OPSEC: Operations or security?
The identification and protection of critical but not trade-secret (or classified) information is known as OPSEC (short for operations security). In some cases, we have seen OPSEC being ignored within corporations because it was not clear who should be doing it. On one hand, the word “operations” indicates it is an operational issue, and should perhaps be handled by someone in operations. On the other hand, the word “security” indicates that it should be handled by the security department. In other cases, its usefulness as a management tool is not understood and there is no perceived “need” for OPSEC, which is, in any case, still a fairly new concept in private industry, and virtually unknown outside the US, as far as we can determine.
Although these problems could in theory be handled, and in a perfect world might be handled, by a security department, they generally aren’t. We cannot think of a single high-risk problem where The LUBRINCO Group has ever been called in by an organization’s security department, nor one where we have been asked by the senior manager who hired us to work with the security department. Normally, security departments get short shrift and have been shoehorned into very limited areas of work dealing with physical security.
To illustrate the point, let’s say your company is planning to invest $50,000,000.00 in a business venture in China (an area in which we provide services). In theory, you could turn to your security department to oversee the exercise of due diligence, but you probably won’t for a variety of reasons. Likewise, who are you likely to call on first if an employee becomes violent? Human Resources, into whose bailiwick this falls as a personnel issue, or Security, into whose bailiwick this falls because someone could get hurt? No matter what the org-chart says, prudence tells you to call Security. And how likely are you to call the people that handle the one issue to handle the other?
OPSEC presents the same kinds of issues. The logic is that there is “something to be protected” – albeit something as intangible as information – so there is some justification for thinking of it as a security issue. We would argue, however, that it is largely a management issue: identifying what is critical to the company and how the organization’s actual adversaries might wish to acquire this information and use it is something that only management is in a position to know and assess.
Is your security department in a position to determine what precisely represents the company’s “crown jewels”? The answer to this question lies largely in what your security department does. If what they do is largely handle physical security, and if most of their budget and time goes to guards and monitoring and alarm systems, then the likelihood of their having the internal expertise to handle OPSEC is low. If, on the other hand, areas such as financial planning and oversight, financial due diligence, and executive protection are handled by security, then the likelihood is greater that this would be within their scope. The real danger lies in nobody dealing with OPSEC, because nobody knows what it is or who should be handling it. For most organizations of our acquaintance, lack of an OPSEC program is costing them quantifiable losses of cold, hard cash. Whoever handles OPSEC (and we have no practical or emotional attachment as to where it should be handled), it needs to be handled by someone.