Name: NightTrain Layne
Practices OPSEC in: The good ol’ U S of A
Works With: Federal Government, Civilian Company
Have you attended a formal OPSEC course of instruction?
Yes, more than one
Who presented the courses that you attended?
IOSS, JIOWC/JOSC, USAF, USAF, USN, US Army, DOE, FBI
How often do you review in-place countermeasures for effectiveness?
Formally, once a year but as a matter of course we are reviewing them every time we conduct any type of assessment on any part of our organization or mission.
Do you have other duties besides OPSEC and what percentage of time is devoted to OPSEC?
I also am in charge of security awareness for the organization. 75% of my time is spent doing OPSEC.
How often do you perform Open Source reviews against your site/location/mission/organization?
No set time but based on the number of assessments we conduct against our own mission and programs we are conducting OSINT against some part of our organization at least once every two months.
Do you feel that having a well established network of OPSEC contacts is important? Why or why not?
Hugely. I frequently reach out to my fairly extensive network. I can’t tell you how much this has helped me over the years. It’s really immeasurable.
What is the toughest part of implementing OPSEC at your job station? How have you overcome these challenges?
I walked into and took over a very well respected and established OPSEC program. There really have been no challenges to overcome. In my past experience, though, direct and visible leadership support has been difficult and employee buy-in can be tough to get.
How did you become interested in OPSEC?
Via my intel career in the military.
Do you feedback your survey results to the general populace through OPSEC awareness? (demonstrate and educate)
Yes – this is a must.
What has worked for you when attempting to gain leadership support for the OPSEC program?
Somehow being able to convince them that OPSEC is a commander’s/manager’s program and that effective use of OPSEC measures can improve operations AND save lives and/or money.
How do you promote an OPSEC/Security “Culture” at your site?
Posters, mass emails, annual (mandatory) live briefings of every freaking employee.
What type of mass OPSEC awareness has worked for you?
From where do you obtain your OPSEC Awareness material?
We create our own.
Have you personally written a Critical Information List? How did you distribute the information to concerned parties/groups?
I’ve written over 100 CILs. Every member of the organization receives one along with instructions on what it is, why it is and how to use it effectively.
What method for creating Critical Information Lists works best for you?
Go to each section of the unit and ask each “what information do you handle, control, disseminate – work with that you would consider sensitive or of value if the adversary were to get it” – or words to that effect. As non-OPSECers you will need to guide them a bit to get the right info. After I do this with all the sections I take this massive list and delete repeats, then group some like items into single items. Then comes the final wash which includes consideration for “is this info already known?” – “is this relevant?” – “is this information protectable?” and other considerations that are dealt with based on my experience. After all this, I create one overarching short list for all members of the organization and then I create mission/task specific lists that include the overarching CIL items but also those that apply to, for example, Admin, or Supply, or Maintenance, etc.
What has worked for you for giving OPSEC training?
Live, live, live, live. There is no substitute. Keep it short and make it relevant to the mission of the unit.
Do you have any tips for conducting Open Source (OSINT) Reviews?
There are a couple of “how to” resources on the internet – read those and just get to it. Experience via trial and error is the best teacher. Also, reach out to your network and ask if someone might have a list of resource sites that OSINTers reach out to on a regular basis.
Do you have any advice for new OPSEC professionals?
Get a job at WalMart – the pay and the hours are way better. Unless you want to have a potentially significant impact on the life of another human being.
Do you have any thoughts on OPSEC in non-government, non-military settings?
Just as important for civilian corps to have OPSEC programs by whatever name they want to call it. The tough selling point though is always going to be proving “return on investment”. Good luck with that.
Do you have any other advice for your OPSEC peers?
If you don’t have a passion for it – get out. You need to feel the need for OPSEC deep in your bones to have any real chance at success. As a lone voice crying out in the wilderness you will need the strength of no-shit convictions to get you through.
Do you have any amusing/exciting/interesting OPSEC anecdotes or examples to share?
Yes, 1,473 of them which I will happily share at the national conference