Risk Management in Securing Your Data

There have been security breaches at both Convio and Salesforce of late, and it's got me thinking.

Regardless of these recent issues, I'm convinced that using outsourced vendors is a big improvement in infrastructure and security for most nonprofits over storing their data in-house. Many have very few security or backup procedures in place, and it's as likely or more likely that their data will be hacked or lost or corrupted if they store it in-house. But no method of storing your data is risk free. What's important is clearly thinking about what risks exist, and balancing those risks against other factors - like price, staff convenience, and such.

I'm not alone in thinking about this stuff - I had a great email conversation about this with Douglas Back, the Systems Manager from the Lower Manhattan Cultural Council. Douglas said:
"Security is all about minimizing risk - the only way to eliminate risk is to not do anything at all, and then we'd all be sitting around twiddling our thumbs. But one of the issues I see constantly is that security is put on the back burner in favor of convenience. To most people, security means inconvenience for the sake of inconvenience. Of course, the amount of risk is proportional to the size of the organization, both in terms of customer/constituents and staff. At some point, the costs of having a SecurID token-based VPN outweigh the benefits of the security it provides.

Security should be more of a consideration for anyone who uses a computer, especially workgroups that share information and resources. Non-IT people don't immediately see the benefits of having strong passwords, or limiting resource access. Those are two really small things that a small organization can do that can help secure their systems, and they're free! And there are more small things like that when combined can reduce the chances of a password-related security breach to near zero. But to someone who is looking to break into a system, they're going to seek out the weakest part and try to exploit it, be it poorly designed software, a weak password, or someone who falls for a phishing scheme. A gross oversimplification would be something like a golden triangle of security, stability, and functionality - somewhere in the middle is the right place to be. (Usability falls in there too, but who wants a golden square?)"
Like everything else, there's a tradeoff here. The key is to understand the risks, make sure you've done what you can easily do, and then weigh the tradeoffs that are left and make a decision you're comfortable with. And in fact, although it's hard to deal with when it happens to you, the fact that an unlikely risk actually occurs doesn't mean that your risk mitigation strategy was bad. The fact that there's been a security breach at Convio and Salesforce doesn't suddenly change the tradeoffs between cost, security, functionality, and convenience for using an outsourced data vendor - unless you think they're part of a future pattern, and I don't personally see any reason to think that.

Upcoming Online Seminars

Just wanted to give you guys a heads up on the online seminars (webinars) we have coming up in November and December. Each of these is $40 per participant.

TOMORROW (THURS)! 10 Common Mistakes in Choosing a Donor Database
Thursday, November 8th, 1:00 - 2:30 EST
How do you choose a donor database that will support successful
fundraising? The software is only half the story. Fundraising
technology strategist Robert Weiner will walk through ten common
mistakes that can prevent you from selecting the right database
and managing it effectively.

Choosing a Low Cost Constituent Database
Thursday, November 15th, 1:00 - 2:30 EST
There are a number of solid and affordable options to track your
volunteers, donors, partners, and other constituents. What should
a small organization look for? What tools are available? Database
expert Eric Leland will walk through everything you need to know
to pick the right database for your organization, and consider
the pros and cons of commonly used databases such as GiftWorks,
Metrix, eTapestry, Salesforce, DonorPerfect, and Democracy In

Choosing eNewsletter Software
Thursday, November 29th, 1:00 - 2:30 EST
Email newsletters are a great way to stay in touch with and grow your
audience, but it can be complex to send and track thousands of emails.
We'll walk through what you need to know in order to setup, send, and
track eNewsletters effectively, and talk about some of the reliable and
affordable tools most commonly used for mass emailing, such as EmailNow,
ConstantContact, NPOGroups, CampaignMonitor, Emma, Topica, and more.

NEW! Creating the Constituent-Centric Nonprofit: Nonprofit CRM
Thursday, December 6th, 1:00 - 2:30 EST
If you're storing data about your constituents in many different places,
it's costing you in time, lost revenue and decreased impact. Paul Hagen,
who's helped organizations such as Goodwill, VolunteerMatch and Jewish
Teen Alliance develop their Constituent Relationship Management (CRM)
strategy, will talk through the practical steps, processes, and software
that can help you to get a better handle on managing and building your
relationship with each constituent.

