Reflections on Organisational Security Audits

Paola Mosso
Maya Richman

This year, thanks to support from the SAFETAG fellowship, we’ve had the opportunity to invest in and deepen our expertise facilitating organisational security assessments. We’ve implemented two security audits in South America to support emerging organisations that are using civic technology to advance social justice. Here, we share some insights developed over the course of this work, and explore how we will put these learnings to use in the future.

Laying the groundwork

While there’s no magic recipe for a successful organisational assessment, there are decisions to make when selecting an organisation that help lay the groundwork for an effective audit. To do that, we developed an organisational archetype with criteria that would lead to the greatest impact for the host organisation. We also considered our own resource and regional constraints. Once we had that archetype and an understanding of constraints, we proactively searched for organisations that would both benefit most from a partnership and be most likely to implement the recommendations going forward.

We identified the following five preconditions as critical to the success of the assessment:

  1. Trust: We had a prior relationship with the organisations, thereby increasing trust on both sides.
  2. Organisational need: The organisation had expressed a need and desire to be supported on organisational security and showed a drive for growing responsibly.
  3. Management support: Upper management and/or the executive directors were in full support of the assessment.
  4. Curiosity and willingness: The organisation was curious about the process and open to reflecting on their organisational practices.
  5. Context: We did significant context research before the audit in order to situate the conversations around risk and threats alongside concrete examples. (This also helped us to see if the context itself would allow for the organisation to have the space needed to implement recommendations.)

Lessons Learned

As an auditor, one core goal of an assessment is to leave with a grounded understanding of who the organisation is, what they do, how they work and what their key priorities are. As we did this, we came away with the lessons below.

Save time for unexpectedly long conversations

It’s critical that auditors budget time between activities to allow for important conversations to arise naturally. Rushing conversations can bias findings towards the loudest voices, instead of digging deeper to the less obvious conclusions. A slow and patient approach leaves space for difficult conversations to bloom.

Prioritise the one-on-one conversations

Individual conversations with each team member have two purposes: 1) trust-building and 2) elevating hidden concerns and opportunities.

Speaking to each team member individually demonstrates that we value every perspective in the organisation, and that the assessment process will not be top-down. It also drives home the idea that all concerns are relevant for this process. These conversations also help the auditor build trust with the team, a necessary foundation for any substantive work that will be done following the assessment.

One-on-ones also create a safer space for staff to speak honestly about the work they do, the fears they have and the dynamics they see in the office. It’s an opportunity to air concerns and share opinions, which is extremely rare in a group setting or within daily work routines.

Provide a security training for the final day of the audit

As we’ve repeatedly seen, one-off trainings often don’t lead to long-term security culture change. Those receiving training tend to stop using the tools introduced soon after the trainer leaves, or default back to old habits.

That being said, one-off trainings can be extremely helpful in the context of an audit for three reasons:

  1. They make high-level security conversations during the audit immediately more concrete.
  2. They boost the staff’s confidence that they can improve their security with a few small changes.
  3. They lay the groundwork for the organisation to implement the recommendations in the final audit report.

Audits can sometimes seem like extractive exercises, so providing a training is a way to counter that by supplying guidance that can be immediately useful for staff. Trainings can also provide the team with practical tools to deal with any areas of vulnerability that arose during the audit.

Incorporating learnings

We enjoyed the process so much that we took the opportunity to facilitate a session on organisational security with The Engine Room staff during our staff retreat in July. During the session, we took a long pause from our daily routines to reflect on our concerns and how they are shaped not only by our work and personal lives, but also by the lives of those around us.

After facilitating an exercise to connect with our bodies and emotions, our personal history and our surroundings, we conducted an organisational interview, creating a space to talk about psychosocial aspects of security and to understand what security encompasses for each of us in our different contexts. Together we identified what our growth and improvement opportunities are.

This activity was followed by a data mapping exercise, which allowed us to lay out and discuss what data we collect, where it lives and where it’s best protected – an exercise which is also a great way of getting things in order for the GDPR. This showcased how complex the definition of sensitive data is and how critical it is to consider each team member’s different context and perspective.

This process, along with one-on-one conversations with each member of the team, helped us identify key decisions and behaviours to inform a plan for security implementation going forward.

Next steps

Along with informing our organisational security strategy next steps, having the support of the SAFETAG framework will also help us better support partners in the future, and we’re keen to use our experience to carry out more organisational assessments in the future.

As we engage more with organisations who are emergent leaders within their communities, we look forward to working with them on holistic security. Lack of formalised or documented systems, difficulty prioritising well-being with the pace of work, and an uneven distribution of technical knowledge are just some of the challenges we’ve already identified by working closely with them.

We will also look to convey that security assessments aren’t only about identifying technical vulnerabilities; often the most important recommendations rest upon human resources and management structures that can either support or inhibit positive security culture change.

In the coming months, our experience with organisational security assessments will be present in more robust protection and well-being support for our next Matchbox partners, and in our Light Touch Support. Above all, we’ll continue listening to better support our partners in their aim to become safer and healthier.

If you are interested in talking more about how to integrate an organisational security approach within your organisation or learn more of our reflections, get in touch with me on paola[at]theengineroom.org.