Holistic Security in Conversation

by Hannah Smith

Posted: 28.09.2016

Tactical Tech's Hannah Smith sits down with project lead Daniel Ó Cluanaigh to discuss the origins of the project, what we learnt while developing the manual, and what 'holistic security' means for trainers in practice.

Image of Holistic Security Sculpture

The text below has been edited for length and clarity.

Hannah Smith [HS] Dan, the Holistic Security Manual very much owes its existence to your hard work and perseverance – supported I know by a great many trainers and defenders who've contributed to the project along its development. To start us off maybe you can tell me a bit about where the holistic security project came from.

Dan Ó Cluanaigh [DOC] I think the first time we discussed it as a project was actually at the Psst! event we had in Ireland in October 2012. We had some really good technologists and digital security trainers together and a lot of people that were working on digital security had noticed that there was a strong emotional component coming out in their trainings. A lot of the human rights defenders that we were working with would be under a huge amount of pressure, a huge amount of risk, making it really difficult for them to effectively learn in a training environment. People mentioned that it was effecting them as trainers as well.

These comments came out in side conversations which weren't the focus of the event, so we decided to have an explicit multi-party dialogue about it which took place in February 2013 in Berlin. We got together with people working on psycho-social well-being and integrated security for human rights defenders, as well as people working on overall security management and risk analysis.

Over the three day workshop we teased out the things that we had in common - as people from different disciplines - in our approach to protecting defenders. We also identified some of the things we wanted to learn from each other. That's where it began.

HS So thinking about how the process went forward from there, I guess by this point you'd identified a specific need in terms of our capacities as trainers and what we can provide. But how did that develop into what eventually becomes a manual for human rights defenders?

DOC So there were a few different points where we were trying to deepen on this but it wasn't a full time job for any of us, it was still just an idea. When Tactical Tech did the Info Activism Camp in 2013, Niels [ten Oever], Ali [Ravi] and I played with the idea of 'holistic security' in the sessions we did there and tried to come up with ideas of presenting digital security in a 'holistic' context, but we didn't have a very developed idea of it yet.

One idea, which had come out of the first meeting, was to have a training of trainers (TOT) which would be holistic. We collaborated with Protection International and some others to do the TOT in September 2013. At first we thought we could just train people to do all three of these things. That was where Sandra [Ljubinkovic] became very deeply involved. She came to this TOT in Kenya and she helped us to let go of the idea that you would be able to create these 'unicorn' trainers - people who'd be able to train on all aspects of security at once. I guess if we'd had enough time to think about it, we'd have worked that out as well!

Sandra also brought in this very important concept that you can't just 'train' people to train others on something like well-being. You can't just say, “here are the best practices, now go teach other people that.” It means nothing unless the trainers are putting it into practice for themselves. That's this idea of walking the talk.

So from that point on, we changed our approach, and even during that TOT, to say, “This is a digital security TOT; that's the main focus”. But within it we were trying to implement best practices so that everyone involved could think about their own physical security and their own psycho-social well-being – which could then slowly work itself into their methodologies as digital security trainers. It stopped being about being a unicorn and started being about best practices. That was also the moment when we really started to crystallise a community around the project.

The next key learning moment was the first writing sprint that we held in Berlin in 2014. By that time we'd decided to write a manual for human rights defenders which would present a common framework and language, and integrate best practices from each discipline. We invited a really amazing group of people together. The idea was to start from the context of HRDs themselves, so some people were chosen to bring very front line experience of human rights work in dangerous environments. We wanted to put that at the centre of the whole thing and around that establish a set of common questions HRDs should ask themselves in order to plan for their well-being, digital security and physical security.

However, what we hadn't done by that point, but what we should have done, was to sit down with the orthodox frameworks that existed and identify the bits that needed to improve or evolve. Instead this ended up happening during the workshop, but in separate side conversations rather than as the focus. A lot of the content that was written during that first sprint wasn't actually used until right at the end of the process because we'd missed this step of engaging with the orthodoxy, with risk analysis methodologies and strategies out there to see how we could add something new to them from the other fields.

