Internews continued the virtual Organizational Security Village today with community-led sessions targeting security auditors, digital security trainers, and other experts and practitioners.
Sessions on Day 3 explored OrgSec in Practice. Highlights included:
- An interactive session discussing the ways and sources through which we can learn and share more about threats affecting at-risk groups and individuals.
- A deep look at the main issues that OrgSec and other projects encounter at the planning and implementation stages, and what we can do to minimise such problems.
- The first part of a wider discussion on how to make our assessments more effective by better understanding our needs and those of our stakeholders.
- An exploration of the various adaptations OrgSec practitioners have deployed during the COVID-19 pandemic.
- A collaborative session to identify emerging challenges and map strategies and best practices for providing remote training of trainers (ToTs).
- A review of core principles for ensuring sustainability in security projects.
- A round of feedback sessions offering design and UX support for tools and resources supporting the OrgSec community.
Key takeaways from the discussions included:
It’s not that easy to access threat intelligence. Much of it is segmented and fragmented, or hidden behind paywalls. Additionally, there’s little threat intelligence that specifically focuses on civil society targets. As such, the community has many different ways of accessing it - from places such as social media sites and YouTube videos to results of forensic investigations and incident response. We need to invest more time and effort into trainings around malware research, intelligence sharing, threat analysis, and pentesting.
Our OrgSec projects must be flexible and adaptable. It’s very common for project priorities to shift once you’re a couple of months in. As such, it’s crucial to be able to change the project’s plans midway through, communicate actively about this with partners and donors, and focus on targets and indicators that are grounded in the needs of the local community. Trust is key to any project, but especially important for those which need to adapt their scope and priorities - as such, it’s crucial to listen to and engage partners, donors, and team members at every stage of the project implementation process.
One of the main reasons people don’t pursue more secure workflows is that those workflows stop them from simply getting their job done. As such, it’s crucial for our security to be not just prescriptive but also empathetic and focused on listening to the needs of everybody within the organization. Everybody, including the security champions, will come from a different background and perspective.
In the context of COVID-19, OrgSec practitioners must be flexible in their approaches and be prepared to pivot quickly during engagements. Most people are experiencing additional trauma as a result of the pandemic, which can impact their ability to engage and increases the need for prioritizing wellness during all engagements. From providing funding support to cover data costs to extending virtual trainings or assessments across a longer period of time, it’s often the OrgSec practitioner who needs to adapt to accommodate participants who are already overwhelmed with their usual tasks and assignments.
It is important to make an online Training of Trainers (ToT) as interactive and engaging as possible. This can be achieved by hosting a series of shorter engagements over a longer period of time instead of one long session, utilizing games or scenarios to facilitate learning, assigning “homework” or group projects that allow participants to practice, and inviting participants to connect and share on collaborative tools and platforms.
Building trust, establishing community ownership, and using tools that will live beyond the life of a project are several strategies to help ensure the sustainability of your security project. It can also be useful to diversify providers (making sure the burden of community security does not fall on one single individual or organization) and to focus on establishing processes that encourage long-term behavior change, ongoing sharing of threat data, and prevention efforts in addition to incident response.
Our final day of sessions will focus on OrgSec in Practice, Advanced Threats, and more! Check back here for the daily recap!