What’s the first step in securing our organization’s technology?
“Securing” means assuring the security of your current activities, so the answer to this question depends on what those activities are, and how you structure your organization.
It’s vital to remember that a security program that works well for one organization may actually harm another. You must decide how your organization uses technology, then do your survey and audit.
Here are some questions to discuss with your staff and members:
What kind of organization are we? Do we provide a service to movements? Do we mobilize and organize? Do we provide information to the general public or to a specific community?
This question will help you see that the activities you’re engaged in as an organization powerfully impact how you use technology. How much you use and update your website, whether you use a database, and what function email serves in your program all depend on the type of organization you are. So define it.
How are we using information technology? What activities do we do on the Internet and on our network? How significant is our cellphone usage compared to computer usage?
This flows from the organizational self-definition. The interaction with the public or community often defines who will receive your information. More importantly, it defines who can add information to your website or other public venues. Providing service requires certain types of information and may require certain kinds of access from people visiting a site or emailing you. It also may require a database to keep track of these people.
What information do we convey to each other that we don’t want the government to have?
Do you use email to plan meetings, actions or other activities that you want to keep private? We don’t mean anything illegal, but when and how you are doing a campaign isn’t something you necessarily want to share until you’re ready.
Who would like us to disappear? Are there government agencies or other movements so opposed to your work that they would hack or block it?
This is the “enemy audit.”
It’s truly amazing how few organizations actually talk about this. If there are entities that would target you (and most of us have them), you need to identify as many as you can. And you need to talk about what they might do and how seriously you need to take them.
Most of the movement organizations that have been hit with Denial of Service attacks, for instance, were not able to quickly figure out who was attacking them. They were surprised by the attacks. That should not happen to you.
Who manages our office systems? What happens if that person isn’t available during an emergency?
Your organization should be confident that its systems are managed at all times. Do you have an in-house person or do you use a consultant? What happens when that person isn’t around? Many organizations are now opting to train staff (usually organizers) as techies. This might not fit your profile or budget, but you should consider it and discuss the pros and cons.
Who makes technology decisions? Is it one person, a group or the entire staff? How much real discussion goes on when making technology decisions? Do you weigh the impact of a decision on the political and programmatic work of your organization?
Your technology is part of your political program and activities. It should be treated and overseen that way. Your entire staff isn’t going to make all decisions, but the tech decisions you make should be governed by the policies and culture of your organization. That should always be a topic for staff discussion.
The answers to these questions can help your organization develop a technology profile which can guide decisions about what software to use, how to maintain hardware and networks, and how to secure everything.
But, as is frequently the case with technology, it can also help you review, reconsider and sharpen the entire culture, focus and program of your organization. It’s an exercise worth doing.