Cybersecurity isn’t just firewalls and tech jargon—it’s people, habits, and everyday choices. Kicking off National Cybersecurity Awareness Month, we bring together two voices who live this every day: Michael Nouguier, Partner, Cybersecurity Services at Richey May, and Tony Rehmer, Senior VP of IT at Children’s Miracle Network Hospitals (CMN Hospitals). Their message is clear: strong security starts with culture.

Tony sets the tone early: “We take a major part, but it is everyone.” In other words, security isn’t a back-office task—it’s a shared responsibility. With hospitals, HIPAA, and multi-state operations in the mix, CMN Hospitals treats staff as the front line. That means training that actually sticks: shorter, “microlearning” nudges delivered through internal channels, real examples, and peer-to-peer conversations. As Tony puts it, “We never, ever shame a person.” Instead, they use supportive coaching after incidents to encourage fast reporting and continuous learning.

Michael maps the big picture. Attacks have matured, and wishful thinking won’t cut it. “Hope has then become a liability when it’s your only defense.” The antidote? Make security part of the mission—top-down and day-to-day. That looks like updating mission statements (“do the work securely”), enabling multifactor for everyone (leaders included), and building a culture where staff quickly raise their hand when something feels off. He provides memorable visual: “Everybody needs a pitchfork… so they can do what they need to do to protect your organization.”

The conversation gets real with a story from CMN Hospitals at the start of COVID-19. Threat actors bought credentials on the dark web, slipped into a mailbox, swapped a message body for malware, and re-sent it. Because staff had been invited into the security effort, the team was alerted within five minutes. That fast reporting changed the outcome. Culture wasn’t a slogan; it was the safety net.

Both guests agree: this is ongoing work. Threats keep shifting—from credit cards to ransomware and data theft—so messaging, training, and audience targeting must evolve too. Practically, that means appointing security champions, aligning IT with communications pros who can translate across departments, and weaving security into leadership conversations and board funding decisions.

Takeaways you can use: treat people as partners, keep learning in snackable moments, celebrate fast reporting, and put “securely” in your strategy—not just in your tech stack.

Find us Live daily on YouTube!

Find us Live daily on LinkedIn!

Find us Live daily on X: @Nonprofit_Show

Our national co-hosts and amazing guests discuss management, money and missions of nonprofits!
12:30pm ET 11:30am CT 10:30am MT 9:30am PT

Send us your ideas for Show Guests or Topics: HelpDesk@AmericanNonprofitAcademy.com
Visit us on the web:The Nonprofit Show