If we stay focused, it just really aligns that if we stay focused on the mission and vision of a business. We can stay focused on what's important and prioritize it and then it all becomes a part of the business works. flow in a part of standard business operations instead of a technology add on, or something that's in the way of, you know, incredible employees and staff and volunteers, meeting needs. Those are things that tend to be controversial or not controversial, adversarial or conflict between leadership, executive staff, those kinds of things and program staff or implementation staff and that, that doesn't have to be the case.

Keeping your business secure can be tricky. Especially as you go from startup to a small team to a growing team. I've got tech and security expert Emi Baxter here to talk with you about things to think about when setting up your structure as your business grows.

 In this episode you'll learn:

→ What is a holistic approach to IT in your organization.
→ How to address security issues at the Phase One or Startup Phase of your business.
→ How to ensure that your organization keeps access to all the software sets you utilize from your website to your donor software etc.
→ As you grow, how you add to your tech stack and keep things integrated.
→ When you're ready to hire someone in house to handle your IT – there are a few things to look for.
→ Pay attention to regulations and compliance issues for your particular industry.

Want to skip ahead?  Here are some key takeaways:

[10:50] You've got an idea and you're just getting started. Pay attention to access and privilege levels for all the people involved in your organization. Having these systems in place at the beginning will really help you as you grow. Office 365 and Google Drive are great tools to accomplish this at a low cost or free.
[16:16] Keeping access to the software programs you use is critical. Especially when it comes to your donor software, website hosting and domain. Password managers are a great way to give people access and still hold tight to the things critical to run your business.
[23:58] As your organization grows, so will your team and your tech stack. Paying attention to the integrations of the programs you're working with is key. Cloud based apps are a great way to go. They typically cost less and are more secure than running everything on your internal server.
[30:50] In Phase Two it's also a great time to start to create you IT policies. It will continue to grow but it's a great time to get those systems in place in order to set the foundation and make less work for yourself in the future. This could be policies around work email, documents you access, how data is shared, etc.
[32:05] Once you go into Phase Three and you're ready to hire someone in house (or a contractor) to help you with your IT, it's important to think about the needs your business has. Every business is unique and you want to think about your tech stack and your policies when it comes to hiring someone. You'll also want to think about the compliance concerns you have and what regulatory items you need to consider.
[42:24] Prep for those emergencies and things you can't plan for. When you do this then it'll save you money in the long run. And having the right tech stack and support is really important here.

Resources

[Guide] 9 Ways for Non-Profits to Raise More Money Online
LastPass 
Google Drive
1 Password
Dashlane

Full Transcript

[INTRO] Hey there, Sami here with another episode of the Digital Marketing Therapy podcast ready to talk to you about keeping your organization and your nonprofit secure.

Now, we all have different phases of our business from when we're just starting up. and we're all volunteer-based working in somebody's kitchen table to when we're ready to start hiring and developing a full board to when we're actually ready to bring in somebody that can handle all of our IT. Across the board, there's always changes that are happening inside of our organizations. And with that different opportunities to make our organizations more vulnerable, vulnerable to people trying to steal our information, or for people to take information from our organization to create their own what I mean whatever it could be right copying, security, and then also just ensuring that our tech stack stays consistent and accurate and that we are not opening ourselves up to hackers and anything of that nature, especially if you're in a sensitive or regulated industry or if you're serving a population that might need a little additional sensitivity.

So, I have brought on this episode one of my dear business friends, Emi Baxter, she is a tech guru. And I am always asking her questions and she's always supporting me and figuring out how to kind of clean things up how to integrate everything what the best software that's out there. So we have a great conversation about different things to think about at three different stages that you might be in your business or as a nonprofit.

Emi is a long time Bendite committed to Central Oregon culture breathtaking views good beer, cider, wine and spirits, oh my and engaged people. She's known to others as a challenger, always asking questions creating ripples in the status quo and looking for a better way to thrive. In her business life and he is a technologist with a twist focusing on operational and technological insights and improvements aligned with businesses visions and goals to maximize efficiency and increase the profit, reduce the loss and ultimately make technology work for you.

She focuses on facilitating the acceptance of technology, and empowering users to apply it to modern day business or everyday life. Above and beyond her goal is to partner with users bringing technology in as a resource to fuel your fire.

And I love that so much because a lot of times technology is seen as a stressor and something that we have to figure out how to do and her approach just makes people feel so calm and comfortable. Her passion is people and she is quoted to say I love technology, but I but she believes in the people I'm sorry. She was quoted to say I love technology, but I believe in the people who use it, because she knows that maintaining our humanity, our connectedness in time of automation, and machine learning is more important than ever. And as technology continues to embed itself into our lives, it's up to us to give it roles and control the moments that we let technology live and do for us. In her free time me enjoy. board games hiking, reading beta testing new software and spending time with her tribe.

