16. September 2009 by Revelator.
“I’ve called this meeting because, as we feared, our budget has been cut 14%. We’ve game-planned for this but now is the time to get serious about what we can slim down and what we can live without.”
“Sir, if I may…we do have one program that has absolutely no verifiable Return on Investment that I think we should consider.”
“You mean, we actually have a program that is costing us money that has absolutely no ROI?”
“Yes sir.”
“Frankly, I’m a little worried that this hasn’t come to my attention before. What program are you talking about Johnson?”
“OPSEC sir.”
“Op-what-now?”
“OPSEC sir; Operational Security. You know the one. That briefing we get once a year where they tell you to keep your mouth shut. Don’t talk about work in bars and stuff.”
“Yeah, I know it. You mean that program costs us money? It can’t be very much can it?”
“Well sir, we have a full time guy who runs the program and then we have a group of people who have to spend a small percentage of their time on it as OPSEC Committee members.”
“Hmmm. So what do they actually do for us?”
“No one really knows sir. I think I’ve seen a report or two floating around but I’ve never read one and no one I’ve asked has either.”
“Let me make sure I understand…they give briefings that no one wants to go to, write reports that no one reads and take up valuable time from committee members who should be doing something else. Is that about right?”
“I would say that about sums it up sir.”
“And how much will we save annually if we kill it?”
“Based on the projected cuts for this upcoming FY killing this program would save us .003% off the top.”
“Well that’s not much is it Johnson?”
“No it isn’t sir, but if we think we really don’t need it anyway then why not just kill it? It will show that we’re being proactive and not afraid to cut what some of our security professionals say is a critical program.”
Ladies and Gentlemen, this is happening today. OPSEC has already been reduced or just plain cut from a number of organizations. We know OPSEC is a viable program. We also know that it does not and will not ever bring in money. ROI is almost impossible to prove also. Did OPSEC save any lives today? Did a competitor not find what he was looking for when he went through our trash because of OPSEC? Did Johnny or Susie not say something critical or sensitive on the Internet today because of OPSEC? Beats me. I hope so - but we have no proof.
Sooner or later your OPSEC program will come into question. At that time you will need to be able to answer the question: “Why should we keep the program?”
The answers to that question are as varied as the individual programs and can’t be fully answered in this forum. But you need to be thinking about how to answer that question for your program and your organization. I guarantee you that sooner or later the question will be asked and I’ll bet you that if you don’t have the answer they’re looking for…
Let’s just say you and your program may be in danger.
Keep the Faith!
Revelator
Fight The Power - Public Enemy
13. January 2009 by Layne.
Today I got yet another call from a long time OPSEC Program Manager saying that they had to foreclose on his OPSEC program. Rising OPSEC costs with no foreseeable returns have buried many an OPSEC program recently. I know you’ve read the news accounts and experts from around the country are calling this an OPSEC recession or perhaps even an OPSEC depression. More to the point, an OPSEC depression that resembles - and may even be worse than - the Great OPSEC Depression of the late 70’s.
I guess to fully understand the problem we need to deal with exactly how we define recession and depression. In Operations Security, the term recession generally describes the reduction of the gross OPSEC product (GOP) for at least two quarters. The standard dictionary definition is “a period of reduced OPSEC activity.” The United States-based National Bureau of OPSEC Research (NBOR) defines OPSEC recession as: “a significant decline in OPSEC activity spread across the country, lasting more than a few months, normally visible in a lack of real OPSEC growth.” But does that accurately describe the current state of OPSEC affairs or do we need a stronger description? Perhaps this will do: An OPSEC depression is a sustained, long downturn in OPSEC. It is more severe than a recession, which is seen as a normal downturn in the OPSEC cycle. Considered a rare but extreme form of recession, a depression is characterized by abnormal increases in threat, vulnerabilities, risk, restriction of countermeasures, as well as highly volatile relative OPSEC value fluctuations, mostly devaluations. Yeah, that sounds more like it but I say to you that all is not lost…not yet at least.
