
Congratulations on two talks. You must have a lot of wisdom and knowledge. We're going to get uh laptops switched out and get the new slides up here before I introduce our next speaker. Just a quick survey question of the room. Does anyone here work at or for a nonprofit? A few people. Does anyone volunteer for nonprofits? Few more people. Does anybody work in city government, state government for nonprofits? Right. You don't make any money. I mean, some agencies might, but So, this next speaker is going to be talking about the intersection of nonprofits and cyber security, which is a topic very near and dear to my heart. Chili is uh kind of branching out and
evolving into a nonprofit. We're going to set up something called Citra, New Mexico Citra. That stands for Cyber Security Intelligence Threat Response Alliance. And you can think of it like an ISAC, but it's regional and very directed toward what we're doing here in New Mexico. So check out nmitra.org on the web and uh stay tuned as to what's going to come there. All right, good deal. We got everything all hooked up. Okay, great. So, like I mentioned, um our speaker is going to talk about cyber security and nonprofits. We have Denise Oh gosh, I'm gonna get it right. Denise Zumi Zeta. >> Please welcome to the stage Denise.
>> What is up, BSides? >> I know you guys are ready for lunch, but we could get a little bit more enthusiastic. What's up, BSides? >> There we go. You can tell I did stand-up for 10 years before I started speaking. My name is Denise Sisarata. I am a cultural operations strategist. Who knows what that is? Good, because I made it up. Um, I speak to nonprofit organizations and arts organizations about a whole laundry list of different things because I'm also an artist, a journalist, and a research scholar because I don't have enough things to do in a day. And part of what ended up happening is through my wonderful relationship with a partner
who is in cyber security that has far too many acronyms after their name for me to list. This ended up becoming a passion and I'm going to explain to you why. Who remembers this? Show of hands. I figured, right? If you're not in the arts community, you probably didn't care that this happened. So when gallery system Did I shut down?
I can't project because I'm a Latina from South Florida and New York. So when Gallery Systems got hacked in 2024, the art industry freaked out and rightfully so because most people don't freak out until What a lot of people didn't realize about this hack because most people said to themselves, "Why do I care that all that crappy digital art got hacked?" It wasn't just the digital art. It was the archives of where priceless pieces of artwork were hiding all over the country. That's right. If you got this information, you knew where the Mona Lisa was taking a nap and where works that are worth billions of dollars to the art market were sitting all over the
world. And the problem with the Gallery Systems breach wasn't just that it was breached. It was that Gallery Systems is the only gallery system. I break everything. It's just my presence.
gallery system. They are the only ones who store all of this sensitive information
throughout the United States. Can anybody tell me what the problem with that is? >> Lot of eggs in one basket. >> A lot of eggs in one basket. Who thought this up? I don't know. But they were making pretty good money until all this >> fabulous. I'm also a Navy veteran, so I have a sailor mouth and it's hard to control. >> So what is the problem with this entire situation for nonprofits, right? We are the soft tender underbelly of the internet, right? We have staffed teams, outdated systems, sensitive community data, and no cyber security budget. I have worked for multiple arts organizations and museums. And guess how many IT people we have? >> Zero, but so close.
