Identity-First Security: Protecting Access, Trust, and Mission

By Mary Beth Foster, TPF’s Vice President & Treasurer

At Texas Presbyterian Foundation, protecting the resources, relationships, and information entrusted to churches and nonprofits is part of faithful service. In today’s digital world, that protection includes cybersecurity.

In a previous TPF blog post, “Cybersecurity Starts with People,” I shared that strong cybersecurity begins with awareness, leadership, clear reporting, and practical habits that help staff and volunteers make wise decisions. Identity-First Security builds on that same idea by focusing on one essential question: Who should have access?

For many years, cybersecurity centered on protecting the network perimeter. Firewalls and other tools helped defend what was inside an organization from outside threats. But the way churches and nonprofits work has changed. Cloud-based systems, online giving platforms, mobile devices, remote work, vendors, and shared digital tools have made access more complex.

Identity-First Security places identity at the center of protection. It verifies each user, device, application, or system before access is granted. Instead of asking only where someone is logging in from, it asks whether that person or system should have access in the first place.

This matters for churches and nonprofits because they often manage sensitive information, including donor records, financial data, employee information, ministry communications, and confidential relationships. Access may be needed by staff, volunteers, board members, vendors, and ministry partners, but not everyone needs the same level of access.

An identity-first approach helps ensure that the right people have the right access at the right time. It is supported by practical tools such as:

• Multi-factor authentication, or MFA, which adds protection beyond a password.
• Identity and access management, or IAM, which helps organizations assign, manage, and review user permissions.
• Privileged access management, or PAM, which provides added oversight for accounts with administrative or elevated access.
• Customer or constituent identity and access management, or CIAM, which helps protect access for donors, members, clients, partners, or others who interact with an organization’s digital systems.

These tools also support the principle of least privilege, meaning users receive only the access they need to do their work. That simple idea can significantly reduce risk.

The connection between these two important topics is simple: people-first cybersecurity creates the culture, and identity-first security puts that culture into practice. One helps staff and leaders understand their role in protecting the organization. The other helps ensure access to systems and information is intentional, appropriate, and secure.

For churches and nonprofits, cybersecurity is not just a technical issue. It protects trust, supports mission, and helps organizations continue serving with confidence.

Cybersecurity starts with people. Identity-First Security helps protect the people, information, and mission at the heart of that work. If you haven’t already seen it, CLICK HERE to check out our recent “Cybersecurity Starts with People” blog.