CyberCAN: A Roadmap for Municipal Support of Cybersecurity
Sarah Powazek, Shannon Pierson
BSidesSF 2025 — Here Be Dragons · Day 2 · Main
Researchers Sarah Powazek and Shannon Pierson from UC Berkeley's Center for Long-Term Cybersecurity surveyed 68 San Francisco nonprofits and found that 85% had suffered at least one cyberattack, over half had no full-time IT staff, 75% collect social security numbers, and the ratio of IT staff to total employees is 1:96 — nearly three times worse than the nonprofit sector average. Their research, conducted with San Francisco's Department of Technology, produced six concrete recommendations for how cities can use their unique position as conveners, grantmakers, and technical resources to dramatically improve cybersecurity outcomes for the nonprofits that provide critical public services. ---
AI review
Legitimate research with real survey data — 68 San Francisco nonprofits, 85% attack rate, 1:96 IT-to-staff ratio — and six specific policy recommendations directed at a city government with the actual authority to implement them. The finding that nonprofits without IT staff are statistically less likely to use MSPs, not more, is the most counterintuitive and important data point. The impact ceiling is bounded by the policy audience.