One Sector, A Million+ Data Environments

In my last post, I made the case that nonprofits aren't one bucket – 1.5 to 1.8 million registered nonprofits in the U.S. alone (reported in 2022), the third-largest workforce in the nation, and $1.5 trillion in economic contribution. And we're treating them all the same.¹ Why?

What that scale actually means through a security lens: we're talking about 1.5 to 1.8 million distinct data environments, each shaped by a different mission, a different community, and a different set of consequences if something goes wrong.

That's the dimension of this problem nobody is talking about.

What a nonprofit collects, captures, manages, and is responsible for protecting isn't uniform. And in many cases, the sensitivity of that data maps directly back to their unique mission in ways that should fundamentally shape how we approach security for these organizations.

Think about it this way: A community food bank is managing donor records, volunteer schedules, and distribution logistics. Sensitive, yes, but the blast radius of a breach, while real, is relatively contained. Now consider a refugee services organization. They're holding immigration status, country of origin, family composition, and court-case information, data whose exposure could put lives at risk across international borders. Or a domestic violence survivor services organization, where a breach doesn't just mean financial exposure. It means potentially revealing the location of someone who fled to stay safe.

The data these organizations hold isn't just operationally sensitive. For many of them, it's existentially sensitive. It is tied directly to the safety and dignity of the people they serve.

Healthcare nonprofits add another dimension entirely. Nearly 3,000 not-for-profit hospitals operate across the U.S., and that's before counting the community health centers, behavioral health organizations, and hospices that round out the sector.² These organizations are managing patient records, treatment histories, and clinical data at scale, often with security infrastructure that doesn't match the sensitivity of what they're holding.

And yet across all of these organizations, we hand them security frameworks designed for industries where data sensitivity means credit card numbers and PII. We're not just missing the mark. We're speaking a language they can't translate into their actual reality.

This is why mission-first security matters beyond optics. It matters because the nature of what's at stake changes everything: how you prioritize, where you invest limited resources, and what keeps leadership up at night. A nonprofit leader isn't thinking in terms of data classification tiers. They're thinking about their clients, their community, and what happens if something goes wrong for the people counting on them.

There's also a resource dimension that can't be ignored. A large nonprofit hospital system has compliance infrastructure, dedicated IT staff, and legal counsel. A small immigration services nonprofit in a mid-sized city may have a part-time IT volunteer and a shared cloud workspace. Both are holding sensitive data. Only one has been given security guidance that remotely matches their reality.

When you consider that 1.5 to 1.8 million registered nonprofits are operating across the U.S., each with its own data environment, the scale of what's being left underprotected becomes hard to ignore.

And once you start looking at it that way, the next logical question becomes: what does security that's actually built around the mission look like in practice?

That's what I'll dig into in the next post.