I really think you guys are going to enjoy this episode. Lots of good resources and tools for you here lots of good ways to take a look at where your organization is at and maybe some things you haven't been doing yet, and things that you can implement with ease.

But before we get into this, this episode is brought to you by my guide, “9 Ways for Non-Profits to Make More Money Online.” In this time of a global pandemic, and even though things are starting to open up, we still are finding that fundraising is a challenging thing. So how can we get out there, get in front of new people get in front of our current people, and raise more money for our organizations to continue to provide the services that are making such a big impact on your communities. So, nine ways to raise more money online, you can get this guide at https://www.thefirstclick.net/fundraise.  For now let's get to it.

[CANNED INTRODUCTION] You're listening to the digital Marketing Therapy Podcast. I'm your host, Sami Bedell-Mulhern. And each week, I bring you tips from myself and other experts, as well as hot seats with small business owners and entrepreneurs to demystify digital marketing and get you on your way to generating more leads and growing your business.

[SAMI BEDELL-MULHERN] Hi, Emi, welcome to the podcast.

[EMI BAXTER] Thanks for having me Sami.

[SAMI BEDELL-MULHERN] So I've been wanting to have you on for a really, really long time. And I'm so thankful that we waited because now that I am kind of supporting nonprofits in a different way. I mean, that's something that you and I share a passion behind because you're on several nonprofit well, I should say several, but you're on nonprofit board and you, you know, support several nonprofits in our community. And so I'm really excited that you're here to kind of focus on that with me.

[EMI BAXTER] Awesome, thank you so much. Yeah. I definitely have a huge passion for the nonprofit world, and specifically how security and technology fits there because they bring, you know, a unique service that generally two or more vulnerable populations or areas of need. And so there's a lot to be mindful of about, just from the top data approach, what nonprofits are thinking about fundraising, how to keep their services in line, and then, you know, rounding it out with technology and security.

And most of the time people are coming from a place of lack of knowledge.

[SAMI BEDELL-MULHERN] Yeah. Right. Patch working together.

[EMI BAXTER] Yep, exactly. And we see it in other industries, where experts have come out where you might hire a marketing expert, I see nonprofits all the time are working, you know, with social media specifically, or like yourself, someone who's super knowledgeable at marketing content and strategy to get their vision across. And so that's happening in other areas, and it's pretty new to have it happen. In that technology standpoint. Direct executive directors and boards are just expected to know what decisions to make.

[SAMI BEDELL-MULHERN] Mm hmm. Well, and before we jump into because, you know, we're gonna break it down. into the thick, three kinds of growth pain points that nonprofits go through. And I know that's oversimplified. But that's what we're doing. Why is it important for you just in general in your business, as you're supporting clients to kind of take a holistic look at health as opposed to coming in and doing more traditional, what somebody would see as IT or tech support?

[EMI BAXTER] Yeah. I really take that holistic approach, because I think, and I see that technology is no longer a unique facet of our lives. It's fully integrated into everything we do, whether it's sending a message to our staff, reaching out to get documentation signed, providing services during this time being able to provide remote services to your client base. And so it's no longer you know, my business has a goal and technology is this tiny subset, it's that if you have a mission and vision for your business, technology has to be a part of that because if your vision is accessibility, you know, technology has to be accessible. That doesn't mean only running really graphics-heavy websites that take a long time to load that maybe someone in a very slow internet environment wouldn't have access to it means having you know, accessible websites, something you've run into, I think a lot. But it just means that it's no longer like a subset of our, our society. It's a part of our businesses everywhere, as well as our individual lives. So everything we practice in our businesses are actually things we take home in practice, to keep ourselves safe and keep our kids secure and our friends, because I really, I fall back on the idea that we're all linked, you know, by up to six degrees of separation, that that's how closely we know someone or could find someone that we know in any situation. And so we look at that in a technology and data information perspective. It's really cool and really scary. Because that means, you know, if I share something about maybe you Sami, let's say I share it in a different circle of friends. But someone there also knows you and it has a negative impact. Maybe you lose your job, because in a time right now, where there's a lot of politically charged language and stuff like that, even those pieces come into play to, how are we protecting ourselves and those around us. And so I view it as this holistic perspective of our information and data belongs to us and the technologies that make it usable and shareable need to honor and protect that the same way that we would if we were dealing with, you know, physical things.