And when I talk to them about cyber security and what we're doing to protect ourselves, they say, "Well, we have passwords." And I say, "What is wrong with you?" That is enough. Okay. I even argued with my boss last week about why there is not two factor authent
or as a whole. We are silent. Nobody talks to you about what I need. You don't talk to me about what you need. And guess what? Nobody gets anything done and we get paged, right? And so arts are also attacks on civil society, right? Arts don't just make up people who like paintings, right, and digital art or sculpture. We're talking about nonprofits within the press, which as we know right now throughout this administration is a quite intense space to be which is where I also work right now. So I work at a nonprofit called the New Mexico local news and we fund all sorts of different press organizations throughout the state to keep them alive
and all sorts of other structures. We also help journalists become journalists. That's part of what we do. Our information is not as secure as you would think. Though I would love for it to be, but I don't know how to do what you do. And I can't afford what my husband does. Okay? Cultural institutions are always at the forefront of truth, right? Whether it be a truth that you like or not, doesn't matter. We're part of this larger ecos. So when our data and information is left up for grabs, a whole slew of other problems can occur because you definitely don't want people who don't like you knowing who donates money to. And you definitely
don't want as journalists for people to find out who the whistleblowers are that you talk to and why. Now for a bunch of different reasons, okay, Legacy Tech, I worked for a nonprofit that was still using an Apple. I don't know how it worked, but obviously the computer had far more energy than I do, right? You have a high level of staff turnover. There's a lot of museums. There's a lot of things to do. There's a lot of hands being shaken, right? You also have ADS, advanced resistant threats. Everybody knows what those are, right? >> Yeah. My husband told me that he was So for us right now in news and journalism our threats are vast but our also our
threats are from within. So how do we protect ourselves from our own government? We don't know. We also are public facing and we have a lot of visibility. some of the major nonprofits that make millions to billions of dollars a year that spend their money on all sorts of things that you probably don't even realize of are very very public and let's be honest art is everywhere you have been sitting in this room staring at art all day whether it be generated by AI or not art is all over the place it's how we interpret the world so we're connected to every single you do at every moment of the day, whether you think about it
or not. We've got very little IT funding because people say, "Why do we really need it? We just use our computer to send emails and, you know, receipts and stuff." And I'm like, "Well, you know, when you get funded for $1.5 million, you're going to kind of want people to secure those emails." And there's a dangerous belief that we're too small. Not all nonprofits in the arts are huge major multi-billion dollar corporations. The majority of us are small. We're community driven. We're focused on a community effort and talking to people one, right? And because we're so small, we don't have the funding to really look into these things or have these discussions. So what's holding us all back?
I swear to God if my husband says one more thing to me about his CIS, I'm going to lose my mind. Okay, I have no idea what it is that all day long, but I listen to it all day long and I have absorbed some of the information. But that jargon can be really difficult for us to start bridging these gaps with the community. I've talked to a lot of cyber security experts about this particular topic and they told me to call them just call us and hire us. It'll be fine. You can hire us for $45,000 a month. And I was like, most of the people who work here don't even make that any
crossing, right? There's no standards also tailored to nonprofits. What are we supposed to do? Nobody knows. Everybody kind of makes it up as they go along and every nonprofit is different. So, focus on different standards and things that we want to protect, but we still don't really know what the overarching goal is. And y'all don't speak our language. I could sit up here and talk to you about some of Brand's works and you would look at me like I had three heads and I'm sitting there probably giving the same look to other speakers, I have no idea. Right? So there is a loss of language, a generational just thought process of how we each other.
So, I'm calling on all of you and I don't know why a lot of the little images aren't showing up, but it doesn't matter. Okay? So, I need your help and as you start walking around these signs and start with other people, bring them into the call to action, right? I need you to figure out how we can translate your tools, right? How do we help build this bridge? How do we collaborate? And how do we think in color? Do you know what thinking in color means? Sweet. I'll explain it to you. It's a fun art thing that we talk about. When we talk about thinking in color, we don't want you to send us a wonderful
list of things that we need to do because most art people like myself are neurodivergent as Okay? We cannot handle just a black and white list of things. hands training. We need something that makes more sense and that is brought down to the level as if you were trying to explain to your six-year-old what you do for a living. Security
of these already are what are the basic tools that we can actually use. Show hands. Just randomly give me some information. Thank you. What's another basic tool that we can use? >> Password. I should get my Anybody else? You know, two factor authentication, three factor authentication. Hell, if they let me do four, I need clear and simple emergency protocols. Right. This is something that anybody can do. organizations can write up and go, "Hey, are you a nonprofit and you don't have a whole lot of money? Here's some basic things that you can do for clear and simple emergency protocols, right? What do we do when the hits the bank?" Right? Anybody can tell me some
>> disaster recovery. >> Okay. Anything else? >> That is true.
