Security Practitioner Conversation

From DevSummit
Jump to navigation Jump to search

Session: Call to all information security trainers and capacity builders at DevSummit 19! Let's make a list of all the sessions and discussions we want to have!

Beyond trainings: What is needed to support organizations sustainably and in the long term beyond trainings?

Entering the training practice: How to access knowledge and who does have access to it?

How can information security trainers support each other? Let's make a list of shared efforts that can help us all

How to shift education culture to improve digital security in organizations

How can information security trainers establish standards, boundaries, no-harm approach in their practice?

How to set and manage expectations when providing information security training?


  • Go around of why this session was chosen.
    • Concerned about quality of training provided to orgs on the ground.
  • Follow up interested in is
    • What do you do collect feedback. What was useful?
      • Want to have a long term engagement. how to continue being in touch
  • Need to help members be secure. Hold workshops on various digital security topics for older adults.
  • Ongoing support for orgs improving their security
  • One off training is a start instead of a finish.
  • Pre-training: Be intentional on what you train on.
    • Is it important?
    • Does the org have capacity to take on changes?
    • What are the highest priority risks that org is facing?
    • Is the content of the training actionable?
  • After training
    • Clear tech support process.
      • Who to go to if there's a problem or need question answered, especially true of security.
        • Written materials are great for that
        • Having a person is important.
        • People doing practices need time to practice them.
        • Possible to have a peer champion. An internal champion who can potentially field answers to questions and if not, escalate.
        • Building more knowledge into the org.
  • There were plans to do training in secure comms.
    • Training was going to be a DIY online training.
    • It sounded fishy, a "check the box" action.
    • There was never a follow up. No check up if someone remembered what to do. How do we know if people learn anything from it?
    • How do you know if training is contextualized to needs fo audience.
    • Creates a false sense of security.
    • What's the intentionality of this type of training?
    • What outcomes are they looking for and for whom?
  • Issues:
    • Not enough hours in the day.
    • No time for people to participate in follow up.
    • Trainers need time as well as trainees.
    • Need time to plan for relationship.
    • Sometimes difficult to find trainers who also speak the language.
  • How can we build more capacity in the field? Security trainers who take a long term relationship approach.
  • In person follow is valuable.
  • May be easier to obtain time with program vs entire org.
  • Evaluation of training
    • What would you change?
    • How are tools used, type of evaluation form.
    • Would be good to see more practical and consistent tools for training evaluations.
    • What are some things that have changed in this area?
  • If outcomes are clear on what is wanted from training, it's easy to ask if XXX tool is being used.
  • Ongoing relationship helps trainer obtain feedback.
  • How do you make them long term/nurture them?
  • Say no to 1 time training. Offer long term support in place of 1 time training.
  • Orgs have specific requests for trainings, specific times to have everyone in the room.
  • What would be most effective format to provide training?
  • Work with org to determine if outcome is worth it.
  • If orgs are only willing to only invest 2 hours then how important is security to them?
    • An org wanted 3 1hour trainings so training was crafted to lay the groundwork.
  • Identify what group is already good at.
  • What does safety and security mean in your community?
    • A framework is important that's based in harm reduction.
    • Can't eliminate every threat.
    • Physical, emotional, mental well being as well as digital.
    • Stress that it's an ongoing process that needs to be repeated.
  • Data assessment: What is the data? Where is it stored?
  • Then risk assessment: ID what people are going to get at.
  • After is a report of analysis.
  • Then implementation.
  • Grounding session is a training but training is done during implementation.
  • Identify needs. e.g. VPN, anti-doxing, etc.
  • How is follow up done?
  • Getting password management and enforced 2FA is achievable.
  • Follow up can be as friendly/simple as "How are you?"
  • An email is circulated every 3 months as a reminder that the ED will NOT ask for you for money.
  • For phone scams, people are trained to state they will call the institution (bank, etc) back.
  • What does evaluation mean or is it more meaningful to have a long term relationship?