
Techcafeteria Blog

The SysAdmin Trap

Terry Childs is Guilty.

In mid-2008, Terry Childs, the (then) System Administrator for the City of San Francisco, was called into a meeting with the COO (his boss); the CIO of the SF Police Department; a Human Resources representative; and, unbeknownst to Terry, a few of the engineers he managed, listening by phone. He was ordered to hand over the passwords for the network. He made them up. When challenged on this, he refused to reveal the real passwords, and ended up in a city jail cell.

Close to two years later, Childs has been found guilty of felony computer tampering and faces up to five years in prison (he’ll likely serve about two, with the time he has already spent in jail counting toward the total).

Open and shut, right?  The city claims, and the court found it credible, that Childs’ obstinate refusal to provide the passwords cost the city over $200,000 in lost revenue.  He lied to his employer.  He held the city ransom.

Childs’ defense has always been that he was protecting the city’s network.  He wasn’t going to share sensitive passwords with people who, in his estimation, wouldn’t respect the sensitivity of those passwords, and would likely share them with other employees and contractors.

To my mind, while that’s a valid concern, it doesn’t clear him.  He still works for the person who was asking for the passwords, and he was obligated to provide them.

The real crime here, though, is not that Childs hoarded the keys to the system. It’s that the meeting occurred at all, and the reasons that it came to the point of a stand-off are all too criminally common.  Was Childs guilty? Sure! But others share the guilt for bringing it to that point.  Consider:

  • The System Administrator reported to the COO.  No CIO? No VP of IT? No IT Director?  That means there was no one between the hands-on technician and the non-technical businessperson, and that is a critical layer, particularly for an organization as large as the government of a major U.S. city.

  • There were no policies governing custody of system passwords. Allowing Childs to be the sole keeper of the credentials for the entire network was an operational lapse that never should have been permitted. Administrative credentials for critical infrastructure should be escrowed (sealed and held by a second party, or split so that several officers have to cooperate to reconstruct them), so that no single person, whether fired, hospitalized or simply on vacation, can lock the organization out.

  • Childs was a city employee for ten years.  If there were concerns about his trustworthiness or reliability, shouldn’t they have been addressed earlier in that decade?
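On that second point, the standard remedy is to make the keys to the kingdom something no single person holds. Below is an added example (mine, not from the post, and not how the City of San Francisco managed its credentials) of one way to do that in Python: Shamir’s secret sharing splits a master password into, say, five shares held by five officers, any three of which reconstruct it, while any two reveal nothing about it. The password, the officer count and the threshold are assumptions for illustration.

```python
import secrets

# Arithmetic is done in GF(p) for a Mersenne prime large enough to hold a
# 64-byte secret as a single field element.
PRIME = 2**521 - 1
MAX_SECRET_LEN = 64


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients `coeffs` at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Split `secret` (bytes) into `share_count` (x, y) shares; any `threshold` of them recover it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError(f"secret longer than {MAX_SECRET_LEN} bytes")
    # The secret is the constant term; the other threshold-1 coefficients are random,
    # so fewer than `threshold` points leave the constant term uniformly unknown.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_int(shares):
    """Lagrange-interpolate the polynomial through `shares` and return its value at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Division in the field is multiplication by the modular inverse (Fermat).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares, secret_len):
    """Reconstruct the original bytes; `shares` must hold at least `threshold` distinct points."""
    return recover_int(shares).to_bytes(secret_len, "big")


if __name__ == "__main__":
    # Hypothetical master password for a core router: five officers, any three recover it.
    master = b"hypothetical-core-router-enable-password"
    shares = split_secret(master, threshold=3, share_count=5)
    for x, y in shares:
        print(f"officer {x}: share {y:x}")
    assert recover_secret(shares[:3], len(master)) == master
    assert recover_secret([shares[0], shares[2], shares[4]], len(master)) == master
    print("recovered from any 3 of 5 shares; 2 shares alone reveal nothing")
```

Each officer keeps only their (x, y) pair, on paper in a safe if need be; the secret itself is never written down. With two shares the interpolated value is off by a uniformly random field element, which is exactly why the threshold, not the number of people in the room, is what protects the password.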

All too often, IT departments are isolated from the organizations they serve.  Part of this is due to the nature of technology work and techies—we speak a language of our own; enjoy working with the tools that many people find obstructive and confusing; and the majority of us are not very good at casual socializing. More of it is due to the fact that most people—including the CEOs and VPs—don’t get technology, and don’t know how to integrate technology tools and purveyors into the organization.

But that lack of comprehension shouldn’t be a license for persecution.  Everyone’s a loser here, most personally Childs, but the city suffered from a situation they created by not investing properly in technology.  And, by investing, I don’t just mean hiring the right amount of staff and equipment—I mean that CEOs, COOs and everyone up the chain has to step out of their comfort zone and either learn more; hire staff and consultants to vet and translate; or, optimally, both.  The CEO doesn’t have to be as knowledgeable as Bill Gates, but they have to have educated oversight on how IT is run that “gets” what IT is about and how the technology practitioners operate.

As much as Terry Childs is guilty of a crime, he’s tenfold a victim of one, and it’s a cautionary tale for any of us who work in environments where management is happy to let us build a big, isolated kingdom.

What drove Terry Childs to commit a felony was a crime unto itself.


Putting The Tech Back In Nonprofit Technology

We’re all back from the Nonprofit Technology Conference, where nine of the ten Idealware bloggers congregated, along with some 1,440 of our peers in the nptech community. What a gas! NTC, as we call the conference, is what high school would have been like if everyone had been a member of the popular clique. The combination of peer education and celebration of our common interest in saving the world with heart and technology make for an exuberant occasion. And I can’t say enough about the awe and appreciation I have for Holly, Anna, Annaliese, Brett, Sarah and Karl, and the amazing event that they recreate year after year for us.

But, enough gushing. One of my (many) rants regards my concern that, although the biggest group of people that we call “nptechies” are the ones who support technology in their organizations, our biggest nptech conferences focus heavily on social media and the web (NTC, Netsquared, and now SXSW). It is true that the advent of social media and the interactive web is spawning a revolution in the way that we do advocacy and fundraising. But there is no less of a revolution in our server rooms, where virtualization, cloud computing and wireless devices are changing the entire way that we manage and deliver applications.

Our System Administrators, Support Specialists and Accidental Techies need to share in the peer support that can inform their efforts and help them feel more connected, both to their missions and the broader community. This year, in deference to a throat getting hoarse from ranting, I took a first stab at addressing this gap.

The Tech Track

The tech track was conceived as a six-session “mini” track; five of the proposed sessions made the cut. The topics ran from the basics to the broad overview:

  • Tech Track 1: Working Without a Wire (But With a Net): Dealing with Wireless Networks, Laptops, and Cell Phones

  • Tech Track 2: Proper Plumbing: Virtualization and Networking Technologies

  • Tech Track 3: Earth to Cloud: When, Why and How to Outsource Applications

  • Tech Track 4: Budget vs Benefits: Providing Top Class Technology in Constrained Resource Environments

  • Tech Track 5: Articulating Tech: How to Win Friends and Influence Luddites.

Joining me in these sessions were fellow blogger Johanna Bates of OpenIssue, Matt Eshleman of CITIDC, Tracy Kronzak of Applied Research Center, John Merritt of the San Diego YMCA, Michelle Murrain of OpenIssue, Michael Sola of National Wildlife Federation and Thomas Taylor of the Greater Philadelphia Cultural Alliance.

Subject Matter

Instead of doing the usual Powerpoint presentations and talking to the crowd, we pulled the chairs into circles for these sessions and put the session agenda up for grabs, asking each group what issues, related to the session topic, were foremost in their minds. The conversation was rich, and served as a healthy catalogue of the challenges facing nonprofit technology practitioners. Some highlights:

  • Supporting remote laptop use in a western state with very little wireless bandwidth available

  • Securing our networks while making network data accessible on mobile devices

  • Supporting use of and crafting fair policies to address the boom in mobile devices

  • Understanding the risks and benefits of virtualizing servers and desktops

  • Knowing how and when to virtualize, and how Storage Area Networks fit in the big picture

  • Weighing the risk of cloud computing, which also entails weighing the risks of our non-cloud networks

  • Knowing what to ask a cloud provider to ensure that data is safe, even if the provider goes out of business

  • Assessing the cost of owned vs service-provided applications

  • Assessing the readiness of Cloud Computing, and moving large, complex server rooms to the cloud

  • Chickens and eggs: what to do when IT is asked to budget for plans it had no part in making?

  • What strategies can be applied to provide good technology with limited budgets?

  • What tools and resources are available to help with the budgeting process?

  • How can we engage our users when we roll out new technology?

  • How do we get them to attend training?

Next week, I’ll follow this up with some of the answers we came up with for these questions.


Dealing With Domains – Part 1

.biz .com .edu .org .net .gov .info .mil

Domain Name Management: not a very sexy topic. This will be a rare post for me that won’t mention popular search engines, the latest “superphone“, content management or rumored tablets. But I hope I can provide a good primer on a geeky subject that anyone with a web site bearing their organization’s name has to deal with.

You have a web site and you have a domain, and as long as the web site is up and running, everything is fine. But what happens if your domain is hijacked? What if you need to make changes to your domain registration, or register a new one, and your registrar is simply unresponsive? What if they go out of business? Your domain name is a valuable property, and you should keep it in proactive and trustworthy hands.

How Domain Registration Works

Domain registrars record your domain in the registry for its top-level domain and keep that record current, so that the name can be resolved on the internet. Domain names are memorable aliases for numeric IP addresses, and aren’t technically required in order to host a web site. But the internet would be hard to navigate if we could only find things by their numeric addresses.

A registrar’s core duties are to keep your contact (whois) data current; point your domain at the name servers you specify; and let you move the domain to another registrar if you choose to.

Domain Services

In addition to domain registration, most registrars offer additional services, such as:

  • DNS management (address mapping) for subdomains, which allows you to host your main domain on one server but, say, an online store at store.yourdomain.com on another;

  • Aliasing of addresses, so that both http://yourdomain.com and http://www.yourdomain.com go to the same place;

  • Backup mail handling, so that, should your primary mail server go down, messages sent to you are queued until it comes back up;

  • Web forwarding, so you can register yourdomain.org, yourdomain.com and yourdomain.net, but forward all visitors to the .com and .net names to your web site at yourdomain.org;

  • SSL (Secure Sockets Layer) certificates, which identify your site to browsers and enable encrypted connections for sensitive data, like online donation forms. (The certificate identifies the server; the web server that holds its private key does the actual encrypting.)


Things to Look For in a New Registrar

  1. Are they accredited? ICANN, the organization that oversees domain management, accredits registrars. If they aren’t on ICANN’s list, they aren’t trustworthy. Many companies sell domains as resellers of an accredited registrar; if so, find out who the registrar of record is, because that is who actually controls your domain and whose support desk you will depend on in an emergency.

  2. Do they add a year to the existing expiration date, or charge you for a full year as of engagement? They should do the former.

  3. Do they offer self-service access to all functions (via web forms), including locking/unlocking domains, retrieval of authorization (EPP) codes, and modification of all whois records? (Some registrars prefer to list themselves as the technical contact. It should be up to you, not them, whether they have an official name on your domain.) Keep the transfer lock on whenever you aren’t actively moving the domain, and treat the EPP code like a password: anyone who holds it can start a transfer away from you.

  4. Do they list a telephone number, and is it promptly answered during business hours?

  5. Do they respond promptly to emails and support requests? The ability to communicate with your registrar is rarely needed, but, when it is, it’s critical – you don’t want them out of the loop if your domain is subject to an attempted hijack.

  6. Do they offer the ability to manage DNS for mail servers and subdomains? While this is an added feature, it’s common enough to be worth expecting.

  7. Do they have any additional services (examples above)? While these supplemental services are far from critical, they are convenient. More to the point, a company that is engaging in a robust suite of services is more likely to be focused on their business. The truth is that anyone can be a domain registrar, if they make the proper investment, but whether it’s a going concern or a neglected piece of extra income for them is a question you’ll want to ask.
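To make items 2, 3 and 5 concrete, here is an added Python example (mine, not the post’s, and not any registrar’s tool) that audits a whois record for the things that matter in a hijack or lapse scenario: whether the transfer lock (clientTransferProhibited) is set, how soon the registration expires, whether the name servers are the ones you expect, and whether any contact on the record belongs to someone other than you. The whois text below is constructed for the example; in practice you would feed in the output of `whois yourdomain.org`.

```python
from datetime import date, datetime

# Constructed sample whois output for the example. The field names follow the
# format gTLD registries and registrars use, but the record is not real.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-NONPROFIT.ORG
Registrar: Example Registrar, Inc.
Updated Date: 2010-01-15T10:22:00Z
Creation Date: 2001-03-02T00:00:00Z
Registry Expiry Date: 2010-05-01T00:00:00Z
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registrant Email: director@example-nonprofit.org
Admin Email: director@example-nonprofit.org
Tech Email: hostmaster@example-registrar.example
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""


def parse_whois(text):
    """Group 'Key: value' lines into a dict of lists (keys such as Domain Status repeat)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def audit_domain(text, today_iso, expected_ns, org_domain, warn_days=60):
    """Return a list of (code, message) findings for a whois record.

    today_iso is the audit date as YYYY-MM-DD; expected_ns the name servers you
    configured; org_domain the domain your own staff mailboxes live under.
    """
    rec = parse_whois(text)
    today = date.fromisoformat(today_iso)
    findings = []

    # 1. Registrar lock: without clientTransferProhibited, a leaked EPP code is
    #    enough for someone to transfer the domain to another registrar.
    statuses = {s.split()[0].lower() for s in rec.get("domain status", [])}
    if "clienttransferprohibited" not in statuses:
        findings.append(("LOCK", "transfer lock is off"))

    # 2. Expiry: a lapsed registration is the most common way to lose a name.
    for raw in rec.get("registry expiry date", []):
        expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").date()
        days = (expiry - today).days
        if days < warn_days:
            findings.append(("EXPIRY", f"registration expires in {days} days ({expiry})"))

    # 3. Name servers: a silent change here is how a hijacked domain gets pointed
    #    at someone else's web or mail server.
    actual_ns = {ns.lower() for ns in rec.get("name server", [])}
    if actual_ns != {ns.lower() for ns in expected_ns}:
        findings.append(("NAMESERVER", f"name servers are {sorted(actual_ns)}"))

    # 4. Contacts: every contact on the record can authorize changes, so each one
    #    should be an address you control, not the registrar's or a former vendor's.
    for role in ("registrant email", "admin email", "tech email"):
        for email in rec.get(role, []):
            if not email.lower().endswith("@" + org_domain.lower()):
                findings.append(("CONTACT", f"{role} is {email}, outside {org_domain}"))
    return findings


if __name__ == "__main__":
    # Audit date fixed so the constructed record's expiry is meaningful.
    for code, msg in audit_domain(SAMPLE_WHOIS, "2010-03-15",
                                  ["ns1.example-host.net", "ns2.example-host.net"],
                                  "example-nonprofit.org"):
        print(f"{code}: {msg}")
```

Run against the constructed record, it reports two findings: the registration expires in 47 days, and the technical contact is the registrar’s own mailbox rather than yours. Scheduling this check monthly against your real whois output catches the quiet failures (an expired card on the auto-renew, a lock dropped after a transfer and never re-enabled) before a hijacker or the registry does.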

Next week: Safely transferring domains and a word on web hosting completes the topic.


Won’t You Let me Take You On A Sea Change?

Last week, I reported that Nonprofit assessors like Charity Navigator and Guidestar will be moving to a model of judging effectiveness (as opposed to thriftiness). The title of my post drew some criticism. People far more knowledgeable than I am on these topics questioned my description of this as a “sea change”, and I certainly get their point.  Sure, the intention to do a fair job of judging Nonprofits is sincere; but the task is daunting.  As with many such efforts, we might well wind up with something that isn’t a sea change at all, but, rather, a modified version of what we have today that includes some info about mission effectiveness, but still boils down to a financial assessment.

Why would this happen? Simple. Because metrics are numbers: ratios, averages, totals. It’s easy to make metrics from financial data.  It’s very difficult to make them out of less quantifiable things, such as measuring how successfully one organization changed the world; protected the planet; or stopped the spread of a deadly disease.

I used to work for an org whose mission was to end poverty in the San Francisco Bay Area. And, sure enough, at the time, poverty was becoming far less prevalent in San Francisco. So could we be judged as successful?  Could we grab the 2005 versus 2000 poverty statistics and claim the advances as our outcomes? Of course not. The reduction in poverty had far more to do with gentrification during the dotcom and real estate booms than our efforts.  Poverty wasn’t reduced at all; it was just displaced. And our mission wasn’t to move all of the urban poor to the suburbs; it was to bring them out of poverty.

So the announcement that our ratings will now factor in mission effectiveness and outcomes could herald something worse than we have today. The dangerous scenario goes like this:

  • Charity Navigator, Guidestar, et al, determine what additional info they need to request from nonprofits in order to measure outcomes.

  • They make that a requirement; nonprofits now have to jump through those hoops.

  • The data they collect is far too generalized and subjective to mean much; they draw conclusions anyway, based more on how easy it is to call something a metric than how accurate or valuable that metric is.

  • NPOs now have more reporting requirements and no better representation.

So, my amended title: “We Need A Sea Change In The Way That Our Organizations Are Assessed”.

I’m harping on this topic because I consider it a call to action; a chance to make sure that this self-assessment by the assessors is an opportunity for us, not a threat. We have to get the right people at the table to develop standardized outcome measurements that the assessing organizations can use.  They can’t develop these by themselves. And we need to use our influence in the nonprofit software development community to make sure that NPOs have software that can generate these reports.

The good news? Holly Ross of NTEN got right back to me with some ideas on how to get both of these actions going.  That’s a powerful start. We’ll need the whole community in on this.


Get Ready For A Sea Change In Nonprofit Assessment Metrics

Last week, GuideStar, Charity Navigator, and three other nonprofit assessment and reporting organizations made a huge announcement: the metrics that they track are about to change.  Instead of scoring organizations on an “overhead bad!” scale, they will scrap the traditional metrics and replace them with ones that measure an organization’s effectiveness.

The new metrics will assess:

  • Financial health and sustainability;
  • Accountability, governance and transparency; and
  • Outcomes.

This is very good news. That overhead metric has hamstrung serious efforts to do bold things and have higher impact. An assessment that is based solely on annualized budgetary efficiency precludes many options to make long-term investments in major strategies.  For most nonprofits, taking a year to staff up and prepare for a major initiative would generate a poor Charity Navigator score, a score that is prominently displayed to potential donors.

Assuming that these new metrics will be more tolerant of varying operational approaches and philosophies, justified by the outcomes, this will give organizations a chance to be recognized for their work, as opposed to their cost-cutting talents.  But it puts a burden on those same organizations to effectively represent that work.  I’ve blogged before (and will blog again) on our need to improve our outcome reporting and benchmark with our peers.  Now, there’s a very real danger that neglecting to represent your success stories with proper data will threaten your ability to muster financial support.  You don’t want to be great at what you do, but have no way to show it.

More to the point, the metrics that value social organizational effectiveness need to be developed by a broad community, not a small group or segment of that community. The move by Charity Navigator and their peers is bold, but it’s also complicated.  Nonprofit effectiveness is a subjective thing. When I worked for a workforce development agency, we had big questions about whether our mission was served by placing a client in a job, or if that wasn’t an outcome as much as an output, and the real metric was tied to the individual’s long-term sustainability and recovery from the conditions that had put them in poverty.

Certainly, a donor, a watchdog, a funder, a nonprofit executive and a nonprofit client are all going to value the work of a nonprofit differently. Whose interests will be represented in these valuations?

So here’s what’s clear to me:

  • Developing standardized metrics, with broad input from the entire community, will benefit everyone.

  • Determining what those metrics are and should be will require improvements in data management and reporting systems. It’s a bit of a chicken-and-egg problem, as collecting the data is a prerequisite to determining how to assess it, but standardizing the data will assist in developing the data systems.

  • We have to share our outcomes and compare them in order to develop actual standards.  And there are real opportunities available to us if we do compare our methodologies and results.

This isn’t easy. It will require that NPOs that have never had the wherewithal to invest in technology systems to assess performance do so.  But, I maintain, if the world is going to start rating your effectiveness on more than the 990, that’s a threat that you need to turn into an opportunity.  You can’t afford not to.

And I look to my nptech community, including Idealware, NTEN, Techsoup, Aspiration and many others—the associations, formal, informal, incorporated or not, who advocate for and support technology in the nonprofit sector—to lead this effort.  We have the data systems expertise and the aligned missions to lead the project of defining shared outcome metrics.  We’re looking into having initial sessions on this topic at the 2010 Nonprofit Technology Conference.

As the world starts holding nonprofits up to higher standards, we need a common language that describes those standards.  It hasn’t been written yet.  Without it, we’ll escape the limited Form 990 assessments only to land on something that might equally fail to reflect our best efforts and outcomes.


The Cults That Get Things Done


Here at Idealware, an organization that’s all about nonprofit-focused software, we understand that the success or failure of a software project often has far more to do with the implementation than the application. So, in addition to discussing software, we talk a lot about project management. To many of us, it seems like the only thing worse than devoting our scant resources to the task of building and maintaining a complex project plan is living with the result of a project that wasn’t planned. While I’m as big a fan as the next guy of PMP-certified, MS Project Ninja masters, and will argue that you need one if your project is to build a new campus or a bridge, I think there are alternate methodologies that can cover us as we roll out our CRMs and web sites, even though I know that these projects will fail expensively without proper oversight.

The traditional project planning method starts with a Project Manager, who plays a role that fluctuates between implementation guru, data entry clerk and your nagging Mom when you’re late for school.  The PM, as we’ll call her or him, gathers all of the projected dates, people, budget, and materials, then builds the house of cards that we call the plan.  The plan will detail how the HR Director will spend 15% of her time on a series of scheduled tasks that, if they slip, will impact the Marketing Coordinator and the Database Manager’s tasks and timelines.  So the PM has to be able to quickly, intelligently, rewrite the plan when the HR Director is pulled away for a personnel matter, skewering those assumptions.

My take is that this methodology doesn’t work in environments like ours, where reduced overhead, high turnover and unanticipated priorities are the norm.  We need a less granular methodology; one that will bend easily with our flexible work conditions.  Mind you, when you give up the detailed plan, you give up the certainty that every “i” will be dotted, every “t” crossed, and every outcome accomplished on schedule.  But it’s possible to still keep sight of the important things while sacrificing some of the structural integrity.

First, keep what is critical: clear goals, communication, engagement and feedback.  The biggest risk in any project, no matter how well planned, is that you’ll end up with something that has little relation to what you were trying to get.  You need clearly understood goals, shared by all internal and external parties. Each step taken must factor in those goals and be made in light of them.  All parties who have a stake in the project should have a role and a voice in the plan, from the CEO to the data entry clerk.  And everyone’s opinion matters.

Read up on agile project management, a collaborative approach that is more focused on the outcomes than on the steps and timeline to get there.  Offload the project management by focusing on expectation management.  The clearer the participants are about their roles and accountability for their contributions, the less they need to be managed.  Take a look at the Cult of Done (their manifesto is at the top of this article).  Sound insane? Maybe.  More insane than spending thousands of dollars and hours on an over-planned project that never yields results? For some perspective, read The Mythical Man Month (or, at least, the Wikipedia article on it), a book that clearly illustrates how the best laid plans can go horribly wrong.

Finally, my advocacy for less stringent forms of project management should not be read as permission to do it haphazardly.  Engagement in and attention to the project can’t be minimized.  I’m suggesting that we can take a more creative, less traditional approach in environments where the traditional approach might be a bad fit, and for projects that don’t require it.  There are a lot of judgment calls involved, and the real challenge, as always, is keeping your eye on the goals and the team accountable for delivering them.


Why Geeks (like Me) Promote Transparency

[Image: Mizukurage.jpg, public domain image by Takada]

Last week, I shared a lengthy piece that could be summed up as:

“in a world where everyone can broadcast anything, there is no privacy, so transparency is your best defense.”

(Mind you, we’d be dropping a number of nuanced points to do that!)

Transparency, it turns out, has been a bit of a meme in nonprofit blogging circles lately. I was particularly excited by this post by Marnie Webb, one of the many CEOs at the uber-resource provider and support organization Techsoup Global.

Marnie makes a series of points:

  • Meaningful shared data, like the Miles Per Gallon ratings on new car stickers or the calorie counts on food packaging, helps us make better choices;

  • But not all data is as easy to interpret;

  • Nonprofits have continually been challenged to quantify the conditions that their missions address;

  • Shared knowledge and metrics will facilitate far better dialog and solutions than our individual efforts have;

  • The web is a great vehicle for sharing, analyzing and reporting on data;

  • Therefore, the nonprofit sector should start defining and adopting common data formats that support shared analysis and reporting.

I’ve made the case before for shared outcomes reporting, which is a big piece of this. Sharing and transparency aren’t traditional approaches to our work. Historically, we’ve siloed our efforts, even to the point where membership-based organizations are guarded about sharing with other members.

The reason that technologists like Marnie and I end up jumping on this bandwagon is that the tech industry has modeled the dysfunction of a siloed approach better than most. Early computing was an exercise in cognitive dissonance. If you regularly used Lotus 123, Wordperfect and dBase (three of the most popular business applications circa 1989) on your MS-DOS PC, then hitting “/“, F7 or “.” were the things you needed to know in order to close those applications respectively. For most of my career, I stuck with PCs for home use because I needed compatibility with work, and the Mac operating system, prior to OSX, just couldn’t easily provide that.

The tech industry has slowly and painfully progressed towards a model that competes on the sales and services level, but cooperates on the platform side. Applications, across manufacturers and computing platforms, function with similar menus and command sequences. Data formats are more commonly shared. Options are available for saving in popular, often competitive formats (as in Word’s “Save As” offering Wordperfect and Lotus formats). The underlying protocols that fuel modern operating systems and applications are far more standardized. Windows, Linux and MacOS all use the same technologies to manage users and directories, network systems and communicate with the world. Microsoft, Google, Apple and others in the software world are embracing open standards and interoperability. This makes me, the customer, much less of an innocent bystander who is constantly sniped by their competitive strategies.

So how does this translate to our social service, advocacy and educational organizations? Far too often, we frame cooperation as the antithesis of competition. That’s a common but crippling mistake. The two can and do coexist in almost every corner of our lives. We need to adopt a “rising tide” philosophy that values the work we can all do together over the work we do alone, and have some faith that the sustainable model is an open, collaborative one: looking at each opportunity to collaborate from the perspective of how it will enhance our ability to accomplish our public-serving goals, and trusting that this won’t result in the similarly focused NGO down the street siphoning off our grants or constituents.

As Marnie is proposing, we need to start discussing and developing data standards that will enable us to interoperate on the level where we can articulate and quantify the needs that our mission-focused organizations address. By jointly assessing and learning from the wealth of information that we, as a community of practice collect, we can be far more effective. We need to use that data to determine our key strategies and best practices. And we have to understand that, as long as we’re treating information as competitive data; as long as we’re keeping it close to our vests and looking at our peers as strictly competitors, the fallout of this cold war is landing on the people that we’re trying to serve. We owe it to them to be better stewards of the information that lifts them out of their disadvantaged conditions.


Succession Planning


Idealware’s blog is not the best place for me to talk about my kid.  There’s Facebook and Flickr for that sort of thing. But I want to talk about him anyway, and open a discussion, if possible, about children and the nptech community.

My career is in nonprofit technology (nptech). My plan is to continue working for nonprofits (or, if for profit, a for profit with a mission and a socially beneficial bottom line) until I retire or expire.  While my ten year old boy’s stated goal is to become a NASA engineer, and that’s great, I want him to understand why I chose my path of purposeful work and understand what’s involved in it, should he, at age 15 or 25, decide that NASA isn’t the only option.

A few years back, former NTEN CEO and current MobileActive CEO Katrin Verclas suggested adding a program for teenagers at the annual nonprofit technology conference. This is a brilliant idea. We have a great opportunity to educate children in the work we do: advocating for social justice and good; raising funds and resources in order to act effectively and independently; and collaborating in a supportive community to accomplish our varied, but sympathetic goals.  Whatever our children end up doing with their lives, we have something worthwhile to teach them.

When I was a teenager, I was active in a youth group called Liberal Religious Youth (LRY). LRY was an independent group affiliated with the Unitarian Universalist Association, but it was not a particularly religious group. The themes were more along the lines of addressing social concerns and building community. At ages sixteen and seventeen, I was creating flyers, renting facilities, giving presentations, leading sessions, planning menus and taking a leadership role that prepared me far better for my current career than high school actually did.

When I look at our nptech community, I see a similar environment, where our commitment and excitement regarding our work is bolstered by a natural adoption of supportive camaraderie and peer development. We definitely model something of value to our high school age kids who will face career choices and challenges like ours. We can develop a mentoring program that passes on our expertise in resource management, activism, fundraising, community building, nonprofit technology and social media as a social activism tool. This would give them an early introduction to the skills that will be needed to continue the important work that we do after we retire. As much as a grant, donation, or volunteer effort, this is an investment in our work and our world that we should be making.

I want my son to develop his skills and community with socially-conscious peers and mentors.  I want his generation to be more effective than we are at solving problems like poverty, pollution and social injustice. It’s not enough for us to try and save the world. We should be prepping the next generation to keep it protected.

Who’s with me?


Pop Quiz: PCI Compliance

The credit card industry is doing the right thing by consumers and enforcing proper security measures for the handling of credit card information.  You might have heard about this: a number of the popular vendors of donor databases are recommending upgrades based on their compliance with these rules. The “Payment Card Industry Data Security Standard”, commonly known as PCI DSS, is a set of requirements for securely handling credit card information.  The standard has been around for about four years, but early enforcement efforts focused on companies with a high volume of credit card transactions.  Now that they’re largely in compliance, the card brands have set their sights on smaller businesses and nonprofits. So, what does this mean? Here’s the simplest F.A.Q. that you’re likely to find on the topic:

  • Do you ever process online, phoned-in, or mailed-in credit card donations in-house? That is, do you store the credit card number, expiration date and name of a donor?

If no, you don’t have to worry about this.

  • If yes, do you have more than 20,000 such transactions annually?

Well, if you do, congratulations!  Most nonprofits don’t, so they qualify for level 4 of the PCI compliance scale, which results in a Self-Assessment Questionnaire (SAQ) validation type of “4”.  Higher validation types are subject to stricter security standards.

The Self-Assessment Questionnaire will ask you all sorts of technical questions about your network and security procedures.  Do you have a firewall?  Are all of your transactions encrypted?  Do you use anti-virus software?  Is credit card information properly restricted to authorized staff?

Depending on your network, you might already comply with a lot of the requirements.  If you don’t, then it might require a significant investment to get there.

  • What will happen if I ignore this?

This isn’t a government regulation (although your state might have laws in place that mandate a similar response). Participation is mandatory.  But, should your security be breached, two things will happen:

1. The compliance requirements for your organization will be reassessed to level one or two, and they’ll be much more costly and complicated to meet.  The credit card companies might decline to do business with you if you don’t comply.  Can you afford to not take Visa?

2. You will likely be indirectly fined for non-compliance.  The credit card companies will hold your bank liable for losses due to credit card theft in situations where your security was substandard.  Your bank will likely pass that fine on to you.

  • So what’s the easiest way to deal with this?

Simple: don’t handle credit cards.  There are a number of services that, for a price, will do this for you, from PayPal and Google Checkout to CharityWeb and Blackbaud’s BBNow. Outsourced eCRM software (NetCommunity, Convio, Democracy in Action, etc.) will also handle it. The cost is likely not as significant as that of maintaining compliance or suffering the consequences of a non-compliant breach.

I’ll share that, at the Goodwill where I used to work, outsourcing wasn’t an option, because we were both a charity and a retailer. Our frustration was not that we didn’t have good security in place.  It was that there were differences between how we had set up our security and the PCI DSS requirements.  So, while we had done a lot of work and made significant investments, we still had to reconfigure things and spend more in order to be compliant.  In addition to making our internal IT changes, we had to switch software programs in order to avoid storing credit cards unencrypted in our database, a typical problem.  We also engaged a consultant.  Once you are reasonably sure that you comply, you must then pay a security service to verify your efforts, another non-trivial expense.
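The “storing credit cards unencrypted in our database” problem above is one that an internal IT team can check for before an assessor does. The script below is an added example written for this post; it is not code from the original article, from Blackbaud, or from any of the vendors named. It scans a constructed sample of donor-database free-text fields for cleartext card numbers (the sample uses the publicly documented Visa test number 4111 1111 1111 1111, not a real account), uses the Luhn check digit to weed out phone numbers and other digit runs, and shows the truncation that leaves only the last four digits once the full number has been handed off to a payment processor. The record format, field name and `mask_pan` policy are assumptions for the example.

```python
import re

# Constructed sample export: a few "notes" fields as they might be pulled
# from a donor database. Record 1 contains a cleartext card number (the
# public Visa test number); record 3 holds only a masked reference.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Donor called; card on file 4111 1111 1111 1111 exp 12/26"},
    {"id": 2, "notes": "Pledge of $250, paid by check #1042"},
    {"id": 3, "notes": "Card ending ****1111, tokenized by processor"},
    {"id": 4, "notes": "Phone 415-555-0100, fax 415-555-0101"},
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run. Lookarounds are used instead of \b so that
# a leading or trailing dash does not break the boundary check.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list:
    """Return the normalised (digits only) card numbers found in free text.

    The Luhn check cuts down false positives such as long phone or
    account numbers; it does not prove a hit is a live card.
    """
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_records(records: list, field: str = "notes") -> dict:
    """Map record id -> list of cleartext PANs for every record with a hit."""
    findings = {}
    for rec in records:
        pans = find_cleartext_pans(rec.get(field, ""))
        if pans:
            findings[rec["id"]] = pans
    return findings


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual 'card ending' reference.

    Assumed policy for this example: the full number lives only with the
    payment processor, so nothing more than the last four is retained.
    """
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> str:
    """Replace each Luhn-valid card number in the text with its masked form."""
    def _sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_PATTERN.sub(_sub, text)


if __name__ == "__main__":
    for rec_id, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"record {rec_id}: cleartext card number(s) found: "
              f"{[mask_pan(p) for p in pans]}")
```

Run against a real export, a hit is the cue to move that data to the processor's tokenized reference and purge the field, not to encrypt it in place; the post's own advice is that the cheapest compliant design is one where the full number never lands in your database at all.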

Blackbaud has put together some good further reading on this topic (and they are one of the vendors whose latest software is compliant; ask your eCRM vendor!).

Compensating for Chaos

In 2000, after spending 15 years at corporate law firms, I made a personal choice to start working for organizations that promote social good by reducing poverty and protecting our planet. I understood that this career move would put some serious brakes on what was a fairly spiraling rise in compensation – my salary tripled from 1993 to 2000. And that was fine, because, as I see it, the privilege of being compensated for doing meaningful work is compensation in its own right.

We all know that we make less in this industry than we might in the commercial world, and we’re all pretty okay with that.  But how much, or how little, the discrepancy between “real world” and nonprofit salaries should be is a metric with little established thought behind it.  We don’t base our pay scales on any rationale other than what we determine others are paying and what we can afford. My concern is that, by not taking a strategic, reasoned approach to compensation, nonprofits are incurring far more unnecessary expense than they might, particularly when it comes to technology support, although these thoughts apply across the org chart.

The problem is that, when it comes to determining the market value of a nonprofit employee, we often go to nonprofit salary surveys, such as the one put out by NTEN and the Nonprofit Times. But job seekers don’t read those surveys.  In San Francisco or New York, a good System Administrator can make $70-80k a year at a for-profit.  Even if they come in to your org understanding that they aren’t going to be offered the market pay ($75k), they have an expectation that they’ll either be on the low end of it ($70k), or within 10% of it ($67.5k).  The recent NTEN Staffing Survey puts the average nonprofit Sysadmin salary at $52k, which is about 75% of that market. So, given this scenario, here are my questions:

  • How many excellent candidates are eliminated from consideration because they can’t afford to take a 25% pay cut?
  • Of the ones who can afford that pay, how many can afford it because they aren’t qualified for the work required?
  • How many can afford it because they have other primary income sources, and therefore can take a low paying job and not feel very committed to it?
  • If a good Sysadmin takes a job at that rate, how long will it be before they decide that they need more money and leave?
  • What is the impact of having a heavy rotation among the staff that maintain and upgrade your technology?
  • What is the impact of having critical IT positions sit empty, as they often do?

But, let’s get really into this. Unless the IT people that are hired at the 75% rate are extremely mature, then they might have some of the common failings of immature Sysadmins:

  • Many are often controlling and secretive. I’ve been in multiple situations where I’ve come into an organization and learned that the prior IT staff left with the key system passwords.  I’ve also seen numerous situations where the IT staff left en masse.
  • Most Sysadmins are lousy about writing things down.  What is the ramp-up time for your new staff when they have to research and guess how everything works on arrival?
  • The general instinct of a new IT person is to rip everything out and install their favorite things. Got Windows? They like Linux.  Got Word? They like Google Docs.  They don’t necessarily understand that one platform is much like another, and that imposing massive change on an organization can be dangerously disruptive.

Technology candidates need to be assessed not only for their technical skills, but also for their attitude and maturity.  A very sharp tech, who can answer all of your Outlook questions, might have little patience for documenting his or her work or sharing knowledge with other technical staff. And those skills are the ones that will allow you to transition more smoothly when the tech leaves.

Mission is a motivator, and it has value that can be factored into overall compensation, but not to the point where the pay is so unattractive that it knocks the pool of candidates down to a pool of uncommitted or desperate ones.  The impact of paying poorly isn’t isolated to the salary bucket on the balance sheet.  In many cases, particularly with technology, it’s tied directly to the ability to operate.