A slow and faraway conversation between Slammer Musuta and Maya Richman

maya richman
Read, Write, Participate
Jun 5, 2019

Grounding

In late February, Astraea Lesbian Foundation for Justice graciously hosted a Why We Fund event centered on holistic security featuring their Mozilla fellow, Maya Richman, and Slammer “Selina” Musuta, a Mozilla fellow hosted at Consumer Reports.

Since it was an intimate conversation with a small group, we wanted to take the time to share with those who couldn’t be there what we talked about, our approaches to collective safety and care, and what feels challenging and hopeful in this work.

Discussion @ Astraea in NYC in February

If you are a practitioner or work with others to shift security culture and maintain policies and practices, you may enjoy this conversation. If you are working to further community safety or build websites for busy and burned-out activists, this post could also be for you!

The blogpost was written slowly over the last two months, like a game of slow motion ping pong. We tried to refrain from editing our answers so it feels more like a conversation. Enjoy!

A slow and faraway conversation

M: I’m so glad we had a chance to talk about the joys and challenges of our work as practitioners/trainers. It’s so hard to remember to come up for air, and make time to think on a larger level about what we are doing and how we are doing it. I think in particular I enjoyed this sense of solidarity — this shared feeling in the room — like yeah we are doing this work and that’s great, but it’s also really hard! And often we don’t get to see dramatic change. This work takes time and serious patience, but that’s one of my core values I want to live: slowness, intentionality, and thinking long term. What about you? How did it feel talking about your work in this way?

S: I’m honored that I was part of this conversation. I’m working towards building in constructive processes for evaluation and reflection including time. That’s one of the reasons why I chose Consumer Reports as my host organization for this fellowship. I wanted to learn how they test and provide feedback.

This talk and the preparation for it gave me the opportunity to also reflect. We didn’t delve into how we structure that reflection in our work. But we shared the challenges we face. It was empowering to identify similarities that have led us to centering care when designing and implementing security management practices and tools. For example, so many orgs that I work with do not have written organizational policies. This includes employee code of conduct, conflict resolution processes, communication and storage guidelines. Security and safety is bound to all of that. It’s more than just deciding what data to encrypt or an organization’s password management. It’s about taking care of every part of our work. How does care fit into your security/safety work?

M: Yeah, it’s really important to acknowledge that safety and security relies on the same infrastructure as all core organizational practices and policies. You can’t install seatbelts on a plane that hasn’t been built. Often the success of our support comes down to practice and process — who cares if there is a new tool with heightened security features if there isn’t a collective agreement and documented process on how to use it? Defining that process, and making it stick, has way more to do with people — how they learn and the organizational culture surrounding them — than the technology itself. Of course there are technical solutions that can make teams safer that they don’t need to interact as much with — for example, making sure a website is built with DDoS support or server-level hardening that most staff can’t see but benefit from. But most security recommendations I’ve given ultimately rely on humans to see the value of the work and maintain the system after I’m gone, and hold each other accountable.

This approach is also really respected and encouraged at Astraea, and one of the reasons I wanted to work with them. They fund grantees to do deep work and invest in their systems long term, because they know that the grantees will burn out and leave the movement if they aren’t given that time to breathe and plan together.

Security doesn’t exist in a vacuum — it is intimately connected to historical and intersecting oppressions, which increase not only the risks that some people face but also make it exponentially harder for those same people to protect themselves. If you work as a practitioner and you don’t acknowledge the different experiences of the staff, you might build a system that systematically omits/leaves out a large percentage of the team, who are already the most vulnerable. That’s why a one-size-fits-all approach to security doesn’t make sense; we need to find ways to honor everyone’s embodied knowledge and varying needs.

A few ways I do this in my work:

  • I make sure, before I talk to staff about what to improve or change, that they understand and celebrate the ways they are already caring for each other.
  • I find ways to expand security definitions and examples so more staff see themselves and their stories in the process.
  • I make sure that there are multiple routes and opportunities for people to tell me what they want out of the work, so that the process isn’t driven by the most vocal or more powerful.
  • I attempt to center the motivation to collectively care for each other, rather than rely on staff guilt and fear of causing someone harm.

How can we check ourselves, as practitioners, that our approach is working and feels right to the staff?

S: I’m trying to figure that out. I wish that there were more templates for evaluation in this work including metrics (silently waving hand for help). What are ways — with care — to test and evaluate how an org detects and responds to a threat to their personal and/or organizational data? I don’t want to inject anxiety and distrust in that process. One method of evaluation is monitoring the time and the number of staff that adopt practices and tools, but if your time with an organization is limited to less than a year, how do you know if that adoption is sustainable? And even if an organization adopts an agreed upon process and/or tool, how can staff strategically abandon that agreement if it no longer serves them? Can they revert back, adapt, or move towards something different without detrimentally hindering their work? Especially since I will not be there in the long term. For example, burnout is a real security risk. Am I asking staff members to take on new tasks, like instituting an information backup process, when they are working more than 40+ hours? Are they already feeling undervalued? I don’t want adoption of a security framework to add to burnout.

For those that are on that “Twitter as a resource joint”. I’m really digging this thread asking what 3 recommendations for organizations to begin to use to move towards better security. Whether I agree or not with the thoughts, the fact that there are infosec practitioners talking openly about these issues in a supportive way is super helpful.

M: Whoa! That thread…reminds me that we are in this bubble that is also naming the power dynamics and political/economic context that produce these challenges, and the reasons why a framework for safety is difficult to build. After attending the Internet Freedom Festival (IFF) in Valencia I felt like OK I guess everyone is talking about collective care and a feminist approach to security. Crash! I have fallen back into this planet. We need to keep (SQL)injecting the cultural contexts and financial realities for many organizations into mainstream cybersecurity networks.

