Building a Culture of Security
Integrate Security into your Regular Operating Structure
As is described in detail in Tactical Tech’s Holistic Security Guide, it is essential to create regular, safe spaces to talk about the different aspects of security. This way, if team members have concerns around security, they will be less anxious about seeming paranoid or wasteful of other people’s time. Scheduling regular conversations about security also normalizes the frequency of interaction and reflection on matters relating to security, so that the issues are not forgotten, and team members are more likely to bring at least a passive awareness of security to their ongoing work. It does not need to be every week, but make it a recurring reminder. These discussions should not only leave space for topics of technical security, but also issues that impact staff comfort and safety such as community conflict, online (and offline) harassment, or issues with using and implementing digital tools. Conversations can even include topics like offline information-sharing habits and the ways staff do or do not secure information outside of work. After all it is important to remember that an organization's security is only as strong as its weakest link. One way to accomplish consistent engagement is by adding security to the agenda of a regular meeting. You can also rotate the responsibility for organizing and facilitating a discussion on security between members of the organization, which can help develop the idea that security is everyone’s responsibility and not just that of a select few or the "IT Team." As you begin to formalize discussion about security, staff will likely feel more comfortable discussing these important issues amongst themselves as well in less formal settings.
It is also important to incorporate security elements into the normal functioning of the organization, such as during employee onboarding – and thinking about cutting off access to systems during off-boarding. Security should not be some “extra thing” to worry about, but rather an integral part of your strategy and operations.