When you think of the term “OPSEC Superstar”, there are probably a few specific individuals that stand out in your mind. Some of them may be humorous characters, while others might be quietly toiling away to keep their organizations safe.

You, too, can be an OPSEC superstar.

First, you need to know the material. When you hit that red carpet at OPSEC events, you’ll encounter some tough questions. And given the nature of OPSEC, most of the questions will rely on your opinion and experience, rather than facts and figures. For instance, an employee isn’t likely to come up to you asking, “Say, what’s the fourth step in the OPSEC Process?”, but you will most likely hear, “Is it ok to publish this?” more than once. Understanding not only the “concepts” of OPSEC, but also the “philosophies” of OPSEC will allow you to give an informed and relevant reply. Failing to understand the material will destroy your credibility.

You also need to know yourself. Know your teaching style or styles of communication. If you’re not a comedian, don’t rely on the jokes. If you’re a gifted artist, skip the built-in clipart in favor of custom art. Everyone has some sort of talent. The important part is to figure out how you can use yours in your OPSEC program.

To be a true OPSEC superstar, you need to be visible. This works on two different levels. You need to be visible (most importantly) within your organization as you deliver presentations, reminders, and generally make yourself available for questions and issues. The OPSEC Officer/Manager/Professional is a critical part of any organization, and successful ones utilize them heavily. You need also to be visible within the OPSEC community as a whole. This is not to suggest shameless self promotion, but networking, advocacy and mentorship. In a small, close-knit community like the OPSEC community, each is extremely important and highly attainable.

Equally important is to know your audience. OPSEC Awareness campaigns and material need to be tailored to the particular level of the addressees, including technical level and responsibilities. It makes no sense to overwhelm a delivery driver with the full weight of a CIL generation briefing, OPSEC history, etc. Focus on the most important OPSEC aspects for their job or areas of responsibilities, and build on that. That’s not to say that you have to maintain dozens of OPSEC orientation briefings, but you do need to focus on the “most important” areas for each group whenever possible.

Know OPSEC, know yourself, be active in the OPSEC community and know your audience. Meet each of those criteria, and you’re on your way to OPSEC fame and fortune.

Tags: OPSEC, opsec program

Awareness campaigns are one of the most important tools in the OPSEC Professional’s Arsenal. Ranging from an Army OPSEC Training Program to local Schools or community centers, the OPSEC Awareness program is an opportunity for creativity and employee involvement.

The following list provides ideas for elements of an OPSEC Awareness Program, assuming management support:

Use the company newsletter

Placing regular articles in the company newsletter, such as short, attention getting mini-articles in a box are sure to grab the attention of readers. If you have an artist on hand, you can create a regular cartoon strip.

Naming and honoring the ‘OPSEC Employee of the Month (Quarter, Year, etc)’

The recognition, such as a plaque or a posted picture, would be a motivating factor, especially if you could get management support for some sort of reward.

Posting OPSEC Awareness posters

Mounting eye-catching, relevant reminders in common areas help to get the message out. Rotate the posters frequently for maximum effect.

Use of the employee bulletin board

Short reminders and tips should be rotated frequently.

Mailing inserts with paychecks

The paycheck is one piece of mail that’s always opened. Chances are that any inserts are read, or at least glanced at.

Sending E-mail reminders

Depending on management support, the OPSEC Manager or Officer may be able to send periodic reminders to a distribution list.

Use of security-related screen savers

It’s possible to control screen savers via centralized management, especially in a large organization. Your IT department may be able to help you implement and rotate OPSEC screen savers, such as the one on the OSPA website.

A catchy character

NNSA/NSO has the ‘Revelator’ and the ‘Security Health Professional’, and there’s always the Dice-Man. Don’t be afraid to do something that would stand out. If you stand out, so will your message.

Stickers

Reminder stickers can be affixed to telephones (‘Is your caller who he says he is?’), trash cans (‘Should that be shredded?’), shredders (‘shredder full? Another shredder is located at…’), etc.

Computer login banners

Banners can show an OPSEC reminder prior to logging in, and can be rotated as needed. The shorter the message, the more likely that it will be read. Note: This may not be possible in environments, such as DoD systems, which require a specific banner.

Performance reports and annual reviews

Consider adding OPSEC Awareness as an item on performance reports and annual reviews, as specific to your organization.

