You and your organisation may not think much about digital security unless you have dealt with a security breach or threat. We’ve written recently about how you can use threat modeling and a wide range of online privacy tools to help protect yourself, your colleagues and data. However, tools, threat models and individual awareness are just ingredients in the security recipe. Almost every conversation we had with NGO staff and security experts came around to one common element: a strong organisational security culture.
Getting to a strong security culture is more amorphous than deploying a new tool. Digital security is about education and habit formation.
This article provides some concrete steps your organisation can take to promote a strong security culture.
We Don’t Have Anything to Hide
When Glenn Greenwald, the reporter that introduced the world to Edward Snowden and his revelations, talks about privacy, inevitably there is a person in the room who says, “Why should I care? I’ve got nothing to hide.” To this remark Greenwald calmly hands the person his email address and says, “What I want you to do when you get home is email me the passwords to all of your email accounts. Not just the nice, respectable work one in your name, but all of them. Because I want to be able to just troll through what it is you’re doing online, read what I want to read and publish whatever I find interesting. After all, if you’re not a bad person, if you’re doing nothing wrong, you should have nothing to hide.”
No one has taken Greenwald up on his offer.
It doesn’t matter if you have nothing to hide, it matters if the people in your networks have anything to hide. You don’t know. They may or may not.
– Nick Sera-Leyva, Internews
Acknowledging that even the most upstanding of us have reason to care about our privacy is the first step to individual and organizational culture shift. However, converting yourself isn’t enough. Whether you are the director of an NGO or a community organizer, security culture is about bringing others with you.
Bill Budington, a software engineer at the Electronic Frontier Foundation, put it clearly. “Privacy isn’t an issue about you, it’s about all of us.”
Digital security means different things to different people. It means something different to an IT administrator as it does to an NGO director. The staff themselves might think it’s opaque and intimidating.
– Allen Gunn, Aspiration
Nick Sera-Leyva, Human Rights and Training Programs Manager at Internews, agrees. He starts with an ethical imperative, “It doesn’t matter if you have nothing to hide, it matters if the people in your networks have anything to hide. You don’t know. They may or may not. They are not obligated to be forthcoming about that, and you as an activist or journalist might not know what those things are.”
While this imperative is a strong philosophical place to start from, Kristin Antin, Community Catalyst at the engine room, provides actionable steps forward. When working with organizational partners the engine room will first create common ground within the organization, then create a plan with the participants, and finally provide ongoing support where possible.
Find Common Ground
Shauna Dillavou, the executive director at CommunityRED, believes that security culture can’t be created from a point of fear. “Scaring the pants off of someone just terrifies them. There’s no clear call to action.” Dillavou thinks that getting an organization on board requires meeting individuals and organizations on common ground.
Finding common ground requires a common language. As Allen Gunn, the executive director at Aspiration, notes, “Digital security means different things to different people. It means something different to an IT administrator as it does to an NGO director. The staff themselves might think it’s opaque and intimidating.”
Sera-Leyva works on creating that common language. As he travels through different communities, countries and professions he starts with the basics. Take the word “hacking” for example. “In a lot of countries the word ‘hacking’ means a bunch of green 1s and 0s and with a few key strokes the person can penetrate your entire digital world. Your email being hacked could be as easy as you using a simple password that someone can guess,” explains Sera-Leyva.
Scaring the pants off of someone just terrifies them. There’s no clear call to action.
– Shauna Dillavou, communityRED
Common language, however, isn’t enough, says Antin. It’s important to find how that organization’s identity and values can intertwine with security.
Antin uses an organization she worked with as an example. This organization valued integrity and impact. Through discussions, the organization identified concrete ways that security connected to these values. The protection of their contacts’ information was tied to their value of integrity, and protecting information about strategy and tactics was tied to their impact.
The engine room then worked with this organization to identify and roll out a plan to protect contact information and internal communications. Creating a plan also requires that common ground. “People need to know why there’s a plan and why you are recommending a certain tool or approach,” says Antin.
By understanding the organization, the engine room was able to leverage what the organization cared about and create an entry point to security culture.
Find Your Allies, Build Your Community & Don’t Give Up
If you follow the engine room’s example and foster stakeholder buy-in and understanding during the planning stage you run a higher chance of success. During the planning process it’s also important to identify your allies and early adopters.
If you give up, you’re going to get what you expect: defeat. If you fight, you have a chance.
– Allen Gunn, Aspiration
These allies will help foster peer-sharing, which, as Gunn describes, is an important part of creating security culture. “As you’re learning, you need to make sure your knowledge propagates amongst your organization.”
All of this is to say, one training isn’t enough. According to Sera-Leyva, trainers don’t always have the resources to follow up after a training session. Finding champions within your organization is critical. Further, don’t expect that everyone in your organization or social group is going to buy-in at first. By creating this core of support, it builds momentum that can help convert slower adopters and make your entire organization more secure.
Even by undertaking all of the efforts outlined in this series, creating a security culture is ever evolving. “You never arrive at security culture, you never get to secure. People need to understand what works today might not work tomorrow, and certainly wont work forever,” opines Gunn.
But to Gunn this isn’t grounds to become overwhelmed and just give up on security.
“If you give up, you’re going to get what you expect: defeat. If you fight, you have a chance.”