brittany bennett

What political data & tech staffers need to know about cybersecurity (and when to say no).



This blog was a collaboration with Mike Marotti and Amanda Bennett of Personified Tech. I was inspired to write about the overlap of cybersecurity work and the role of a data director based on my own experiences. Yet, I wanted to balance my lived experiences navigating various cybersecurity responsibilities with real cybersecurity expertise. I contacted Personified, whom I have worked with in a previous role, and asked if they would be willing to contribute. Much of the advice in this piece stems from their wisdom and expertise, and I am incredibly grateful to them for donating their time and energy. If you want to learn more about Personified Tech, you can visit their website here https://personified.tech/



“If it runs on the Internet, it’s your responsibility.” 

It was midnight when my phone started blowing up. My stomach dropped when I saw the red Signal notifications piling up on the screen. I jumped out of bed and read: “We’ve been hacked.” “They got everything.” “It’s all over the Internet.” Some right-wing YouTuber had published an “exposé” of our organization, and worse yet, they had some intel on us uncovered from our Slack and Google Drive. In the time it took me to orient myself to our situation, I had dozens of new messages from my coworkers, adding to the confusion and anxiety. I took a deep breath and wrote back: “Don’t worry. I’m on it.”


You may wonder why I, the data director, was responding to a cybersecurity attack. I had no formal training in cybersecurity, and it certainly wasn’t part of my formal job description. Yet my organization turned to me in a crisis. Why?


When my coworkers and colleagues first started asking me for IT and security advice, I would complain: “This isn’t my job!” But over time, my mentality shifted. I still believed that my organization should hire security and IT consultants, but I realized we were far from being able to make that budgetary decision, and the work still needed to get done. My colleagues looked up to me for technical advice, and I knew I had a role to fill in helping to keep my organization safe.


I don’t think I’m the only technical leader at a political group that’s had the responsibility of cybersecurity thrust upon them. We become data directors because we love optimizing spreadsheets and crafting the most elegant SQL query, which makes us natural targets for cybersecurity and IT-related work. Many of us in the field joke that, from the outside, the role looks like “anything that runs on the internet is your responsibility.” In my tenure as a data director, I have been asked to reset countless email passwords, manage a myriad of digital accounts, and even help a coworker’s mom learn to use Google Drive. I am sure many of you have had a similar experience. What is the line between being a data director and being an IT director in the world of politics, when budgets are small and all of us are doing three jobs in one?


In this blog, I share how I think data directors can contribute to building a culture of safety in their respective organizations, starting with work the technical leaders can do to keep their code bases secure, then delving into the responsibility that everyone on staff has to keep their organization safe, and ending with the kinds of IT and security tasks that are definitely not the job for a data director. I also include a guide for evaluating whether you need to bring on outside IT and cybersecurity help and provide some resources to deepen your knowledge and take back to your organization.


Definitely your job: Keeping your data secure

Political staffers spend a lot of time thinking about ideologically motivated attacks like infiltration, and some cybersecurity tasks like preventing phishing require vigilance from everyone. Still, some digital security tasks are expressly the responsibility of data directors. Every data director should know how to keep API credentials and other secrets secure and understand how to protect against vulnerabilities in their code base.


How to safely store API keys

My biggest shame is that I used to store all my API credentials as environment variables exported from my .zshrc file. It was easy! So convenient! It was how I was first taught, but over time, I grew skeptical that my practice was indeed a best practice. This method provides a seamless development experience but is not secure: the keys sit in plain text on disk, and every process you run as yourself inherits them. If your laptop were ever stolen, or malware landed on it, every credential in that file would be taken with it, along with all the organizational data those keys unlock.


Don’t be like me. Don’t store your API keys in plain text on your computer. Instead, you can employ a service called a "secrets vault." Examples include HashiCorp Vault, AWS Secrets Manager, or 1Password. At my current organization, we use 1Password because it seamlessly integrates with our password management tool (more on that later) and has an excellent command line interface for when we want to pass an API key into a line of code.


Secrets vaults significantly reduce the risk of unauthorized access to sensitive information. They are a far safer place to store your credentials than a plain-text file on your laptop: dedicated credential managers are designed with strong security measures, including encryption at rest, access controls, and audit logs that record who read which secret and when. They are often built to comply with industry standards and best practices, providing a more robust security posture than ad hoc methods of storing secrets.


Once you adopt a secrets vault, staying on top of your API credentials and other confidential information is easy. Most vaults let you share individual credentials with specific coworkers, so staffers hold only the credentials their tasks require (least privilege) and a single compromised account exposes less. For example, I have a set of API credentials that I share only with my data team staff and another set of secrets that I share with non-technical staff. Furthermore, keeping all your keys in one place makes it easy to rotate them. Rotation limits the impact of a breach by shortening the window in which a leaked key is useful; just remember that a rotation is only complete once the old key has been revoked at the provider, not merely replaced in the vault.


I fundamentally believe that even the smallest of political data teams should use a secrets vault: the technology is easy to grasp, quick to implement, and drastically levels up your organization's data security.
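As an added example (not code from the original post), here is the check I would run on my own machine after reading this section: a scanner that finds credential-looking variables exported in plain text from a shell rc file, next to the runtime pattern that replaces the habit, where a script refuses to start unless the vault CLI has injected the key into its environment. The variable names, the sample rc file, and the vault item paths are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

# Added example, not code from the original post: a checker for the habit
# this section warns against (exported credentials sitting in ~/.zshrc),
# plus the runtime pattern that replaces it. The variable names, the sample
# rc file and the vault item paths below are constructed for illustration.

SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.I)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


@dataclass
class Finding:
    line_no: int
    name: str
    masked_value: str


def _unquote(raw: str) -> str:
    """Return the assigned value without surrounding quotes or a trailing comment."""
    raw = raw.strip()
    if raw and raw[0] in "\"'":
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split("#", 1)[0].strip()


def _mask(value: str) -> str:
    """Keep only a short prefix and suffix so a report never reproduces the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}****{value[-2:]}"


def find_plaintext_secrets(rc_text: str) -> list[Finding]:
    """Flag credential-looking variables that are assigned a literal value.

    Values starting with '$' are references (another variable, or a command
    substitution such as $(op read ...)), not plaintext on disk, so they are skipped.
    """
    findings = []
    for line_no, line in enumerate(rc_text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        name, raw_value = match.groups()
        if not SECRET_NAME.search(name):
            continue
        value = _unquote(raw_value)
        if not value or value.startswith("$"):
            continue
        findings.append(Finding(line_no, name, _mask(value)))
    return findings


def load_required_secret(name: str, env=None) -> str:
    """Read a secret the vault CLI injected at run time; refuse to start without it.

    With 1Password this is the `op run --env-file=.env -- python script.py`
    workflow, where .env holds references such as
    ACTIONNETWORK_API_KEY=op://Data Team/Action Network/credential
    (the vault, item and field names are assumptions).
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; run this script under your vault CLI")
    return value


# Constructed sample rc file: two API keys stored in plaintext, a PATH entry,
# an editor setting, and one vault-backed reference that is not a finding.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
export ACTIONNETWORK_API_KEY="4f9c2e7a8b1d4c6e9f0a1b2c3d4e5f60"
export NGPVAN_API_KEY='sample-0000-1111-2222-333344445555'
export EDITOR=vim
export CIVIS_API_KEY="$(op read 'op://Data Team/Civis/credential')"
"""

if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_ZSHRC):
        print(f"line {f.line_no}: {f.name} = {f.masked_value}  <- move this into the vault")
```

Run it against your real rc files (`~/.zshrc`, `~/.bashrc`, `~/.profile`) and treat every hit as a key to rotate, not just to move: once a key has lived in plain text, assume a copy exists somewhere.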


Keeping your code base up to date and secure

The code you write can be a security vulnerability in itself. Insecure coding practices, such as the use of outdated libraries or failure to validate input, can introduce vulnerabilities that attackers exploit. Poorly implemented authentication and authorization may allow unauthorized access to sensitive data. Code that lacks proper error handling can leak information (stack traces, internal hostnames, the text of a failing query) that aids an attacker. Finally, neglecting maintenance leaves systems exposed to publicly known vulnerabilities in the libraries they depend on, so developers need to review and patch code on a regular schedule rather than only when something breaks.


I prefer to stay on top of my code base and prevent known vulnerabilities by enabling Dependabot on all my repositories. Dependabot is a native feature of GitHub that automates keeping project dependencies up to date. It identifies outdated dependencies in a repository and automatically opens pull requests to update them, so each bump arrives as a reviewable change with its own CI run.


Using Dependabot offers several benefits:

  • Security Updates: It helps ensure that your project uses dependencies with the latest security patches.

  • Bug Fixes and Features: It lets you stay up-to-date with bug fixes and new features in your project's dependencies.

  • Automation: It automates the dependency management process, saving developers time and reducing the chance of human error.


Dependabot does two related jobs, configured in two places. Version updates (routine bumps to newer releases) are configured by adding a .github/dependabot.yml file to the repository, which specifies the package ecosystems to watch, the update frequency, version constraints, and similar settings. Security updates (pull requests that fix a dependency with a known vulnerability) are switched on in the repository’s code security settings, independently of that file. Enable both.
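An added example of that configuration file (not taken from the original post), written for an assumed Python project that pins its dependencies in requirements.txt at the repository root and also runs GitHub Actions workflows. The weekly cadence, the label, and the grouping of minor and patch bumps into one pull request are choices, not requirements:

```yaml
# .github/dependabot.yml  (added example; ecosystems and schedule are assumptions)
version: 2
updates:
  # Python dependencies declared in requirements.txt at the repo root
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    groups:
      # one PR for all minor/patch bumps; major bumps still arrive individually
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # The actions your workflows run are dependencies too: pin and update them
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Commit the file to the default branch and Dependabot starts opening pull requests on the next scheduled run. Review them like any other change: a dependency bump that breaks your ETL at 2 AM is still a broken ETL.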


There are plenty of tools you can use to take your security engineering to the next level:

  • Datadog Security: Datadog offers security monitoring that helps data engineers watch the security of their cloud infrastructure. It includes features like anomaly detection, log management, and integrations with the major cloud providers.

  • Snyk: Helps identify and remediate vulnerabilities in open-source dependencies used in the project, ensuring that libraries and packages are up-to-date and secure.

  • Docker Bench for Security: A set of scripts and tools for assessing Docker container security, checking for best practices and potential vulnerabilities

  • Splunk: Monitors and analyzes security events in real-time, providing insights into potential threats and vulnerabilities.

  • Code Climate: Automates code review and identifies security issues, technical debt, and other code quality issues.

  • LGTM (Looks Good To Me): A code analysis service that scanned code for security vulnerabilities and other issues and gave developers automated feedback. LGTM.com was retired in 2022; its analysis engine lives on as CodeQL, which GitHub now runs as code scanning directly inside repositories.

  • Tenable.io: Provides vulnerability management solutions, helping organizations identify, prioritize, and remediate vulnerabilities across their infrastructure.


Everyone’s responsibility: Social engineering and community safety

Even though digital security is often not enshrined in our job descriptions, we have a leadership responsibility in this domain. Data directors can be pivotal in advocating for and implementing robust safety protocols within political organizations. Given our status as the most senior technical leaders in the organization, our words and actions influence the rest of the staff. Data directors set a powerful precedent for the entire organization: when we embody a culture of safety, our coworkers will follow our lead.


To be a leader and advocate for data security practices in your org, you must have a handle on the basics, namely good password hygiene, 2FA on all organizational systems, and device protection measures that provide the biggest ROI. There are many resources available that can be used as a roadmap to work through within your organization; the DNC security checklist and the CISA Campaign Security checklist are great places to start.


Once you have a handle on the basics, you can start communicating guidance to your staff and advocating for data security in your organization. The primary digital threat organizations face is phishing, which most of these measures are designed to protect against.


Phishing attacks

Phishing attacks, the deceptive practice of impersonating trusted entities to trick individuals into divulging sensitive information or taking malicious actions, pose a significant threat to the digital security of progressive political organizations. It is the most frequently deployed digital attack targeting organizations, as it can be effectively run at scale and repeated as many times as needed to gain a foothold within a targeted org.


While there are technical tools that can help attackers deploy phishing campaigns at a large scale, phishing is a “social engineering” attack, using psychological tricks to get you to act before you have time to think. Phishing emails can get you to disclose your credentials or install malware on your laptop. They can also simply try to get your money.


You are most likely aware of the classic phishing examples, e.g., a fake Google alert sent via email that leads to a fake Google login page (see the Podesta breach in 2016). However, the attack most frequently seen today by organizations is the “fake boss gift card scam,” where an attacker poses as leadership from an org and emails/texts staff asking to purchase gift cards. This is highly effective, and we expect to see more malicious forms of this attack in 2024. Here is more guidance on this scam. These attacks often manifest through seemingly legitimate emails or text messages, exploiting social engineering tactics to manipulate recipients. For example, they often target new employees who aren’t yet familiar with company culture or protocols and will be eager to impress someone they think is their boss.


You can help protect your staff against phishing attacks by advocating for employee training and multi-factor authentication. On a new employee’s first day, warn them about the fake boss gift card scam. You can save examples of scams and phishing messages that target your employees as they are reported so that you can use real examples in this training. You can deepen this culture of safety by training new employees about proper procedures for expenditures and banking. Many scams try to get employees to purchase gift cards, pay an invoice, or change direct deposit info, and having solid practices around verifying expenditures and banking requests can help interrupt these scams. Finally, you can use phishing quizzes like shira.app to talk through phishing examples related to your organization’s work.
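The expenditure and banking checks above are human procedures, but the headline signals of the fake-boss pattern can also be checked mechanically before a message ever reaches a new hire. As an added example (not from the original post), here is a small triage function run over a constructed inbox: it flags a leader’s display name paired with an outside address, a lookalike domain, a Reply-To that diverts replies, urgency language, and any request that moves money or changes where money goes. The organization domain, the leadership roster and every message are made up.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Added example, not from the original post: a triage check for the
# "fake boss" pattern described above, run over constructed messages.
# The organization domain, the names and every message below are made up.

ORG_DOMAIN = "example-pac.org"
LEADERSHIP = {
    "jordan rivera": "jordan@example-pac.org",   # Executive Director (assumed)
    "sam okafor": "sam@example-pac.org",         # Deputy Director (assumed)
}
URGENCY_PHRASES = ("right away", "asap", "urgent", "quick favor", "in a meeting", "can't talk")
PAYMENT_PHRASES = ("gift card", "wire transfer", "invoice", "direct deposit", "payroll")


@dataclass
class Message:
    sender: str            # raw From: header
    subject: str
    body: str
    reply_to: str = ""     # raw Reply-To: header, if present


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg: Message) -> Verdict:
    verdict = Verdict(score=0)
    name, addr = parseaddr(msg.sender)
    name_key, addr = name.strip().lower(), addr.lower()

    # 1. Display name of a known leader, but not their real mailbox.
    expected = LEADERSHIP.get(name_key)
    if expected and addr != expected:
        verdict.score += 3
        verdict.reasons.append(f"display name '{name}' but address {addr}")

    # 2. Lookalike domain: contains our label but is not our domain.
    dom = _domain(addr)
    if dom and dom != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in dom:
        verdict.score += 2
        verdict.reasons.append(f"lookalike domain {dom}")

    # 3. Reply-To diverts replies to a different mailbox.
    _, reply_addr = parseaddr(msg.reply_to)
    if reply_addr and reply_addr.lower() != addr:
        verdict.score += 2
        verdict.reasons.append(f"Reply-To {reply_addr} differs from From")

    text = f"{msg.subject}\n{msg.body}".lower()
    # 4. Pressure to act before thinking.
    if any(p in text for p in URGENCY_PHRASES):
        verdict.score += 1
        verdict.reasons.append("urgency language")
    # 5. A request that moves money or changes where money goes.
    if any(p in text for p in PAYMENT_PHRASES):
        verdict.score += 2
        verdict.reasons.append("payment or banking request")
    return verdict


# Constructed sample inbox: one genuine message, one classic gift-card ask
# from a free-mail address, one Reply-To diversion from a real-looking sender.
SAMPLES = [
    Message('"Jordan Rivera" <jordan@example-pac.org>',
            "Board deck for Thursday",
            "Can you add the Q3 turnout numbers to slide 4? Thanks."),
    Message('"Jordan Rivera" <jordan.rivera.director@gmail.com>',
            "Quick favor",
            "I'm in a meeting and can't talk. Please buy five $100 gift cards "
            "right away and send me the codes. I'll reimburse you today."),
    Message('"Sam Okafor" <sam@example-pac.org>',
            "Payroll update",
            "Please update my direct deposit to the account in my next email.",
            reply_to="sam.okafor.personal@outlook.com"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = triage(m)
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} {m.subject!r} {v.reasons}")
```

The third message is the one to notice: the From address is genuine, so a "check the sender" rule alone passes it, and only the Reply-To plus the banking request give it away. Whatever tooling you use, the procedural rule stays the same: any request to buy, pay, or change banking details is confirmed by calling the requester on a number you already have.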


Multi-factor authentication is a critical component of your organization’s safety. You should collaborate and consult with your fellow leaders to ensure that MFA is enforced throughout your organization. For systems you administer (e.g., GitHub), turn on enforced MFA so that the software walks people through setting up their second factor as part of account setup. Make security the default whenever you can to save people the work of implementing all the tactics on their own! Enforcing MFA on your email and file-storage platform (e.g., Google Workspace or Microsoft 365) is the most significant and most straightforward security win you can give your organization, because email is where the password resets for every other account land. Where the platform offers it, prefer security keys or passkeys over SMS codes: an SMS or app code can be relayed through a fake login page in real time, while a security key only works with the genuine site. If you don’t admin your organization’s email/file storage software, advocate for MFA from whoever does!


Password managers

I have seen my coworkers share passwords in plain text over email and Slack countless times. These are often simple, human-readable passwords that could be easily guessed. I have seen a password for a Canva login that was essentially “Canva2020!”. Such predictable and human-readable passwords are susceptible to brute-force attacks and compromise our accounts' security by failing to meet basic password-strength standards. If you resonate with this example, it is time to advocate for your organization to adopt a password manager.


A password manager is a secure vault that stores and organizes complex, unique passwords for various accounts, mitigating the risks associated with weak or reused passwords. The truth is that it is simply impossible for us to remember all the passwords we have to create and make them long and strong. The only way to remember all our passwords and reliably generate strong ones is by using a password manager! And once you get into the habit of using one, it will make your online life much easier. It's a rare combination of security and convenience.


Many of us are familiar with our browser’s ability to store passwords. It may seem like a safe and convenient way to keep your login information: it is as easy as clicking a button, and the browser auto-fills the password when we return to the site. The problem is less the encryption (modern browsers do encrypt their stores) than everything around it: the store is tied to one person and one browser profile, it is decrypted automatically for anything running as that user, and it offers no team sharing, no way to revoke a departing coworker’s access, and no audit trail. A dedicated password manager encrypts credentials under a key derived from your account password, keeps them in one place across devices and browsers, and adds the sharing and access controls an organization needs.


If you pursue a password manager, I cannot recommend 1Password enough. It is one of the most secure options for password management and is easy to use, so even your least technical staffer will feel comfortable with it. In terms of security, 1Password uses end-to-end encryption, meaning that even if the service itself were breached, the encrypted vault data would be useless without the user’s account password and Secret Key, which never leave the user’s devices. 1Password also operates on a “zero-knowledge” model: the company has no access to the user’s account password or the data stored in their vault. It provides a built-in password generator that creates long, random, unique passwords for each account; these resist brute-force guessing and, because they are unique, cannot be replayed from one site’s breach against another.


Regarding ease of use, I have found 1Password to be magnitudes more user-friendly than the alternatives I have tried. When we adopted 1Password at my current organization, the universal feedback was that this tool was much easier to use than the previous tool we were using. Everything from the bright and clean user interface to the ease with which passwords could be generated and populated for websites to the intuitiveness of the design made it so that staff had an enjoyable experience using the tool. It was not just our tech-savvy data and digital teams that could pick up 1Password quickly, but our HR, creative, and organizing staff as well. Overall, 1Password is by far my top choice for a password manager for political organizations.


⭐ Tips for hot girls: Onetimesecret is your friend. There are many moments when I need to share a password or credential with a trusted colleague quickly. While I almost always use 1Password to share secrets safely, Onetimesecret can be handy for quickly and securely sharing information. You simply paste your secret into Onetimesecret, and it will create a one-time link for you to share. Once the link has been opened, it can never be opened again. To be even more secure, I recommend using their passphrase feature to set a unique password on the one-time link. I share these passphrases directly with the intended recipient in a private, secure channel like Signal. 

If you use a tool like this, be sure not to include all the information in the one-time secret! For example, if you are sharing email credentials, add the password to a one-time secret with no other context. This way, if your secret is intercepted, the interceptor won’t know what your random string of characters is for. 
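To make the burn-after-read guarantee concrete, here is an added example (my own illustration, not Onetimesecret’s code) of the mechanism behind such a service: each secret is encrypted under a key derived from the passphrase, filed under an unguessable token that becomes the link, and deleted from the store the moment anyone asks for it. It uses only the Python standard library, so the cipher is a keystream built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; a production service would use an AEAD such as AES-GCM or ChaCha20-Poly1305. The sample secret and passphrase are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example, not Onetimesecret's own code: a minimal burn-after-read store
# with the passphrase feature described above, standard library only.
# Encryption is a keystream derived from HMAC-SHA256 in counter mode with an
# encrypt-then-MAC tag; a production service would use an AEAD instead.

PBKDF2_ROUNDS = 200_000


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, counter) blocks. Symmetric: apply twice to decrypt."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, block_no.to_bytes(8, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


class OneTimeSecretStore:
    """Holds each secret encrypted under its passphrase until it is read once."""

    def __init__(self) -> None:
        self._items: dict[str, tuple[bytes, bytes, bytes]] = {}

    def create(self, plaintext: str, passphrase: str) -> str:
        """Store the secret and return the unguessable token that goes in the link."""
        token = secrets.token_urlsafe(24)
        salt = os.urandom(16)
        enc_key, mac_key = _derive_keys(passphrase, salt)
        ciphertext = _keystream_xor(enc_key, plaintext.encode())
        tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
        self._items[token] = (salt, ciphertext, tag)
        return token

    def reveal(self, token: str, passphrase: str) -> Optional[str]:
        """Return the secret exactly once. Any attempt, right or wrong, burns it."""
        item = self._items.pop(token, None)    # removed before the passphrase is even checked
        if item is None:
            return None                         # never existed, or already read
        salt, ciphertext, tag = item
        enc_key, mac_key = _derive_keys(passphrase, salt)
        expected = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return None                         # wrong passphrase; the secret is gone anyway
        return _keystream_xor(enc_key, ciphertext).decode()

    def exists(self, token: str) -> bool:
        return token in self._items


if __name__ == "__main__":
    store = OneTimeSecretStore()
    link_token = store.create("Canva2020!", passphrase="sent-over-signal")   # constructed sample
    print("first read :", store.reveal(link_token, "sent-over-signal"))
    print("second read:", store.reveal(link_token, "sent-over-signal"))
```

Two design choices matter here. The token is removed from the store before the passphrase is checked, so a wrong guess burns the secret rather than giving an interceptor unlimited tries; the sender simply creates a new link. And because the passphrase travels on a separate channel (Signal) from the link (email or Slack), someone who captures one still cannot read the secret, which is the same reasoning behind sending the password with no context in the first place.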

Account management

I know many of us are guilty of having one login for paid accounts that is shared freely with our coworkers. And look, I know that you know that this is a bad practice, but the reality is that we’re not going to get the budget for everyone on our team to have their own individual accounts for paid services. As much as I would love to tell you not to do this, a more realistic compromise is to think through the systems you can implement to keep your team safe while the login is shared.


For example, you can work with your HR team to develop a system for identifying employees and interns who leave the organization and a process for quickly reviewing all your digital accounts and removing account access within 48 hours of their departure. Or better yet, bake account management into your on- and offboarding experience. This means always knowing who can access what accounts and where the password is stored. One of the most significant risks is a disgruntled employee taking access to a domain or an account with them.


To be extra safe, you could rotate your shared account passwords every 3-6 months to ensure that only those who need the password have it. And if you were not sold on password managers yet: a password manager’s shared vault lets you manage access, removing people once they’re gone and changing the password on the entry. Everyone else sees the new password automatically, avoiding the chaos of lockouts and passwords sent over Signal.


Of course, you do not just need a password to log in to a shared account, but also the MFA code. Lucky for us, 1Password also doubles as an authenticator app. When you share a login with a teammate, you can also share the one-time-password entry so they can generate the MFA code themselves. No more texting your coworker, asking them to text you back the login code, and praying they check their phone. One caveat: what you are sharing is the TOTP seed, so every vault member can mint codes, and the vault now holds both factors for that account. That is still far better than a code bouncing around over text, but it means the vault account itself must be protected by a strong, non-shared second factor, and the seed should be reset along with the password when someone leaves.
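To see why a shared “MFA code” is really a shared seed, here is an added example (not 1Password’s code) of the RFC 6238 TOTP computation every authenticator app performs: HMAC-SHA1 over the number of 30-second steps since the epoch, truncated to six digits. Two people holding the same seed and the same clock get the same code, which is exactly what makes vault sharing work and exactly why the seed must be protected like a password. The base32 seed is the reference secret from RFC 6238, used so the output can be checked against the RFC’s published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not 1Password's code: the RFC 6238 TOTP computation that any
# authenticator app performs. Whoever holds the seed can mint valid codes.
# The base32 seed below is the RFC 6238 reference secret, so the codes can be
# checked against the RFC's published vectors.


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(seed, int(at_time // step), digits)


def decode_base32_seed(b32: str) -> bytes:
    """Accept the seed as apps display it: case and spaces ignored, padding optional."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify(seed: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift), constant-time compare."""
    steps = int(at_time // 30)
    return any(hmac.compare_digest(hotp(seed, steps + drift), submitted)
               for drift in range(-window, window + 1))


RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of b"12345678901234567890"

if __name__ == "__main__":
    seed = decode_base32_seed(RFC_SEED_B32)
    now = time.time()
    # Two copies of the seed (two vault members) always agree: same seed, same clock, same code.
    print("code on laptop A:", totp(seed, now))
    print("code on laptop B:", totp(seed, now))
```

The practical consequence for offboarding: removing someone from the shared vault entry stops them seeing future codes only if they never exported the seed (the QR code or the base32 string). If you cannot rule that out, regenerate the authenticator on the service side, which issues a new seed and invalidates the old one, and update the vault entry.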


Not your job: IT support

Many aspects of cybersecurity fall squarely within the role of a data staffer. We are primarily responsible for our data and tech systems, ensuring that our code and credentials are secure. We even have a role to play in advocating for a culture of safety in our organization through training, education, and the adoption of specific tools. Yet some aspects of cybersecurity are squarely not our jobs.


Your data director should never be mistaken for an IT director. Many of us find ourselves in situations where anything “tech” related becomes our job, but I believe it is important for us to advocate for dedicated IT support if this boundary starts to become murky. Data staff are uniquely qualified to clean, transform, move, analyze, and present data to drive strategy at our respective organizations. When our roles start to blend with IT, we become less able to execute our true responsibilities and serve our organizations in ways that we are uniquely qualified to do.


If you find yourself doing any of the following, it may be time to advocate for hiring IT support:


  • You are in charge of purchasing office and tech equipment for your staff.

  • You manage your organization’s Google Workspace.

  • Your Executive Director is asking you for help navigating Google Drive.

  • You are storing laptops, hardware, etc., at your house.

  • You set up mobile device management on your employees’ hardware.

  • You manage your organization’s VPN.

  • You are the one resetting your coworker's email passwords when they are locked out.

  • You are the one evaluating suspected phishing attacks and scam emails of your coworkers.

  • Your organization turns to you when it starts receiving hate mail and death threats.

  • Your organization turns to you when it experiences a security scare.


If your job is starting to blend with the job of an IT Director, you may want to start planning a way to advocate for bringing on additional capacity. This could look like bringing on a part-time consultant, hiring an in-house IT manager or director, or outsourcing the work to an IT company. 


When to Call in the Experts

I went to bed at 3 AM that night. I spent three hours reviewing the attack video against us, meticulously reviewing each frame to identify every bit of leaked information. I started making my lists—a list of everyone I needed to call the next day to inform them that their personal information had been revealed in a right-wing attack video and a separate list of the advice I would give them to keep themselves safe.


At the start of the next work day, I began calling through that list, informing co-worker after coworker that they needed to take immediate action in order to protect against doxxing. It was one of the most challenging days of my career, and it’s something I hope I never have to do again.


There were many lessons learned after this incident, but the clearest one I learned was the limitations of my expertise. As my organization's most senior technical leader, cybersecurity was de facto my responsibility. But this attack illuminated the extent of what I could do. Clearly, we needed legitimate cybersecurity professionals involved–not just with this incident but in creating a culture of safety at my organization.


You may also ponder whether to hire security and IT professionals for your organization. Let my story be a lesson: please do not wait until you have a security breach to make that call.


Indicators that it’s probably time to hire IT/cybersecurity help:

  • Your org has a need or desire to wipe/lock laptops remotely, deploy computer updates, or enforce computer settings like encryption.

  • Your org has experienced a data incident of some sort (ideally, you want support before this, but it is certainly an indicator if not). Remember, your data incidents are most likely to originate from your own staff (e.g., staff downloading proprietary data before they leave the org).

  • Your organization is providing laptops, and one of your staff members is storing spares at their house.

  • You are 40+ staff.

  • You are filling out security questionnaires or cybersecurity insurance applications.

  • You know a lot of what you should be doing to help secure your organization but can’t imagine having the time or capacity actually to do it.


There are a few options available for organizations looking for IT support:


Internal hire: Getting approval for an IT Manager or IT Director role in your org. Ideally, this should report to someone on leadership and not you (otherwise, you become the IT Director whether you like it or not, as you are the ultimate backstop). You will want someone at least at manager seniority who has run IT for other organizations as a one-person shop. Hiring a junior IT staffer with no senior-level guidance will create more work and risk, not less.


IT Consultant: There are many individual IT consultants, many of whom work on an hourly basis as a side gig to their day job. These are almost exclusively found via referral from others who use them; IT consultants tend not to advertise themselves and take on a limited set of clients. Make sure your consultant has the bona fides to prove they can provide trustworthy support for your org. This person will have the keys to your castle and should have references in your network who can vouch for them.


Managed Service Provider (MSPs): These are third-party outsourced IT firms. These firms vary wildly in scope, approach, and capability; while more expensive than individual IT consultants, they come with a fully-equipped team with the ability to provide more consistent coverage and availability. If you are looking into hiring an MSP, put together an RFP outlining your org’s needs and try to get proposals from ~5 MSPs. This will allow you to compare price, scope, and capability in order to select the MSP that is the best fit for your org. Managing a good MSP as a data director will be the least labor-intensive option of the 3 here.


Wrapping up

My relationship with cybersecurity and my role as a data director has shifted tremendously over the last few years. In the beginning, I was adamant that cybersecurity tasks were outside the scope of my responsibilities. However, as time progressed, I found myself gradually taking on more cybersecurity and IT responsibilities, eventually taking pride in the pivotal role I played within my organization. I continued to take on more and more of these tasks until, before I knew it, I was moonlighting as my organization’s IT director. When my organization experienced a cybersecurity attack, I quickly realized I was way out of my depth and needed to call in the experts–but by then, it was almost too late.


I hope that in reading this blog, you are also thinking about your own relationship to cybersecurity and IT work in your organization. Maybe you are doing way too much and hold the roles of both a data director and an IT director. If so, I encourage you to explore bringing on additional support and offloading some of that work to experts. Or, maybe you want to lean more into cybersecurity and bring some security best practices into your tech stack or help advocate for better security practices at your workplace. Whatever your journey is, I would love to hear about it in the comments or by emailing me directly at hello@brittanybennett.com


Lastly, I would like to leave you with a set of digital security resources compiled by Amanda Bennett of Personified Tech: https://digitaldefensefund.org/learn/#external-resources

