Security practitioners solidarity II

From DevSummit
  • There is no one pathway into this work
  • You can do a lot of training but can't get people to do the things. How do you get people to believe that they should shift that?
  • What are the baselines we want people to do?
    • Password manager
    • Secure internal communications
  • Accidental tech journey: don't fix the printer or else you'll be the default techie in your organization
  • Capitalism thrives in the landscape of security; it's an industry based on fear, militarism. What does that mean as we think about safety and security?
  • How did our skill development happen? What are resources we turn to for skills? Conferences, professional organizations, etc?
    • We can talk about community of practices and skill sharing and keeping it going beyond this conversation
      • Signal group? Mattermost? Element?
  • Self-directed learning runs through our convos; how do we create standards or basics for our work?
    • We need to admit that this is how it's done and the downsides of it so we can look for solutions, get past structural barriers
    • We need this kind of thing for practitioners
    • We are working at the intersection of tech and humanity, which doesn't matter in corporate settings but is necessary when working within nonprofits and community organizations
    • We don't have movement security center organizations/formations/business; they are few and far between (The UC Berkeley program, Vision Change Win)
    • How can we build spaces where we can ask each other for ideas, reflections, advice
  • There's a "tech will cure everything" but hearing some tech skepticism in the room
  • There are lots of things out there that are currently serving the purpose of what we want -- we don't want to reinvent the wheel
    • Been in TeamCommUNITY, orgsec list, but sometimes we don't know how to break into these spaces
    • We try those spaces and somehow they're not working out
    • We try to find each other in alternative spaces -- maybe Mastodon would work? But where?!?
    • What are the spaces designed for our work, specifically organizational digisec
  • Our style of security is very different from what the larger digisec industry does
  • VCW - trainings that cover org security, operational security (opsec), physical security and digisec.
  • How do we shift the security culture in our organizations in movements?
  • How do we think holistically and on a human-level about security?
  • We do train the trainers BUT who trains the trainers who train the trainers?
  • VCW - security school - a rich and rewarding experience to do digisec within that conference, but still
  • There are resources out there but sometimes they are business and corporate-oriented yet still offer good frameworks
  • Existing compliance regulations can't apply in nonprofits; no capacity, no funding, shortage on practitioners
  • Challenge in digisec landscape: thinking back to 2016, there's a frantic rush but then we don't know what happened after that?!? Don't have ways to evaluate security incidents? What does it for real look like in our space?
  • Do we build these networks of trust where we can warn each other about the threats?
  • NGO-ISAC - there's a Slack channel, mailing list, dominated by big corporate nonprofits that do not understand the
  • Interest in starting a Signal group to keep in touch with each other
  • Our groups that we approach with holistic and humanist practices get better buy-in, more easily get the basics done because they care
  • Tactical Tech digital security guide is great but inaccessible. What are holistic resources, newsletter etc that are more
    • https://riseup.net/security -- comprehensive, accessible
    • EFF - Security Education Companion - handed over to Level-Up.cc, good community resource
    • Human Rights Centered Design - https://humanrightscentered.design
    • Vision Change Win - Get in Formation community security guide
  • Can't find suitable guides or handbooks on digisec, including because materials are not available in enough languages. A tough process
  • Some orgs are between grassroots and corporate nonprofits; they want to bring holistic and humanistic approaches but need to sneak them in, since it isn't already part of the culture
  • "White hat social engineering" is a way to get people in the door
  • Political education is the first step to actually get people to practice digisec and have that buy-in
  • People have tried to build communities of practice for this kind of digisec that didn't last, but are trying to formulate more
  • Approaching this in an accessible way: people can come with pain points and get them addressed

Some places to learn about digital security or digital security training: