Using outside sources to help establish an OPSEC program
There has been a lot of talk (including advertisements) from the government in the past month or so about protecting information. For those of us who do this sort of thing for a living, what they are talking about is having companies put an OPSEC program in place.
The sad fact is that OPSEC is an area about which many executives know nothing, and, in most cases, their security staff doesn’t know much more. This is neither a surprise nor unexpected: until now, OPSEC hasn’t made much of an impact on most corporations because loss of information has not seemed terribly critical. And this is precisely why it is reasonable for companies to turn to professionals such as LUBRINCO to help them establish an OPSEC program.
Although this has worked out well for most of our clients, we occasionally run across security departments that can’t bring themselves to admit that there are things outside their ken, and don’t see this as an opportunity to expand their area of competence. This is, of course, silly, as most managers recognize that certain specialized knowledge need not actually be available in-house. Even large financial institutions with competent domestic due diligence expertise have no problem turning to us for financial investigations abroad, where they are weak, and VPs of finance have no problem going to tax specialists for tax advice. There may also be a needless fear that we will make them look bad or displace them, which is patently absurd; professional outside security assessments, like any other service a company contracts for, are carried out by professionals with a special level of expertise, who are hired to provide a specific service, to provide some follow-on work, and to then move on. We are not set up for, nor are we interested in, running a day-to-day security department, and it is to our benefit to make our peers look good so that they can work more fruitfully with their organizations.
As an example of how things can go badly, we recently met with a management team to discuss OPSEC. Things were going fairly well until their security director showed up. He assured management that OPSEC was appropriate for the Feds (true), but not for private enterprise (not true). The meeting broke up shortly thereafter. We were surprised at his attitude, as he was not saying he could and would do the work himself (which we could have understood), but that this issue, which management believed to be critical, shouldn’t be addressed at all.
Not long after that we got a call asking if we could have another meeting, this time without the security manager. This is not good for any of the players. It is not good for the company because it is not productive for them to be bypassing their security manager. It is not good for the security manager to be bypassed. It is absolutely the worst position for us, not merely because we don’t like to end-run our peers in security, but also because we don’t like to help implement programs that are doomed to fail because of a lack of support from one of the key players.
The moral of this is not that this security director is a bad person (which he undoubtedly is not), but, rather, that professionals need to recognize the limits of their expertise (we ourselves only handle a few highly specialized areas, and make no claim to being a full-service protective firm), and be prepared either to bring in the resources needed to get the job done while they learn, or to develop them in advance if it would be a cost-effective way to fulfill a new, but ongoing, need.