Craig [Higson Smith] brought a more constructivist perspective on risk analysis, for example, that you don't just do risk analysis as an objective process. Its a subjective process where you bring yourself, your experiences, your stress and trauma and positive things like your resilience, your resources, your philosophy, your perspective. That all plays a part in your defining and thinking about security. Its the first thing one has to recognise to begin the process of really dealing with security in a holistic way.

HS So in this case the orthodoxy is objective risk analysis and the holistic take on it is to have this more subjective approach, more centred on the individual's experience?

DOC The holistic security framework tries to recognise individuals' experiences duly, it's not necessarily more centred on them but it definitely has to recognise them. It's something that gets a little bit of attention in previous approaches to risk analysis, and maybe even a little attention in approaches to digital security, but it was never the explicit focus. The exception being of course the Integrated Security Manual written by Jane Barry, which Sandra had been involved in before, and which positions our subjective experience very centrally, and from a feminist perspective.

The other element which was missing [from earlier protection strategies] was digital security. There needed to be greater recognition of digital surveillance as a threat. And because digital threats don't trigger our innate responses, we find either risks might be staring us in the face but we just don't see them, or we can be super paranoid and consider risks that aren't genuinely there. This emphasises the need for us to have a calm, safe environment for doing risk analysis. So that's what we brought from the digital side.

HS So within the Holistic Security Manual, there are certain pre-existing elements there, but which had not previously been brought together. For example, you've got many people working on well-being already, but not within the confines of security or strategy-planning. And likewise within the later steps.

DOC Exactly. The holistic approach is really drawing these together, explicitly noting the interrelationships and perhaps closing the circle. You can't properly do a risk analysis without thinking about the digital side of things, without thinking about your mental state, your physical state, your health, and including that in the process. We felt there were minimums which weren't really being met by the materials that were out there, as good as they are.

HS And how easy or hard has it been to get people on board with the idea of 'holistic' security? Or do you feel that from the outset people were on the same page – motivated maybe by this need that we discussed at the beginning?

DOC So this is important – on the whole it was easy to get people on board with the word 'holistic' but hard to get people on board with the actual idea. Certainly at the very beginning some people were pushing back. Digital people we were talking to were sceptical about the idea. Then the buzz-word factor kicked in and everyone started saying “we need to be holistic”, but there wasn't clarity about what that meant.

Some things are not 'holistic'. Just doing three trainings on psychological, digital and physical security doesn’t equal holistic security. There's a certain ethos and methodology to training holistically. Likewise, trying to cover all three in one week probably doesn't work with the holistic approach because you are overloading people.

But nevertheless, people were still saying the word. And this is one of the challenges which still lies ahead of us. We need to unpack the buzz-word and be very specific about what we mean by holistic security. And especially about the 'walking the talk' side of things. For trainers, it needs to be about them going through their own process of physical security planning, psychological well-being, digital security. It's not just something to read about, but rather to reflect on and act on.

HS Yes, you mentioned that this project started with this idea of trainers themselves both not feeling comfortable and not feeling that they're meeting the needs of the people they're working with. Maybe its good to talk about the experience of walking the talk and what that means.

DOC Yeah, for example we facilitated a really good get-together of trainers from different backgrounds in 2015 and it was great to see digital security trainers, people from our own field, getting a moment in time where they could think and talk about their own security and about their well-being with experts from those fields and with peers who are working with the same communities.

It was great to see how that really impacted people, and how it's changed them in the long run. And it was a chance for us to do some really good bonding and awareness raising in the other direction - staying up late on the computers with the psycho-social and integrated security trainers, installing Linux and making GPG keys. People really seemed to get a huge amount out of that event. More than one person said it changed their lives, that it was the best event they'd ever been to - which was nice! Among trainers we have an opportunity here to build networks of care and solidarity which I think is vital, and a huge amount of learning can arise from that.

HS And how do you see holistic security being shared and growing beyond the community that attended those trainings and sprints?

