IFF OrgSec Village – Day 2

Internews is hosting the virtual Internet Freedom Festival (IFF) Organizational Security Village throughout this week (June 8-12)! The event is bringing together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

Sessions on Day 2 explored examples of OrgSec in Practice. Highlights from Day 2 of the OrgSec village included:

A collaborative survey of the OrgSec Community’s Response to Emerging Crises.

A presentation of work carried out with the Mechanism for the Integral Protection of Human Rights Defenders and Journalists in Mexico City, including a typology and workflow for the diagnosis of digital incidents.

A discussion around Non-technical Due Diligence when choosing security tools and services, exploring questions on jurisdiction, open sourcing, and reputation.

An exploration of alliances as a support mechanism to guarantee the Digital Security of Human Rights Defenders Working in Civic and Internet Repressive Environments.

A step-by-step playbook of the OrgSec Audit Process in different contexts.

A hard look at how Digital Security Trainings Can Do More Harm than Good.

Key takeaways from the discussions included:

  • Cross-sector partnerships can expand OrgSec support. At times, it can be advantageous for organizations providing digital security support to at-risk communities to coordinate with government agencies offering similar support mechanisms. Traditional training methods combined with local and federal protection mechanisms allow for maximum protection for the communities that are most at risk.
  • Approaches to OrgSec must be adapted to the local context or threat model. What may be a serious threat to one organization may not be to another. When working with an organization, it is important to understand the threats that are relevant to its work and/or location. What are the risks that it faces? What has been happening to similar organizations in the region? It is not a one-size-fits-all approach, but rather needs to be tailored to the needs and capacity of each organization.
  • Empower organizations with the knowledge and guidance to understand and mitigate their risks. Security can be overwhelming, particularly for less-technical users. It is critical for an auditor or trainer to focus on the how and why and not just the end result. The more organizations understand, the more confident they will be. This will better equip them to replicate the process in the future. Accessible language and easy-to-navigate guides and checklists can facilitate this sharing of knowledge.
  • Know when your support does more harm than good. Digital security trainings are helpful, except for when they’re not. As an auditor or trainer, it is often difficult to find the time needed to properly onboard organizations to the security practices they need. Behavior change takes time and cannot be accomplished in a two-hour training session. There is no guarantee that the organization will continue to properly use (or use at all) a tool or software installed or downloaded during the training. OrgSec practitioners must be aware of these limitations, as insufficient training or support may lead to a false sense of security and can ultimately put the organization at greater risk than it was to begin with.
  • SAFETAG is meant to be a general framework. The SAFETAG framework serves as a toolbox, or collection of relevant tools and activities that can be used to conduct an organizational security audit. When planning for an audit, the auditor must select which tools and activities are most relevant based on the local context, size of the organization, and resources available. Some activities may be too complicated or irrelevant. You do not need to complete every activity in the SAFETAG framework!