What OPSEC needs right now is a stimulus package. Passage of an OPSEC Stimulus package by the Interagency OPSEC Stimulus Syndicate (IOSS) could be a critical step in OPSEC’s recovery, but as important as it is, it’s only the beginning of what I think all of you understand is going to be a long and difficult process of turning our OPSEC around. The current proposed stimulus package features nearly 20 dollars for renewable OPSEC and 11 bucks to modernize the Operations Security Professionals Association (OSPA) — steps former OSPA Ombudsman Bob Bitchen warmly endorsed weeks ago as a down payment on the strategy for fighting OPSEC change. Supporters of the measure denied this amounted to diluting OPSEC, which had alarmed major OPSEC groups like OSPA.
Much of the justification for IOSS intervention in the form of the Stimulus Package comes from the assertion by many outside our community that OPSEC has failed. One OPSEC manager scoffed at this idea. “OPSEC programs are working fine, but they’re giving people answers that they don’t like, so people cry OPSEC failure.” Vulnerability and risk are high? That’s because program managers are afraid of a prolonged OPSEC depression. And well they should be.
To understand how things went awry this time, go back a couple of decades, to a time when you could walk up to your OPSEC Manager and speak to someone who knew your name, your vulnerabilities and kept a record of your countermeasures. OPSEC was a simpler affair, and a no-nonsense one: If you didn’t write a CIL, understand your threat, identify vulnerabilities, assess risk then you didn’t get effective countermeasures. We all did our job and risk was lowered across the board. But lately falling interest in OPSEC and reliance on technology has lowered the impact any one OPSEC Manager can have on an organization, program or combat situation. We all wanted a piece of the OPSEC dream and by doing that, we forgot about the risks.
Most of the words above were borrowed from current news stories about the tough economic times this country is facing and while I tried to have some fun with it I found myself at the end without a viable point. And then I reread what I had written and it jumped out at me right there at the end - it’s all about the risk folks. Stay focused on lowering the risk to your unit, organization, mission or combat op and everything else will work itself out. Keep fighting the good fight and remember to always…
Keep the Faith!
Revelator
Manic Depression - Jimi Hendrix
9. October 2008 by Revelator.
Excerpt from an article I recently read: “Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey. The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security professionals worldwide. 51% of respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Frost & Sullivan’s network security industry manager. ‘That increases the chance of something happening, whether it’s malicious employees or just someone with good intentions but walks out of the building with data so they can work at home,’ he said. The findings are supported by Information Security’s Priorities 2008 survey, in which 70% of participants said they are worried about detecting and thwarting internal attacks.”
‘Bout time people start understanding what us OPSEC Professionals have known for quite a long time - unless you are in battle (and sometimes even then), the internal threat is the biggest threat to your organization. I wrote a blog entry on 30 May titled “Welcome to the Jungle” that spoke to this very thing.
From my perspective this isn’t an on-going trend from the past 2 or 3 years - it’s an on-going trend period. And it will never stop. Certainly advancing technology has made it easier for the malicious insider to cause harm but it has also made it easier for our biggest threat - the unintentional insider - to screw up and cause harm. Either through ignorance, laziness, or simple lack of caring the unintentional insider is the single most devastating threat to your organization. You can attempt to counter this with an aggressive awareness program and constant employee vigilance within the organization but the threat will remain. Understanding is half the battle - now act on this understanding.
Keep the Faith!
