“WhatWorks in OPSEC” profile: Paul Roberts

Name: Paul Roberts
Industry: IT
Practices OPSEC in: USA
Works With: Civilian Company


Have you ever attended a formal OPSEC course of instruction?
No, plan to


How often do you review in-place countermeasures for effectiveness?
Every month, and we do red-teaming quarterly.


Do you have other duties besides OPSEC and what percentage of time is devoted to OPSEC?
IT Tech- I do OPSEC as available.


How often to you perform Open Source reviews against your site/location/mission/organization?
In addition to monthly assessments, I’ve also set up a google news alert to let me know if certain keywords are reported in the news.


Do you feel that having a well established network of OPSEC contacts is important? Why or why not?
Yes, it’s very important to develop a network of OPSEC contacts. I’ve found many times that I don’t have a particular form or legal reference, and it’s good to have those resources available. A good friend of mine leads an Air Force OPSEC program, and he’s been very valuable!


What is the toughest part of implementing OPSEC at your job station? How have you overcome these challenges?
Most IT personnel focus on technical security controls, but haven’t been trained in OPSEC as it relates to network security. I’ve found that, with technical personnel, it’s best to lay it out for them- show them examples of what can happen and why it’s a problem.


How did you become interested in OPSEC?
I was studying for my CISSP exam, and OPSEC is covered heavily


Do you feedback your survey results to the general populace through OPSEC awareness? (demonstrate and educate)
Yes, each employee is given a copy of my report


What has worked for you when attempting to gain leadership support for the OPSEC program?
The program was in place before I came to the company.


How do you promote an OPSEC/Security “Culture” at your site?
I try to make OPSEC fun. I’ve had good luck with roll playing, and here’s something that worked extremely well: I let employees take turns on the red team and try to find and exploit vulnerabilities using their knowledge of OPSEC. If they succeed, three day weekend!


What type of mass OPSEC awareness has worked for you?
Email reminders, computer-based-training, awareness posters.


From where do you get OPSEC awareness material?


Have you personally written a Critical Information List? How did you distribute the information to concerned parties/groups?
I wrote a massive CIL, but put it into sections of items that applied to everyone, and sections that only apply to specific groups.


What method for creating Critical Information Lists works best for you?
a combination of interviews and opsec surveys to determine what information is critical


What has worked for you for giving OPSEC training?
CBT and quarterly live briefings.


Do you have any tips for conducting Open Source (OSINT) Reviews?
Don’t forget to set up Google news alerts!


Do you have any advice for new OPSEC professionals?
Read every regulation and document you can get your hands on- even if they don’t apply to you. It’ll give you perspective.


Back to the list