Name: Rich Roth
Industry: Security Consulting
Practices OPSEC in: US, South America, North America, and the Mid East, some Russia engagements
Works With: Civilian Company
Have you attended a formal OPSEC course of instruction?
Yes, more than one
Who presented the courses that you attended?
How often do you review in-place countermeasures for effectiveness?
I think it is on a continuing basis, with new looks changed to meet new challenges. I think the worst thing we can do is get into a place where we think we have it all covered.
Do you have other duties besides OPSEC and what percentage of time is devoted to OPSEC?
Yes. CTI works on a wide range of security issues, but I think both within CTI ourselves and for our clients, good OPSEC is the foundation of a good, well-rounded security program.
How often do you perform Open Source reviews against your site/location/mission/organization?
In this area I think a security company is even more closed to outside looks than the Govt is. On one side we have clients' information to worry about, on the other we have what we like to believe are proprietary methods, which we need to protect. I would say that I think we realize the danger of not having outside reviews, and as new people are brought on board, one of the first tasks we give them is to take a look at our program. It does two things for us: it gives us an outsider's view, and it also validates our process. But it also lets us learn about new approaches that we can incorporate into our existing program. Continued improvement is key.
Do you feel that having a well established network of OPSEC contacts is important? Why or why not?
First, from a business growth view, contacts are our best marketing method. There is nothing better or more effective than to have another professional tell a prospective client, "here is a firm that I think can help you." Two, it is an important way to continue the growth of my and CTI's capabilities.
What is the toughest part of implementing OPSEC at your job station? How have you overcome these challenges?
In CTI we are fortunate that we have a good group that are all used to working within a good opsec foundation. Probably one of the biggest problems our clients have is the same as the Govt's: research and development folks are often used to working in a university environment that is open and sharing. In many firms this is also where the critical information is that makes a company profitable. Getting these folks into a basic opsec mode, or to live within the opsec framework, is a challenge.
How did you become interested in OPSEC?
I started my Govt. work as a Security Specialist in the US Secret Service. Everything we do is within a good opsec frame of practice. My main duties were in the counter intelligence arena, which in our case was based on the Air Force's OSI program, which is where most of the people that started the USSS program worked.
Do you feedback your survey results to the general populace through OPSEC awareness? (demonstrate and educate)
No, another ingrained weakness of a Security Consulting firm.
What has worked for you when attempting to gain leadership support for the OPSEC program?
I founded CTI; the other two principals are former police officers, so it came with the package. But with our clients it is a mixed bag. By the time we are called in, there has been a problem in most cases, so for at least the short term it sells well. As in any program, as time goes by it falters, sometimes going out the window, other times it can be built back up, but almost always with holes for "ease of operations," which requires re-emphasizing the needs. Sometimes you win, sometimes you lose. We have found that of the three, finance, legal, and the most senior execs, for the majority of the time the finance folks are the real cheerleaders for making an opsec program work.
How do you promote an OPSEC/Security “Culture” at your site?
Not a real problem for us internally, but for clients sometimes it is a fix-and-go-away situation, where you try and promote an internal process of re-auditing of the system, and providing ongoing training.
What type of mass OPSEC awareness has worked for you?
Desktop exercises, when a client will do them, have proven to be our best way of getting and keeping the leaders of the agency, firm, or group on board, and they make it a priority for their folks.
From where do you obtain your OPSEC Awareness material?
ASIS & the US State Department's OSAC material.
Have you personally written a Critical Information List? How did you distribute the information to concerned parties/groups?
Yes. Both internally and for clients we have developed a dashboard type of presentation that can be used in hard copy for meetings and is electronically available to all participants.
What method for creating Critical Information Lists works best for you?
Having checklists that are discussed with the proper managers works best for our clients and really still is a base for CTI internally. I am a big believer in checklists as a way to try and ensure all areas are addressed.
What has worked for you for giving OPSEC training?
We use virtually everything. Pamphlets, PowerPoints in emails, and briefings at meetings are all good ongoing methods. We find formal classes, aimed at different levels of management and staff, are really the only way to build opsec in a firm, group, or agency that does not have a formal program.
Do you have any advice for new OPSEC professionals?
Keep learning, keep talking to other professionals. Just the war stories alone are valuable beyond belief. I cannot tell you how many times I get asked the question "why should I do that?" or "is that important?", and I answer best with a war story about the subject.
Do you have any thoughts on OPSEC in non-government, non-military settings?
One of my first jobs outside Govt was a client that was working the buyout and merger game that was so prevalent in the mid to late 80's. After our first engagement together, our developing, auditing, and ongoing testing and training was a key feature of every engagement. Later clients, then and now, are often only as good as whatever their research and development teams produce. If that information gets out, their commercial advantage, which equals profitability, goes with it. In a constantly changing environment, everything from police departments to retail stores all need good opsec program foundations to keep ahead of the bad guys in some instances, and the other guys in other instances.
Do you have any other advice for your OPSEC peers?
Keep the old basics as your foundations; it seems we often tend to look at new challenges and programs as the most critical. I look at all the fears and regulations on electronic-based information, and then the new cases coming up where dumpster diving is still being used, hard copy materials are left out in the open with great passwords on the electronic stuff, and think we need to keep a good basic foundation and grow from there, always checking the foundations as we do.
Do you have any amusing/exciting/interesting OPSEC anecdotes or examples to share?
Way too many, it has often been said of me. Let me end with this: somewhere, all Govt. station chiefs were tracked as they came and went from tours of duty, by tracking basic but key equipment and furniture shipping records.