Field Notes

Self-Service Risk Assessment: How Under-Resourced Organisations Move from Reactive to Proactive Digital Security

Most civil society organisations cannot afford an external security audit. A structured self-assessment tool that walks them through their own posture turns occasional security thinking into a continuous discipline.


Written by

PANEOTECH Team

Published

October 8, 2025

Read time

7 min read

The audit that never happens
The standard recommendation for an organisation that wants to improve its digital security is to commission an external audit. The recommendation is technically correct and operationally useless for most civil society organisations. Audits cost money the organisation does not have, take time the team cannot afford to give, and produce reports that go on a shelf because nobody has the capacity to follow through. The audit that is recommended is the audit that does not happen.
The result is a familiar pattern. The organisation handles digital security reactively. A phishing incident triggers a flurry of password changes. A compromised account triggers a brief enthusiasm for two-factor authentication. The next training workshop reignites interest for two weeks. Then the organisation returns to baseline, with the next incident waiting to repeat the cycle.
What self-service assessment changes
A structured self-assessment tool designed for under-resourced organisations changes the dynamic in three ways. First, the assessment is free and available on demand, so the cost barrier disappears. Second, the questions are written in the language of operational practice rather than security theory, so the team can complete the assessment without translation. Third, the output is action-oriented, with each finding linked directly to a concrete next step, so the assessment produces movement rather than another report.
The discipline that makes the tool useful is the taxonomy underneath it. Questions cover the vulnerability areas that actually matter for civil society organisations operating in hostile environments. Communications security. Access controls and account hygiene. Software lifecycle and patch discipline. Backup procedures and recovery readiness. Incident response and escalation paths. Each area is broken into questions a team can answer truthfully without specialised knowledge, and the scoring engine produces a profile that prioritises by severity and likelihood rather than presenting an undifferentiated list.
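A toy version of the scoring engine described above, added here as an illustration and not RiskRadar's own code: each question is tagged with one of the five taxonomy areas, a severity and likelihood weight, and the concrete next step it links to; a "no" or unanswered question becomes a finding, findings are ranked by severity times likelihood rather than listed flat, and a second run some months later shows which findings were closed. All question wording, weights and next steps are constructed for the example.

```python
from dataclasses import dataclass

# Taxonomy areas named in the article. The questions, weights and next steps
# below are constructed for this example; they are not RiskRadar's own.
AREAS = ("communications", "access", "software", "backup", "incident_response")

@dataclass(frozen=True)
class Question:
    qid: str
    area: str
    text: str         # written as operational practice, not security theory
    severity: int     # 1-5: impact if this control is absent
    likelihood: int   # 1-5: chance the gap is exploited in a hostile environment
    next_step: str    # the concrete action the finding links to

@dataclass(frozen=True)
class Finding:
    qid: str
    area: str
    score: int        # severity * likelihood
    severity: int
    next_step: str

QUESTIONS = [
    Question("q1", "access", "Is two-factor authentication on for every email and cloud account?", 5, 4, "Turn on two-factor authentication for all work accounts"),
    Question("q2", "backup", "Has a backup been restored as a test in the last three months?", 4, 3, "Run a restore test and record the outcome"),
    Question("q3", "software", "Are laptops and phones updated within two weeks of a patch?", 3, 4, "Enable automatic updates on all organisation devices"),
    Question("q4", "communications", "Is sensitive outreach done over end-to-end encrypted messaging?", 4, 3, "Move sensitive conversations to an end-to-end encrypted messenger"),
    Question("q5", "incident_response", "Is there a named contact for a suspected account compromise?", 3, 2, "Name a first responder and write down the escalation path"),
]

def assess(answers: dict[str, bool], questions=QUESTIONS) -> list[Finding]:
    """Each 'no' or unanswered question becomes a finding; highest risk first.
    Ranked by severity * likelihood, then severity, then question id, so the
    team gets an ordered list rather than an undifferentiated one."""
    findings = [Finding(q.qid, q.area, q.severity * q.likelihood, q.severity, q.next_step)
                for q in questions if not answers.get(q.qid, False)]
    return sorted(findings, key=lambda f: (-f.score, -f.severity, f.qid))

def area_profile(findings: list[Finding]) -> dict[str, int]:
    """Residual risk per taxonomy area (sum of finding scores, 0 where clean)."""
    profile = dict.fromkeys(AREAS, 0)
    for f in findings:
        profile[f.area] += f.score
    return profile

def resolved(before: list[Finding], after: list[Finding]) -> set[str]:
    """Question ids closed between two assessments, e.g. three months apart."""
    return {f.qid for f in before} - {f.qid for f in after}
```

Treating an unanswered question as a gap is deliberate: a team that skips a question has not established the control, and the profile should say so rather than silently scoring it clean.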
What we built for the CiviConnect community
PANEOTECH delivered RiskRadar for the CiviConnect platform hosted by Jeunes Verts, as part of the digital resilience workstream supported by the Digital Defenders Partnership Sustainable Protection Fund. RiskRadar walks civil society organisations through a comprehensive structured questionnaire covering the vulnerability areas listed above, then generates a personalised risk profile with prioritised recommendations. Each recommendation links to relevant resources for immediate follow-through.
The tool is designed for repeated use. An organisation can complete the assessment, act on the recommendations, then return three months later to reassess. The shift the tool encourages is from digital security as a one-off audit moment to digital security as a continuous internal discipline. Early use across the CiviConnect community confirms the pattern, with organisations using the tool to identify vulnerabilities, implement recommended measures, and track improvement over time.
The institutional lesson
For under-resourced organisations the choice is not between an external audit and nothing. It is between a structured self-assessment tool and the cycle of reactive improvisation. Build the tool, ground the questions in operational reality, and the organisation gets the discipline its digital security posture actually needs.
We design tools for the institutions that cannot afford the standard playbook: self-service assessments, structured taxonomies, and the engineering that makes both fit the realities of civil society work.

About the author

PANEOTECH Team

Pan-African Digital Systems Engineering

PANEOTECH designs and delivers secure, scalable, and sustainable digital ecosystems for governments, multilateral institutions, and the private sector across Africa. Field notes, case studies, and analyses from our engagements appear in this publication.
