our prior organization. Five different executives were coming from five different nonprofits, and all of us had experienced a breach in the past five years.

For me, a ransomware attack in the early days of the pandemic shut down a 20-year-old legacy grant management system.


As technology leaders, we made some critical moves to prepare for a cyber-attack:

  1. We transitioned one of our team members to a new role - our first dedicated CISO (aka Head of Information Security).

  2. We instituted an incident response plan in case of a cyberattack or data breach.

  3. We established an ISO 27001 and NIST Cybersecurity Framework-informed action plan to transition the organization from a high-risk cybersecurity posture to low risk.


Navigating Chaos


Yet, when the breach occurred, it felt like we were navigating chaos. It was during the crisis that I learned how the best-laid information security plans can go awry.


As CIO, what did I do? Well, we had a plan, so I communicated it to the head of legal.

  • I mentioned the Incident Response Plan signed off by the Senior Leadership Team.

  • I explained that the CISO, as the head of our cybersecurity efforts, would be the appropriate person to coordinate with and lead the incident response.

  • I indicated that we would need to secure other systems and look for other potential breaches.

  • I suggested we pull together an incident response team under the CISO.

  • I recommended informing law enforcement as part of our protocol, as they might already know about this situation and could be on the lookout for similar attacks.


The head of legal’s response? Well, I had never been yelled at by a peer with quite the intensity of that day. Maybe I am a special snowflake, but I am not used to being yelled at (and quite honestly berated like an idiot) for suggesting we use our agreed-upon Cybersecurity Protocol and Incident Response Plan.


I was told to do nothing, that no other members of my leadership team needed to be involved, and that the incident would be handled directly by the head of legal under the direct command of the CEO. All I needed to do was get him in touch with the solution engineer.


The Impact on our Staff


And then nothing. Quite frankly, we entered a period of intense secrecy and a void without clearly communicated information or action. The lawyers (and I mean lawyers with PR/brand risk expertise) took over. The entire process was a black box; communication was tightly controlled, and although staff and program participant data, children's data, may have been stolen and was at risk of being revealed, there was minimal communication about how to prepare and protect ourselves. This lack of transparent and effective communication exacerbated the fear and anxiety among staff.


Lessons Put into Action


Eventually, our talented solution expert audited the system data to see whether we could identify what had been breached. He, with others, instituted improved security controls, such as multi-factor authentication (MFA) and scanning the system endpoints for unusual activity. In the end, I do not believe we ever knew what data might have been breached. The really good news is that no data related to children, partners, staff or donors was released on the dark web.


In the coming months, the CEO and others at the executive level became fixated on our need to buy expensive 24/7/365 detection and remediation services. A peer CIO saw this as an opportunity to promote investment in cybersecurity tech, telling me not to let a good crisis go to waste when it came to getting more budget.


My team and I took very different actions. We focused on building the resilience of our team and our staff to act in the face of what are likely to be further attempts to access our sensitive data. We continued to execute our plan, which we called the Path to Low-Risk.


We were brutally honest about the primary source of risk to our security: our people and our overall culture of safety and security. Making us safe was not about expensive high-tech solutions but about the daily practices we followed as staff and technologists that kept us safe and less vulnerable to cyberattacks.


The Path to Low-Risk Action Plan


  • We implemented a Cyber Awareness Program and worked to change staff behaviors. We made staff familiar with tactics like phishing, spoofing, and doxxing (oh my!). Then we tested them with simulations that they passed or failed.

  • We were serious about the threat from third-party vendors and instituted more controls in partnership with our procurement team. No vendor or supplier could enter our architecture without meeting our current security requirements.

  • We delivered simulations and active incident response drills. Rather than treating drills as one-off exercises, we used our incident response protocol to respond to all critical incidents, so everyone knew how to respond to issues big and small.

  • We built new strategic business partnerships, starting with the legal team. We embedded our Path to Low-Risk action plan in the legal team's reporting to the CEO and Board. We shared ownership and, therefore, shared action.


A Call to Action: Beyond Technology to Resilience


This experience transformed our nonprofit security protocols and my entire philosophy as a technology leader and executive. I've made three commitments that I challenge every nonprofit technology leader to make:


  1. Prioritize dedicated information security leadership - I will never again lead a tech team without a dedicated CISO, whether full-time or fractional. For resource-constrained nonprofits, this might seem like a luxury. Still, I now view it as essential infrastructure—like insurance you hope never to use but can't afford to be without.

  2. Invest in people before platforms - The most sophisticated security tools are worthless without staff who understand and value information and data security. Allocate resources to build a security-conscious culture through regular training, simulations, and open discussions about threats. No threat is too small. Explain how protecting our sensitive data means protecting the people we serve.

  3. Bridge the leadership divide – In the face of growing cyber sophistication and threats, the technology and legal teams must work together as partners. I now hold quarterly alignment sessions with our legal and communications teams to ensure we're unified in our approach to potential crises.


The nonprofit sector faces a particular vulnerability: We hold sensitive data about vulnerable populations while often operating with limited resources. This combination makes us attractive targets. But our greatest strength remains our mission-driven focus—we understand the human impact of our work better than anyone.


As nonprofit leaders, we have an ethical obligation to protect the data entrusted to us by the communities we serve. My experience showed me that resilience isn't built through expensive technology alone but through persistent attention to organizational culture, cross-departmental collaboration, and continuous learning.


Please share your own experiences of becoming cyber resilient or reach out directly if you'd like to discuss how these approaches might work for your organization. Together, we can build a more secure nonprofit sector—one organization at a time.



