I’ve often heard vendor leaders and salespeople complain about leads from nonprofits because “they don’t focus on cybersecurity.” Dr. Kelley Misata, Ph.D., CEO and founder of Sightline Security, has proven every single one of them wrong.
Sightline Security is a nonprofit organization dedicated to truly understanding the priorities of nonprofits and, while they are mission-driven first, they absolutely do care about securing their sometimes life-saving missions. According to Misata, this is an important part of cybersecurity that too often gets overlooked or approached incorrectly because one cannot engage a nonprofit about security in a way that one would approach an enterprise.
To lift a Misata quote from the Sightline website, “Cyber and information security in the nonprofit sector is being overlooked and ignored – putting critical services, organizations, and missions at risk.” Sightline provides nonprofits of all sizes with the resources and expertise needed to put cybersecurity into practice, empowering them to carry out their missions securely and with confidence.
While this article focuses on Sightline, many may recognize Misata’s name as she is also the president and executive director of Open Information Security Foundation (OISF) and its Suricata project. Needless to say: she knows nonprofits. Read on to learn more.
Q. One of the reasons I wanted to interview you is your founding of and work on Sightline Security, which actively supports nonprofits in their sometimes cost-prohibitive yet critical need for protection. Please share more about this in your words–including why you created it.
A. Sightline Security was built from my dissertation research in 2016. At the time, some argued, “nonprofits don’t care about cybersecurity,” but my research told a very different story — with over 50% response rate and powerful insights. When I finished, my mentor and friend Becky Bace said, “You can’t just leave this on a shelf — you need to move this forward.”
It wasn’t just about telling nonprofits what to do; it was about giving them a way to measure where they are, as a first step. I wrestled with whether Sightline should be for-profit or nonprofit, and realized that for it to succeed, we had to be like them — nonprofits told me again and again that security people didn’t understand their operations or pain points. So Sightline became a nonprofit — intentionally — because we’re not standing on the shore telling them what to do; we’re in the same waters, swimming alongside them.
On a personal note, when I was cyberstalked, I turned to organizations for help. Many didn’t know what to do with digital threats, and it made me wonder: were they prepared for cyberattacks at all? My lived experience, new view on technology and privacy, and academic research collided, and Sightline was the answer to help make an impact.
Q. How can someone like me or others who have ranges of cybersecurity skills from business to deep tech get involved to help support Sightline?
A. We have a newly updated Partners Program where solution providers can directly help fill the security gaps we identify with nonprofits.
We’re also building a C-Suite guide: “So you sit on a nonprofit board and you want to help, what do you actually do?” to give leaders a real path to make a difference beyond just good intentions.
Right now, we’re growing in two big areas: our KickStart program, which helps nonprofits take that critical first step toward cybersecurity readiness, and our upcoming Insight Report, built from years of ground-truth data collected directly from nonprofits. Sponsoring either helps protect the missions we all depend on and gives you a firsthand look at the impact you can make.
We’re also actively looking for solution partners whose products and services fit the real needs of nonprofits. It’s a partnership where we help you learn the operating nuances of nonprofits (and their language) and we align your solution with our KickStart program.
But most importantly, if you’re passionate about securing nonprofits and supporting the missions they protect, reach out to me. There’s room for everyone to contribute. I’d love to find a meaningful way for you to be part of this work.
Q. What can both businesses and individuals do to support nonprofits trying to secure their sometimes life-saving missions?
A. First — leave the superhero cape at the door.
Go in with humility. Yes, you bring technical knowledge they may not have but you know nothing about their mission or operations. And honestly, that’s one of the best parts; you’ll learn a lot about their work while helping them strengthen it.
You’ll probably see a million scary gaps and opportunities to “fix” things but resist the urge to overhaul them. Guide them toward improvements they feel ready to succeed at.
Lend a hand. Write a check. Respect that nonprofits know their business — and they are fierce about protecting their missions.
And of course, we’d love for people to get involved with Sightline! Sponsor a KickStart. Help spread the word about our work. Bring your solutions — and your heart — to this fight.
We’re also happy to come to your organization and share what we’ve learned. If your teams are already volunteering with nonprofits, we can help them do it even better — giving them practical, respectful ways to make a real cybersecurity impact in the communities they care about.
Q. Who are some of the partners you work with through Sightline and how do they best help support you on your mission?
A. Right now, Sightline is in a building phase and I’m proud to say that everything we’ve accomplished so far has been without major corporate sponsorship.
We have an incredible group of advisors and board members who bring not just expertise but real heart to our mission. They’ve been instrumental in helping us navigate the unique challenges of working at the intersection of cybersecurity and nonprofits.
One of our big goals for this year is to grow new partnerships with companies and solution providers who believe that protecting nonprofits is critical. There’s so much opportunity ahead, and we’re excited to find the right partners to help us scale the impact we know is possible.
Q. Beyond what you’ve already shared in the “why,” what are some of the unique cyber challenges that nonprofits face?
A. There are a lot of myths and misconceptions about nonprofits. Ask any security professional, and you’ll hear the usual: they’re poor, they don’t care, they’re ripe for attack.
What we don’t talk about is how nonprofits operate — their business models are often similar to for-profits, but with nuances many overlook, especially around data and technology. The language we use in security doesn’t always land. If you walk into a nonprofit and say, “Do you have your assets inventoried?” they’ll look at you like you have two heads.
They’re also facing big challenges like third-party risk (even if they don’t call it that) and the pressure to embrace technologies like artificial intelligence (AI) without enough guidance.
And honestly, we lump all nonprofits together. No one talks about cybersecurity challenges by mission type or size, and that’s a huge miss.
