Let's start with the scale. There are over 10 million nonprofits and NGOs operating worldwide, with an estimated 1.5 to 1.8 million registered in the United States alone as reported in 2022 - imagine the growth in the past four years. The U.S. nonprofit sector contributes roughly $1.5 trillion to the economy and represents the third-largest workforce in the nation.¹ This isn't a niche corner of the economy. It's a major pillar of it, and one that cybersecurity has chronically underserved, but this we know already.
In cybersecurity, we're good at segmenting. We talk about SMBs differently than enterprises. We approach healthcare differently than retail. We understand that industry, size, and data sensitivity shape risk, and we build frameworks to work across all at once.
So why do we still treat nonprofits as one bucket?
The answer isn't that the sector is too complex to segment. It's actually the opposite. The infrastructure to do this well already exists — mission taxonomies, IRS classification codes, funder frameworks, national network data. Nonprofits are among the most transparently documented organizations in the country. We just haven't applied that lens to security yet.
And the gap it creates is real.
Consider what's actually inside that single "nonprofit" label – take our furry friends first. There are an estimated 54,000 animal-focused nonprofits in the U.S. alone, ranging from small-town pet shelters with a modest digital footprint to large regional rescues managing donor databases, volunteer platforms, and increasingly, AI-enabled intake tools.² Their security needs are real, but bounded. Proportionate guidance goes a long way.
Now put that next to the domestic violence services nonprofits. According to the National Network to End Domestic Violence, more than 6,500 direct service organizations receive federal funding to provide lifesaving services, with roughly 2,327 specialized shelters operating nationally and the sector collectively managing over $4 billion in annual revenue.³ These organizations aren't just handling sensitive data; they are actively targeted by malicious actors who want to disrupt their operations. Why would we think that a generic checklist would be sufficient?
And healthcare adds yet another layer. According to the American Hospital Association, nearly 3,000 nongovernment not-for-profit hospitals operate across the U.S.; that is roughly half of all hospital facilities nationwide.⁴ That's before you count nonprofit community health centers, behavioral health organizations, and hospices.
Same tax status. Still nonprofit. Wildly different risk reality.
Completely different threat landscape, no matter how you look at it.
What's funny is that we, as a security industry, don't even recognize that segmentation already exists. We are just taking the time to pay attention. Funders segment nonprofits. Grant-makers segment them. Program officers and capacity builders all learned long ago that a pet shelter in rural Kansas and a trafficking intervention organization in Los Angeles don't need the same conversation or, really, the same checklist. Security just hasn't caught up.
What would it look like if it did? It starts with mission-first thinking. Treating the work an organization does as the primary lens for understanding its risk profile, not an afterthought. Honestly, I've been sitting with this question for a long time. It was at the heart of my dissertation research, when I proposed studying the entire nonprofit sector, only to be told to narrow my focus. "Get the Ph.D. first, then go save the world," was the response from my committee chair. That stayed with me. At Sightline, this is the work we've been leaning into ever since, and the more we do it, the clearer it becomes that this isn't a niche approach. It's a necessary one.
The nonprofit sector isn't one story. It's thousands of them. And security in the nonprofit sector can't be a standard checklist; it has to start with learning who they are, what they do, and who they serve. We haven't even gotten to what each of those organizations is actually responsible for protecting.
That's where we're going next. Are you ready to think differently about nonprofits?
¹ Sources: Human Rights Careers; WikiCharities; 501c3.org; GlobalGiving; Zippia Nonprofit Statistics.

² Source: Shelter Animals Count; IRS 990 data via Candid/GuideStar.

³ Source: National Network to End Domestic Violence (NNEDV).

⁴ Source: American Hospital Association, 2024 Annual Survey.