- Understand org culture
- Identifying change leaders and champions
- Access to staff
- Desk research
- Learn what the decision-making structures in the org are
- Learn about knowledge-sharing in the org
- Feel out organisational culture
¶ Understanding organisational structures
- Identify key players (during assessment)
- Are there group dynamics exercises to be pulled in? More formalized practices
- Observe staff interactions during group exercises – who talks a lot, who causes others to get quiet when they talk, who comes up afterwards with key insights
- Have channels of communication with the whole staff - establish friendships and trust across org to tap into "rumors"
- Include deeply in buy-in process, planning, and strategizing
- Address fear of change in a non-blaming way
- Prepare for: Process can go off track far after implementation - e.g. people escape to shadow infrastructure / BYOD during transition phase (e.g. libre/linux/etc.) – reality will slowly hit and expose a strong pocket of resistance
- Create an Organigram
- Access to people in the organization
Clear visual of how people interact and manage organizational projects/operations
Clear understanding and first pass at analysis of time restraints and interpersonal/political aspects of the organization
Identify employees who may not be as accessible (but just as important) like people in the 'field', active board members, etc
¶ Understanding the power dynamics in an organisation
- Bureaucracy or strict hierarchy
- non-vertical orgs with hidden power structures ("flat is never flat")
- Leadership buy-in is "shallow"
- Strong "anti-champion"
- Org decides to do the opposite of what was recommended
- discovering an insider threat (or is it just extreme incompetence?)
- what about infiltration?
- How do you make the tech person an ally and not an enemy?
- IT people are against you and your plan ; feel iniewre
See also: Identify champions
- To get journos to use Tor and GlobaLeaks - leverage source protection
- for transparency orgs - don't you want your software to be transparent?
- For free-expression groups - code is speech, it should be free
- In-depth workshop for leadership buy-in; 1-2 leaders from multiple orgs
- Methodology (Spanish) https://cargo.engnroom.org/index.php/s/2cPl7hvdYsASydl/download?path=%2F&files=Metodologia-alto-impacto-2015-final.odt
- Remote, in safe space, trapped in resort hotel with enough distance from other things; but also long breaks to manage org's work
- Train leaders on MITM/SSLStrip and similar hacking tools to show how easy hacking can be; ethical hacking fraprevent umed
- Offer solutions/mitigations; disaster recovery plans, continuity plan (password mgmt)
- Suggest elevating IT leadership in the org
- Before suggesting any solutions, ask IT staff for input - what are they unhappy about?
- Let IT make decisions about which solutions are put forward
- Clarifying to leadership, with IT present, the difference between digisec and infrastructure support
- IT person procuring hardware and over-buying to profit off it
- exist as a power center - they have all the passwords, control of DNS, backups, etc.
- Exit management / change management - leverage policies to force broader access and allow an exit; leverage audits, funders, etc.
- Short and long term engagements have different options:
- short term can only offer policy suggestions
- long term can build trust and create policies
- using logs and alerts to show users what they browsed each day to manage appropriate tech usage