Security Practitioner Conversation

From DevSummit

Session: Call to all information security trainers and capacity builders at DevSummit 19! Let's make a list of all the sessions and discussions we want to have!

Beyond trainings: What is needed to support organizations sustainably and in the long term beyond trainings?

Entering the training practice: How to access knowledge and who does have access to it?

How can information security trainers support each other? Let's make a list of shared efforts that can help us all

How to shift education culture to improve digital security in organizations

How can information security trainers establish standards, boundaries, no-harm approach in their practice?

How to set and manage expectations when providing information security training?


  • Go around of why this session was chosen.
    • Concerned about quality of training provided to orgs on the ground.
  • Interested in follow-up:
    • What do you do to collect feedback? What was useful?
      • Want to have a long-term engagement; how to continue being in touch?
  • Need to help members be secure. Hold workshops on various digital security topics for older adults.
  • Ongoing support for orgs improving their security
  • One off training is a start instead of a finish.
  • Pre-training: Be intentional on what you train on.
    • Is it important?
    • Does the org have capacity to take on changes?
    • What are the highest priority risks that org is facing?
    • Is the content of the training actionable?
  • After training
    • Clear tech support process.
      • Who to go to if there's a problem or a question needs answering; especially true of security.
        • Written materials are great for that
        • Having a person is important.
        • People doing practices need time to practice them.
        • Possible to have a peer champion. An internal champion who can potentially field answers to questions and if not, escalate.
        • Building more knowledge into the org.
  • There were plans to do training in secure comms.
    • Training was going to be a DIY online training.
    • It sounded fishy, a "check the box" action.
    • There was never a follow up. No check up if someone remembered what to do. How do we know if people learn anything from it?
    • How do you know if training is contextualized to the needs of the audience?
    • Creates a false sense of security.
    • What's the intentionality of this type of training?
    • What outcomes are they looking for and for whom?
  • Issues:
    • Not enough hours in the day.
    • No time for people to participate in follow up.
    • Trainers need time as well as trainees.
    • Need time to plan for relationship.
    • Sometimes difficult to find trainers who also speak the language.
  • How can we build more capacity in the field? Security trainers who take a long term relationship approach.
  • In-person follow-up is valuable.
  • May be easier to obtain time with program vs entire org.
  • Evaluation of training
    • What would you change?
    • How are tools used? What type of evaluation form is used?
    • Would be good to see more practical and consistent tools for training evaluations.
    • What are some things that have changed in this area?
  • If outcomes are clear on what is wanted from training, it's easy to ask if XXX tool is being used.
  • Ongoing relationship helps trainer obtain feedback.
  • How do you make them long term/nurture them?
  • Say no to 1 time training. Offer long term support in place of 1 time training.
  • Orgs have specific requests for trainings, specific times to have everyone in the room.
  • What would be most effective format to provide training?
  • Work with org to determine if outcome is worth it.
  • If orgs are only willing to invest 2 hours, then how important is security to them?
    • An org wanted three 1-hour trainings, so the training was crafted to lay the groundwork.
  • Identify what group is already good at.
  • What does safety and security mean in your community?
    • A framework is important that's based in harm reduction.
    • Can't eliminate every threat.
    • Physical, emotional, mental well being as well as digital.
    • Stress that it's an ongoing process that needs to be repeated.
  • Data assessment: What is the data? Where is it stored?
  • Then risk assessment: identify what adversaries are likely to go after.
  • After is a report of analysis.
  • Then implementation.
  • Grounding session is a training but training is done during implementation.
  • Identify needs. e.g. VPN, anti-doxing, etc.
  • How is follow up done?
  • Getting password management and enforced 2FA is achievable.
  • Follow up can be as friendly/simple as "How are you?"
  • An email is circulated every 3 months as a reminder that the ED will NOT ask you for money.
  • For phone scams, people are trained to state they will call the institution (bank, etc) back.
  • What does evaluation mean or is it more meaningful to have a long term relationship?