Comparing Open Source CMSs: Joomla, Drupal, and Plone
Thursday, December 13th, 1:00 - 2:30 EST
Open source content management systems (CMS) are particularly attractive
to the nonprofit community because of their cost-efficiency, but what
do these systems actually do? And what are the differences between the
most common CMSs? We'll compare Joomla, Drupal, and Plone for typical
nonprofit needs, and then experts in each of the systems - Ryan Ozimek,
David Geilhufe, and Patrick Shaw - will demo the systems and answer your

January seminars are also posted.

And don't forget that recordings of past seminars are also available for sale on the website, for only $20 each.

New Article: Six Views of Project Management Software

When we took on an article about project management software, I didn’t realize it was going to be such a rabbit hole. Everyone I talked to seemed to have a different definition of what project management was, and what software was needed to support it.

But I’ve tried to wrangle all that disparate information into some sort of useful overview. You can see the result in our new article Six Views of Project Management Software. The article walks through a number of different things you might want to use software for in the project management realm, and a number of different software tools that can be useful.

New Tag to Help the Resource Roundup

I previously posted about our troubles in trying to keep the Resource Roundup going – thanks to everyone for their thoughts and comments about how we can best continue! Several of you mentioned that an Idealware tag would help everyone in the Idealware community to highlight articles and other resources that might be of particular interest to the rest of the community.

So let’s do it! Can you help, by tagging Idealware relevant resources in with an “idealware” tag? (I think it makes sense to consolidate in right now, so we can all see all the links without the investment and complication of aggregation…).

You can see the things that we’ve collected at (I’ve seeded it with a few things, but hope to see lots of stuff there soon!)

I'm hoping we can use this tag to share high quality resources that:
  • Review, compare or list software of interest to nonprofits
  • Provide guidance as to whether a certain kind of software makes sense for you
  • Help people assess what features they need in a particular kind of software
  • Give detailed case studies of nonprofits using or choosing software
  • Cover areas that aren’t web 2.0. Big brownie points for good old web 1.0 stuff!
  • Otherwise give people guidance in choosing software (Idealware is focused on choosing software specifically)
Are there other things that you’d like to see included in an Idealware tag stream?

If you tag it, I will look at it, and if it’s about choosing software, I will link to it from the blog. And then I’ll round up the most pertinent stuff for our eNews. The full collection of everything that anyone has tagged will be available at

So – please tag anything that seems Idealware relevant with an Idealware tag in! And spread the word!

Resource Roundup: Online PPT slides, data visualization

Okay, while we're talking about the best way to rigorously roundup resources (more on that soon), here's a few that have hit my eye this weekend:

Software for Sharing Powerpoint Slides (ForumOne Influence)
Nice look at online tools, especially SlideShare, that allow you to post your PowerPoint slides for easy viewing (and audio) without a presenter.

Tools for Online Data Visualization (Center for American Progress)
A great list of online data visualization tools (maps, timelines, charts, etc), with links to examples of them in action, from the Center for American Progress' Annie Schutte. There's not a lot of context in the list, but it's a really fun browse (tip of the hat to the ePolitics blog)

Ask Idealware: How Does Typo3 Compare with Other CMSs?

Thad asks: I am in the middle of an evaluation now and a number of people have suggested that I look at TYPO 3, versus Joomla, Drupal and Plone. Was it not in your comparison for a particular reason? Any thoughts?

Laura says: Typo3 is a large, complex open source content management system with a strong user base in Europe. We didn't include it in our Comparison of Joomla, Drupal, and Plone because Typo3 doesn't have nearly as strong a user base in the United States, and particularly in the nonprofit sector, as those three. But we asked Dean Matsueda, who's implemented Typo3 as well as Plone and Textpattern, what he thought of it. Update 10/30: Jason Lefkowitz of Change to Win weighed in with some serious CMS comparison kung-fu, so his thoughts are now included below as well.