[SAMI BEDELL-MULHERN] Totally. It's Yeah, it's just a different way of managing all of your assets in your business.

And one of the things that I love and then we're gonna jump into but one of the things that I love about you and that I think you and I are in alignment with is where we find most businesses go sideways as they like to start going down the rabbit hole of like, okay, here's all the things that we need. Here's like, Oh, look at this cool new shiny software and, and instead of taking a look at what do I actually need? So going back to what you said, you know, what's my vision? What's my mission? And how can I get that across using technology? It's instead, what is what are the things that I need to get done? And how, what features what things must happen? How can I automate in order to make things move smoother, and then find the holistic approach to that as opposed to doing it the reverse, which I think is the way a lot of people do it?

[EMI BAXTER] Absolutely. You hit it on the head, and unfortunately, a lot of it's reactionary, and it's one of the most struggle points for me is when I hear people making reactionary technology decisions, because they tend to be painful and costly. If we stay focused, it just really aligns that if we stay focused on the mission and vision of a business. We can stay focused on what's important and prioritize it and then it all becomes a part of the business works. flow in a part of standard business operations instead of a technology add on, or something that's in the way of, you know, incredible employees and staff and volunteers, meeting needs. Those are things that tend to be controversial or not controversial adversarial or conflict between leadership, executive staff, those kinds of things and program staff or implementation staff and that, that doesn't have to be the case.

I really view it as an opportunity to say, let us elevate you let this technology elevate you to do the absolute best parts of your job and let go of the majority of the worst part.

[SAMI BEDELL-MULHERN] That's awesome. And I yes, I agree with all of that.

Okay, so let's start into what kind of I see as phase one, you've got an idea. You've decided to start a nonprofit, and or even a business. I mean, this could relate to any startup business, right and you have now maybe a handful of people that are helping you where you have you've kind of pulled together this volunteer board, but everybody's basically working for free. And so you've got, you know, passwords for things that are being shared all over the place, you've got, you know, you're probably not all necessarily on a secure network, you know, everybody's working from their own personal computers, like what are the biggest red flags that people might want to look at first, in order to keep all of that information that you're kind of pulling together at the beginning safe?

[EMI BAXTER] Absolutely. I think, really, from my perspective, the most important thing to look at is defining access and privilege levels.

So even when you're at a couple of people, what do they need to know? Or what you know, what access? What data do we have access to? What do we need to know and who needs to know it? Because in these times, you're generally dealing with one or two people who have copies on their physical computers, or devices, maybe even hard copies. And then are we sharing it from there? I'm not necessarily the person who's going to say, you know, instantly create a shared cloud drive. And, and get everyone involved, I think it's really important to start with, with the who's in whats. Not every nonprofit is dealing with data they have to be so worried about from a from,

[SAMI BEDELL-MULHERN] like a privacy, like it would be different if you were dealing with kids.

[EMI BAXTER] Regulatory standpoint, I guess is what I'm trying to say. But it's more just, we want to keep ourselves secure and safe. And so that's really becomes business best practices. And unfortunately, most of those are policy-based, or what I might call an administrative control. So those are things you train into people, not necessarily hard technologies that you implement.

But I would I would start with who needs to know what, what access is that and then how could we implement it based on what we have? I am a big fan of, you know, Google Drive or Office 365. I'm not necessarily going to pick one over another. All the cloud services are pretty comparable and it's depends into kinda your needs but I would set one of those up and have you know the executive director, even if it's at a volunteer level that person and the board because the board generally has has the right to have access to that where you're sharing that information and then kind of drill down from there as you get people who work who are working in and out. This is a time where you have to be really super dynamic. And it's hard to have structure. But if you can lay the foundation, it will make it a lot easier to transition to, you know, those phases two and three of a nonprofit where you're getting into bigger budgets, more staff, potentially paid staff, those kinds of things.

[SAMI BEDELL-MULHERN] Well, what I love I mean, I'm just going to talk about Google because I don't use Microsoft 365 personally, so I don't know it as well. But I mean, I'm sure it has all the same features. But what I think is great about the Google platform is that you know then you're not having to pay for additional software for things like Word, Excel or what have you. But it also really easily allows you to maintain permissions and remove people, so if somebody then does become not involved in the organization, it's not a matter of Okay, I need you to give me all of the files back. It's you just remove their access and moving forward. They don't see it anymore.