Re: evaluation, I often do surveys and ask staff to self-reflect on how much they understand and keep the practices I helped institute during support, but that isn’t enough. I have some exciting news for you though! Internews and The Engine Room are collaborating on a Monitoring and Evaluation (M&E) framework for organizational security support and are attempting to ask that very question.

About burnout, it’s so tricky. Sometimes I shorten my long list of recommendations due to fears that it will seem overwhelming and nothing will move forward. Ideally security recommendations aren’t all time sucks, and some make their lives easier eventually? Maybe that’s hopeful thinking.

OK, we may be rambling (mostly me). What is one last thing that you want to make sure you say before we end this ping-pong blogpost?

S: My life is a long ramble so I’m really appreciating this style. I want to say that when that M&E framework from Internews and The Engine Room is released, it will be a game changer for me. So much of my work is done alone and involves trial and error with very little opportunity to get feedback and professional development. I have felt like an imposter in this work despite my experience and knowledge so I decided to take two major steps to build confidence in this work. Work towards certification and make an intentional effort to go to infosec meetups & conferences including product security training opportunities like LocoMocoSec. It’s been awesome to see my tech skills advance in so many areas. But also I’m frustrated to stay stagnant in other ways in terms of how these skills can be applied in the context I work in. It’s difficult to find the resources and the community in these gatherings to have those conversations. I think IFF is the only gathering en masse where I met so many like-minded security practitioners. The infosec meetups and conferences that I go to do not directly work with the same populations that I do. They are not talking (like you mentioned) about their work as an inherent feminist project that is founded on collective care and that impacts the applications of tech tools & practices. Organizations reach out to me when there has been an external/internal breach or they have heard the latest scary news about some kind of surveillance technology being rolled out. So they are in emergency mode. And my challenge is to make sure I can help them with the now while also working toward sustainability because the attacks on us seem to never stop. Because at stake in this work is people’s money for survival, reputation, physical well-being and more. That means building a strong model where monitoring and evaluation has to be foundational in my work moving forward. Okay, now I’m going to share a rambling dream.
Should we jump on the podcast bandwagon and dedicate a year on this topic, share resources, interview dope people in this work, and give makeup tips?

M: Re: Podcasts, yes! I have lots of thoughts about podcasts. I don’t have a lot of patience for the editing part though…anyways we’ll figure it out. LET’S DO THIS THING. I love the way a conversation takes a life of its own and I find it’s easier to get the “aha” moments there than when I’m on my own writing a ‘formal report’, which I guess is why I wanted to write our blogpost this way. I also just want to do things this year that I enjoy and communicate what I’m learning about life and my work through those channels. People absorb your excitement and energy and that’s gonna be more impactful than doing things the RIGHT AND PROPER WAY. Anyways I digress-

I’m finding myself pulled in two directions these days. For several years, I’ve called myself a holistic security practitioner without the training or real investment in the well-being / psycho-social security methodology. So I’ve felt like an imposter on both fronts: I’ve doubted my technical security knowledge and skills, and my ability to support organizations with their emotional trauma and burnout. I still want to dig in and get some serious professional development on more technical aspects of my work, but I’m leaning more towards leveling up on the well-being / facilitation side.

During the fellowship, it occurred to me that I’ve spent the last few years working in this field but not really thinking about how to combat surveillance and burnout in the body. This year I dedicated some serious time to reading and learning about the effects of trauma, resilience, and the disability justice and healing justice movement. Inspired by the practitioners and activists I’ve been reading / listening to like Mia Mingus, Leah Lakshmi Piepzna-Samarasinha and Adrienne Maree Brown, I am keen to get trained on somatics / body work so I can offer it to the people I work with as part of my safety support. I also think a grounding in these practices will help me take care of myself while I do the work and help reduce my own burnout in the long run.

I also want to say that I’m really honored to have met you as part of the Mozilla fellowship, and truly appreciate your candor and openness about what you struggle with and how you are combating imposter syndrome, and your approach to supporting the people and organizations in your life.

S: It’s about to get emotionally raw in this post. Because I feel the same way about you, Maya. You are so patient & present in our conversations — offering much needed opportunities of pause to truly reflect on what and why I am doing this work, and how does it serve my entire self. If I truly want my community to live full lives in joy and kindness towards each other, how am I doing that with myself and my chosen family. I have witnessed seeing you listen to what your body needs while also caring for the people around you. There is so much I have learned from you that I will carry in my work going forward. I feel privileged that I have been able to see your very well-documented resource lists and I’m excited to see any project that features the research you have done. Because we need reminders that this work is being done everywhere and by folx that do not receive recognition.

I think this fellowship was a watershed year. I realized I needed a blueprint of what I want to build in the next 3 to 5 years of my life. I’ve created quite a few parallel universes so far including jumping into the field of privacy engineering. That would mean pursuing a master’s in a career that has very few programs like it. Another universe is finding an application security apprenticeship and really focusing the next 5 years in that world. Several universes include the hustle of working with nonprofits in supporting their tech infrastructure including my existing work as a digital security practitioner. Or I could invest in Blockchain…j/k. Either way, I need a break (and I have the privilege to take one).

During that time of reflection, I’m going to take the following 6 months to further develop Soupy Security — my multimedia project that explores how we talk about digital security and safety in our communities. I’m going to study for the Network+ & Sec+ exams. Enjoy the sun and warmth this summer through outdoor pool time & gardening. Go camping. Love up on my chosen family thru food, dancing, hugs, and daily affirmations. Plan my second cryptoparty with the DC Public Library crew. And code more.

M: SO NICE THANK YOU! One more plug, as part of my fellowship I am designing a zine that talks about all these things and more which will be online and in print in the summer — message me if you want a copy!

M & S: Below are some resources that are nourishing our development.