At Sightline, we don’t just “train” or “talk at” nonprofits — we meet them where they are, in their own language, and prioritize solutions that work within their existing operations and resources. It takes time and patience and a whole lot of listening. But at Sightline we have seen nonprofits integrate cybersecurity; not as an extra burden, but by weaving it into their DNA, step-by-step.
Q. For nonprofits in general, as their commercial peers use their resources to invest more in people, expertise and solutions, what can they do to reduce risk and keep up?
A. First, figure out what risk really matters to you. Nonprofits operate mission-first, always. Even when cybersecurity is important, it’s competing with dozens of other urgent priorities for time, attention, and funding. To make real progress, you have to understand where your gaps are — and which ones actually put your mission at risk.
Trying to chase every new technology trend isn’t realistic. Staying grounded in your mission will help you make better choices about where to invest your limited resources.
Keeping up with advances like AI will always be a challenge. I recently wrote a whitepaper on the impact of AI on nonprofits, and I’m expanding that research every time I talk to nonprofit leaders. It’s not about rushing to adopt every new tool; it’s about staying curious, cautious, and clear about what truly serves your mission.
That clarity is what keeps nonprofits resilient, even as the tech landscape keeps shifting.
Q. If I am the head of a nonprofit worried about my security initiatives and resources, what’s the best first step and how do I best get involved with Sightline?
A. Reach out. Seriously.
Our KickStart program is the perfect first step, It’s not a heavy lift on your time or resources. We partner side-by-side with nonprofits to help them understand cybersecurity basics through the lens of their mission, not just a checklist.
We help assess where you are today, aligned to the cybersecurity framework but we translate it so it actually makes sense. We spotlight immediate actions you can take without spending extra money or hiring new staff.
Cybersecurity shouldn’t feel like “one more thing.” It should weave naturally into how you already work. That’s why moving at your pace, using your language, and respecting your priorities is built into everything we do.
And you shouldn’t have to wait for funding to get started. Reach out and we’ll find a way to welcome you into the Sightline family.
Helping nonprofits isn’t just about giving advice — it’s about sticking with you for the long haul.
Q. Attacks against nonprofits don’t make a lot of headlines but that doesn’t mean they are at less risk. Should the media be paying more attention to the needs of the nonprofit?
A. Absolutely.
Think about it — a suicide hotline, a food bank, an afterschool program. If any of those services were shut down even for a day, the ripple effect would be devastating.
You see volunteers from nonprofits everywhere — in disaster zones, handing out food, water, shelter, even just hope.
If nonprofits don’t start integrating cybersecurity into their work, attacks won’t just disrupt them — they could shut their doors forever. Communities would lose critical lifelines.
That said, while I believe the media should spotlight these vulnerabilities, I worry that sensational coverage could actually make nonprofits bigger targets.
What we really need is insightful reporting and sharing the real stories and challenges nonprofits face, directly from them. Not just after something goes terribly wrong, but through ongoing conversations grounded in data, reality, and respect.
Q. What can cyber vendors, especially the goliaths who have resources or community or social action groups, do to help improve and protect the efforts of nonprofits?
A. There’s so much they can do — but they have to show up differently.
There are over 2 million nonprofits in the U.S. and over 10 million worldwide. They are everywhere, woven into the fabric of our lives.
Tech companies already sponsor nonprofits, donate, sit on boards but when it comes to security, they often stop at writing a check or tossing free software over the fence.
What nonprofits really need is help assessing their cybersecurity risks from the start. They need trusted communities they can turn to for advice, not just another tool they don’t know how to use.
Since I founded Sightline, I’m still hearing the same thing from nonprofits: “We’re overwhelmed. We want help. We don’t know where to start.”
It’s time to do better.
Q. If you were speaking to a commercial organization that says, “We don’t have nonprofits as an Ideal Customer Profile (ICP) because they don’t have a budget,” what would you say in response?
A. My first response? They do have money — you just have to talk to them differently.
Nonprofits prioritize spending differently than commercial companies. Every dollar they spend has to connect directly to their mission.
If your solution helps protect, sustain, and strengthen that mission, it’s valuable to them. Working with nonprofits isn’t charity; it’s a viable, often overlooked business channel. But you have to be willing to translate your solutions into their world.
At Sightline, I’ve spent years learning how nonprofits operate, how they allocate funds, and how to meet them where they are. It’s not impossible, it just takes a little more heart, a little more creativity, and a lot more listening.
Q. Is Sightline actively fundraising? If so, tell people how to help.
A. At Sightline, we urgently need sponsors to help nonprofits through our KickStart program and to fund our upcoming Insight Report. If you’re already supporting a nonprofit or sitting on a nonprofit board, consider sponsoring a KickStart alongside your donation — it’s a way to directly strengthen their cybersecurity.
We’re also looking for strategic partners who want to invest not just in cybersecurity, but in protecting the futures of organizations doing the world’s most critical work.
There’s a way for every person and every company to get involved, whether through financial support, technical collaboration, or simply showing up to help sustain open source and nonprofit security for the long haul.
Q. What’s the hardest lesson you’ve learned in this journey and what advice would you give to other folks wanting to start a nonprofit to support cyber today?
A. Honestly? I’m not as good at fundraising as I wish I were.
I’m great at evangelizing, at doing the work, and at building for the future — but fundraising has been one of the hardest parts. I worry about Sightline’s mission because I know how much support is needed to scale our KickStart program and get our Insight Report into the world.
Sometimes people ask why I didn’t set up Sightline as a for-profit. I think about those early nonprofits who told me, “Security people don’t understand us.”
I don’t regret the choice. But some days, I pause.
Because building something different — something that truly meets nonprofits where they are — isn’t easy. But it’s absolutely worth it. If you’re thinking about starting a nonprofit to support cybersecurity, know this: it takes vision, resilience, and a willingness to stick with the hard work, even when it feels uphill. And it’s one of the most meaningful things you can do.