[EMI BAXTER] Yep, absolutely, I am a big fan of those aspects. I prefer shared drives or recommend shared drives over people keeping copies on their computers. And love that about pushing people to use web applications. So I believe there are even versions of Office 365 now, where you can only use the web application as opposed to the downloaded software on your computer because that really helps protect businesses in those points. Not that people may be malicious, but they might be careless or unintentional. And so it gives up protection, you know, Google, I do personally use Google more extensively. And, and so it has fantastic features where you can turn off people from saving passwords you know, you can transfer all the documents from one user to another. If there are concerns, you can remove permissions, you can create different organizational unit levels within Google. So it's pretty easy at the top level to say, hey, these people deserve or get access to everything not deserve. They simply have a job role that requires that right everything. Versus these people really only need access to this. And setting really clear boundary lines on making it so that people don't even see what they don't need to see.

[SAMI BEDELL-MULHERN] Yeah. And so at this, I mean, if you're pretty much just starting up an organization, it's probably mostly like password sharing and document sharing. That is the biggest security risk. I think the other thing that I come across a lot, and it's obviously a website is something that will I say, obviously, because that's my world, but you, you know, I recommend having a website, even if it's just a simple landing page when you first get started. And so then that opens up the whole question of hosting and domain purchasing. I've seen a lot of organizations that get stuck because somebody leaves or volunteer does it And then you don't get the right access. So do you have recommendations on where all of that information should be held?

[EMI BAXTER] Absolutely, and I and that's happened so many times made it or tribal knowledge is kind of a detriment to technology and organizational stability. And I am a big fan of password managers. I will say I hate password-protected spreadsheets, please don't put your passwords in spreadsheets. Don't do it. It's, it's terrible. I don't care how big your password is to protect it. It's not a good practice. That requires that people be responsible for updating it and sets just so many opportunities for error. And, and for someone to gain access to that information and use it maliciously against your organization. We're in a timeframe where that can create irreparable damage. You know, reputation is everything in in a world of services that you're better, you know, better targeting people. populations and whatnot. So I'm a big fan of, I've used LastPass. I've used one password, I've used dashlane. I have used keeper, I have used, Password Manager.

Those, it comes down to ease of use. I'm a big fan of, you know, when you're the size. I hate saying sharing credentials is a good idea. But it can be hard or cost-ineffective to, you know, have three or four or five-user accounts for things like that. But even being willing to get a free or paid version, Password Manager to store everything is kind of that make or break difference from being able to transition info over, you know, knowing your wireless password. To the network.

I just worked with a nonprofit that I had to completely reset up their entire wireless network because they had no information around it. No credentials and the way it was set up was that without those credentials, the only option was to reset it completely. So it's a duplicate of efforts, which unfortunately, they then had to pay for. Right?  And that that's the stuff that it's just so painful on on the end of it to have to be in that situation that if you can take the time to have a password manager set up with a couple of folders to like hey shared IT  passwords, that's one of my favorite folders where you should be your website should be your hosting should be things like that, that are important that you might not access a lot.

I'm trying to think of what else should be in there. But really, I think password managers are super critical and important. They should be one of the first things that people are willing to invest in. Not just from the security perspective, but where it's maintained, but it also simplifies management and password usage. I'm going to push people to use 10 or 12 digit passwords. Ideally in my world, I'm saying 16 every time you add a couple of digits, you add potentially hundreds of years to the amount of time it would take a supercomputer or hacker to crack that password. When we get down to eight in 10 characters, we're talking about 90 days. And so having password manager that will also generate automated passwords for you, you can tell it you know, hey, I want it to be easy to read, or I want it to only use uppercase lower and lowercase numbers, or excuse me letters, you can kind of create rules around that and then just have it generate and it will automatically save for you. So it takes a lot of that thinking out of it. It takes whether we like to acknowledge it or not the pattern making that we naturally do out of it so that we can remember it and really creates that level of extra security because I think that the hardest thing about individually created passwords, is that if someone knows you, it's pretty easy to make some jumps about what your password may be. If I know someone and I they are really into flowers. I'm going to start with their favorite flower and the current year. Almost any favorite thing, or child's name, or pet's name and current year. I see it all the time. So it's like they're super easy ways that people don't. They think they're being unique. And it's very common.

[SAMI BEDELL-MULHERN] When that then makes that password manager all the more important because then you can create those complicated ones, you don't even have to think about it anymore.

[EMI BAXTER] Exactly. It's just a push of a button you say generate. So it enters it for you and say, and you hit save, adds it in and you're you know, you're all updated with pretty minimal thought on your side.