Revelator
Insider - Tom Petty and The Heartbreakers
Sample “Insider” lyrics…
It’s a circle of deception
It’s a hall of strangers
It’s a cage without a key
You can feel the danger
And I’m the one who oughta know
I’m the one you couldn’t trust
Yeah I’m the lonely silent one
I’m the one left in the dust
20. June 2008 by Revelator.
Dear OSPA Forum,
I’m just an average guy who hasn’t ever really had much luck with OPSEC. I’ve tried everything but nothing seems to work. I’ve bought OPSEC drinks, I’ve sent presents, I’ve sweet talked and cajoled but no luck. My friends are constantly busting on me cuz I can’t keep an OPSEC program for more than one date. Trust me, I know what it feels like when doves cry. Well, imagine my total surprise when just last week I met the OPSEC program of my dreams! There she was sitting across the room all by herself. I stole furtive glances in her direction but always turned away when she looked my way. My track record was so bad that I didn’t dare approach her. But then here she came - she was coming over to me. Oh my God! My mouth dried up and my tongue tied itself into knots. Butterflies were conducting strafing runs on my stomach and my palms began to sweat. Is she really coming over to me? What will I say? What will I do? She was so hot! Her dress left nothing to the imagination (and my imagination was screaming) and her eyes were boring through me right into my soul.
And then she sat down! I stared at her like a paralyzed deaf mute unable to do or say anything. I was sure she would realize her obvious mistake and leave - but she didn’t. And then she said something to me that I’d only heard in my fantasies; “Take me now or lose me forever.” Well, somehow I managed to get to my feet and get her back to my place without crashing my car - and that’s when it got real interesting…
Now you just know I’m not going to finish that story. Nope - I’ll leave that to your sordid imagination. All I wanted to do was give myself a reason to mention the OSPA Forum. The OSPA Forum is a place where any OPSECer worldwide can come to catch up, ask a question or just see what’s been going on.
There are currently 20 members registered. Of the 20 registered there are a good couple of bona fide subject matter experts who can help you with any OPSEC question you might have. Currently there are 6 categories, 22 topic areas, 73 individual posts and well over 2000 views. These numbers may not seem overwhelming to you but OPSEC is a relatively small community and we’re doing everything we can to support you, the practicing OPSECer.
So take a moment and check it out. Like the commercial jingle says… “And like a good neighbor, OSPA is there.” http://www.opsecprofessionals.org/forum
Keep the Faith!
Revelator
“When Doves Cry” - Prince
13. June 2008 by Revelator.
Hear ye! Hear ye! Hear ye! I’ve got a message for you. It’s not the most important one I’ll ever give or the best written one I’ve ever given but it does go to the heart of an argument that has been raging since the early ’70’s. And the question is this: How long should a Critical Information List (CIL) be?
The best CIL I’ve ever seen was in an organization that required all personnel to wear badges within the confines of the building. The organization took their 12-item CIL - I say again their 12-item CIL - put it on a card and laminated it for all personnel to wear with their identification badge. Each person in the organization had access to the CIL at all times. This is about as good as it gets folks.
On the other hand, a good number of seasoned OPSEC professionals disagree with me on this subject. They’ll tell you that a “comprehensive” CIL is the only way to ensure that all of your critical information will be protected. Sound logic to be sure. Unless you take into account the human factor. I don’t know how many of you have photographic memories and can remember a 73, or 103 or 276 item CIL, but I sure can’t. 276 items! Are you freaking kidding me? How is this usable? My personal experience is that when I’m shown a CIL with more items than my wife’s grocery list I tend to ignore it. I know I can’t memorize it and if I’m on the phone or typing an email I most likely won’t consult the “Big Book of CILs” to see if I should be communicating the information. But if you show me a list that I can wrap my brain around, say about 20 items, then I’ll study that sucker and be able to commit most of it to memory. And even if I can’t memorize it I can pin it up somewhere in my cubicle where I can actually consult it quickly if need be.
There are too many things in our complicated lives to remember already. I’m forever writing things on stickies so I don’t forget them. Then I’ve got the task list in my Microsoft Outlook so I don’t forget anything. I’ve also got a long to-do list in my 7-Habits Daily Planner which is also loaded onto my Blackberry and then as a fail safe, I’ve got my wife around who is constantly reminding me of things I’ve already forgotten. And when I do make it to the grocery store my wife will make a list for me because she just knows I’ll forget something.
And finally on the subject of short CILs - remember the KISS Principle - Keep It Simple Stupid. The shortest Critical Information List I ever saw had only one item. “We are a military organization charged with protecting the freedom of the American peoples and their allies - keep your damn mouth shut!” I could argue that there should probably be a couple of more items but damn it - I like their attitude.