>> Oh, is that what you said? So, there's options. You all know the options. Why aren't you sharing them with everyone else? I know you don't know them. And obviously, we need designated go-to people, but how do we train the designated go-to people? What is the basic minimal level of effort of education that you could give me so I could be the fake go-to IT cyber security person at my job, right? These are some of the things that we need and we can't bridge these gaps and it's not just about IT, right? It's about who gets to control the narrative, who gets to remember, who gets erased, right? When cultural workers are targeted, we lose more than access. We lose the
truth. When journalists are targeted, we lose everything. Any single time that you've seen a whistleblower article, you thought to yourself, "Wow, isn't it fascinating that no one knows who this person is, you can thank a journalist for that and our own security protocols." But as now that we are connected to the worldwide web of the internet, right, all of those things can be snatched away. figured out and every single person that you thought was just totally safe and okay now has their head on the chopping. And currently during this particular time in our administration, more of those fears are jumping up, especially for nonprofits in the arts and journalism, right? We're afraid that every single thing that
we've done, every single person we've ever contacted is going to get their at any point in time and we can't do anything about it. But that's not true. We can use y'all to help us make sure that we can secure that information to the best of our ability, right? And that's how we move forward. So awareness and action awareness then to the culture shift then we can create infrastructure. So we have to move through this awareness space and part of what I'm doing now is I do give a lot of I will be doing this again in front of press forward a giant core of press and journalists trying to figure out how to survive right and so we have to shift
their culture and as a cultural operation strategist I can't even say that's what I do I teach organizations how to shift their company culture not only to be functional and equable but also to be more in depth into what they to secure themselves in the current market. And this is part of that culture. But if these organizations don't have that awareness and you don't have the awareness that we need your help, there's really nothing that we are moving right along. Congratulate yourself. You sat through this. It's so exciting. So that's so messed up. That beautiful icon that I designed by myself is not even there. But it's okay. There's a bridge here, right? And it's like a little artist on
one side and he's like this and then another dude who's like, "Oh, I'm running." And then in the middle everybody's together. They're like, "Yay, this is so great." And then, you know, opposing on the opposite side. That's right. So, just to give you the, you know, we need cyber right to play a role in protecting this level of civil society which is hard to do but we can't afford to make newspapers and other things affordable to figure out how to make this affordable for small I want you to know that some art nonprofits run $8,000 a year. That's what I make. That's my yearly salary, right? And that art nonprofit will employ three people. Usually an
intern, usually an executive director, right? Odds and
I'm not talking about the Smithsonian because they have the money and they messed it up themselves. Okay, they knew exactly what they were doing when they jumped into Gallery Systems. They have the money to create this infrastructure internally, but guess what? They still don't do it because they would rather pay for digital art at the billions, right? And that's because we're trying to collect culture, trying to have culture for us to share, but if we don't have access to any of it and we're locked out of our own things, we can't really share anything. How rude. There is a QR code there. I swear. And it was not malicious. I promise. But you'll just have to come up to me and
get my business card like the old lady that I am. So, I just want you to walk away from this conversation thinking, what can I do for the greater good of culture? And what does that mean? And when we talk about culture, what is our culture? What is the culture of the business that I work for? Are we here to share? Are we here to truly protect? And if that is our ultimate goal, how do we make sure that that protection is afforded to every single person and every organization that requires it? Who do you have to talk to? How do we bridge it? How do we open up these silos? And as I go to press forward with my husband
who will in no doubt be doing the majority of the talking right, we will be discussing the same thing. He will be talking from your side. I will be talking from the side that they understand and translating his techy English. Okay? And when we do that, we're starting to open that door. But I need all of you to also be part of that process. Do you have any questions, burning desires or concerns? Please raise your hand. Yes. >> How do you address?
>> Yes. And so that's what I mean by we need a designated person and these organizations have to come to terms with the fact that someone has to take charge of this. This is a necessity. This is not 1997 anymore, right? We need this. And if we have that designated person, usually somebody in my role at a nonprofit, so somebody who's in charge of communications or or development will take on that role. And we will then find that space to do so because it's part of a need, not a want. Um, nonprofits are actually really good about acknowledging when they have a need and diversifying that into a bunch of different roles or letting people take it on in separate
stages so that we're aware of what we can do. Um unfortunately because there is some organizational growth issues that's going to have to add on to somebody else's role. So it has to be easy, right? It has to be something that makes sense for them. We're not going to try to train them on the entire back end of what cyber security is. We just want to train them enough so that they know how to protect what they do have, especially donor information right now is very sensitive. Um, and so those concerns are where are you keeping your donor information? Is that in a CRM? What CRM are you using? How do you get into the CRM? Are you logging into your
CRM using Google? If you are, do you have two factor authentication? Right? Like these are the basics that they kind of need. And to be fair, everyone within that organization should be trained that way. It shouldn't just be up to one person to be that responsible person. We need to spread that wealth. Does that answer? Anybody else?
