Security Practitioner Conversation

From DevSummit

Latest revision as of 08:38, 30 December 2019

Session: Call to all information security trainers and capacity builders at DevSummit 19! Let's make a list of all the sessions and discussions we want to have!

Beyond trainings: What is needed to support organizations sustainably and in the long term beyond trainings?

Entering the training practice: How to access knowledge and who does have access to it?

How can information security trainers support each other? Let's make a list of shared efforts that can help us all

How to shift education culture to improve digital security in organizations

How can information security trainers establish standards, boundaries, no-harm approach in their practice?

How to set and manage expectations when providing information security training?


  • Go around of why this session was chosen.
    • Concerned about quality of training provided to orgs on the ground.
  • Follow up is what we are interested in.
    • What do you do to collect feedback? What was useful?
      • Want to have a long term engagement. How to continue being in touch?
  • Need to help members be secure. Hold workshops on various digital security topics for older adults.
  • Ongoing support for orgs improving their security
  • One off training is a start instead of a finish.
  • Pre-training: Be intentional on what you train on.
    • Is it important?
    • Does the org have capacity to take on changes?
    • What are the highest priority risks that org is facing?
    • Is the content of the training actionable?
  • After training
    • Clear tech support process.
      • Who to go to if there's a problem or need question answered, especially true of security.
        • Written materials are great for that
        • Having a person is important.
        • People doing practices need time to practice them.
        • Possible to have a peer champion. An internal champion who can potentially field answers to questions and if not, escalate.
        • Building more knowledge into the org.
  • There were plans to do training in secure comms.
    • Training was going to be a DIY online training.
    • It sounded fishy, a "check the box" action.
    • There was never a follow up. No check up if someone remembered what to do. How do we know if people learn anything from it?
    • How do you know if training is contextualized to the needs of the audience?
    • Creates a false sense of security.
    • What's the intentionality of this type of training?
    • What outcomes are they looking for and for whom?
  • Issues:
    • Not enough hours in the day.
    • No time for people to participate in follow up.
    • Trainers need time as well as trainees.
    • Need time to plan for relationship.
    • Sometimes difficult to find trainers who also speak the language.
  • How can we build more capacity in the field? Security trainers who take a long term relationship approach.
  • In person follow up is valuable.
  • May be easier to obtain time with program vs entire org.
  • Evaluation of training
    • What would you change?
    • How are tools used, type of evaluation form.
    • Would be good to see more practical and consistent tools for training evaluations.
    • What are some things that have changed in this area?
  • If outcomes are clear on what is wanted from training, it's easy to ask if XXX tool is being used.
  • Ongoing relationship helps trainer obtain feedback.
  • How do you make them long term/nurture them?
  • Say no to 1 time training. Offer long term support in place of 1 time training.
  • Orgs have specific requests for trainings, specific times to have everyone in the room.
  • What would be most effective format to provide training?
  • Work with org to determine if outcome is worth it.
  • If orgs are only willing to invest 2 hours, then how important is security to them?
    • An org wanted three 1-hour trainings, so the training was crafted to lay the groundwork.
  • Identify what group is already good at.
  • What does safety and security mean in your community?
    • A framework is important that's based in harm reduction.
    • Can't eliminate every threat.
    • Physical, emotional, mental well being as well as digital.
    • Stress that it's an ongoing process that needs to be repeated.
  • Data assessment: What is the data? Where is it stored?
  • Then risk assessment: identify what people are going to go after.
  • After is a report of analysis.
  • Then implementation.
  • Grounding session is a training but training is done during implementation.
  • Identify needs. e.g. VPN, anti-doxing, etc.
  • How is follow up done?
  • Getting password management and enforced 2FA is achievable.
  • Follow up can be as friendly/simple as "How are you?"
  • An email is circulated every 3 months as a reminder that the ED will NOT ask you for money.
  • For phone scams, people are trained to state they will call the institution (bank, etc) back.
  • What does evaluation mean or is it more meaningful to have a long term relationship?