Explorations in Organizational Security

From IFF Wiki
Jump to: navigation, search

Session Description

Digital security training for individuals, and training for organization-level security adoption, have evolved into two very distinct practices. Security is much more a mindset, and there are no quick fix, "one-size fits all" solutions. But how to create that mindset? How to get ‘organisational buy in’, and create a feeling of ownership? The purpose of this session is to share organizational security lessons-learned, learn how those lessons resonate with others, and find additional examples/tactics/techniques to add to add to our growing toolbox.

How to continue building the community: https://organizationalsecurity.atlassian.net/wiki/display/OrgSec/

Explorations in Organizational Security
Presenter/s Kristin Antin, Wojtek Bogusz, Ali Ravi, Peter Steudnter, Dan O'Clunaigh, Michael Carbone, Jonah Sheridan, Wieke Meilink
Language English

Session Comments

Session notes: https://pad.riseup.net/p/explorations , Copied in here on Mar 9, because riseup's 30 day deletion cycle:

Explorations in Organizational Security. 4 March, 10.00-13.00, Internet Freedom Festival, Valencia


   - send an email to Kristin with one thing, you want to get out of the process and one thing you want to contribute to it! kristin@theengineroom.org
 - have page on the temporary Confluence instance with links to other communities of practice that we should reach out to
 - join the existing security audit email list as a temporary place: securityaudits@googlegroups.com

Other documentation / notes to be shared with: kristin@theengineroom.org Knowledge base on Confluence: LINK: https://ecl.gy/orgsec full link: https://organizationalsecurity.atlassian.net/wiki/display/OrgSec/ Login:

       Username: IFF
       P/W: iluvorgsec

Documentation of the Flipcharts etc. also on the confluence platform:


Description of the session: https://internetfreedomfestival.org/wiki/index.php/Explorations_in_Organizational_Security

This sessions follows up on a conversation that started in February in Prague. Some thoughts and background on that meeting can be found here:


Group work: Challenges and needs around organisational security. We write the on post its on the wall. Room is divided in groups: Discovery, Strategy, Actualise, Tech, Creat Trust, Funding


Questions on post-its; - how to deal with unexpected threats - labeling sensitivity of particular communication & information - how to overcome frustrations with technology - balancing percieved priority according to the org and real - how to cover many people in big orgs - reliable M&E strategy

(there is some confusion on the differene between strategizing and actualization, some discussion about it)

Realise that this is a proces; first discovery, than strategise, this feeds into the actualising, actually doing it. It is a circular proces. What you do, influences the strategy and adapt the actualisaiton etc.

What are the elements of usual strategies that we take into consideration;who do we bring to the table when we strategy.

This is a list of questions, of elements that should be taken into account making a strategy

       - available resources, funds
       - include organisation with shaping the strategy 
       - organisational buy in of all participants
       - Identify relevant characteristics of the organisation;
       • take into account the history of trainings and knowledge; the things that have been done before (and if needed think about a certain 'digital security saturation)

• scale (big/small) structure networked,(flat/informal etc) • organisational culture • What is the goal of the organisation, what are the issues they are working on. Digital information strategy should coincide with the general strategy of the organisation; integrate it in there work and processes on a broader level. It should be a synergy. Strategize who you need on the table to build security steps • Identifying who is your key allies and who is the key trouble maker - find a key person from within the org who has buy in and is the driver, and has trust/buy in from both the leadership as the staff - context; establishing what is visible; how far can we go (understanding what is possible within a situation, including the legality of tools etc. - Identifying clear targets; strategize together with the organisations what do we consider succes - roles and responsibilities during proces; - manage expectations (of time, etc) - how to roll it out without overwhelming the organisation: breaking into smaller bits, change small things; starting with the low-hanging fruit, at the other hand addressing the most harmfull vulnarabilities. Also the 'invisible' parts such as replecing an email server has little implications for the working process, and a good balance of tools/behaviour change - detangle the proces into digestible units bits. For example agree on 3 categories: things we are doing that work well, what we will not do anymore & what we want to change - information classification - monitoring - sustainability after proces; how to make the organisation independent/empowered, maintance

It is interesting how to get buy in from the staff that is most far away from the activities (such as accounting); sometimes disagreement between organisational units, also because they have different goals. Also they are bound to the things they are using and want to keep using them. Understanding that there is nothing persnal against the proces. They are things that manifest themselves to improce the proces.


    1. Need for tool development
  • Friendly FLOSS Tools
  • Getting beyond attachment culture & doable, affordable airgapping
  • Improvements for PGP
  • Bro / Snort for humans - prioritized; digestible threat intel on the local network
  • Affordable, easy, secure service hosting (e.g. email, wikis, etc.)
  • Access to malware incident response teams and individuals
      1. Solutions:

    1. Infrastructural
  • Lack of network access -> never use tools that need high bandwidth or constant updates;
  • backup problems
    1. Local technical support
  • Including other partners into security
    1. Risk Awareness
  • Tech schizophrenia
  • Shared devices (in-org and personal/work shared device)
  • Silver Bullet: if you use tech wrong it can be harmful
  • security needs not matching available training
  • under-estimation of what it takes to be secure
  • Licensing and Lock-in
  • WinXP
  • Old Computers
  • Licensing (Pirated software, lack of authentic software, MS licenses)
      1. Solutions:
  • Psycho-emotive stress overloads logical approaches; need to manage stress
  • Successes with moving people to Linux; but leveraging local, **in-risk-group** tech expertise, building their capacity
    1. "Other"

