Name: Thomas R
Industry: Software Development
Practices OPSEC in: USA
Works With: Civilian Company
How often do you review in-place countermeasures for effectiveness?
I take time each day to review a few countermeasures. I look to see if it’s been effective, and try to think of any changes that may effect them.
Do you have other duties besides OPSEC and what percentage of time is devoted to OPSEC?
I also devote time evenly with physical security and information assurance.
How often to you perform Open Source reviews against your site/location/mission/organization?
I conduct a full review monthly, and perform spot checks daily.
Do you feel that having a well established network of OPSEC contacts is important? Why or why not?
Yes, this is one of the most important things that an OPSEC manager can do. You’re just not going to know everything, and it’s important to have someone for a second opinion!
What is the toughest part of implementing OPSEC at your job station? How have you overcome these challenges?
Since I deal with other types of security as well, I know that I have to balance security and usability. Employees really don’t want to be bothered with random checks, extra training, longer login times, etc, so I have to balance the security with the time that it costs to impliment.
How did you become interested in OPSEC?
I did 10 years in the Army, and always saw it as a military function. When I got out into the civilian world, I saw that it had applications in that area, too. I thought I was the only one to think of that until I stumbled on the DOE OPSEC page!
Do you feedback your survey results to the general populace through OPSEC awareness? (demonstrate and educate)
All key employees have to read the OPSEC survey sections relevant to their area, and I use what I’ve learned to target weaknesses. For instance, they’ve got phone conversations down pat- my next target is piggybacking.
What has worked for you when attempting to gain leadership support for the OPSEC program?
It was simple, in my case, I wrote out many scenarios for things that could go wrong, and how OPSEC could fix them. Stapled it together and delivered it to each managing partner!
How do you promote an OPSEC/Security “Culture” at your site?
I try to keep it real- as it relates to the individual. For instance, I’m not going to harp on delivery dates with the graphics folks, even though I’ll mention it to them. You have to keep it relevant, so they’ll stay interested!
What type of mass OPSEC awareness has worked for you?
You have to know your audience. Since I deal with mostly tech folks, email reminders and intranet postings are very effective.
From where do you receive your OPSEC awareness material?
IOSS, OSPA, DOE
Have you personally written a Critical Information List? How did you distribute the information to concerned parties/groups?
No, I inherited a CIL. I broke it up by department and made sure that each department had the part that was relevant to them. I also made sure that managers read the entire list at least once.
What has worked for you for giving OPSEC training?
I’ve been using Computer Based Training mixed with live events. Management appreciates the one-on-one briefings, which I use for training!
Do you have any tips for conducting Open Source (OSINT) Reviews?
Google is your friend! You can search the news, groups, and also restrict a search to specific sites.
Do you have any advice for new OPSEC professionals?
Network! Join groups, chats, whatever you can do. Learn from the best you can find. Remember that most OPSEC Professionals will be more than happy to teach you what you need to know.
Do you have any thoughts on OPSEC in non-government, non-military settings?
Like I’ve learned first-hand, it’s a great thing! The same tactics that the military uses could be applies to the corporate and civilian world.
Do you have any other advice for your OPSEC peers?
Work together! It’s a small world, and what happens opsec-wise to your collegues overseas can and will effect you.