If you serve on a Church Extension Fund board or lead finance for one, you've probably had this moment. The audit is nearing completion. Cash is tight enough that visibility matters every day. Investor trust is central to your mission. Then a board member asks a simple question.
“What are we doing about cyber security?”
That question lands hard because it isn't really about firewalls or software patches. It's about stewardship. It's about whether the organization can protect investor records, borrower data, payment workflows, and the reputation that took decades to build.
Most CEFs don't have a large internal security team. Many are still operating with a mix of spreadsheets, legacy applications, outside IT support, and manual workarounds. That doesn't excuse weak governance. It makes governance more important.
The right response isn't to pretend your fund needs an enterprise-sized cyber department. It's to put real leadership, reporting discipline, and vendor oversight around the systems that carry your mission.
The New Fiduciary Duty: Cyber Security and Your Fund
A board doesn't care whether a cyber incident started with a phishing email, a weak password, or a vendor mistake. The board cares whether operations stop, funds are exposed, borrowers are affected, and confidence erodes.
That's the correct lens. Cyber risk is now a fiduciary issue.
Global cybercrime costs are forecast to exceed $10.5 trillion in 2026, and organizations face an average of 1,968 weekly cyber attacks, an 18% year-over-year increase, according to SentinelOne's cyber security statistics summary. For a CEF, those numbers don't mean you should panic. They mean you should stop treating cyber security as a side conversation delegated entirely to outside IT.
Why boards are asking harder questions
A Church Extension Fund sits in an uncomfortable middle ground. You aren't a consumer bank, but you do hold sensitive financial information. You aren't a global enterprise, but you still manage investor communications, loan servicing, ACH activity, reporting, and internal approvals. Attackers don't care that your mission is ministry.
They care that your systems move money and store trust.
Practical rule: If a cyber event could interrupt cash operations, expose investor information, delay reporting, or impair lending activity, it belongs on the board's risk agenda.
That changes the job of the CFO, controller, executive director, and treasurer. You don't need to become a security engineer. You do need to ask whether your controls are proportionate to the sensitivity of the work.
Some boards need help turning that question into action. A simple starting point is to review practical effective data security measures and then decide which ones are clearly owned, which ones are assumed, and which ones are missing.
What fiduciary responsibility looks like in practice
For CEF leaders, fiduciary responsibility in cyber security comes down to a few plain duties:
- Protect entrusted data so investor and borrower information isn't casually exposed.
- Preserve continuity so note servicing, loan payments, and reporting can continue during disruption.
- Oversee vendors carefully because outsourced technology doesn't outsource accountability.
- Document decisions so the board can show it exercised informed oversight.
Many organizations fall short. They discuss cyber risk only after an insurance renewal, a suspicious email, or a vendor questionnaire arrives. That's too late. Good governance means the board already knows who owns security leadership, what the major risks are, and how management is tracking them.
Cyber security used to be treated as an IT function. In a CEF, it now belongs beside liquidity, compliance, internal controls, and reputation risk.
Defining Security Leadership in a CEF Context
Most articles about leaders in cyber security assume you can hire a CISO, build a team, and add more tools when problems arise. Most Church Extension Funds can't do that. They shouldn't copy a large-bank org chart they can't sustain.
They need a structure they can run.

The talent market makes this reality unavoidable. The U.S. had a shortage of 359,000 skilled cyber security workers, and the Bureau of Labor Statistics projects employment for information security analysts will grow 29% from 2024 to 2034, according to National University's cyber security statistics summary. If you wait to solve leadership only by hiring scarce specialists, you'll wait a long time.
Use a designated security leader model
For most CEFs, the workable answer is a designated security leader. That person is often the CFO, COO, finance director, operations head, or internal IT manager. The title matters less than the accountability.
This role should own coordination, not every technical task.
A designated security leader should be responsible for:
- Board communication about cyber risk, vendor issues, and response readiness
- Policy ownership for access, incident response, training, and third-party oversight
- Cross-functional follow-through so finance, operations, HR, and IT aren't working in silos
- Escalation discipline when an issue requires outside counsel, auditors, insurers, or forensics support
Build a small leadership team around that person
One person can't secure a fund alone. A practical CEF model uses a small internal group with clear roles.
- Finance representation should focus on payments, approvals, investor records, reconciliations, and fraud exposure.
- Operations leadership should monitor workflow dependencies, vendor processes, and business continuity.
- IT or managed service oversight should address system configuration, monitoring, backups, and endpoint protection.
- HR or administrative support should manage onboarding, offboarding, policy acknowledgments, and training participation.
The strongest security leader in a CEF is usually not the most technical person. It's the person who can force clarity, assign ownership, and keep unresolved risk in front of decision makers.
Ministry-focused organizations often avoid formal structure in the name of flexibility. That habit becomes dangerous in cyber security. If nobody clearly owns risk, nobody closes it.
What this leader is not
Your designated leader is not expected to configure detection tools, inspect code, or personally investigate every alert. The role is governance-centered.
That means asking direct questions such as:
- Who approved this vendor access?
- Where is investor data stored?
- How quickly would we know if a core workflow was compromised?
- Who speaks for management if an incident affects operations?
That is what effective leaders in cyber security do in a CEF setting. They create accountability where small organizations often rely too heavily on assumptions.
Essential Competencies for Your Designated Leader
The best designated security leaders aren't always drawn from IT. In many CEFs, the strongest candidate is the executive who already understands controls, exceptions, approvals, audit evidence, and operational risk.
That person doesn't need to become very technical. They do need enough fluency to challenge weak answers.

MIT xPRO frames the role well. Effective technical leaders understand how systems are constructed, how to detect breaches, and how to implement policies for long-term resilience, as described in MIT xPRO's cyber security leadership program overview. For a CEF, that means your leader needs enough depth to question architecture and control design, even if an outside provider does the hands-on work.
The skills that matter most
A capable designated leader should bring four competencies to the table: risk translation, access discipline, vendor interrogation, and enough technical fluency to test the answers they are given.
Risk translation
Security vendors often speak in technical shorthand. Boards don't.
Your leader must translate statements like “privileged access is federated but logging retention is inconsistent” into plain business language such as, “An administrator could make a material change and we may not be able to reconstruct the event cleanly later.”
That's a board skill, not a coding skill.
Access discipline
Most CEF incidents won't start with advanced tactics. They'll start with ordinary failures. Shared credentials. Poor offboarding. Excessive permissions. Weak approval paths.
A useful reference for management teams reviewing this area is access control best practices for financial systems. The point isn't to memorize terms. It's to make sure the designated leader can ask who has access, why they have it, and who reviews it.
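The questions in this section (who has access, why, and who reviews it) can be answered from two exports most funds already have: the HR roster and the identity provider's account list. The following is an added example, not code from the original article or from any product it mentions. It joins a constructed HR roster against a constructed account export and surfaces the ordinary failures named above: an account still enabled after termination, a privileged account with no named owner, and privileged access that nobody has reviewed within the policy window. The field names and the 90-day review window are assumptions; adjust them to your own exports and policy.

```python
"""Access-review reconciliation for a small finance team.

Added example; the roster, account list, and field names are
constructed assumptions, not a real identity or HR export.
"""
from datetime import date

# Constructed HR roster keyed by employee id (assumed fields).
HR_ROSTER = {
    "E100": {"name": "A. Ortiz", "status": "active", "term_date": None},
    "E101": {"name": "B. Chen", "status": "terminated", "term_date": date(2024, 3, 15)},
    "E102": {"name": "C. Patel", "status": "active", "term_date": None},
}

# Constructed identity-provider export (assumed fields). owner_id is the
# employee accountable for the account; None means nobody is named.
ACCOUNTS = [
    {"account": "aortiz", "owner_id": "E100", "privileged": True, "enabled": True, "last_review": date(2024, 1, 10)},
    {"account": "bchen", "owner_id": "E101", "privileged": False, "enabled": True, "last_review": date(2024, 1, 10)},
    {"account": "cpatel", "owner_id": "E102", "privileged": False, "enabled": True, "last_review": date(2024, 4, 1)},
    {"account": "ach-shared", "owner_id": None, "privileged": True, "enabled": True, "last_review": None},
    {"account": "svc-backup", "owner_id": "E102", "privileged": True, "enabled": True, "last_review": date(2024, 4, 1)},
]


def review_access(roster, accounts, as_of, privileged_review_days=90):
    """Return a list of findings, each a dict with account, issue, detail."""
    findings = []
    for acct in accounts:
        name = acct["account"]
        owner_id = acct["owner_id"]
        owner = roster.get(owner_id) if owner_id else None

        # Offboarding failure: the named owner is gone but the account still works.
        if acct["enabled"] and owner_id and owner is None:
            findings.append({"account": name, "issue": "owner_not_in_roster",
                             "detail": f"owner {owner_id} missing from HR roster"})
        if acct["enabled"] and owner and owner["status"] == "terminated":
            days = (as_of - owner["term_date"]).days
            findings.append({"account": name, "issue": "enabled_after_termination",
                             "detail": f"{owner['name']} terminated {days} days ago"})

        if acct["privileged"]:
            # Shared or service accounts with elevated rights need a named owner.
            if owner_id is None:
                findings.append({"account": name, "issue": "privileged_without_owner",
                                 "detail": "no accountable person recorded"})
            # Privileged access must be re-justified on a schedule.
            last = acct["last_review"]
            if last is None:
                findings.append({"account": name, "issue": "privileged_review_overdue",
                                 "detail": "never reviewed"})
            elif (as_of - last).days > privileged_review_days:
                findings.append({"account": name, "issue": "privileged_review_overdue",
                                 "detail": f"last reviewed {(as_of - last).days} days ago"})
    return findings


def summarize(findings):
    """Count findings by issue type; this is the number a board packet needs."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ACCOUNTS, as_of=date(2024, 5, 1))
    for f in results:
        print(f"{f['account']:<12} {f['issue']:<30} {f['detail']}")
    print(summarize(results))
```

The value of the exercise is the join, not the script: the moment HR data and identity data sit side by side, the "who reviews it" question stops being an assumption. The summary counts feed the access-governance line of a board scorecard directly.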
Vendor interrogation
A strong leader doesn't accept “we take security seriously” as an answer from a software or service provider. They ask for evidence, dates, scope, and exceptions.
They also know how to separate cosmetic reassurances from real control maturity.
What technical fluency actually looks like
In a CEF context, technical fluency means the leader can hold a productive conversation in these areas:
- System design: Where are the sensitive records? How do data move between applications? Where are manual exports happening?
- Detection capability: What logs exist? Who reviews them? What would trigger escalation?
- Resilience: How are backups protected? How would the fund keep operating during a prolonged disruption?
- Policy practicality: Are the written rules usable by staff, or do they live in a binder nobody reads?
A good security leader asks, “Show me the control in operation.” A weak one settles for “We have a policy.”
The wrong profile to avoid
Don't appoint the person who is merely interested in technology. Appoint the person who has judgment, follow-through, and enough institutional standing to push back on convenience.
That usually means someone who already understands segregation of duties, exception handling, month-end pressure, and what happens when a process looks sound on paper but fails under stress. In a CEF, those instincts are often more valuable than specialized jargon.
Governance and Reporting Your Board Can Understand
Most cyber security reporting is badly designed. It overwhelms the board with technical details and hides the actual question. Is the organization reducing meaningful risk in a disciplined way?
Board reporting should answer that question directly.
A useful starting point is to treat cyber security as a data problem. Leaders who normalize and correlate information from identity systems, endpoints, network activity, and financial workflows can detect weak signals that isolated systems miss, as discussed in the Stellar Cyber founder interview on cyber security as a data problem. For a CEF, that principle matters because your risk often sits between systems, not inside one application.
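To make the "between systems" point concrete, here is an added example that is not from the original article or from Stellar Cyber. It correlates two constructed log streams, sign-in events from an identity provider and actions from a payment workflow, and raises three signals that neither log would show on its own: the same person created and approved an ACH batch, a payment went out shortly after a vendor's bank details were changed, and an approval was made from a session whose sign-in came from an IP address the approver has never used before. The log format, field names, the 24-hour window, and the list of known IP addresses are all assumptions.

```python
"""Cross-system correlation of identity and payment-workflow events.

Added example. Both logs below are constructed JSON-lines samples with
assumed field names; the rules are illustrative, not a vendor's product.
"""
import json
from datetime import datetime, timedelta

# Constructed identity-provider sign-in log (assumed fields).
IDENTITY_LOG = """\
{"ts":"2024-05-06T08:02:00","user":"aortiz","event":"signin","ip":"203.0.113.10","result":"success"}
{"ts":"2024-05-06T08:05:00","user":"cpatel","event":"signin","ip":"203.0.113.11","result":"success"}
{"ts":"2024-05-06T13:40:00","user":"aortiz","event":"signin","ip":"198.51.100.77","result":"success"}
"""

# Constructed payment-workflow audit log (assumed fields).
PAYMENT_LOG = """\
{"ts":"2024-05-06T09:10:00","user":"cpatel","action":"vendor_bank_change","payee":"Roof Co"}
{"ts":"2024-05-06T10:00:00","user":"cpatel","action":"ach_create","payee":"Roof Co","amount":48200.00,"batch":"B-17"}
{"ts":"2024-05-06T10:05:00","user":"cpatel","action":"ach_approve","payee":"Roof Co","amount":48200.00,"batch":"B-17"}
{"ts":"2024-05-06T13:30:00","user":"cpatel","action":"ach_create","payee":"Grace Church","amount":12000.00,"batch":"B-18"}
{"ts":"2024-05-06T14:00:00","user":"aortiz","action":"ach_approve","payee":"Grace Church","amount":12000.00,"batch":"B-18"}
"""

# Assumed baseline of addresses each approver normally signs in from.
KNOWN_IPS = {"aortiz": {"203.0.113.10"}, "cpatel": {"203.0.113.11"}}


def parse(log_text):
    """Parse JSON lines into dicts with real timestamps, oldest first."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def last_signin_before(signins, user, ts):
    """Most recent successful sign-in for user at or before ts, or None."""
    matches = [s for s in signins if s["user"] == user and s["result"] == "success" and s["ts"] <= ts]
    return matches[-1] if matches else None


def correlate(identity_log, payment_log, known_ips, change_window=timedelta(hours=24)):
    """Return a list of alerts; each has rule, batch, and a plain-language detail."""
    signins = [e for e in parse(identity_log) if e["event"] == "signin"]
    alerts = []
    creators = {}      # batch -> user who created it
    bank_changes = []  # vendor bank-detail changes seen so far

    for p in parse(payment_log):
        if p["action"] == "vendor_bank_change":
            bank_changes.append(p)
        elif p["action"] == "ach_create":
            creators[p["batch"]] = p["user"]
        elif p["action"] == "ach_approve":
            # Rule 1: segregation of duties within the payment system alone.
            if creators.get(p["batch"]) == p["user"]:
                alerts.append({"rule": "sod_same_user", "batch": p["batch"],
                               "detail": f"{p['user']} both created and approved batch {p['batch']}"})
            # Rule 2: payment shortly after the payee's bank details changed.
            for c in bank_changes:
                if c["payee"] == p["payee"] and timedelta(0) <= p["ts"] - c["ts"] <= change_window:
                    alerts.append({"rule": "payment_after_bank_change", "batch": p["batch"],
                                   "detail": f"{p['payee']} bank details changed at {c['ts']:%H:%M}, paid at {p['ts']:%H:%M}"})
            # Rule 3: needs the identity log. Was the approver's session normal?
            s = last_signin_before(signins, p["user"], p["ts"])
            if s is None or s["ip"] not in known_ips.get(p["user"], set()):
                where = s["ip"] if s else "no recorded sign-in"
                alerts.append({"rule": "unfamiliar_approval_session", "batch": p["batch"],
                               "detail": f"{p['user']} approved from {where}"})
    return alerts


if __name__ == "__main__":
    for a in correlate(IDENTITY_LOG, PAYMENT_LOG, KNOWN_IPS):
        print(f"{a['rule']:<28} {a['batch']:<6} {a['detail']}")
```

Rule 3 is the one the text is really about: the payment system sees a valid approval and the identity system sees a valid sign-in, and only by joining them on user and time does a session from an unfamiliar address attached to a money movement become visible. A managed service provider can run this kind of logic for you, but management should know which of these joins exist.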
What a quarterly board report should include
A board packet doesn't need technical noise. It needs concise, repeatable oversight categories.
Include these items every quarter:
- Incident summary with plain-language descriptions of any events, near misses, or vendor issues that affected operations or required escalation
- Training and awareness status showing whether staff, contractors, and board members completed assigned cyber training
- Access review status focused on privileged accounts, terminations, and unresolved permission issues
- Vendor oversight update covering material findings, missing documentation, remediation items, and concentration risk
- Business continuity readiness including backup validation, tabletop exercise status, and dependency concerns
- Open risk register items with owner, due date, and board-level decisions required
The right way to present metrics
Most boards don't need dozens of metrics. They need a short set that ties to governance and mission protection. If a metric doesn't support a decision, remove it.
A helpful governance reference for structuring oversight expectations is the FFIEC IT Handbook overview for financial institutions. Even if your CEF isn't examined like a bank, the discipline is useful. It pushes reporting toward controls, oversight, and accountability.
Here is a practical board-level scorecard.
| KPI Category | Metric | Target | Why It Matters |
|---|---|---|---|
| Access governance | Privileged user accounts reviewed on schedule | All reviews completed and documented | Confirms elevated access is still justified |
| Workforce readiness | Staff security training completion | Full participation with follow-up on exceptions | Reduces avoidable human error |
| Vendor oversight | Critical vendors with current security documentation on file | Current for every critical vendor | Shows third-party risk is being actively managed |
| Incident readiness | Incident response plan review and tabletop status | Current plan and recent exercise completed | Tests whether leadership can act under pressure |
| Remediation | High-priority findings closed within internal deadline | No overdue high-priority items without approved exception | Keeps known weaknesses from lingering |
| Data protection | Sensitive investor and borrower data mapped to approved systems | No unmanaged storage locations | Limits exposure from shadow processes |
Boards don't need more dashboards. They need fewer surprises.
What not to send upstairs
Don't send raw vulnerability lists, dense system logs, or long vendor questionnaires unless a committee specifically requests backup detail. Those materials belong below the board level.
A board should receive a summary that answers five plain questions:
- What are the top risks right now?
- Who owns them?
- What progress was made?
- Where are we behind?
- What decision or support does management need?
That reporting style does two things. It improves oversight, and it forces management to think clearly.
How to Evaluate Security in Your Critical Vendors
For most Church Extension Funds, vendor risk is the primary cyber security battlefield. Core systems, cloud storage, payment processors, managed IT providers, statement platforms, and outsourced support staff all sit close to your data and operations.
If a critical vendor has weak leadership in cyber security, your fund inherits that weakness.

Ask for evidence, not reassurance
Every vendor says security matters. That statement is worthless without documentation.
When evaluating a core vendor, ask for:
- Independent audit documentation such as a current SOC 2 Type II report (a Type I only attests control design at a point in time; a Type II tests whether controls operated over a period), along with a bridge letter if the report period has lapsed and management responses to any notable exceptions
- Encryption practices for data at rest and in transit, stated clearly enough that your team can understand where protection applies, who holds the keys, and where your data is handled in the clear, such as during processing, in exports, or in support staff tooling
- Incident response documentation that explains notification expectations, escalation paths, and customer communication
- Access control standards for vendor staff, especially administrators and support personnel
- Backup and continuity procedures that address service restoration and customer-impact scenarios
- Data location and subcontractor details so you know where your information is processed and who else can touch it
For teams preparing those requests, a practical SOC 2 audit checklist for software due diligence can help standardize what you collect and review.
Focus on leadership behavior, not just controls
A mature vendor usually answers security questions in an organized, transparent way. An immature one stalls, deflects, or sends marketing language.
Pay attention to signs of leadership quality:
- Clarity: Do they explain controls plainly, or hide behind jargon?
- Ownership: Can they identify who leads security internally?
- Responsiveness: Do they provide documents promptly and answer follow-up questions directly?
- Candor: Will they acknowledge limitations, remediation work, or scope boundaries?
If a vendor becomes defensive during reasonable security due diligence, assume the operating relationship will get worse during an actual incident.
A board-level vendor checklist
When management brings a critical vendor recommendation to the board or a committee, the package should answer these questions:
- What data or workflow would this vendor handle?
- What would happen operationally if the vendor were unavailable?
- What security evidence did management review?
- What unresolved issues remain?
- What contractual protections or notification requirements are in place?
- What is the exit plan if the relationship fails?
That final question is often ignored. It shouldn't be. A vendor that is easy to buy but hard to exit holds considerable leverage over your fund.
Apply the same discipline to long-time providers
Legacy relationships can be more dangerous than new ones. Boards often assume that a provider used for many years must be safe. That assumption has no control value.
Re-underwrite critical vendors periodically. Review whether their controls, staffing, and support model still fit the sensitivity of the work. If your CEF depends on that provider to issue statements, support investor servicing, maintain records, or facilitate cash workflows, management should be able to defend the relationship with current evidence.
Building a Security Culture that Protects Your Mission
A designated leader matters. Good reporting matters. Vendor oversight matters. None of it holds if staff treat cyber security as somebody else's job.
That's why the strongest leaders in cyber security build culture, not just controls.

NASCIO's guidance on cyber security in underserved communities makes an important point: security leadership depends on inclusive execution, meaning leaders must adapt controls, training, and governance to environments that don't have enterprise-level staffing or budgets. That maps directly to the CEF world.
You may have a lean staff, long-tenured employees, part-time support, and heavy dependence on trust. Culture has to account for that reality.
Make security usable for ordinary staff
If policies are too technical, staff won't use them. If training is generic, people will ignore it. If mistake reporting feels punitive, incidents will stay hidden.
A workable CEF culture uses plain rules:
- Pause before payment changes and verify requests through a second channel
- Report suspicious messages early without fear of embarrassment
- Use approved systems only for investor, borrower, and payment data
- Escalate unusual access requests instead of making informal exceptions
This is basic operational discipline. It's also ministry protection.
Train for behavior, not box-checking
Annual training alone won't create a strong culture. Short reminders tied to real tasks work better. Focus on invoice changes, wire or ACH approvals, login prompts, shared files, and offboarding.
For leaders thinking about how values shape behavior, this HR guide to cultural excellence is useful because it reinforces a broader truth. Culture changes when expectations are made visible, reinforced consistently, and modeled by leadership.
Staff watch what leaders do. If executives bypass controls for convenience, everyone else learns that speed outranks stewardship.
Build a reporting culture, not a blame culture
Every CEF should want employees to raise a hand quickly when something feels off. That includes a suspicious email, a misdirected attachment, a failed login pattern, or an unusual vendor request.
Leaders can encourage that by doing three things:
- Thank people for reporting even when the issue turns out to be harmless.
- Respond quickly so reporting feels worthwhile.
- Correct privately and improve publicly so lessons are shared without humiliating staff.
A culture of silence is expensive. It allows small issues to become operational ones.
Keep the mission in view
Church Extension Funds exist to serve churches, investors, and borrowers faithfully. Cyber security supports that mission by protecting continuity, confidentiality, and confidence.
That's the frame I'd urge every board to adopt. Don't treat security as a technical burden imported from the corporate world. Treat it as a modern expression of stewardship. The same discipline that protects cash, reconciles accounts, and documents approvals should also protect the systems that carry your work.
When boards and executives lead that way, cyber security becomes manageable. Not easy. Not finished. But governed.
If your fund is ready to reduce operational risk by replacing fragmented processes with a platform built for Church Extension Funds, take a close look at CEFCore. It brings loans, investor notes, general ledger, cash operations, reporting, and security controls into one purpose-built environment so leadership can govern with better visibility, cleaner workflows, and stronger protection of the mission entrusted to them.