We recently spoke at a conference in London at which three of us spoke on topics relating to protecting information. This is not uncommon for us, and always makes us a little anxious, as we in theory face the risk of having several people say the same thing as we are saying.
In practice, however, this never happens. What we always see from others in their excellent presentations – and saw in this case, too – is a discussion of rule-based steps taken by security professionals. While the information given is invariably valuable defensive information from communications security, or information security, IT security, security-minded IP attorneys, and a number of other security fields, it is not what we discuss in our talks.
What we discuss is OPSEC, which is a threat-based (not rule-based) process. OPSEC allows us to put in place specific countermeasures based on analysis of specific threats, vulnerabilities, and impacts to reduce vulnerabilities to specific threats of competitive intelligence, economic espionage, and theft of information. We discussed how to implement a corporate program for the identification, valuation, and protection of information against competitive intelligence, economic espionage, and theft.
The rules from security folk (have access control, use telephone encryption, have firewalls, sweep conference rooms for bugs, do background searches on employees and subcontractors, have appropriate patents and trademarks, use pre- and post-hiring and firing confidentiality agreements, et cetera) are important – indeed critical – in addressing the overall security of your plant, your people, and your information by reducing crimes of opportunity.
That said, all of these are like the preventive and protective measures one takes with fire. You have detectors, and alarms, and sprinklers, and extinguishers, and fire drills. But they are not designed to prevent arson.
Competitive intelligence, economic espionage, and theft are the information-loss equivalent of arson. An OPSEC program helps you implement an overall corporate program for the identification, valuation, and protection of information from real threats, and not merely from crimes of opportunity.
When a specific threat is encountered, the OPSEC staff will work with other staff – either security staff or middle management in specific areas – who will use their disciplines to put countermeasures in place. OPSEC therefore tends to be a relatively small management function in the office of the VP of finance or operations that cuts across all organizational boundaries, depending on the threat encountered.