“WhatWorks in OPSEC” profile: Scott B. Milliman

Name: Scott B. Milliman
Industry: Gov’t
Practices OPSEC in: USA
Works With: All that ask

 

Have you ever attended a formal OPSEC course of instruction?
Yes, more than one

 

Who presented the courses that you’ve attended?
IOSS, JIOWC/JOSC, USN

 

How often do you review in-place countermeasures for effectiveness?
During each and every Assessment or Survey I do.

 

Do you have other duties besides OPSEC and what percentage of time is devoted to OPSEC?
Yes, and 90%

 

How often do you perform Open Source reviews against your site/location/mission/organization?
Monthly myself, can’t respond for the rest of the IOSS

 

Do you feel that having a well established network of OPSEC contacts is important? Why or why not?
Absolutely. A solid network gives you more options to gather not only timely threat and intelligence information, but it also gives you a sounding board to try out new ideas and thoughts.

 

What is the toughest part of implementing OPSEC at your job station? How have you overcome these challenges?
In the Navy it was all about buy-in. You have to prove there are problems, then even military officers can’t balk.

 

How did you become interested in OPSEC?
My first dumpster dive. 1989.

 

Do you feedback your survey results to the general populace through OPSEC awareness? (demonstrate and educate)
Only to the customer.

 

What has worked for you when attempting to gain leadership support for the OPSEC program?
Dumpster dives work well to prove a problem, as does gathering support from mid level management first. Let them take it to the boss.

 

How do you promote an OPSEC/Security “Culture” at your site?
I work for the IOSS

 

What type of mass OPSEC awareness has worked for you?
Briefings, briefings, briefings. And good posters. Talk OPSEC whenever you get the chance, but DO NOT become the “OPSEC Nazi.”

 

From where do you get OPSEC awareness material?
Anywhere, if it’s good

 

Have you personally written a Critical Information List? How did you distribute the information to concerned parties/groups?
Yes, I keep it unclass if at all possible (generic) and assist people in understanding where it needs to be posted so it is easily accessible.

 

What method for creating Critical Information Lists works best for you?
I ask myself if this info was handed to an adversary, would it matter? If the answer is yes, it’s CI.

 

What has worked for you for giving OPSEC training?
Knowing the topic. Nothing worse than a briefer/speaker/instructor that does not know their material.

 

Do you have any tips for conducting Open Source (OSINT) Reviews?
Google, Dogpile, Facebook, MySpace, TogetherWeServed, etc.

 

Do you have any advice for new OPSEC professionals?
DO NOT get discouraged. Call me….I’ll talk you off the ledge

 

Do you have any thoughts on OPSEC in non-government, non-military settings?
Yes, they need it desperately. Work with your contractors. They are called GOVERNMENT Contractors for a reason.

 

Do you have any other advice for your OPSEC peers?
Keep fighting. We may never reach everybody, but everybody we do reach is one more OPSEC aware person out there.

 

Do you have any amusing/exciting/interesting OPSEC anecdotes or examples to share?
Not in mixed company!

 