Keep the Faith!
Revelator
6. June 2008 by Revelator.
Congratulations! You finally finished. Six months ago you made it through the OPSEC course. Sure, you had an unrequited love for your instructor but so did the other 17 dudes in your class - get over it. Back in the real world you found that you had purple blood flowing through your veins and you headed back to work ready to kick some OPSEC ass. The spirit of the legendary Purple Dragon burned in your heart and soul and you began grinding your way through the five-step process. You were a BEAST! A big, fire breathing beast on an OPSEC bender.
You developed your new and improved Critical Information List like a crazed maniac who just discovered that mixing Monster Energy with a Red Bull and two diet pills will keep you rocking and/or rolling all night long…and then all day…and then all night long again. Your threat research was focused and spot on and you knew exactly what threats were targeting your sensitive information.
Vulnerabilities? Indicators? They didn’t stand a chance against a highly motivated OPSEC professional such as yourself. No freaking way! So you rolled on like the man-beast you are - ready for anything and everything.
Risk? You don’t need no stinking risk! You’re prioritizing risk better than David Lee Roth’s groupie-hunting roadie and you started to think someday you could actually get that OPSEC Certified Professional certification bestowed upon you as your beautiful wife looks on with love in her eyes. Finally, you developed and institutionalized your countermeasures and you just knew the effectiveness of your new OPSEC program would certainly earn you the Individual Achievement Award at next year’s National OPSEC Conference. You even searched on-line for hotels and flights to San Antonio. Ahhhhhhh, the warm feeling of a job well done. Sit back my friend - it’s Miller time.
On the other hand (typically a backhand with a big ring on it) there is one thing you’ve missed. One thing that is so critical to an OPSEC program that if left undone will render all your hard work worthless and you can kiss your coveted award goodbye. Brothers and sisters I’m talking about feedback. Think about it - without feedback how will you ever know if your carefully crafted countermeasures are working? How will you ever know if your education and training is having any effect? How will you know if your new visitor controls are working?
A lack of feedback, in any endeavor, equals a lack of success. Let’s take dating for example. If you’re not paying attention to feedback on a first date, chances are you’ll never see a second date. Whether you notice or not you’ll be receiving feedback all night long. Some positive and some negative. But even the negative feedback helps, doesn’t it? If you’re paying attention you will learn real quick what dating measures and countermeasures are or aren’t working and you’ll be able to adjust accordingly. Ignoring, or not seeking out, feedback can kill your program.
Have you seen people who ignore feedback? I know you have. Ever worked for that one guy or gal who just won’t shut the hell up? You know the kind - the one that’s still yammering on even after you’ve wandered away and are strolling down the hall? And ladies, I know you’ve been out in the social environment and there’s always that one guy who just won’t give up. He’s trying to chat you up, or buy you a drink, or get you to dance and instead of getting your subtle hints he just thinks you’re playing hard to get and doesn’t realize that you don’t think his never-say-die attitude is all that charming and as a matter of fact if he says one more annoying word to you he’s gonna end up wearing that Appletini you’ve been nursing.
All I’m trying to say is that you need to establish some feedback mechanisms for your OPSEC program. You simply cannot succeed working in the blind. You need to find out how, or even if, your OPSEC message is getting across. You need to check to see if your countermeasures are working as designed. Is the information you determined sensitive or critical being protected in the manner you desire?
Be the beast! One of the best feedback mechanisms you can employ is to get out there in the gen-pop and talk to people in your organization. Get the feedback you need and adjust your program accordingly so that your program at least has an outside chance to succeed. And guys, next time you’re out there searching for Mrs. Right or Ms. Right Now - keep your eyes and ears open. You just might learn something.
Keep the Faith!
