The Home for Bewildered Beasts of Legend

A cluttered but warmly lit office. Whiteboards covered in post-its, a tangle of cables, a dog asleep under the desk. Someone has written WHERE IS THE ASSET REGISTER in red marker and circled it three times.

You are the first dedicated IT architect this place has ever had. Congratulations.

The organisation runs on goodwill, donor data, and a patchwork of tools acquired over the years by people who meant well and moved on. There are integrations nobody fully understands, a CRM that predates three governance cycles, and a Microsoft 365 tenant configured by whoever was available at the time. The volunteers are enthusiastic. The budget is not.

The stakes are real: 200,000 members, donors and supporters whose data you now help steward.

There is no SIEM. There is no security team. There is you, a mandate to do something about architecture and security, and a calendar already full of stakeholder meetings.

This section is for that situation: building a security foundation in a mid-sized non-profit, not from the top down, but from the ground up. Somewhere between a startup and an enterprise.

Not covered: audit compliance

The goal here is not a checkbox. ISO 27001 exists and may eventually be relevant, but a freshly hired architect in a resource-constrained non-profit does not start there. The goal is to reduce actual risk for actual people and animals: the care workers, the volunteers, the 200,000 members and donors whose trust funds your mission.

Evidence for auditors accumulates as a side effect of doing the work properly. Purple crossroads mark where the work intersects with frameworks, but the motive is protection, not compliance theatre.