[SAMI BEDELL-MULHERN] And then the last thing I'm going to just well last two things I want to touch on on the website thing and then we're going to move on but um, and not just for websites, but any platform that you have. It allows you to create multiple users that's always better than just like saying like for WordPress login. Like you wouldn't want to just create admin with a password and then share that with everybody, right? Like take advantage of the fact that they can create multiple users because then saying you can remove people.

[EMI BAXTER] Yep, exactly. So ideally, whenever it is not absolutely cost-prohibitive, I only put that caveat in there is just because some companies will just kill you for per-user licenses. But as long as it's not cost-prohibitive, you always want to have a standard practice of making each individual their own account. That's best practice for everyone. It provides great logging, and allows you to remove them as an individual like you said, if they depart or anything like that, as opposed to having to inconvenience everyone to update the password or unfortunately run the risk of being that organization that chooses not to, and just hope that person that left you know, has the best intentions at heart which, unfortunately, sometimes they don't. I've definitely been involved in instances where we had to do pretty extensive log reviews and data analysis to determine that there were malicious actors who had access to shared passwords that hadn't been updated. And who'd taken actions.

[SAMI BEDELL-MULHERN] Especially in the startup where all parties go in assuming something's going in one direction, and if things start to change and maneuver in a different way, because I mean, as businesses grow, like, you know, things evolve. Sometimes feelings get hurt and people that you wouldn't think would be malicious. Like you said, may be because they got, you know, emote ego and all that stuff comes to play.

[EMI BAXTER] Yep, emotion. I think the instantaneousness of digital technology sometimes allows us to react to those intense emotions in ways that maybe we wouldn't expect people to do so. And so creating barriers that remind people of space or simply don't give them that privilege, and benefit both parties. I kind of try to relate it to the idea that clear is kind unclear is unkind. So, technology is a form of protective barrier for both parties involved, those that will really all parties, so those that are served, employees and staff and also donors.

[EMI BAXTER]  Mm hmm.

Yeah. Okay. And I just want to be clear about one thing, if I'm speaking on this when you purchase your website domain, and I think you'll agree with this, make sure that the organization purchases that domain wherever possible, so that again, you don't run into a situation where there's a lapse and somebody doesn't renew it, and then you lose a lot of money. It takes you so much longer to fix all of that.

[EMI BAXTER] Yep, completely agree with you, wherever possible, those things that I would call proprietary, which mostly is your domain, those kinds of things you want to have under the organization and record clearly documented or recorded so that it can carry carry on.

[SAMI BEDELL-MULHERN] Okay, so let's say you've moved past the startup phase, you've gotten your funding, you're ready to hire staff and really make a bigger impact. I think a lot of the things that you said in the startup phase are going to remain true as far as like the password protection and permissions users, right? You're just going to have more of them as people start to add, and this isn't necessarily a security question, but as people start to add on to their tech stack, so maybe they're now hiring, adding a donor CRM, and maybe they're adding like QuickBooks or financial software, what kinds of things as far as integration go? I guess, like, you know, just integration and how things connect should be a big part of that conversation when adding your tech stack, right?

[EMI BAXTER] Yep, absolutely. I mean, we live in a really cool cloud based world today. There are still a lot of what I call hybrid environments that have physical hardware on site or a lot of physical components that are individually invested in and owned in collaboration with cloud environments that meet the need, but really, for most smaller businesses, start up in second seat kind of second phase growth businesses, primarily cloud-based environments are going to be the ideal situations because and it's the forward way of technology, it's really hard to invest in robust hardware that would support these types of integrations. Right? It was we're talking about QuickBooks, but potentially a donor CRM, and pre-existing email and things like that. If an organization is handling that all, on the server-side, and physicality side becomes almost impossible.

[SAMI BEDELL-MULHERN] So what would you say to people that are like, well, the cloud doesn't like if it's in the cloud, I'm going to lose it more likely, or it's not as secure. Like how how, how do you explain that to people about like your internal server versus the cloud, and that they are just a safe if not safer, probably in the cloud than in their own internal server?

[EMI BAXTER] Well, that's actually one of the things I kind of talked to people about is I asked them questions about what they've ever touched their internal server when they've done updates to it, or what types of security they have on it. And most people don't know they, there's kind of this, this natural impression of security because it's physically in our presence. And even though realistically, the risks are actually higher, you know, most businesses aren't necessarily alarmed in a way or especially nonprofits that are alarmed in a way but if I broke in and stole their server, that I might even be caught. So it's it's kind of this balancing act of we know and trust, we trust what we know and what we're capable of. And then realizing and kind of talking about the fact that cloud infrastructures are built by the most advanced, knowledgeable individuals in the security industry today, worldwide. That's not just in our nation that's in our in our entire globe with intention and goals, specifically around security, and they practice the same approaches. I'm talking about, access of least privilege. You know, a person who works on AWS or Azure, Microsoft Azure, or Google Cloud services, they don't see access to that data. They don't necessarily get into anything they see beneath your data behind it below it around it everywhere, but within it. And so it's almost like, to me it's more like hiring a specialist to do the work and putting trust in that, then viewing that as a lessening of security.