Revelator
30. May 2008 by Revelator.
Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks. Where will it all end? Since this is clearly our biggest security concern why can’t we fix it? Why aren’t we throwing all our money, manpower and technical abilities at this problem? Computer crimes cost us $32 million in 2006. Boy, I’ll tell you what - somebody better do something quick. Unless the computer isn’t our biggest security concern…
But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is? Here’s a clue - look above. Didn’t you read all that stuff in the first paragraph? Of course the computer is the biggest threat to the security of your organization/mission. Or is it…
Well, duh. The computer and its evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day. It’s all over the news! Technology is killing security. Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere. What’s an OPSEC Program Manager to do? Hell, you’re not the IT Security dude. You know nothing of firewalls, routers and DMZs. Face it partner - you’re screwed. Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…
And here we are again. What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast. Humans…whattaya gonna do?
I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better. And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes. You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…
The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within our own organization. The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat. They don’t mean to by the way. They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information. That’s your job - now get to it!
Keep the Faith!
Revelator
23. May 2008 by Revelator.
When I was an OPSEC Program Manager in the military I can’t tell you how much I appreciated when the boss called me in and told me that the “secret” deployment was in two days and they needed me to give the OPSEC okay to the plan. Yeah, that was always fun - and rewarding too. And then while I was in the corporate world I really enjoyed being told by a corporate honcho that the new product will be released tomorrow and do I want to look over the press releases that have already been sent out. You know…just to make sure they’re all OK from a security perspective. Ahhhhh, good times - good times. That always made the job worthwhile for me. I mean, what can bring more job satisfaction than knowing that you’re being brought into a mission or project at the precise moment that anything you might do will be a total waste of time? Boy, it doesn’t get much better than that. Assuming you have caught all the sarcasm that’s dripping off these words then I guess you’ve been there - done that - got the t-shirt - wore it - washed it - gave it to the “Poor OPSECers Fund Drive” - claimed it on your taxes.
But when should OPSEC be put into our processes or our missions? Is it during the planning phase? Is it sandwiched between planning and execution? Does it happen during market research? Does it come after product release or deployment? Boy, this is a complicated decision. So many factors, issues and considerations. So many things to deliberate, considerate, cogitate, meditate and contemplate. Seriously, there are just too many variables for me to answer that question. Except maybe this way…OPSEC begins at birth!
Every concept, idea or plan has an inception. And from there it has a defined life cycle. OPSEC must be considered in every step of the life cycle. We don’t wait until our children are five years old and then start to protect them. We don’t wait a year before we buy car insurance and we don’t wait until we’re wheels up before we start to add in some OPSEC.
Now, I understand that if you’re a regular reader of this blog you most likely are a fairly seasoned OPSECer and you’re probably hip to this little pearl of insight. So your challenge now is to educate your leadership and develop ways to ensure that you, as the OPSEC Manager, get invited to all those planning meetings that you’ve been missing. So get out there and bang down some doors. You need to be there - OPSEC needs to be there. Make it so.
Keep the Faith!
Revelator
16. May 2008 by Revelator.
Be they in high or low places you need friends if you want to do this thing we call OPSEC. I guarantee you that your workload will go up and your success will go down without your own OPSEC professionals network. People out there are doing some great and innovative things that you need to know about. None of us should work in a vacuum. Communicate with other OPSEC managers. Join OSPA or the OPS. You need to make a conscious effort to meet new people. Go to the National OPSEC Conference or an OPSEC Forum. Get out from behind your desk and get to a threat seminar. When you get out to an event like a conference or formalized training you will meet people. You can’t help it. I make, at least, five good contacts at every event I attend. That’s five more people I can call or email when I’ve got a question. Five more people who I can share ideas with. Five more people I can “benchmark” off of.
Since our program here at the National Nuclear Security Administration, Nevada Site Office won the Organizational Achievement Award at the National Conference last month I get two or three calls or emails a week from people asking for assistance/help/guidance for some area of their program. Trust me when I tell you there is no way this program would be where it is today without the help and valued assistance from people I now call friend (starting with Wayne Morris who built the program I was fortunate enough to inherit). As for the calls for assistance, I do everything I can for these people. When you’ve been as blessed as I have then you understand that you must give back to the community in any way you can. Plus I feel I need to honor folks like Tom Ariosto, Wayne Morris, Lynne Clark, Dan Wilkinson, Joan Hellon, Scott Milliman, Bill Feidl and Pat Sipes who have helped and guided me so much over the years. I just hope that some day you are as fortunate as me to have such a fine OPSEC support network to reach out and touch when you’re in need.
