Operational Security (OPSEC)
By Chris Nyhuis, Vigilant CEO
A Vigilant Value Series
Operational Security or “OPSEC” is a military term.
If you have spent any time on the Vigilant website, you will have read quotes from the Art of War, experienced our Command and Control Center and witnessed how our service philosophy moves with military precision. We don’t align ourselves with a warfare mindset because we love violence or war; quite the contrary. However, we do believe that the only way to truly serve our clients and our company is to meet the enemy on the battlefield, and that requires that we act as shrewdly and, in a sense, as “dangerously” as those threat actors act.
According to the Department of Defense:
OPSEC is a capability that identifies and controls critical information and indicators of friendly force actions attendant to military operations, and incorporates countermeasures to reduce the risk of an adversary exploiting vulnerabilities. When effectively employed, it denies or mitigates an adversary’s ability to compromise or interrupt a mission, operation, or activity. Without a coordinated effort to maintain the essential secrecy of plans and operations, our enemies can forecast, frustrate, or defeat major military operations. Well-executed OPSEC helps to blind our enemies, forcing them to make decisions with insufficient information.
Even a cursory reading reveals why OPSEC has essential parallels and applications for the Art of Cyber-War:
- “… reduce the risk of an adversary exploiting”
- “… denies or mitigates an adversary’s ability,”
- “Well-executed OPSEC helps blind our enemies.”
Also, according to the DOD, OPSEC 1) is an analytic process, 2) focuses on adversary collection capability and intent, and 3) emphasizes the value of sensitive and critical information.
This is why Vigilant applies an OPSEC mindset in implementing our multi-front, omni-directional vision and assessment processes.
Operational Security is about safeguarding information, and that safeguarding is not just about stopping the occasional security gap; it is also about thwarting aggregation from both common and uncommon sources. The Operations Security Professional’s Association published the 5-step iterative process for military OPSEC.
Here are those steps with our recommended cyber-security application:
Identification of Critical Information:
Cyber application: With the support and guidance of industry professionals who are experts in the enemy’s techniques and tactics, identify all sources and movements of intellectual property, customer information, research and development, company financial data, client data and employee information. Essentially, this is any information that needs to be the focus of your security.
Analysis of Threats:
Cyber application: Consider threats both from outside (third-party threat actors) and from within (disgruntled employees/sub-contractors). Standing on your Security Partner’s public and proprietary knowledge (global, temporal, geographical and industry-specific), identify existing threats to the information identified in step one.
Analysis of Vulnerabilities:
Cyber application: Sun Tzu said, “… rely not on (the enemy) not attacking, but rather on the fact that we have made our position unassailable.” This step is the study of potentialities, seeing where the gaps or weaknesses reside in the existing system. While step two analyzes what IS, step three looks to WHAT COULD BE.
Assessment of Risks:
Cyber application: This is when you, alongside your security provider, establish a plan to prioritize and then mitigate those risks. Prioritization will be weighted based on factors including, but not limited to, the following (the list should be tailored to context): how essential the system is, the likelihood of an attack, the power of that particular attack and the amount of company resources (time, personnel, cost) that would be required to recover.
Application of Appropriate OPSEC Measures:
Cyber application: While all of these steps are iterative and on some level cyclical, step five is the true long-term strategy to assure Operational Security. This is the plan to mitigate risks and destroy potential threats through processes like training employees on best practices, hardware assessments, systemic software updating, and revising company policies and security practices (as advised by your security partner). It is important that these OPSEC measures be easily understandable AND that your entire team understands their value and importance in the ongoing process.
Ultimately, the goal is preemptive protection. As Sun Tzu said, “Know your enemy and know yourself.” Operational Security requires a military mindset, and it requires the most highly trained professionals to carry it out. You must think like the enemy and protect like a family member. Then together we will ensure that your people, profits and property are always secure.