>> My questions
together
See if it works for you. >> Oh, hello. >> Wow. >> Okay. >> The mic is Yeah. Sorry. Um, so I was asking uh just if there's any sort of method or current organization that um brings together different nonprofits who all have this same desire to improve their cyber security posture um and you know maybe they can all pool their money together or grant money funding just to to try and do some sort of economy of scale to make it more affordable for all of them. >> The answer is no. Okay, I'm gonna explain. The answer is no. And then what ends up happen to be fair, you have me. This is it. Okay. So, teach me what you can. And
then I end up going to conferences and speaking at multiple conferences for different kinds of nonprofits and different kinds of arts organizations because of course they still silo themselves within these spaces, right? And I have this talk over and over and over and over again ad nauseam, which I'm sure y'all are also used to having to say this over and over and over again to people, right? Um, so right now there is nothing that exists. I wish something did exist. I wish there was a larger organization, especially in cyber security, who was like, hey, we want to do this and have these conversations with you that could kind of take that on. Um, but right now you have me
That's right. Hold on. Let me get to the first. Yes. >> Uh more of a comment. Are you aware of TechSoup? >> Yes. >> Okay. Because they do have not the training aspect of that, but at least the reduced price for nonprofits and for everybody who's a nonprofit in the room of getting IT services and stuff at a cheaper price just for nonprofits. I believe >> correct. And still some of those prices are too high for certain nonprofits in the sector. Um and that's why I think the training is more I can convince a nonprofit to spend some money on training and then everybody is aware and we can all work together and maybe have
somebody come in every once in a while and just check up and take a peek, right? It's harder to convince especially the smaller nonprofits to bring on something like that and just kind of push that money into that space when they already barely have funding and now right now their funding is getting cut from the government as well. So all that federal funding is gone and now they've gone into individual So it becomes even more tedious and difficult. So I think a training aspect is probably going to be the most optimal solution.
Yes. And I'm going to tell you right now, most of them don't even know that it exists, which is unfortunate. Most of them have no clue that it's there. They don't know how to utilize it. They're afraid they can't afford it. They don't understand why it's even beneficial. So, they kind of get stuck in that loop. The few who do know what it is are usually larger organizations that are Right. So the smaller ones get left by the wayside and then they get trampled. >> Yes. >> Yeah. Uh somebody asked earlier nonprofits get together. I used to work for a nonprofit as a healthcare nonprofit and one of the biggest issues for nonprofits is Congress. I don't
think they've passed the budget in the last decade. They've been a bunch of continuing resolutions. So it makes it very difficult to get into contracts and the funding out greater than two to three years. Um I I used to work for the NPCA and you had a bunch of these rural healthcare organizations. They pooled their money together. We ran a community cloud so that they could bring records from the barn right into a digital format so people could go to press or whatever and have continuity of care. And so it's it's it's literally a multitude of things working against the nonprofit. First, like I said, Congress hasn't passed the budget. They keep passing these CRs. So they can't plan
for long term. And then the the second thing is technology moves so quickly by the time it gets on TechSoup it's already >> yeah it's already obsolete. So it is a difficult space to be in for sure. And so a lot of nonprofits do rely on donors. Um you know they they are frequently up at the Roundhouse here in New Mexico. um if you know like for example we had PCA day um primary care health day um the clinics would show up but it was more impactful when the constituents of those communities also showed up at the Roundhouse and spoke to the legislators. So it's it's really about finding out when those events happened and showing up and advocating
for those organizations. >> Yeah, most of the times our grants are stabilized, right? So we only get a grant for a year or two years, right? very rare that we'll get a grant that exceeds a 2-year time span. So, we're constantly having to refresh what our financial status is over and over and over and over again and then as federal funding gets cut and they start to shift through that funding, right? Um we end up in another position, right, where we're having to argue with legislators and things. So, nonprofits really sit in a very unique spot where we are constantly arguing with everyone just trying to be like the news. You know, it's the news. Don't you want it? Right.
So, it's it's a constant mess. And if we have something that we can go to for training wise, right, then that would be great. But like you were saying, right, technology is constantly shifting. So, we need something that can be easily accessible to everyone, that's easily understood, that gives them that feeling of like, okay, cool. I understand the basics here and I think that at least do the bare minimum level of effort, right? Because organizations and like museums like the Smithsonian or Met, right? They have so much money. They'll figure it out. If they fail, that's their problem, right? My main concern is the smaller boards that are also the most, right, who don't really know what they're doing
at all, right? And there's nowhere for them to have that conversation because they don't know anybody and nobody's talked to them. So, this has just been my goal, I guess, for the last, I don't know, six years to try to get out and to have these conversations. And so, I was just really excited today to get to have this conversation with y'all instead of with art people. Yay. And that was very helpful. So, I think that's it. So, thank you very much everybody. I hope you have a great afternoon. >> Thank you. Thank you very much.