And when, not if but when, you attend one of these events don’t be afraid to walk up to someone and say “Hi, I’m Joe from Colorado Springs. How are you today?” You can start with me. I’ll be your first contact (if it is me though and I just finished a 90-minute speech, please just follow me to the smoking area and chat me up there instead of keeping me away from the post-speech nicotine fix I need so bad). Whatever you do, just get the hell out there and talk to someone new and get that network working.
Keep the Faith!
Revelator
13. May 2008 by Revelator.
“Leaders are busy doing the things critics say can’t be done.” You may have seen this quote before. I read it in a book last week.*
As OPSEC Managers your creativity and the ability to see the road ahead are paramount if you wish to have any level of a successful OPSEC Program. Beyond that is the fortitude to not only see the vision but to act on that vision. As an OPSEC Manager you are frequently alone in your passion to push the program but you must not let this stop you. You’ve got to be like The Bandit and have that “..we’re gonna do what they say can’t be done” attitude. Rare is the unit/company who shouts Hallelujah! when the new OPSEC Manager shows up. Rare are the times you will walk into a meeting and all will hail you as the savior of the mission. Rarer still is the man or woman who can keep running into this wall of denial until it is broken down.
The sad fact is that you just may be the only one who truly cares about OPSEC. At least this is the attitude that you need to have. Don’t let people fool you - they don’t care…not really. I’ve interviewed a number of OPSEC Managers who are quite sure they have the support of the people in their organization. And I’ll ask them; “How’s your program working? And they’ll go on and on about all the great stuff they’ve done. Unfortunately, I get a different story when I interview people within the organization. Invariably, members of the unit have no idea who their OPSEC Manager is and if they do actually know a name, they have no idea what the OPSEC program means to their mission. What about you? What about those of you who may have been hired or hand-picked as the OPSEC Manager? Surely, you care about OPSEC. Right? Well, maybe. And maybe not. I’ve seen a lot of people get burned out by OPSEC because of the abnormally high frustration levels associated with repeatedly trying to accomplish something you know is right and getting beat down by leadership or those who run the mission. I mean, you are just the OPSEC guy or gal, right? Not only have I seen this - I’ve experienced it first hand, and it’s not pretty.
You try to do a good job and you either don’t have the support of the big dogs or you’re kept too busy doing other “more important” tasks or, maybe, just maybe, you don’t really care about OPSEC at all. Maybe it’s just a paycheck or a silly little additional duty. I’ve met these people and I can see it in their eyes. You can tell they just don’t have a passion for this stuff. I can’t explain it but I’ll be honest with you - the passionate people are in the minority. And it’s rather sad because you can’t be a half-assed OPSEC Manager. You can’t simply satisfy the minimum requirements and expect to have a positive effect on the mission or the lives of those executing that mission. You can’t send out an 18-slide PowerPoint presentation as your annual training and expect it to mean anything. You can’t walk up to a group of shooters about to execute a mission and tell them they can’t do something because you say so. You can’t be so removed from the leadership that they never think to call on you when they are making long-range plans. You can’t stick your head in a sales or marketing meeting and shout “Think OPSEC” and expect it to positively effect the outcome of the meeting. You can’t wait until all the jobs are posted and then run to HR and beat them down for putting too much information in job postings. And you can’t expect your coworkers to give a you-know-what about OPSEC and how it effects the mission and their lives if you haven’t repeatedly told them - if you haven’t made it personal to them - if you haven’t fully demonstrated how it effects them personally.
Understand this: as an OPSECer you are outgunned and under-equipped for the job you’ve been asked to accomplish. Boldness under such circumstances may seem almost foolish, yet boldness may be the one advantage to have. Unlike those who lead in battle, your life may not be on the line as the OPSEC Manager - but lives, jobs, your co-workers’ welfare, and their families’ welfare may be. Your program may have less muscle, so you will need more brains. You have to reorient your thinking, behavior and strategy. Pull off the sunglasses of pride and arrogance, and drop them in the nearest trash can - you’ll see the road ahead and the obstacles more clearly without them. Then get yourself out on that road and kick some OPSEC ass!