Professional membership

Offer employees membership in an OPSEC professional organization, such as OSPA (http://www.opsecprofessionals.org) or OPS (http://www.opsecsociety.org)

Electronic display

Electronic message boards can be used in the cafeteria or common areas and display security reminders, tips or notices.

Fliers or brochures

Fliers or brochures can be made available in conference rooms, break rooms, even rest rooms. Whatever gets the message out.

Gimmicks

People love gimmicks. Consider OPSEC Messages in fortune cookies, keychains, toys, etc. Try to use items that will be used frequently and kept, such as pens or mousepads.

Now, a million OPSEC-points to anyone that’s done all of them.

Tags: awareness, tips

Famed Chef Julia Child was a spy.

Directly from her own words:
http://www.foxnews.com/story/0,2933,403443,00.html

According to the article, Ms. Child ’served in an international spy 
ring managed by the Office of Strategic Services, an early version of 
the CIA created in World War II by President Franklin Roosevelt‘, a 
group which professors, arctors, reporters, atheletes, etc, and 
’studied military plans, created propaganda, infiltrated enemy ranks 
and stirred resistance among foreign troops’.

In other words, the delighful, older lady puttering around the kitchen 
in all of our memories was also serving her Country with 24,000 other 
people just as innoculous as she was.

Why her? Because she didn’t LOOK like a spy. She didn’t fit the 
stereotype. In reality, the person that ‘looks’ like a spy would be 
the least effective- they would stand out. It’s the ones that fit in, 
the ones that have reasonable business in the area, and the ones that 
are likable that are the most effective for gathering information or 
other clandestine activities. In other words, your adversary could be 
the utility man that’s trying to get your building checked so he can 
go home for his kid’s birthday, or maybe the elderly couple that 
walked in the door, or… maybe your own employee.

Does that call for ‘ourging’ of your workforce and shuttering of the 
windows? Generally, no. But it is clear that the OPSEC Professional 
needs to be prudent, and needs to treat EVERYONE with the same level 
of professionalism and with a security focus, because you just don’t 
know, and you just can’t assume.

But all the same… Watch what you say in restaurants.

Tags: history, news

They say that the devil’s in the details. It’s really amazing at how a
small change can really set off alarm bells in our heads.

For instance, would you read a book called “The Princess and the Pee”?
Not if you’re used to the original “The Princess and the PEA”. What if
Shakespeare had written “That which we call a daffodil By any other name
would smell as sweet”?

Relatively small changes seem to stand out, if you know what you expect
to find. It’s important to remember that your adversary can see just as
clearly as you can. Remember that deviating from a set pattern can give
an important indication of future actions.

For example, if your company always has an armored car deliver funds
daily at a certain time, but suddenly they come twice in a day, that
could indicate increased financial transactions. If the number of
soldiers manning a guard tower suddenly increases, that could indicate
an increased security level. If the owner of the company never comes in
during the night, but suddenly does on a particular day, something may
just be amiss.

See the pattern there? So can they.  Remember, sometimes you may want to
use your own patterns against a watching enemy.

In the real world, things change and situations arise. You don’t need to
lose the competitive or tactical advantage just to avoid deviations from
a normal pattern. But be aware that any significant changes, if
observed, will be evaluated and matched with other known indicators to
try and “figger out” what you’re doing.

Tags: changes, deviations, indicators

I have been in contact recently with the owner of the blog UpstartAgent.com, a real estate blog. Michelle, the owner, had some excellent questions about OPSEC and how it could relate to real estate agents.
It was an interesting and enjoyable conversation, but I was most encouraged that she “got it”. She got that it’s impossible to find a profession, role, or even a hobby that couldn’t benefit from OPSEC. Living proof that more people out there are “getting it”!

Tags: opsec at home, real estate

Operations Security? or Operational Security?

The two terms are often used almost interchangeably, which can lead to a great deal of confusion and miscommunication. In reality, although both terms are often abbreviated as “OPSEC”, they each refer to distinct types of security.

OPSEC (as in OperationS Security) is the process by which we view our operations from
an adversarial standpoint. Countermeasures are then recommended to mitigate any potential indicators that may aid an adversary in determining what we are doing.

