After enduring seven years of relentless cyberstalking, an experience that infiltrated every corner of her life, Kelley Misata went on offense.
She pursued a PhD in cybersecurity, determined to understand the systems being used against her and reclaim control. That decision exposed a much bigger problem, one the security industry still struggles to grasp.
Today, as CEO of Sightline Security, Misata focuses on one of the most overlooked segments in cybersecurity: nonprofits. But her mission isn’t about charity; it’s about closing a systemic gap in how the industry thinks about risk, language, and access.
Kelley Misata’s full conversation with Michael Farnum and Sam Van Ryder is available on CYBR.SEC.CAST.

“There’s this assumption that nonprofits are poor, under-resourced, and less capable,” Misata explains. “That’s not what I’ve found at all.”
Instead, what she uncovered through her doctoral research—and now through her work in the field—is a fundamental disconnect between security practitioners and mission-driven organizations. Nonprofits aren’t ignoring cybersecurity. They’re being alienated by it.
The problem starts with language.
In one early research exercise, nonprofit leaders were asked a basic question: do you maintain an inventory of hardware and software? Security professionals saw it as table stakes. Nonprofits saw confusion.
“What do you mean by inventory?” they asked.
That gap between assumed knowledge and actual understanding is where security efforts begin to fail. And it’s a failure that scales.
Misata’s work shows that nonprofits span the same spectrum as any commercial sector, from small, volunteer-run teams to massive, federated organizations with enterprise-level infrastructure. Some resemble SMBs with outsourced IT. Others rival Fortune 100 environments in complexity. The difference isn’t capability, but context.
“Nonprofit is just an IRS designation,” she says. “It doesn’t define how the business operates.”
Yet security vendors and practitioners continue to approach them with one-size-fits-all frameworks, overloaded with jargon and assumptions. The result: organizations disengage before they even begin.
That’s where Sightline Security steps in.
Rather than selling tools or remediation services, Sightline focuses on assessment and alignment. Its “Kickstart” program — built on the NIST Cybersecurity Framework but translated into plain business language — helps organizations understand where they are, what matters most, and what to prioritize next.
The output isn’t a 50-point remediation list, but two or three actionable priorities, grounded in the organization’s mission and reality.
“We’re not there to fix everything,” Misata says. “We’re there to help them make sense of it.”
That distinction matters, because for many nonprofits, cybersecurity isn’t just about protecting systems. It’s about protecting people. Victims of domestic violence. Survivors of human trafficking. Communities already at risk.
And yet, many still operate under a dangerous assumption: they’re too small to be targeted. Misata has heard it firsthand: leaders openly daring ransomware attackers to “come get us,” believing obscurity is protection.
What Misata’s journey ultimately reveals is that cybersecurity’s biggest blind spot isn’t technology but empathy. The industry has built its models, frameworks, and messaging for itself, not for the organizations it claims to protect.
Fixing that starts with meeting people where they are.