DOC A lot of people are bringing what they got from the concept and talking about it from their own personal perspective at other events which is really nice. I'd be keen for us to have a more explicit agreement on what the core principles of the thing are, but we've identified some core best practices which can be brought to any training and those have gone into the Trainers' Manual. That gives people some concrete things that they can hopefully really get a hold on, rather than this vague adjective 'holistic' that can mean everything and nothing. In fact, some people don’t want to use the word ‘holistic’ but are still happy with ‘integrated security’, which is fine. But for the manual itself we didn’t want to appropriate a concept which had origins in the WHRD movement, so we went with ‘holistic’ instead.

HS So what do you see as the tangible shifts in training and how you approach trainings?

DOC There were a few things that came out of the meetings as fundamentals. A lot of people were tired of this parachute model of training, that it's basically stressful in the long run, both for trainers and participants, and that it's not useful as a model. It was something really important for us all to recognise.
Another was of co-facilitation where possible, so bringing another trainer with you and ideally one with a different type of expertise. That doesn't mean you have to give a training on a mixed theme, or give a training on both topics at once, but there's someone else there who can influence and shape the training, adding an alternative perspective and bring their own wisdom. That's been really useful also in communicating the idea of holistic security to participants in a tangible way.

It's important to note, however, that co-facilitation requires a lot of co-ordination and having clear, realistic objectives which aim for minimum best practices. Just putting two trainers from different disciplines in a room together and hoping for the best isn't going to cut it. There needs to be a clear trajectory for the training and obvious, deliberate inter-linkages to ensure that the participants don't just leave confused.

Another key thing we recognised was the importance of gender and intersectionality. It’s important to truly understand the structural violence which leads to attacks and re-victimisation against HRDs, as well as how they want to define ‘security’. As an aspect of digital security, it also has an impact on the resources available to HRDs and the nature of the attacks against them, which is really important to recognise.

And then there are little best practices that we were able to identify – just considering the devices people are bringing with them to a training and how that might impact the security situation of the training, or the wi-fi in the hotel. Considering people's health, and that they can often get sick during a training because they simply haven't stopped working in so long.

Small things like giving people a space at the beginning of each day so they can say if anything is on their mind – it's not something you'd traditionally do in a digital security training, but by doing it you can take the weight off both your own mind as a trainer, and off the minds of participants too. You then understand why someone is checking their phone all the time, for instance – perhaps because something important is happening at home – and it means you can be more responsive to their needs. Some of these things require no expertise but can make a big difference to how a training plays out.

HS You mentioned the issues around just putting two trainers of different disciplines in a room together hoping something 'holistic' will come out of it. I guess the problem the holistic approach faces is that you have these clear pre-defined fields, which exist in a certain formation because it is both practical and logical to compartmentalise different aspects of our security. Holistic security pushes back against what we deem to be artificial separations, yet on the implementation side that can become confusing. How can you do trainings that aren't simply a mash-up of two or more areas of security training, nor end up resurrecting those artificial boundaries between digital, physical and psycho-social?

DOC We've tried to build a training curriculum around the holistic framework. It's a bit experimental – we've done four trainings at Kurve Wustrow with small groups of HRDs, where we tried to see what we could do with the content of the Holistic Security Manual in four days, as part of the longer training process they go through. We came up with some sessions that people can do to look at this analysis process in particular, and we developed other sessions which try to draw together or highlight the different aspects of security which could work in any training.

In terms of not resurrecting artificial boundaries, there's an organisation I'm working with, where all their trainings have a 'holistic' approach. The key lies in how you do the training, not purely in the content. For example, of a given training say 70% might be about digital security, with 30% about the rest. That gives you room to deep dive on some specific topics, but digital security is not left as a standalone either.

So far, participant responses have been very positive. The psychological well-being side of things really hit home with people and has had a big impact. Buy-in has been really big, and even the implementation of these best practices, which might seem non-consequential, have eased a lot of tensions in trainings which would have otherwise been impossible to do.

For example, there was a training recently which took place in a hotel which was full of police, in a militarised city, with participants who included the wives of political prisoners who were hearing on a daily basis about the torture their husbands were being subjected to. We were clearly under surveillance in the hotel, and lots of the participants were being subjected to gender-based harassment... all of that happening at once. If I'd been on my own, if I had been unaware of the various impacts of those factors and how to deal with them, and if I hadn't been accompanied by other trainers who had been through the holistic process too, that training would have collapsed. But in the end we were kind of prepared for all that. We had a really good training. We were able to be explicit about the situation we were in and implement best practices. It ended up being quite nice – or not nice, but... you know! I've seen [the holistic approach] really save our asses at least once – so that's the best outcome yet.

