Practices OPSEC in: USA
Works With: Military- DOD Contractor/Civilian
Have you ever attended a formal OPSEC course of instruction?
Yes, more than one by IOSS, JIOWC/JOSC, USAF and others
How often do you review in-place countermeasures for effectiveness?
Routinely in course of normal duties as such duties make these visible. Structurally, during studies, assessments, and surveys; thus quarterly now, more frequently as new program established
Do you have other duties besides OPSEC and what percentage of time is devoted to OPSEC?
Yes, 90+% to OPSEC
How often do you perform Open Source reviews against your site/location/mission/organization?
As an agency lead, I have multiples for each of these items. Goal is to have each OPSEC Coordinator performing Open Source reviews supporting their activities and site at least annually, with informal reviews happening more frequently. The agency level team I lead plans to hit all priority agency locations/missions/sites at least once every three years. Actual practice today is indeterminate but reasonable assumption is ‘less than my standard’…recently assumed this role and am gaining a series of “go-ahead” approvals for team operations.
Do you feel that having a well established network of OPSEC contacts is important? Why or why not?
Two answers. Network of OPSEC Contacts outside of the organization supports ideas, morale, and solutions (i.e. lateral and senior experienced people via professional and society relationships). Internal network of OPSEC contacts – (i.e. agency or organizational OPSEC Coordinators who support subordinate and lateral organizations and working group) is critical because other than for small organizations, the OPSEC PM for an organization rarely sees and makes day to day observations and changes to processes down in the weeds of an organization. Recommendations made in snapshot survey activities may never be implemented and outsider teams tend to encounter similar problems each time they return to the organization. Need distributed execution of an OPSEC Program across the functional process management, worked to the devil in the details for effective implementation, whether it takes days or years to implement, and this takes someone responsible for mission accomplishment to handle, supported by an OPSEC coordinator in that functional area.
What is the toughest part of implementing OPSEC at your job station? How have you overcome these challenges?
New in this organization but from experience, keeping the real OPSEC from being killed by the middle management. Overcome by scratching the itch they want, whether it’s routine awareness or another form of deliverable…keep them happy by seeing regular and value added deliverables that affect the larger mission and gain them positive feedback. Do this and you’ll be able to work the tougher items, freelancing or into the schedule.
How did you become interested in OPSEC?
Originally, military duties. Later, I kept working the discipline as I saw too many under-resourced and/or underachievers doing as much or more damage than benefit and felt a need to push for more effective and sustainable improvements.
Do you feedback your survey results to the general populace through OPSEC awareness? (demonstrate and educate)
Yes, but using non-attribution methods as much as possible and general populace is a broad statement. All survey results do not need to be provided to the masses, just key messages and some messages need to stay at the classified levels.
What has worked for you when attempting to gain leadership support for the OPSEC program?
Value-Added Benefits and Realism…don’t spout off just the philosophy or the high level mantras. Be able to face the music of real limitations and realities, then give leadership an approach to doing key tasks that they will approve. Be able to talk about OPSEC in terms of specific skills and deliverables, not “OPSEC Support.”
How do you promote an OPSEC/Security “Culture” at your site?
Need to fight for regular and sustainable methods to keep security and OPSEC awareness fresh and interesting. Some items need to be sold through the senior and mid-level management food chain and some activities just need to be done freelancing to get attention, but you need a balance and approval to operate that makes your messages stick and generates culture improvements. Where possible, delegate this but make a system of deliverable tracking tied to performance and organizational metrics so they don’t get overcome by the day to day other duties.
What type of mass OPSEC awareness has worked for you?
I’ve worked the large group presentations, as well as supervised others who integrated distributed web-based distributions. I’ve distributed coffee cups to course attendees and seniors who received assessment outbriefs. Many ways to get to the masses with messages from trinkets at booths (they need to be quality enough to stay with people though) to mandatory briefings. People won’t attend mass presentations unless they are interested enough or mandated to do so. People won’t work the online stuff unless they are mandated and the mechanism really holds them accountable. Remember the audience(s) and how different components of the audience think.
From where do you receive your OPSEC awareness material?
Interagency OPSEC Support Staff (IOSS), OPS, JIOWC/JOSC, Military branch OPSEC Support Element, DOE, own organization and media
Have you personally written a Critical Information List? How did you distribute the information to concerned parties/groups?
Yes. Early in career, built them and had commander sign them, then physically delivered them around the organization and mandated they post them by telephones. Later in career, normally in concert with the organizational OPSEC coordinators or organizations’ core OPSEC teams to gain better structured list. OPSEC Coordinator needs to vet and coordinate distribution. High level lists at agency levels are normally lists of categories of information and have value but are too vague for effectiveness other than general awareness…(ex. capabilities and limitations are so high-level a statement that they are meaningless to implement)
What method for creating Critical Information Lists works best for you?
I’ve used brainstorming, adversary strategy trees, and walked through security classification guides trying to determine what gray areas exist between the classified and the unclassified for key topics of classification that a community already had determined. I like adversary strategy trees because they place you at the core of the problem and leave the practitioner with a multi-purpose tool that can look longer term than the short-term snapshot of “today’s list.”
What has worked for you for giving OPSEC training?
Ensure you understand the audience, their role, the skills you want them to perform, and the standards you want to train them to. Note:
Do you have any tips for conducting Open Source (OSINT) Reviews?
Develop a structured way to scope the tasks, collect, organize, and document the results or you’ll forever be giving this lip-service and asking for snapshot reports from outsiders. Adversaries don’t do this once in a lifetime and you shouldn’t either…make it a regular part of your program so you have the groundwork started when you get a short-timeline task.
Do you have any advice for new OPSEC professionals?
Establish achievable goals and demonstrate completion. Without offending everyone around you, promote accurate terminology and don’t use five terms that mean very different things synonymously in your speech and writing. Help others see OPSEC in terms of functional tasks vs vague “OPSEC Support” type statements that mean totally different things to everyone you meet.
Do you have any thoughts on OPSEC in non-government, non-military settings?
OPSEC Program activities and the specific methodologies used to have effective OPSEC happen are the basis for identifying and protecting what any organization cares about the most. Decisions made to prioritize program tasks and holistically approach the mission as well as the specifics will help any organization focus and be effective in protection efforts. When you don’t have the full list of government required ‘security’ programs, OPSEC will help you identify and focus protective efforts.
Do you have any other advice for your OPSEC peers?
Never Quit! The probability of success is zero if you quit. Don’t burn bridges…it’s a small world. That said, understand reality, think long term, and be a professional in all things. This means you also, like Kenny Rogers said, need to “Know when to hold ’em, know when to fold ’em, know when to walk away, and know when to run.” But don’t quit because of some rough times…we all have tough times. That’s why they call it work.