[SAMI BEDELL-MULHERN] Well, they're, I mean, they have professional hackers on their team that are constantly trying to break into their own.

[EMI BAXTER] Oh, yeah. And there's, there's a huge population of of white hat hat, white hat hackers, which are ethical hackers, both volunteer and paid that attack the most common like Google, Apple, Microsoft all employed them. There are huge conferences around again, the globe, and where these attacks are practiced, are put given feedback to these organizations, and they patch them pretty quickly, they're able to put out patches and invest resources on, on into mitigating risk at levels that no individual business can and definitely not a nonprofit. Right?

[SAMI BEDELL-MULHERN] Well, and from a cost perspective, you know, cloud based applications are generally less expensive as well then then the internal software that you would need in the data systems in order to keep it local.

[EMI BAXTER] Yep. So it tends to be cost effective. It tends to also enable, especially as we talked about, you know, the last three months with a pandemic specifically in other instances, the idea of enabling remote work. I had the pleasure of last year I worked with a nonprofit where we did all of the work last year just for them to be able to work remotely even though they didn't have any need. And because of that, when COVID hit, they did not have a single day that they were closed and not providing services to their client base. And that part of that is cloud based services.

And that when you are a mission based organization, that becomes really critical. And I think it's powerful in a way that that is cost-effective. It can be scary and feel scary, but I think it it really is about forward-thinking or re re-evaluating back to that vision and going, what is our core goal? Our core goal is to provide services, what are the ways we can make that happen?

[SAMI BEDELL-MULHERN] I worked for a company previously, and we ran like all of our stuff on SAP, and it was not cloud based. And so we had like the I don't even know what it was like some local host thing that we had to log into in order to get access to the back end if we were at home and it was painfully slow and really hard to maneuver through. So I'm with you there cloud-based, all the way just makes it so much easier. You're all parties involved, and integrations are usually a lot easier as well.

[EMI BAXTER] yep, I mean, we live in the software world, there are hundreds of thousands, if not millions of software options. And so the developers who plan integrations do unfortunately have to plan them and cater to those that rise to the top. So that is part of it. That what you see kind of succeed and out there is because there wasn't some significant investment into making it usable and accessible to a greater population group. 

[SAMI BEDELL-MULHERN] Okay, yeah, that makes a lot of sense. Anything else that I'm missing to ask about kind of that middle area of you know, like, we're starting to hire staff, we have a team we might have an office.

[EMI BAXTER] I think the only other thing that I really like to see happen in this middle area is going to be an add on you know, in step one, I talked a little bit about defining that access and privilege level. And in in that second phase of growing, adding some stuff on it. be starting to define your IT policies and not that it's super rigid or that they have to be finalized. But they should start to be documented. And you should start to say things like, email is used only for work purposes. You use your organization based email when you communicate with clients, because this is where we get into the phase that we would start to get more up against those regulatory compliance components. And starting to, to really need to evaluate not just how are we acting today, but what what happens with this stuff?

[SAMI BEDELL-MULHERN] And how are we protecting the data of our donors? How are we protecting the data of the those that we serve?

[EMI BAXTER] Yep, retention policies. Again, I call them administrative controls versus technical controls this, this two-fold multi-layer dynamic of that we have to train and define what's okay so that people know and then provide putting technology to support that.

[SAMI BEDELL-MULHERN] Okay, that's a very good point. And so kind of the last phase. And this isn't the last phase because obviously, we're always growing, but kind of the next step up I see is, okay, so now we've been trucking along for a few years, our budgets are increasing. And it's time for us to bring somebody internal to help us manage because as you add more and more and more to your tech stack, as you add more services, as you're reaching a larger audience, it becomes at a certain point, it becomes beneficial to have somebody in an IT role in house or at least on a regular contracted retainer.

And so what kinds of things as you start to put that together for your organization, what kinds of things might you want to think about in that person in that role? What what kind of questions might you want to ask, you know, to find that right fit?

[EMI BAXTER] That's a really good question.

Finding the right technology fit is super challenging and super important. for a couple of reasons.

