The problem with buying security advice
The traditional consulting model delivers a report, an invoice, and a to-do list your team doesn't have the skills or hours to action. Twelve months later, the same findings reappear in the next report. Nonprofits — with small IT teams, volunteer workforces and every dollar accountable to donors — can least afford that cycle.
Maturity coaching breaks it. Instead of doing the work for you and leaving, we do the work with your team and leave the capability behind. Your people finish each session having configured a real control in your real environment — and knowing how to check it stays that way.
Coached, not consulted
Regular hands-on sessions with your IT staff or volunteers, working in your own Microsoft 365 tenant — not a slideware workshop or a report you file away.
Built on what you own
Most nonprofits already hold Microsoft 365 nonprofit-grant or discounted licensing with powerful security features switched off. We coach you to turn them on before you spend a cent on new tools.
Measurable maturity
Progress is tracked against the Cloud Security Alliance's CCM Lite, so your board — and your cyber insurer — can see maturity improving quarter on quarter.
Technology coaching — Microsoft 365 and Intune
We coach your team through configuring the Microsoft 365 security suite for improved security, including:
- Identity — Entra ID conditional access, multi-factor authentication for staff and volunteers, and locking down legacy authentication.
- Device management with Intune — enrolment of organisation and BYO devices, compliance policies, security baselines, application control and patch deployment.
- Email and collaboration security — Defender for Office 365, anti-phishing and safe attachments policies, and SPF/DKIM/DMARC for the domains your donors trust.
- Data protection — sensitivity labels, data loss prevention and retention for donor, member and student records, and sensible sharing settings for SharePoint, OneDrive and Teams.
- Monitoring and score-keeping — using Microsoft Secure Score and audit logging so your team can measure and maintain their own posture.
Governance coaching — CSA CCM Lite
Technology configuration without governance drifts. We coach your team to run a right-sized security governance program built on the Cloud Security Alliance's CCM Lite — a streamlined set of 91 foundational controls drawn from the Cloud Controls Matrix v4, designed for organisations of any size or maturity. It maps to more than 15 security standards including ISO, NIST and CIS, and ships with implementation guidance, so improvements keep paying off year after year.
- Selecting the controls that matter for your organisation and recording a statement of applicability.
- Writing the minimum viable policy set — clear enough for volunteers, strong enough for auditors and insurers.
- Learning to self-assess: evidence collection, sample sizes and control testing your team can repeat every quarter.
- Reporting maturity to your board and funders in plain language — risk posture, not raw statistics.
- Answering cyber insurance and grant due-diligence questionnaires accurately and defensibly, with evidence to back every answer.
How an engagement runs
| Phase | What happens | What your team walks away with |
|---|---|---|
| Baseline | A facilitated self-assessment of your Microsoft 365 tenant and governance against CCM Lite, done with your team so they learn the method. | A maturity baseline and a prioritised coaching plan your board can understand. |
| Coach | Regular hands-on sessions — configuring Entra ID, Intune, Defender and data protection controls in your tenant, one improvement at a time. | Controls actually implemented, plus the skills and runbooks to keep them that way. |
| Govern | Coaching your team to write policy, test controls and collect evidence against CCM Lite. | A living, right-sized ISMS your team owns — not a binder from a consultant. |
| Graduate | Sessions taper off as your team takes over. We remain available for the hard questions. | Self-sufficiency, a repeatable quarterly self-assessment, and a maturity story for insurers and funders. |
Pairs well with cyber insurance readiness
The same CCM Lite posture work that builds your maturity also answers your insurer's questionnaire. Many organisations combine maturity coaching with our cyber insurance readiness engagement to fund security improvement from premium savings.