Tuesday, August 26, 2008


How amusing is it that platform is the dominate meme for this blog?

Monday, August 18, 2008

What is Donor Management Software?

So NTEN decided not to include CiviCRM as a listing in their Donor Management Survey. On the face of it, that was an OK decision because CiviCRM wasn't specifically designed as donor management software.

That kind of made sense to me, plus we have plenty enough users that use CiviCRM that we'll have just as many responses as the named systems. [If you use CiviCRM for donor management, Vote Now!]

Then they modified the front page of the survey to define donor management and I started thinking this is another conflict between the platform solution vs. "best-of-breed". Their definition of donor management is:

1. Manages relationships with current and prospective donors
2. Sends/Tracks correspondence and relationship history
3. Is more than just a donation processor (i.e. PayPal, Google Checkout, DonateNow)
4. Tracks ALL types of monetary gifts (on- and offline, events, etc.)
5. Is available for purchase/download
CiviCRM was probably excluded since it does so many other things, but from CiviCRM v1.0 oh so many years ago we supported each and every on of these "features". But as a platform, we tend not to support "deeper" version of these features... for example, you could track pledges in v1.0, but real useful pledge management / automation functionality had to wait for the current release.

As a platform, we weren't included, but I bet if we called ourselves fundraising software from day one, we would have been.

Platforms like CiviCRM are designed very much on the 80% rule... try to get most of the way there for most of your users. But when you are trying to be a platform for operating a charity, most of the way there for most of your users doesn't look anything like most of the way there for most of your users if you are just building a gifts database. Features for a platform tend to be broad and shallow.

Over time, however, each aspect of the platform becomes deeper and more capable as more users use it, more contributions (code and financial) are made and time simply allows you to get around to a specific piece of functionality.

And finally, there is another reason that CiviCRM doesn't show up on the comparision lists (Techsoup, Aspiration, NTEN, etc.). I think the assumption is that if you can't install it on your Windows PC or access it as SaaS online, it is simply too complex for charity users and therefore shouldn't be put out there as an option. I agree a little with this, but the simple fact is that installing and maintaining a MYSQL application is not beyond an advanced accidental techie... I'm not sure we are helping too much by excluding a high-quality solution for the reason it requires some technical competence to deal with.

Wednesday, August 13, 2008

OK, they get the benefit of the doubt

I've watched Wild Apricot since it came out of the gate and been impressed with their product as a solution for small groups. I've also been impressed with their well thought out blog and they seem like all around good guys.

I see this blog post about how they are going to:

...take a closer look at free and open-source software: the real costs, the barriers, and the trade-offs; some of the best FOSS alternatives to “brand name” software; and online resources to help you make the most of it.
And I start to wonder if it is going to turn into a stealth vendor hit piece / FUD on open source. But as I mentioned, they don't seem like those type of folks, so I'm looking forward to what they write up.

PS, if anyone wants to compete head to head with Wild Apricot using open source software, you could run a CiviCRM-based ASP ;)

Tuesday, August 12, 2008

Manatees of the Tech World: The End of Best-of-Breed

Part of the fun of nonprofit technology is that you always know where it is headed with 100% certainty. Just look at the small & mid-sized enterprise (SME) technology market 5 years ago... that is where nonprofit tech is heading today. [note: that time gap is closing, but is still pretty significant]

You'd think you could make some money with that insight, but I digress.

There are a few great debates in the software world client server vs. SaaS, best-of-breed vs. platform. Nonprofit technology is finally getting its head around SaaS being better than client server. A year or two ago, it became pretty clear that SaaS was the way to deploy applications even though the cost advantages were not what were once pomised--in the SME world. In a couple of years, nonprofits too will just accept SaaS is better than client server-- actually the adoption gap here is far smaller since SaaS addresses a bunch of challenges nonprofits have... the least of which no tech staff.

And now no less a luminary publication than the Wall Street Journal has published the truth, "The End of Best-of-Breed," noting best-of-breed software companies have been bought at fire sale prices.

Such software vendors became known as “best-of-breed,” reflecting a belief that specialists in automating certain business tasks can provide customers with a competitive advantage—at least over companies that use multifunction suites of programs that come from a single vendor.

But there was a problem with this approach: It is hard to get different pieces of software to exchange data, which is necessary to understand everything that is happening in a business, said George Lawrie, an analyst at Forrester Research.

So what does this mean in the nonprofit software space? Be very afraid of Blackbaud Infinity if you are a vendor. Find lots of money to buy Infinity if you are an NPO. Since infinity is the closest thing to a platform we have in the sector.

For the small charities, as always, technology will be a harder nut to crack... yet things like CiviCRM, Wild Apricot and others are approaching the world as a platform so eventually something complete might be avaliable. And then there is Salesforce and NetSuite... if they could release a set of applications on their platform, the smaller organizations would have a pretty fantastic resource.

Monday, August 11, 2008

Thinking about security

So after 5 years, I changed all my basic passwords. Why? I was reminded that some of them were used in less than secure sites and I have been remiss in my regular practice of changing them every year or so.

Recent compromises at TechSoup and Network for Good reminded me that ultimately I am responsible for my own security. It is inevitable that security breeches will happen. Most of the responsibility for dealing with those breeches is on me... when a site is breeched, how much of my online life is vulnerable?

The other part of responsibility is on the provider. How do they react? How do they manage risk? How do they communicate the facts and the implications of those facts? The rather minimizing notifications from providers are a little bit disconcerting: http://techsoup.org/maintenance/page10338.cfm.

I'm not sure there is clear communication going on:

  1. Viruses and malware means "a key logger could have been installed in your computer"
  2. No evidence of download of personal information does not mean the keylogger didn't get your personal information.
You don't want to scare people unecessarily, but I would certainly hope that a mission driven NTAP would err on the side of caution and education rather than delivering what i would call a text-book vendor notification of a breech.

Viruses and malware are used to do little things like capture all your passwords (keyloggers). I saw a great demonstration once of cracking online banking after visiting an infected site.... these are serious issues and I'm not sure that the magnitude of the potential issues is really being communicated to those impacted.

What if viruses and malware are just decoys? I know that most NPO technical services are staffed by competent, well meaning folks. But hard-core security folks that can uncover the *whole* story? Not so much. Without information on what, exactly their response has been, it is hard to have a lot of confidence.

Finally, I think there is something very inevitable about two major NTAPs suffering a compromise of their older, creeky infrastructure... technology changes rapidly... continuous expensive investment is required to keep up with the moving ball. If you can't invest the money and people and time and planning in moving the ball forward, it's time to outsource your efforts.

I will note that both providers have made timid forays into modern technology that can address some of these issues.

Techsoup has used the Drupal open source system for a number of projects. Keeping up-to-date with an open source platform does a huge amount to improve security... the open source community fixes vulnerabilities and staying up to date protects the user.

But why not over the past 3-5 years budget and upgrade to an open source platform?

Network for Good takes another good tack... go to the cloud. They have experimented with Salesforce.com, where Salesforce engineers take responsibility for security and as the cloud gets updated the user is protected.

But why not over the past 3-5 years budget and upgrade all your services to a cloud-based platform?

In the end its all about management. How well do I manage risk by changing my passwords? How well do providers manage risk by investing in their technology infrastructure?