Digital Security Trainings Don’t Work (By Themselves)

Improving digital security takes a change in lifestyle - and that takes more than just training.
One of my favorite parts of our work here at NDItech is working with partners to stay safe in the wild wild west of the internet. Back in my past life as a bona fide computer geek I was in charge of much of the network and systems security for my organization, and it’s fascinating to see how technical tactics have changed while the strategies of attack and defense seem to remain.
I was out with my teammate Evan Summers working with a number of partner organizations to help improve their overall digital security posture. They were a really impressive set of people facing pretty significant threats. I’ve done my share of security trainings with at-risk civic or political groups, but this time we tried a new experimental approach which looks promising.
Typical digital security training, as I learned it from the masters at Tactical Tech (really, those guys are fantastic), is an intense 2-5 day in-depth training with a mix of lecture on security principles, demos, stories from the field, and hands-on practice with actual security tools. It’s a great approach; doing it right takes a lot of time. Side note: If anyone ever tells you they’re going to do a digital security training in less than two days, gently correct them and say that it will be, at best, an awareness-raising exercise. Laudable and all, but it’s not going to make anyone magically secure. #DonorTip: don’t bother funding those.
NDI is in the long-term relationship business - we tend to work with civic or political groups over a period of years. As such, we don’t need to try and drive organizational change in a week. With that in mind, Evan and I decided to take a different tack.
First: The Training
We did two days of in-depth digital security training on the fundamentals we thought most relevant for these partners. We were able to draw upon our personal experience as well as content from the Level Up project with which NDI has been involved over the years. It’s a great resource, not only for the security content but also for suggestions on ways to do adult learning, deal with psychological trauma and have engaging physical exercises.
Over two full days we covered a range of topics including background on how the internet works, patching, encryption, two-factor authentication, secure messaging, and a lot more. This was less time than I’ve spent in some trainings in the past, which have been up to five full days, so we didn’t go into as much depth and didn’t cover a number of less relevant concepts - but that left us the rest of the week free.
Second: Site Visits
This was the new part. Since we’d done an abridged training, we had 3 full days to work with. We spent a half day with each of six partner organizations, really digging into their practices and technologies. We drew upon the SAFETAG auditing framework to build our agendas, but were not doing such a deep dive. It was amazing how over a few hours of conversation, physically tracing cables, and spelunking in computers one can really understand an organization, their operations, their habits - and their most glaring threats.
Third: Ongoing Support and Mentoring
Based on our evaluation, we came up with targeted recommendations for each group. Fine, great, but acting on them is the hard part. Changing your security posture is like losing weight - it’s not so much the knowledge of how to do it, it’s the daily discipline reflected in thousands of tiny choices. Also, new practices and tools take a while to learn. Since NDI works with these partner groups over a period of months and years, we’ll bake ongoing support into our work in the future, following up with them to see how things are going, working through the inevitable bumps, being a front line of help, and providing some guided practice as they go.
Fourth: Give Them the Right Incentives
People like money. Groups like money too - it lets them keep doing whatever cool, world-changing stuff they’re doing. We’re going to start getting a bit strict when providing subgrants or contracts with organizations - if we can’t verify they’re following the recommendations that we developed together, they’re not going to be eligible for further funding from NDI.
It was a great trip - and I feel better about the long-term impacts of doing it this way. Let us know if you try this out.