“I’ve called this meeting because, as we feared, our budget has been cut 14%. We’ve game-planned for this but now is the time to get serious about what we can slim down and what we can live without.”
“Sir, if I may…we do have one program that has absolutely no verifiable Return on Investment that I think we should consider.”
“You mean, we actually have a program that is costing us money that has absolutely no ROI?”
“Frankly, I’m a little worried that this hasn’t come to my attention before. What program are you talking about Johnson?”
“OPSEC sir; Operational Security. You know the one. That briefing we get once a year where they tell you to keep your mouth shut. Don’t talk about work in bars and stuff.”
“Yeah, I know it. You mean that program costs us money? It can’t be very much can it?”
“Well sir, we have a full-time guy who runs the program and then we have a group of people who have to spend a small percentage of their time on it as OPSEC Committee members.”
“Hmmm. So what do they actually do for us?”
“No one really knows sir. I think I’ve seen a report or two floating around but I’ve never read one and no one I’ve asked has either.”
“Let me make sure I understand…they give briefings that no one wants to go to, write reports that no one reads and take up valuable time from committee members who should be doing something else. Is that about right?”
“I would say that about sums it up sir.”
“And how much will we save annually if we kill it?”
“Based on the projected cuts for this upcoming FY, killing this program would save us .003% off the top.”
“Well that’s not much is it Johnson?”
“No it isn’t sir, but if we think we really don’t need it anyway then why not just kill it? It will show that we’re being proactive and not afraid to cut what some of our security professionals say is a critical program.”
Ladies and Gentlemen, this is happening today. OPSEC has already been reduced or just plain cut from a number of organizations. We know OPSEC is a viable program. We also know that it does not and will not ever bring in money. ROI is also almost impossible to prove. Did OPSEC save any lives today? Did a competitor not find what he was looking for when he went through our trash because of OPSEC? Did Johnny or Susie not say something critical or sensitive on the Internet today because of OPSEC? Beats me. I hope so – but we have no proof.
Sooner or later your OPSEC program will come into question. At that time you will need to be able to answer the question: “Why should we keep the program?”
The answers to that question are as varied as the individual programs and can’t be fully covered in this forum. But you need to be thinking about how to answer that question for your program and your organization. I guarantee you that sooner or later the question will be asked, and I’ll bet you that if you don’t have the answer they’re looking for…
Let’s just say you and your program may be in danger.
Keep the Faith!
Fight The Power – Public Enemy