Dean Matsueda of Business for Social Responsibility, says:
Typo3 works well for managing largely static-content web sites, but has a high learning curve to set up a site – as high as or higher than for Plone. Once it was up and running, users loved it - it's very easy to add and edit content, and to create new pages and sections within the site.

But it's not at all easy to configure. It has the complexity of Plone but without the elegance or well thought out architecture. I found that the way you build custom pages or data types in Plone made a lot more sense for me than the way things worked with Typo3. The templating system was also difficult to customize beyond very simple changes. It felt over-engineered – it tries to do too much and is by no means a light-weight system. For my money, it's overkill for what it does best, managing static content.

Jason Lefkowitz of Change to Win says:
Let's get this out of the way right off the bat - everything you've heard about TYPO3 is true. It's hard to learn. It needs a good bit of server horsepower (el cheapo shared hosting plans need not apply). And while it's popular in Europe, TYPO3 gurus here in North America are thin on the ground.

And yet, for all that, I believe it's the best open-source CMS available today. Why?

I've been working with content management for more than a decade now -- first as a consultant specializing in CMS selection and deployment, and now as the online manager for an advocacy organization. I've had the chance to work with CMS software ranging from amateur open-source bedroom projects to commercial Big Iron costing more than my car.

So what have I learned? Primarily this: there is no "good" CMS that can be recommended for everybody. There's only "good-for-you" CMSes -- products whose strengths speak to your needs, and whose weaknesses are in areas that won't affect you.

To be blunt, every CMS sucks. It's just a question of finding the one that, for your purposes, sucks the least.

The things that suck about TYPO3 are well known; they've been written about in this space before. So let's take some time instead to talk about the things that DON'T suck about it -- the things that make it stand out in comparison to every other open-source CMS on the market (and a lot of commercial ones, too).
  • Internationalization: If you need to publish content in more than one language, there is simply no better option available than TYPO3. TYPO3 offers internationalization on both the front end and the back end. On the back end, you can download language packs from that will translate the application's user interface into just about any language you'll ever need. And on the front end, TYPO3 offers an elegant method for adding different language versions of any content item on your site; and once you have those different versions in the system, you can set your site to automatically hide content that isn't available in the reader's language - including removing it from navigational elements. If you publish multilingual content and don't want to get stuck maintaining different sites for each language, TYPO3 is what you need.
  • Customization: Drupal is a decent CMS. But nine times out of ten, you can tell that a site is running Drupal just by looking at it; its template system tends to force Drupal sites to look a lot alike. TYPO3, by contrast, offers complete flexibility in templating; any layout your designers can dream up can be converted into a TYPO3 template. And you can create TYPO3 templates directly from (X)HTML files - meaning you can take a template directly from your designers (assuming they speak HTML, which they should) into the CMS with just a few clicks. There's no need to teach your designers anything new.
  • Manageability. If you need to run multiple sites on your CMS, TYPO3 has important benefits. One example is that TYPO3's architecture is organized so that everything specific to your site is in its own folder, separate from the core CMS code. That means that you can easily have as many sites as you like - one, ten, a hundred -- all running off one single installation of TYPO3. And when new versions of TYPO3 are released, all you have to do is upgrade that core code and all your sites are up to date. Additionally, if you need to give different users different roles in the publishing process, TYPO3 has a powerful permissions system that lets you delegate as much or as little control as you want - right down to hiding elements of the administrative interface to avoid user confusion.
  • Standardization. Some systems offer a lot of the advanced features that you can find in TYPO3, but at the cost of having to learn and support a whole new world of specialized software. With Plone, for example, you have to learn the Zope application framework, which comes with its own Web server and object database; that makes it hard to find hosting options and experienced people to provide support. TYPO3, by contrast, works with the most standard tools on the market today: Apache, PHP, and MySQL. If you're already working with the LAMP stack, your systems administrators won't have to learn anything new to add TYPO3 to your servers, or to keep it running at peak performance.
TYPO3 is not for everybody. If you need something to build a basic site with a minimum of hassle, there are better options out there. But if your needs go beyond that -- if you are finding yourself running into the constraints that are imposed by the tradeoffs other CMSes make -- TYPO3 may be just what you need. (And if you need help getting started with it, feel free to drop me a line at jason AT jasonlefkowitz DOT net)

The Ask Idealware posts take on some of the questions that you send us at Have a great option to suggest for this question? Hate our responses? Help us out by entering your own answer as a comment below.

