ARTICLES

A Woman Who Once Sought Their Protection Teaches Nonprofits How to Be Secure

Lots of people find themselves working in cyber security almost by accident, but few of their paths can match the improbable journey of Dr. Kelley Misata. She endured years of cyber stalking during which she sought assistance from various agencies, including nonprofits, only to find that they were ill-equipped to help. That painful realization turned into the inspiration that has guided her career. After her personal experiences had opened her eyes to the challenges, she founded Sightline Security, a startup that helps nonprofits assess, develop, and strengthen their cyber security.

The harassment began in 2007. Misata’s stalker used technology not only to track her, but to intrude on the lives of the people around her. He contacted her friends and family, and then their friends. And he persisted. The annoyance and fear of the people he contacted eventually turned to anger—and their anger then turned on Misata. What was going on? Why had she brought them into this situation? What would he do to them if they stayed in contact with her? As so many victims of do, she had already blamed herself. Now people whose support she could have used were also blaming her. That was the weight she carried.

A turning point stemmed from an event she attended in 2011. Andew Lewman, then the executive director of the Tor Project, well known for its open-source anonymizer software, was giving a presentation. Misata’s stalker had used Tor many times to cover his tracks, she told me. And Misata had actually called Lewman a couple of years earlier to ask for his help (though there was nothing he could do). But during his talk, it occurred to her that the technology may have facilitated the harassment, but it was not the harasser. And she considered the benefits it could afford users in conferring anonymity and preserving privacy. Maybe there was a way she could learn about Tor, and in learning, benefit herself.

She approached Lewman after his talk and surprised him with a request. “I need a job,” she blurted. She reminded him of their previous conversation, which he assured her he recalled. Then he paused. “Did you just ask for a job?” She was unemployed, and the harassment hadn’t stopped. “I need a safe place to work,” she explained. She had a master’s degree in marketing, and he needed someone to write an annual report. That was the connection that led her to spend two years as the communications director for The Tor Project.

It put her in an interesting position, to say the least. “As a victim of their technology,” she said, “I'm now defending and explaining it. And it was really an interesting process for me to go through, because it reinforced the fact that the technology was not the problem. It's the people. It's the person behind the technology that's the problem.”

That epiphany pointed her toward a career in this field. And a Ph.D. from Purdue University

in information security paved the way. It also helped her gain a sense of control over the subject. She remembers the days when she sought help from professionals, including law enforcement, who weren’t really prepared to respond. The laws themselves were woefully outdated. But that didn’t prevent some of the people trying to help her from growing irritated when she had trouble following their instructions.

There was a big benefit in remembering how that felt. She put it into words for me: “This really smart person's going to come and talk down to me and tell me a whole bunch of things I'm never going to understand. Then I'm going to spend hours Google searching.” It was almost a mission statement of what she wanted to avoid. When she was ready to help nonprofits with security, she was determined to take the fear out of the process, and make sure the information was accessible.

That’s what Sightline Security, founded in 2018, aims to do. Its members are nonprofits that seek its help. Misata, who is the CEO, starts with assessments to gauge the state of their security. She matches their controls against best practices like the NIST Cybersecurity Framework. Many of her members are short on resources, as are so many of the 1.5 million U.S. nonprofits, and grateful that she doesn’t charge for her services. Right now, Sightline’s main source of revenue is derived from early-stage fundraising, but Misata said she is building other channels to ensure its long-term sustainability.

These days, members are often overwhelmed by phishing attacks. Some wonder who is aiming at them, and why. Others don’t have time to pay attention. The executive director of a domestic violence shelter, for example, recently told Misata, "You know, Kelley, we've got hits on our website from countries all over the world. Thousands every single day. But I can't think about that, because someone needs a bed to sleep in tonight.” Misata spends a lot of time explaining that attacks are not necessarily targeted, and that raising staff awareness is a big part of the solution.

Sightline has added two additional components to its services. The first is a member forum it created in collaboration with the Global Cyber Alliance. They post relevant news items of interest to nonprofits. And most important, Misata said, there’s a discussion space where members can compare notes and learn from each other. Success is when someone posts a message that says: "Hey, we just got this email. This is what it looks like. Everybody be on the lookout." Like any good teacher, Misata celebrates when they take responsibility for their own security.

Finally, there are the partners. When Misata works with a nonprofit and it identifies a security hole, the next step is to find caulk to fill it. That’s where the partners come in. They are cyber security vendors that have solutions to offer. Sightline has created a marketplace for them, and it works to help them tailor solutions to meet members’ needs. Misata works directly with vendors to show them what she’s found in the assessments, and to help them craft programs members may respond to. Then she turns on the music and hopes they dance. The arrangements they make, including fees charged, are up to them, she explained. Sightline is not compensated for any of this.

What distinguishes Sightline from other businesses is that Misata is not trying to prescribe solutions. She’s not telling nonprofits what they need and trying to sell it to them, or even telling them to go out and buy it. She’s helping them figure it out for themselves. And giving vendors an opportunity to work with them—for profit or not.

Her vision, “way back before Sightline was even a name,” was that security “becomes woven into how [these nonprofits] function as a business,” she said. And the beauty of that, she added, is that nonprofits will naturally pass on some of that knowledge to the people they serve.

This is what ties her journey together. If the nonprofits she’d approached as a victim seeking help had embraced security in their businesses from the start, “they would have been able to give me better advice,” she said. And not just “checklist advice.” They could have said, "Hey, you know we do security here. You might want to try doing it on your phone or on your laptop, because that's how we keep our business protected."