Roles in organizational digital security
this session is building on the previous one. see those notes for more context.
organizational digital security - digital security for groups of people working together. as small as a 6 person collective to a funder driven project for a group of 100 people.
yesterday we talked about different processes. we came up with a lot of different roles.
roles that we identified previously - our vision of the roles can be limited (just techies, just trainers). facilitator, internal champions, leadership sponsors,
GROUNDING is integral: concerns, values, harm reduction, holistic, collective process. A facilitator, or many, is a needed role for this piece. Can be external, but lack of resources OR needing to get people interested before being able to start, can require internal facilitators. looking at organizational culture can be useful to help with the grounding.
Internal champions, leadership sponsors - keep reminding people why this is important, why we need to do this.
DIGITAL INVENTORY is the next step. Role needed can be the internal champion/leadership sponsor person, but needs to be someone. You may want to consult with a technical-oriented person, to help flush out hidden pockets of work.
RISK ASSESSMENT is next. Helps you narrow down your adversaries and then prioritize. Participants
In all these steps, it is very helpful to have someone who is thinking about digital security. Expertize may not be needed up to this point, it could all be done internally.
these are the rest of the steps, which are covered in detail in previous session notes
ANALYSIS & RECOMMENDATIONS
RINSE & REPEAT
other roles we came up with - tech implementers, tech advisors, trainers, documentation writers, internal ops or IT holders,
since people leave, new ones come in. having documentation can help orient people.
how to get more folks into those roles?
how to create a community of practice, so that we can rise to meet the huge needs. people doing similar work, sharing resources, offering support to each other.
interests from the participants - support community groups, accidental digital security consultant, doing it (wrong) for a long time, in charge of doing digital security trainings (expiring links to docs have been a challenge), been in the space for a long time - excited about seeing the democratization of the process, side interest and does our service provider group need to know more about this, responsible for security best practices for our org and believe that the individuals need it too, been hard for my org to develop a robust culture of this practice.
hw do we help people do this? what kind of support do we need?
EFF - trainings for free, robust website. accessible digital security trainings - free, location,
time - orgs need time to deout to it
people power, people resources
support group - changing organiation culture can be really hard. how to get support
tough love - an org that got phished was then suddenly really able to change the culture
technics - an example could be how to do testing people. can we send phishing emails to staff, to test whether they are paying attention? Q A help.
click-through rates. if a typical non-profit rate is 10% and ours is 47%, is management okay with that?
data exposure tests - can we look at our data, the sahreable links we sent, what percentage has PII?
PII - personally identifiable information
language specific documentation - language appropriate documentation - organizational appropriate matrix of resources (if you are this type of org, these set of
the universe tech presentation, ysenia?, might be a useful model for this org matric suggestion
email list - there is one that is int'l, highly technical, that maybe we could join up in. or do we start an email list that starts with just us?
quarterly meeting perhaps, online, instead of a hard to follow email list. where people can share things they have learned, challenges, etc.
an email list was created last year, cooperating trainers, that we can add people to.
how about a "backchannel" conversation space about things like funder decisions, community analysis, assessment of what is going on
ford has hired the engine room (int'l non profit doing celebrity digital security stuff, maybe also build things, not clear what they do) to do this, an assessment of our community. not having a process for looking at at out community from the inside, this is happening with external players.
mailing list - how secure is that? are we living our values?
what is the danger with non-movement people identifying and then implementing the "solutions" for movement
sharing and collaborating on curriculum an resources - github, creative commons, get better at sharing