Keep the Faith!
Revelator
*The Centurion Principles by Colonel Jeff O’Leary (Ret)
28. November 2007 by Revelator.
As promised this is the first entry from what I hope will be many guest bloggers. Rick is a member of OSPA, a Major in the United States Army and an all-around good guy. Enjoy…
It’s been said that Operations Security (OPSEC) is everyone’s responsibility; that no person alone can make OPSEC work. On the other hand, it only takes one person to ignore items on the Critical Information List (CIL) and disclose sensitive information over non-secure media or during open discussions in public. The “I” in OPSEC can be viewed from several angles.
The very foundation of OPSEC involves a five-step process: 1) Identify critical information, 2) Threat analysis, 3) Vulnerability analysis, 4) Risk assessment, and 5) Apply countermeasures. The OPSEC Program Manager (OPM) should coordinate the five-step process, meaning he/she should ensure the appropriate personnel complete each step. This process is a team effort. No “I” here.
To identify critical information, the OPSEC officer should work with the Operations section and the commander to determine what unclassified, yet sensitive, information must be protected. The list of critical information items should then be placed on a Critical Information List, or CIL. Each command will have a unique list of critical information for day-to-day operations and/or each specific mission or Operations Plan (OPLAN). Again, the OPSEC officer cannot do this alone. There is no “I” in this step.
The Intelligence section supplies the OPM with information regarding the current threat. Normally, the OPSEC Officer does not have the expertise to conduct a thorough threat analysis. Even if the OPSEC officer is the same person as the S2, it still requires assistance from others within the Intelligence section. Once again, there is no “I” in this step.
To complete a thorough vulnerability assessment, the OPSEC officer must again work with the Operations section, the “Staff”, and the Antiterrorism Officer (ATO) and the Force Protection officer (one person may perform both duties, depending on the unit). There is no “I” in this step, either.
The OPSEC officer can conduct the risk assessment step, but usually the Operations officer or the commander must approve it. This step involves subjectivity as to how much risk is acceptable and the severity of the consequences should something go awry. Therefore, the commander must be aware of the risks and give the ultimate approval for taking certain risks. There is no “I” in this step.
Applying OPSEC measures must certainly be the job of the OPSEC officer. However, the OPSEC officer can only advise the commander on the OPSEC measures. If the commander deems the OPSEC measures too costly or time consuming, or believes they would delay the mission, the OPSEC measures may be rejected. If the OPSEC measures are accepted, it is up to the leadership of the unit to ensure they are implemented. There is no “I” in the last step of OPSEC, either.
OPSEC is everyone’s responsibility. It is not solely the responsibility of the OPSEC officer to make sure OPSEC is “good” at the unit. OPSEC is a team effort. So, the “I” in OPSEC rests with every single individual who is assigned to, attached to, under operational control (OPCON), or is in some manner responsible to the commander of a specific unit where the OPSEC officer has put together an OPSEC plan.
In all actuality, everyone is the “I” in OPSEC. Your careless words or the “they aren’t listening to this phone call” attitude may cause mission failure or the deaths of allied troops and innocent civilians. You must be cognizant of the information you disclose in public, in emails, and over non-secure phones and faxes. OPSEC is everyone’s responsibility. Do your part to keep sensitive information from the adversary.
There is a saying that goes something like, “I am but one, but I am one.” The adversary only has to be right once. We have to be right all the time. The “I” in OPSEC means everybody needs to be aware of OPSEC 100% of the time. The lone OPSEC Officer or OPSEC Working Group member in your organization cannot do it for you. Be the “I” in OPSEC!
Richard E. Millikan, MAJ, USAR
Chief, OPSEC Assessments - Joint OPSEC Support Center (JOSC)
210-925-4781 / DSN 945-4781