One of them of course, being the tech itself and the reliability of that access for your organization. But twofold because technology isn't just implementation. And it's a lot of training, and coaching and interacting problem solving, troubleshooting those things. It has to be a person who can also align with your mission and vision. And we're an organization that can align with your mission and vision because if they don't see value in it, it will be really hard to have a comfortable relationship of support.

So some of the things that I think about I really try to recommend that organizations start with an internal form of risk assessment. So talking with your board and saying what are the areas we're concerned about? Most executive directors should have access to resources where they know what regulatory compliance issues they have. So if you're dealing with people, HIPAA, PII, PR, so HIPAA is health protected data PII is personally identifiable information FR which is like school formation. Hopefully you're using a good donor CRM and payment processor where you're not dealing with the payment card industry or the PCI data. But this is where you have to start saying, Okay, what regulatory compliance issues do we have? And not that we're going to take them all into account, but we have to be aware of what kind of legally our expectations are. And then you take that and compare that to your business and say, what does that mean, in comparison to our services, and much like a financial audit, there are going to be things that you say, ideally, we would do this, but it's so cost-prohibitive, or the risk is so low that we're simply willing to absorb it. So you just look at your organization and say, you know, whatever our risks from a technology standpoint, could we survive this?

And I recommend a tabletop situation of what would we do if our building burned down? How quickly would we be in backup for services? What types of hardware would we have to replace what I mean, that's on the technology side, it can help the organization generally as well just to know what program supplies they would need to replace or XYZ. And to take that approach, then take that and say what are the top priorities we have? Pick those because it's not going to be everything into those in ideally into your strategic plan, or whatever type of plan you work with your board on. And to then try to find a person that or organization and consulting organization that aligns with that and can help bring that to life.

It's really a multi-year tends to be a multi-year process and commitment. So finding that good relationship and under having them understand that it's a longer term vision sets both organizations up for success.

[SAMI BEDELL-MULHERN] And so so I guess, the other pieces so then yes, from the secure or from the beam, being able to fix things perspective, and that's one piece and then the other piece to me is is it important for them to really understand all of the tech, the tech pieces that you use, so they can also help you with the customization.

So like, let's say, you've been using your donor CRM for a while, and it's been working well for you. But now you're ready to really kind of go in and take it, like, take the extra features that maybe nobody else on the team is able to implement or do some additional customization like, you know, is that the same person? Or is that almost like a different set of skills?

[EMI BAXTER] Um, that's a really, that's a tough one, because it can be. I don't have a single answer for that a lot of the time, it's not necessarily the same person, especially if you go with an organization that commits to a specific software set or approach if that makes sense. There's nothing wrong with having a specific line that you support but being completely agnostic tends to make you hyper comfortable and hyper familiar with working in interfaces, even if you've never worked in it before.

So I would say that, you know, an organization that comes in and says, we really want to implement Office 365. And these and this and this are probably going to be really great from a support perspective, but maybe not the right fit to say. And, you know, we work with in our donor CRM and in currently doesn't do any of our automated emailing, we like manually email that wouldn't necessarily, and that's not the hardest thing, but that wouldn't necessarily sometimes be the right organization. And that's where that can be a struggle fit where if you have someone that's more focused on strategy, or you find an individual that's a little bit more focused on strategy and that back to that holistic picture in approach, they can be a little bit more effective and helping guide you and how you might maximize your usage of an existing tool.

And a lot of times that comes from my perspective in there's a little bit of difference. Between a managed services provider, which is what I would call someone who has a contract like that, and provides support generally, and like a technology consultant, in the sense that a technology consultant is generally going to come in and ask you a bunch of questions to try and figure out what you don't know that you don't know what your organization isn't doing.

So like I might ask a nonprofit, how do you send emails? How many times a month? Do you touch your donors? What ways does that happen? Is it manual? Is it verbal? You know, do you send text messages, things that other people that an MSP a managed service provider wouldn't get into or necessarily think about. But that creates that opportunity to say, Oh, you guys aren't doing that. And you use this donor CRM, CRM, you could implement these three things and potentially increase your reach by 500 people.

[SAMI BEDELL-MULHERN] So maybe what I'm hearing then is, you know, when you step back when you're in the phase of maybe just starting to hire people, and starting to build your tech stack, that's a great time to have somebody come in and as a tech consultant and help you build that, so that you do start with the right tech. And then as you get into the phase where you're really wanting to bring an IT type person in house, putting those all of those needs in place so that you can hire the right person to support what your biggest areas of risk and or need are, will vary between departments, but if you know or between organizations, but if you already know that your tech stack is for the most part solid I think a lot of times, especially with, you know, people in their mid-20s to I don't know I'm going this is a gross generalization, but like a lot of those software programs have training programs as well and you could potentially just train the employee that is going to be diving deeper into that and keep your it as really like, let me help make sure everything is secure. Nothing's breaking. We're following, like the technology best practices and and making sure that our business is secure.

