Building a Culture of Security
Integrate Security into your Regular Operating Structure
As is described in detail in Tactical Tech’s Holistic Security Guide, it is essential to create regular, safe spaces to talk about the different aspects of security. This way, if staff and members have concerns around security, they will be less anxious about seeming paranoid or wasteful of other people’s time. Scheduling regular conversations about security also normalizes the frequency of interaction and reflection on matters relating to security, so that the issues are not forgotten, and staff across teams are more likely to bring at least a passive awareness of security to their ongoing work. It does not need to be every week, but make it a recurring reminder. These discussions should not only leave space for topics of technical security, but also issues that impact staff comfort and safety such as online (and offline) harassment, or issues with using and implementing digital tools within parliamentary offices. Conversations can even include topics like offline information-sharing habits and the ways staff do or do not secure information outside of parliament. After all, it is important to remember that a parliament's security is only as strong as its weakest link.
One way to accomplish consistent engagement is by adding security to the agenda of a regular meeting. You can also rotate the responsibility for organizing and facilitating a discussion on security between different staff, which can help develop the idea that security is everyone’s responsibility and not just that of a select few or the “IT Team”. As you begin to formalize discussion about security, staff will likely feel more comfortable discussing these important issues amongst themselves as well in less formal settings.
It is also important to incorporate security elements into the normal functioning of parliament, such as during member and staff onboarding – and thinking about cutting off access for off-boarding. Security should not be some “extra thing” to worry about, but rather an integral part of your strategy and operations.
Remember that all security plans should be considered living documents, and should be re-evaluated and discussed regularly, especially when new employees or volunteers join the organization or your security context changes.
Remember that all security plans should be considered living documents, and should be re-evaluated and discussed regularly, especially when new employees or volunteers join the organization or your security context changes.