Even with a working definition, organizational security is a pretty complicated thing. When more than one person works together to achieve a goal, they need to be able to communicate and manage information to get things done. In the process, they start to develop systems. Systems are the result of a thousand little decisions. And when security isn’t a consideration in making these little decisions organizations can face big risk.
We’ve been developing ways to understand how organizations’ systems work, the vulnerabilities of those systems, how individual members of the team relate to those systems, and how best to manage change over time in an organization without overwhelming team members with too much change at once. Every team is different, so what have we learned working with different types of organizations and how have we evolved our approach?
It’s not (just) about the technology
Organizational security has much more to do with the social and political decision-making of an organization. Security isn’t about the perfect technical fix, it’s about working with all members of the team to make sure that they understand the issues and the value of protecting information. Supporting awareness raising activities to encourage individual thinking about security (in addition to how-to’s, instructions, and policies) is key to supporting longer term growth and more organic adaptation to new threats.
Cloud infrastructure versus locally managed services
Increasingly, organizations are outsourcing their information management to cloud services. In many instances, companies with experienced system administrators can do a better job of securing information than a small civil society organization can. However, moving data to the cloud requires careful examination of new types of threats. Questions like: Who owns your data? Who can force your new cloud service provider to hand information over? In sum, it is possible to make appropriate decisions about what to outsource and what to manage in-house but that requires honest appraisals of resources, risks, and priorities. And with the everchanging landscape of options, legal terrains, and security offerings, it can be difficult to make the perfect choice. We will be working in 2015 to develop a more structured approach to making these decisions.
Distributed team versus teams with offices (and everything in between)
Technology allows for more and more remote work, and it has made it possible for organizations and teams to save costs by working in distributed ways. (The engine room itself is made up of 10 people who live in 9 different countries.) This changes the way teams share and manage information because it removes what used to be the centralized point of information exchange: the office. With the office gone, there is less dependence on desktop computers, less possibility for locking down local networks, and less centralized control of IT systems. This means that staff can have different machines, use wildly different internet access points (from the cafe to the home office), and are more likely to use their personal services to manage their professional communication. Organizational security planning and training is very different in a distributed team than in an office-based team, and we’ve found that discussions and planning about infrastructure are just as important with distributed teams, its just a more difficult conversation to have because distributed teams might not think of Skype and Dropbox as organizational ‘infrastructure’.
With so much more variation and adoption in the software and devices that individuals use, it can be hard to keep tabs on who is using what. Establishing baselines of staff practices and regularly updating teams as they make progress (or don’t) is key to maintaining momentum in overall team changes in practice. A process we’ve found to be really helpful is baseline surveys of large teams (What computer operating system do you use? etc), and flash surveys around specific tools (Are you using a password manager in your day-to-day work?).
Finding allies early
Allies are key to sustained growth and learning in an organization. Not everyone is going to be equally excited about prioritizing and improving security practices. But finding motivated and interested members of an organization early can make the longer term process much easier and the feedback process more helpful in correcting course.
Policy development is important, but awareness raising comes first
At first we considered working with organizations to develop security policies and then determine what they needed to do to make those policies a reality. Based on some smart insights from collaborators and experience from last year, we’ve started to push policy development further along in the process, beginning instead with baseline surveys and interviews with staff, to gauge interest and awareness, and then focus on awareness raising and motivation so that the introduction of policy is about solving a clear problem, not leading with a blue sky solution.
Breadth versus depth
Working on the many security issues that any organization faces, means deciding to prioritize certain things so they can be addressed in a smart sequence. An organization can be very intimidated when confronted with the long laundry list of everything that they *should* do. We’ve found that creating a small number of clear short term goals, focusing on providing sustained awareness raising about each of those goals, and updating those goals as others are accomplished leads to more uptake than providing a broad overview of risks and potential mitigation tactics. Over time, going into depth on small sets of issues in a focused way results in the breadth that is required to make lasting change. Starting with breadth can be a turn off.
Developing a security ethos
One of the reasons we’re excited about working with teams (as opposed to lots of individuals) on security practices is that group dynamics can result in social motivation. If a group feels that being deliberate with data management and communication is part of its identity, it becomes much easier for the individual team member to find the will and persistence required to change behavior. This works both ways. If an organization identifies as cavalier and risk-seeking they may find it much harder to address security concerns because it goes against their identity. Given that, we’ve found that by focussing on how an organization identifies is a great way to encourage more sustainable change on any particular security issue. This might include discussing brand management (and how a brand can be affected by an exploited vulnerability), addressing how security fits into the organizations principles, and other more subtle aspects of the role security plays in the organization’s identity and persona.
Longer term support is more effective, but it takes more resources
This point might be obvious, but I think it’s worth stressing. The novelty of the organizational security approach is less that it addresses something new, and more that it addresses an old problem in a way that assumes there will be resources for sustained support. Oftentimes there aren’t resources for more than an introductory training on several security tools that can be used to protect information. Sometimes there aren’t even enough resources to have more than a 30 minute talk about the risks an organization faces. Our work on organizational security requires 6 to 12 months of time, and about 20-40 days of work for each organization. We’re testing the approach to see if the gains are worth the investment, but from what we are seeing so far, this investment accelerates the changes in an organization dramatically. It allows attention to culture shifts that cannot happen in a single training or two. These shifts might lead to more sustainable behavior change, and take advantage of team qualities that promote change (while stifling the qualities of a team that impede advances).
In the past year, we’ve been working with several organizations to address their organizational security. We’ve also been teaming up with several support organizations to develop our approach. Some of the fantastic collaborators in this process have included: Wojtek Bogusz from Frontline Defenders, Jon Camfield from Internews, Niels Ten Over from Article 19, Mallory Knodel from Association for Progressive Communication, Ali Ravi from Confabium, and Friedhelm Weinberg from HURIDOCS.
This year we will work with more organizations who are prioritizing security and responsible data overhauls, looking for resources to keep the work going, and building resources to make our organizational security support stronger.
If you are an organization looking for organizational security support, get in touch. We might not offer what you need (for example, we don’t do penetration testing, software audits, or one-off end user security trainings) but if we don’t, we know some fantastic people and teams that do. We are always happy to matchmake.
If you are a support organization working with other groups on their organizational security, we would love to hear more about how you are going about it. We are also really keen to hear more from people who have worked inside organizations to create change over time. Please get in touch or drop a comment at the end of the post to let us know if you have anything to expand on or if you have had different experiences you want to share.
If you are a funder and are interested in supporting this work, we are actively seeking funding for activities to fully test, document, and evaluate this model and make it available to advocacy organizations who cannot afford to pay for the full cost of the support.