[EMI BAXTER] Yep, yep, you hit on the head, I think a lot of awesome software providers now are assuming or at least pushing for the idea that it's really expensive and difficult to have specialists in every software set. Like you said, you mentioned SAP, that's one of the hard with that, like people are paid specifically because they have a skill set and knowledge base there. It's that's hard to maintain in the world we live in today. So there's a ton of value in making something that can be set up and implemented. And that might be something where you need a specialist, but then can be transitioned to the staff or to that team to really work with on on the daily or the regular because I know you would say specifically with website, Sami, those should be living they should get updated regularly. So it's not super awesome, you know, if I only touch their account once every six months or something like that, as opposed to maybe training them, hey, you can update this section here. By adding new text in once a month. Maybe they add a blurb because you you set it up in that way. And social media, I just think there's a lot of examples like that where it doesn't, once it's set up, there's a lot of ability to interact with it and make minor modifications and changes to still maximize impact and maximum maximize effectiveness of those tools. Without having to pay an extra specialist or pull someone completely outside from the outside into the organization.

[SAMI BEDELL-MULHERN] When I love the that you mentioned, you know, the tech consultant, you know, or even it could be a marketing consultant and a tech consultant combined that would come in and ask the questions like, how often are you emailing is that you know, like, all of that whole series of questions that you brought up is so important to long term growth of a business, but also to the technology that you're using and the priority like if you're only emailing once every six months, and you have a list of 10 people like don't pay for email marketing software, and then you don't have to worry about that integration, right? Yep. I do think you don't know what you don't know. And that's why this conversation and and we've only scratched the surface, right? But that's why this conversation I think is so important for people to think about because I do think the IT piece is sort of an afterthought until it's blown up in your face and all of a sudden you're scrambling,

[EMI BAXTER] Yep. And emergencies cost money, I don't care what type of emergency definitely technology related, but right if a house burns down, it's really expensive. And so I really kind of stressed the idea that if we could shift to preemptively thinking about it, it would actually cost us less to implement technology, align it with our mission and really see a huge return on our investment in it.

It's something that I believe can can quell finance, finance, people who you know, are always focused on that pocketbook in the bank account and what does that say it can support executive directors that are wearing eight hats. It helps fundraising like I said right now, technology is making it so that staff or program staff can connect with whatever their clients may be, and provide services. So to me it is that you can't really have your mission without it anymore. Right? So it's a matter of do you willingly in do you create intention around how you're going to implement it and how you're going to use it to elevate your organization? Or are you going to be controlled by by those reactions?

[SAMI BEDELL-MULHERN] Right. And I think that's, I mean, a great way to sum it up and and end this episode, there's so many good things that you drop in great tools, and I will make sure that we include all of those in the show notes for this episode. Emi, thank you so much for joining me on this episode. And if people want to learn more Avant Tech, which is your amazing tech business, how can they How can they find you?

[EMI BAXTER] Um, they can email me, me emi@theavanttech.com but my website should also be up which is https://theavanttech.com 

[SAMI BEDELL-MULHERN] Yep. And we'll put all those links in the show notes as well. I appreciate you coming on and sharing all of this with everybody.

[EMI BAXTER] Thanks so much, Sami, I really appreciate the opportunity. And I'm really excited to just get get to share a little bit about this, I think you and I have a lot of overlap because you're in in that marketing and technology space. And I view just the collaborative interactions between technology and all of the other entities that make up a business or a nonprofit, to be really cool. It's really exciting and fun to see these types of interactions come together and see organizations elevated because they get more for their for the value than historically

[SAMI BEDELL-MULHERN] so much more for the value in way less stress once it's all done. Yep. Yeah. Thank you so much Emi.

[EMI BAXTER] Thanks, Sami.

[CLOSING] I am so thankful that Emi joined me on this episode. It was so much fun to do. She and I live in the same area. We are working and collaborating on our businesses together all the time. And so I'm very thankful to have had her come on and share all of the knowledge bombs that she shares me all the time with you. So I hope you enjoyed this episode. If you did, please subscribe wherever you listen to so you don't miss out on a single episode. Check out the show notes at https://www.thefirstclick.net/podcast and I look forward to seeing you in the next one.