OPSEC: Don’t be fooled by the name
A major marketing problem with OPSEC lies in its full name: OPSEC is an acronym for OPerations SECurity. While OPSEC is no more related to what security professionals do than is Social Security, the mere inclusion of the word security condemns any area to being ignored by many.
In the case of OPSEC this confusion is neither a big surprise nor unreasonable, because OperationS Security is easily confused with OperationAL Security, which is, in fact, all the rule-based stuff done by security professionals.
OPSEC (we won’t here discuss Social Security, which is already much in the news), on the other hand, is a threat-based (not rule-based) process allowing us to put in place internal controls in the private sector that use risk analysis based on specific threats, vulnerabilities, and impacts, to reduce vulnerabilities to (and therefore derived risk from) competitive intelligence, economic espionage, and theft of information.
Further confusing this issue is the fact that OPSEC, like Social Security, sometimes does require intervention on the part of security professionals. Thus, for example, a lot of what we know about dealing with check theft and fraud comes from our experiences with Social Security. And many of the protective measures that have been put in place to deal with check theft and fraud came from Social Security. Nonetheless, we think of Social Security more as an administrative/financial/accounting system than something to be run by Homeland Security (though the folks at DHS probably are eyeing it).
Similarly, OPSEC may add security measures to the list of actions being taken. These security measures generally relate to things that had not been thought of as important before the OPSEC analysis (they are measures designed to counter specific vulnerabilities based on specific adversaries, and therefore reduce mission risk). Largely, however, OPSEC is more likely to generate countermeasures and internal controls that are invisible from a security perspective. They may, for example, be embedded in operational activities themselves (how or when an action is performed), or generated through the planning or management function, and therefore not fall into the category of a security measure.
Thus, it is no surprise that when Sarbanes-Oxley required internal controls dealing with the OPSEC function, management would turn to the CFO to handle these, rather than the director of security, as they probably would if OPSEC were not more commonly known by its acronym.