Do You Miss the Resource Roundups?

Okay, I'm wracked with guilt. On this blog, and then summarized in our eNews, I used to round up articles from around the internet that I felt would be useful for nonprofits choosing software.

I really liked doing it - I thought it added great diversity to what was covered in our own articles, and I feel strongly that winnowing through the huge amount of stuff out there to find truly useful things is an important editorial service in and of itself. And I don't know if anyone else noticed, but it meant that you could search the Idealware site and find many more articles than we have actually written.

But it's really, really time consuming - I was spending a solid 10-15 hours or so a month on it, unpaid. In particular, you really need to go out of your way these days to find good coverage of anything other than Web 2.0 tools. I stopped trying to systematically cover what's out there in August, as it just didn't seem to make sense - with an extra 10-15 hours, we could do another original article, for instance. We started the Ask Idealware series instead, which is considerably less time consuming for me, and also (hopefully!) adds good new content into the world.

But I really miss the article roundup, especially as part of our eNewsletter. I feel especially guilty as it means our eNews has closed down from being a roundup of the world of content to now focus almost exclusively on our own. Does anyone out there miss it too? If so, any thoughts on how we can carefully filter the world of content down to a useful summary in less time, or actually make money to cover that time?

The Wacky World of Grants Management

These days, I'm thinking a lot about software to manage grant making processes. We’re working on a large project – including a survey, many interviews, and vendor research – to create a “consumer’s guide” to grants management software and an overview of gaps and issues in the market.

(By the way, do you work for an organization that MAKES grants? Please take our survey, to help in the research:

One of the initial stages for us is to try to get a sense of what’s out there. There’s far more research to come, but here’s my initial impressions of what grant management software is out there. This software is designed to help foundations manage and review incoming grant applications, track reporting requirements and outgoing payments for grantees, and create the many communications and reports needed throughout the process.

MicroEdge GIFTS is the 800 lb gorilla in the space, with a huge majority of the market share among large foundations. There's several levels, but all are powerful, expensive and complex installed packages, designed for organizations that have dedicated grants management staff that do much of the data entry and reporting from the system.

There are several web-based tools, also geared towards the large foundation space. Cybergrants, Easygrants, and FoundationSource are all in this space, but these tools put together have only a small fraction of GIFTS’ market share.

It’s not as clear what’s available for smaller foundations. Bromelkamp offers several levels of their Pearl products, geared to suit a gamut of small to large foundations. These products are installed applications. PhilanTrack offers a small foundation solution, though they are very new, and it’s unclear how many foundations, if any, are using it. Community TechKnowledge (CTK) also offers a package in this realm, which has some uptake among United Ways.

Some of the packages cater to particular audiences. For instance, JK Group works with corporate grant makers (Cybergrants is mostly focused on this space as well).

Community foundations have a large set of additional needs, which means that most need specialized grants management software. In addition to paying out grants, community foundations need to fundraise themselves. Often, money raised is devoted to restricted funds, which makes for very complicated tracking and accounting requirements to manage both money in and money out of dozens or even hundreds of funds. There’s a set of packages geared towards these needs: MicroEdge makes FIMS (formerly NPOSolutions) and Foundation Power; Bromelkamp makes Community Pearl. I believe that FusionLab's GrantedGE is also geared towards community foundations.

There’s a few people beginning to use Salesforce in the grants management space. It’s an interesting fit – Salesforce is a fairly powerful hosted tool geared towards companies who manage sales to other companies. It’s quite configurable, however, and has gotten a substantial amount of traction in the nonprofit world (thanks in no small part to the fact that Salesforce donates up to 10 licenses for free to nonprofits). As grants management is, at least superficially, about managing data and workflow around organizations, just as corporate sales are, my initial instinct is that it might work very well. Foundations would need to customize it, but this would be offset by the lack of license fees.

There’s a lot of additional packages, but I don’t have a good sense yet as to how they fit into the space. For instance, there’s ChesterCAP, Foundant Technologies, PowerOFFICE, Bamboo Solutions, FreeBalance, and Grantium (formerly Infoterra).