Compare this to OPSEC (As in OperationAL Security- you can see how this gets confusing!) is best described as the security that is in place to secure a particular Operation.

In simpler terms, Operations Security refers to the program, procedures, mindset, etc., while Operational Security refers to a specific Operation, and is on a case by case basis.

It must be noted that while Operational Security is often abbreviated as OPSEC, this is not technically correct. OPSEC means, and when used correctly, always refers to, Operations Security. This is standardized within the industry so as to avoid this confusion.

-Thanks to Wayne Morris for the phrasing!

Tags: definitions, terms

OPSEC posters can be an effective tool in an organization’s OPSEC Awareness Program…
But only if they’re read.
When creating awareness posters, it’s tempting to cram as much information as possible into a relatively small space. However, if you do that, you can pretty much say whatever you want to say in that space. Afterall, no one’s going to read it!
However, simple guidelines can help to “draw the eyeballs” to your OPSEC awareness materials.

Put your posters in visible/high traffic locations
Whenever possible, posters should be placed at eye level in high-traffic locations, such as conference rooms, hallways, waiting areas, cafeterias enterences, etc.

Rotate posters
“All new!”
“Under new management!”
“New formula!”

People are attracted to the “new”. New content and awareness material is no exception. Rotate awareness posters, to include new material as frequently as possible. Entertaining OPSEC posters, like the NNSA/NSO “Dogs of OPSEC” line, can be released on a schedule, effectively generating interest.

Keep it simple
The poster will most likely have no more than a few seconds to make the point before the reader moves on, and often from a distance. A simple message and relevant visual can be quickly scanned and will stick with the reader.

For example, consider the following two messages on an OPSEC poster:

“Loose Lips Sink Ships”
or
“Avoid talking about military movements or upcoming operations, because advanced knowledge of operations could result in a tactical advantage to the enemy.”

Clearly, a simple, eyecatching headline, with optional information elsewhere on the poster, is more effective and more likely to be remembered.

use effective design and presentation
Attract attention to your message with unique colors, fonts or visual designs.
Customize the OPSEC poster to your organization. Consider your audience and what would appeal to them.
Make sure that your posters fit in with the overall theme of your OPSEC awareness program.

The first step is to have your poster read. Without that, the message is lost!

Tags: ospec awareness, ospec program

I believe in OSPA. I have the passion of a madman, which is only possible due to a wife that has the patience of a saint. I believe because I know that I’m not the only one that understands that OPSEC saves lives and livelihoods. I believe because I know that each of you understands that, and that our members have picked up on that belief and that passion.

From the end user perspective, our message is out there. It is making an impact and that is what saves lives. Last estimate was that the semi-daily messages go to distribution lists totalling somewhere in the four figures, including almost 200 subscribers. Layne’s blog is getting thousands of hits each week, and the OSPA OPSEC Academy is going to be a true sign of our impact. It WILL be big - I guarantee it.

Don’t forget that we’re doing what we set out to do - to raise OPSEC awareness and to increase the capabilites of the OPSEC Community, and to give people the tools that they need to save those lives and livelihoods. And I’m proud to say we are doing that today. We are making those impacts. Of course, sometimes it is hard to see that direct impact from the Board of Director level but that doesn’t change the fact that every day, more and more people look to us and our site(s) for help and advice. We’ve changed the world a little…we CAN AND WILL do more.

We’ve received requests for assistance from three allied countries so far. We’re working with groups of Domestic Violence centers and schools. The Vanished Children’s Alliance (VCA) has asked for advice and guidance…the list goes on. OSPA is active in OPSEC training worldwide, assisting OPSEC programs all across the country, have been in contact with companies big and small who “get it”.

As for me, I just have to keep going back to what Layne said in the beginning: “We’re not here to speak for the Government or to represent the desires of the grey beards - we’re here for that poor SOB that’s in the trenches and needs effective OPSEC right freaking now! We don’t offer high-level policy or theory. OSPA will offer practical tools and experienced based guidance and advice that is designed to save lives.’

If we forget that, then we really are obsolete. That’s why I believe

Tags: opsec program, OSPA

Welcome to the OSPA President’s Blog! This Blog is maintained by the current OSPA President, and will allow him or her to interact directly with the OSPA membership and the OPSEC community at large.

Comments are certainly welcome, and encouraged.