HS So given that this project originated, or has at least been pushed by people who started out in the digital security world, what do you see as the key departures from traditional digital security training? You've already spoken about giving space in the training room to people to talk about their feelings.

DOC So a lot of them are in the Trainers' Manual, but to summarise; consider the physical security of your training and the place you're in; consider the workload and the experience of the participants before the training and understand where they're coming from; be able to deal with your own experiences as an activist – you need to be in your own process of growth, recognising the psychological and emotional strength you bring to your work and also how [your work] affects you emotionally – which will help you be able to create spaces for others.

Obviously don't take on things you don't think your able to; recognise that security is subjective and that people's perceptions play a big role – if an objective security exists you're almost never going to reach it. Even in the digital realm, your role is just to facilitate the increased accuracy of people's perceptions without thinking that perfect perception is a realistic goal. And especially in digital security, people are often starting from a point where their perception is heavily skewed, either in the direction of unrecognised threats or unfounded fears.

People need to be in a good place to be able to learn something new, and learn something which might in fact be very scary. As a facilitator, you need to be able to acknowledge that that stuff you teach might be scary, and you've got to be able to hold space for people to have those conversations and express that they feel scared. But you're role is actually to help them feel empowered, not to leave them feeling scared, which is what a lot of digital security trainers do for all manner of reasons, the best of which is that they don't know better.

Another thing that is really important is recognising the wisdom in the room. HRDs at risk are survivors. They have and use many different tools and strategies for their security, even their digital security. You've got to recognise these. Even if they're not 'right', it's vital to acknowledge them and celebrate the fact that they've got some awareness of the issue and they're attempting to bring best practices into their work – even if it's not the most effective solution. This helps people not to feel disempowered. And recognise their actions as strategies, even if they themselves have not recognised them as such – especially with regard to the digital where a lot of the content can be new and scary.

HS A conversation we've had is around this desire that comes from the parts of the digital security community sometimes, to be able to provide some kind of 'apt-get install' solution for every eventuality. But this is precisely what the Holistic Security Manual pushes back against.

DOC With very few exceptions, it's really dangerous to come into anyone's context with a list of tools and say these are the tools for security, no matter what. And this applies equally across the different domains. So when talking about security you have to be very careful. There are lots of tools out there and there need to be guides for those tools so we're glad that they exist. But people need a process to understand what tools are the right ones for them in the first place. We've focused a lot on process because that's where it's important for people to start.

We've only focused on tools where they would be quite broadly accepted to be good practices. For example, in the first section of the manual, Prepare, we talk about non-violent communication, which you could call a tool. But it's one with a very specific mandate, to allow people to discuss emotive topics without getting stuck down rabbit holes. Then there's the guide to Protest which features in section four, Act, and there are tools there – or at least defined tactics - which can be seen to be almost invariably positive for people's security. We felt able to be explicit here because we didn't feel there could be many negative impacts on people's security by following that advice.

We've tried to stay away from recommendations that don't have such broad application, or might in the wrong circumstances even endanger people. What works in one context has no guarantee of working in another and we were worried about making recommendations which might be dangerous in the wrong context.

Defenders are placed at risk for doing human rights work, but they choose to keep engaging in that work and they define security for themselves. Our focus was very much on helping people analyse their own contexts and make independent decisions about their security, over prescribing and fix-all blanket solutions.

HS So lastly, what would you like to see happen with the project next?

DOC The main thing is that communities take the Holistic Security Manual into their contexts, take control of it and hack it! What’s also vital is that the community of practice stays alive, that we support each other and continue to build on what we’ve done so far, critique it and improve it.


Holistic Security: a Manual for Human Rights Defenders is now available in print. If you would like to request copies for yourself or your organisation please write to holisticsecurity [at] tacticaltech [dot] org and let us know a little about yourself.