Finding digital security narratives that empower

Human greed


- Reference to the Holistic Security Process and Guide, where creating space is big effort:


- long termin angagement with organisations - self awareness questionnaires - Start off with first perceptions of threats they have and already existing security measures /formal / informal) - Take IT-person to support him/her, but not to get into competition, but to make his / her work easier and tackle challenges together - participatory processes - by analysing threats make them more visible and tangible and in this way workable - include legal, emotional and physical security part of the org.sec process by drawing on the resourcse from within or within the reach of the organisation / group - blockers have reasons / nonimplementation has a rational reason, try to find and find alternatives to the existing nonfunctional strategies -> aks "why" questions to get deeper reasons, bringing them to own solutions - act on existing good practices to transfer / adapt these to other areas -> buy-in - stay connect to the actual goals for the organisation / group -> extracting actual need - make security (strategy) process part of the discussion and knowledge management and handover culture of the organisation - share knowledge about psychosocial reactions to fear, stress and trauma (natural reactions to unnatural situations) - reframing security from an obligation/liability into an opportunity (for orgs as well as funders) -- positive opportunity to be more strategic - make it part of organisational security, jobs can become easier - How to sensitize students groups for getting into more secure digital practices -- films (one here on "nothing to hide") / Tacticaltech.org / minority report -- explaining "how the internet works" -- cryptoparties


1)long-term sustainability for beneficiaries is very hard, because many thingsneed to be taken into account - follow-up - leadership-buy in - idea that you cansolve everything with technology is wrong - informationsecurity problems are actually human security

2) resource sharingand discovery is hard & failing - knowledge sharingtools are created but then not used (ex. Levellup) - resources need tobe interchangeable - still a lot ofinfo on structures, best practices, sustainability not shared

3) how orgs canbudget and plan for digital security support - how to help orgswith budgeting and planning? - threat modelling using while youcreate a budget - how to getlong-term funding from donors to make tools/support sustainable - deliverable ofsupport is language - (funding) competition among implementors


  1. post-it notes

- contiuity / org culture shift - making "failing" OK - using it to improve & strengthen community/org sec - how to support strong adoption of practices & not just tools - getting orgs to make security a priority - lack of time (-for me, -for my trainees/partners) - staff turnover & change makes support hard to guarantee, practice hard to maintain - walk the talk --> funders, implementers too! - ways to increase PGP uptake - implement mitigation plans after identifying weaknesses - organizational clear policy on security of behaviours & tools - how to develop and implement policies - maintaining transparency and being aware of the vulnerabilities of transparency - how to organizational changes - deploying PGP-encrypted email on org w/ MS exchange server - hard to match a working mitigation to the technical capacity of all the member of the organization - organizational inertia & management reticence to implement major change - overcoming internal resistance to change - how to make digital security practices continuous - access to organizational security assistance - deploying full-disk encryption on windows environemnt - which organizations can actually receive our support? (size, staff, resources) - material about PGP key manamagement in terms of expired keys and how to fix errors (human) uploading keys to servers - empowering local groups - security by mandate not as a luxury - how to break the technical divide

  1. discussion notes

- what's the minimal criteria to engage w/ an org

  • small orgs (e.g. <5 ppl) = not an audit (treat as individuals?)
  • in-house IT person ??
  • institutional vs. hero structure
  • "actualise" = combination of tools & practices

- follow-through / habits / follow-up --> 2, 3, 6-months down the road

  • org policies vs. practices

--> external stakeholders --> --> more difficult, vs just internal - lack of tool localization --> bad jitsi russian, iOS russian, Android swedish --> feedback loop to devs --> --> difficult due to lack of capacity / org focused on this - making it ok to fail --> iterate "first recommendation... second recommendation" --> rather tha client lying to oimplementer --> follow-up becomes baked into process

  • org policies

--> push, pull, crystallize existing

  • BYOD
  • ask right questions
  • affordable "air-gapping"

--> workflow disruption

  • data retention

--> policy (offboarding, pgp key management)

  • MS licenses

--> cyber grants

  • tie into org mission / politics
  • large org cultures
  • MGMT modelling behavior / MGMT buy-in

--> HR person, tech leader (internal)

  • knowledge --> responsibility / self-care
  • integrate digital into physical security roleplay
  • buddy system? affinity groups?


Existing collaborative knowledge space LINK: https://ecl.gy/orgsec full link: https://organizationalsecurity.atlassian.net/wiki/display/OrgSec/


       Username: IFF
       P/W: iluvorgsec

4 major buckets - Discover - Strategise - Actualise;recommended tools and technology, and how to roll it out - Create space,trust & buy-in

Everyone is welcome to add, and edit information to this space

  1. what next

what are good/existing practices to stay connected (email list, wiki, etc.) -- Video 4 Change, Level Up, securityaudits mailing list, wiki

regional network mapping? anonymized sharing of stories (case studies!) place to get updates of materials and resources (new translation of SAFETAG! etc)

--> have page on Confluence instance with links to other communities of practice that we should reach out to

--> email Kristin with one thing you want and one thing you can provide

--> join jon's existing email list as a temporary place: securityaudits@googlegroups.com