Interview: Rachael Cornejo on the importance of cybersecurity for non profit organisations

It’s great to be joined by Rachael Cornejo who joined GCA in September as part of the Hewlett Foundation/Charles Koch Institute Emerging Tech Policy Leaders Program. Rachael thanks for your time today - GCA are delighted to have you join us!

Hello Emma! It’s great to be here.

Rachael, tell us a little about your background and how you became interested in cybersecurity.

My journey into cybersecurity began at UC Berkeley. I was a project manager at Berkeley Law’s Human Rights Investigations Lab, which performs OSINT (online open source intelligence) to uncover evidence of threats to democracy and human rights. As a team leader, I taught these online investigation techniques to other students and felt responsible for their online safety. I thus set out to learn as much as I could about cybersecurity. I then joined a phenomenal program called Citizen Clinic, run through UC Berkeley’s Center for Long-Term Cybersecurity, in which participants become hands-on consultants for cybersecurity nonprofits. After consulting for a couple nonprofits, I discovered I loved cyber!

1 Like

Your research has focussed a lot in the nonprofit sector. What are your key findings from the research you have undertaken to date?

First, it is important to work hands-on with nonprofits when developing and implementing cybersecurity programs. Many organizations may not have experience implementing cybersecurity measures. They also may view cybersecurity as one of many competing priorities which demand the time and attention of themselves and their staff. Thus, cybersecurity practitioners are most helpful when we take the time to walk individual members of organizations through the mechanics and reasoning behind necessary cybersecurity processes. In addition, cybersecurity is important at all levels of the nonprofit. All employees, from junior employees up through senior management and board members, should be made aware of cybersecurity risks and protocols. Finally, cybersecurity practitioners should help nonprofits establish workflows that take the (typically) small size of the organization into account. Clear, specific protocols can help make up for the fact that many nonprofits may not have personnel dedicated to cybersecurity, or even IT.

From your perspective, why is it so important to support this sector?

It is important to support nonprofits because oftentimes, they do not have the same kinds of infrastructure and staffing in place to defend against attacks as large organizations do. In addition, while attacks against large institutions like banks are often financially motivated, attacks against nonprofits can be politically motivated – attackers such as trolls and extremists may be motivated to attack an organization or harass its employees due to their social agenda or political beliefs.

As well as cybersecurity you talk about psychosocial security, in your view how does one impact the other?

I believe that for cybersecurity to be effective, individuals and organizations should address three types of security: physical, digital, and psychosocial. Security involves not only digital and physical systems, but also psychosocial processes. Proper psychosocial security includes ensuring that employees’ workloads are manageable, that they are getting enough sleep, and that they do not experience constant stress, which can lead to burnout. Organizations should make this part of their security strategy – in part because when employees maintain proper psychosocial wellbeing, including higher levels of sleep and lower levels of stress, they become better equipped to counter other cybersecurity threats such as phishing attacks. Recently I started an organization called Rated Resilient to raise awareness about psychosocial security and provide training to cybersecurity practitioners and nonprofit workers. I hope to continue this work in the future!

1 Like

And what will you be working on during your time with us?

I will be delving into three of GCA’s projects – Internet of Things, routing security, and the small business, elections, and journalist security toolkits – to help improve them and to measure their impact. I am excited to help GCA understand the effectiveness of these programs as we work hand-in-hand with nonprofits and small businesses to improve their security. I’m hopeful that this knowledge will allow GCA to find even more effective ways to help nonprofit organizations with operational security in the future!

Thank you Rachael! We are delighted to have you with GCA. If anyone has further questions for Rachael, feel free to post here.

Thank you again, Emma! This has been great and I look forward to continuing work with GCA!

1 Like