This long list is particularly puzzling as a number of those we’ve interviewed have told us there are very few packages available – that MicroEdge (with GIFTS and FIMS) has nearly a monopoly hold on the market. Are many of these packages used by very few foundations (and if so, how are they still in business)? Or are there perhaps different silos of the foundation world that don’t have much software cross-pollination, and we’ve been talking to people within a single silo? There’s a lot more research yet to be done!

Do you have thoughts or insight into the world of grants management software? I’d love to hear from you, either in the comments here or at

New article: Comparing Google Apps to Microsoft Outlook

We have a new article for your software comparison pleasure: Comparing Google Apps to Microsoft Outlook. We took a look at Google Apps, and what it offers as a potential substitute for Microsoft Outlook's features. And I have to say, it looks pretty compelling.... though perhaps a bit more risky.

Ask Idealware: Considering Proprietary vs Open Source CMSs

Benita asks: We are in the process of redesigning our website (which is housed in a homegrown CMS) and plan to include a new CMS in the process. Our new IT staff members are concerned that the web staff is not investigating other commercial CMS systems that may be viable options. Seems most of the nonprofits are using open source or completely customized systems and our IT folks are wondering why we're not looking at products used in the business world. It seems like an overwhelming task to review everything and I'm not intent on reinventing the wheel. I'm sure other organizations have had to deal with this - do you have any knowledge you could share? Are we limiting solutions based upon the nonprofit community experience?

Jeff Herron of Beaconfire Consulting, says:
Good question! This is something that a number of organizations struggle with.

First off, you mention that it seems like most nonprofits are using open source or completely customized systems. I'm not certain that anyone knows how many nonprofits are using which type of CMS. Regardless, if in fact many are using open source, that doesn't mean that open source is necessarily the direction to go for you. The choice of what solution is right for your organization has to do with many factors, but likely not very much to do with the fact that you are a nonprofit in and of itself.

But it sounds like the crux of your question is whether you should look at commercial solutions as well as open source ones. My advice is that you should look at all types of solutions that seem to meet your requirements, including commercial solutions, nonprofit specific ASP tools and open source. I'm not sure why you would eliminate a category of tools from the get go unless you've got some preferences or other criteria that dictates this. It doesn't sound like that is the case for your organization if this question is being asked.

Step 1 in any process of selecting software is to document your needs. Beyond requirements, there are other factors that have a big impact on the decision. These include things like:
  • The availability and capability of technical skills at your organization.
  • The existing technologies or languages your team is familiar with.
  • What systems your CMS will integrate with – do you have an eCRM package or ecommerce tool?
  • What sort of budget do you have? Think beyond the upfront license costs that come with commercial software, but also to the implementation, enhancement and support costs.
  • Ease of use – if you are asking non-technical content authors to enter/update content if it is too difficult, they won't regularly use it, defeating part of the point of a CMS.
It is very possible that based on these criteria, you can eliminate many tools including whole categories of them. Without specific criteria for your organization, however, it is hard to say you should not consider commercial tools outright. From your question, it seems open source tools are preferred by the Web team and commercial solutions by IT. I'm sure each perspective is based on at least one of the criteria identified above. On the surface, both perspectives have merit but the decision should be based on all the top criteria not a single one.

Given that budget is often initially one of the driving factors towards open source since there is often no licensing fee, let me suggest that there are an increasing number of low cost commercial solutions out there too. Ektron (~$11k) and Hot Banana (less than $20k) are two that offer a boat load of features for not a lot of money.

The reality is that it is not possible to review all systems, nor is that even necessary. Step 2 in the evaluation process includes doing some preliminary research with colleagues, other organizations, and experts like Idealware to help you get an idea of the most prevalent tools. You can get pretty far by comparing these against your requirements to narrow your list. Focus on 4-6 solutions that generally meet your requirements; it shouldn't require too much time/effort to investigate them further as Step 3.

The Ask Idealware posts take on some of the questions that you send us at Have a great option to suggest for this question? Hate our responses? Help us out by entering your own answer as a comment below.