Michael D. Moberly April 25, 2014 ‘A long form blog where attention span really matters’.
This post is written for entrepreneurs, researchers, and companies who recognize the importance and value of retaining some semblance of confidentiality regarding perhaps a pending merger, acquisition, R&D project, new product launch and/or public rollout. The following is one example.
I colleague of mine who very deservedly is a highly sought after ‘chief security officer’ (CSO) for Fortune ranked technology firms. In a previous CSO position he assumed enterprise wide responsibility for maintaining absolute secrecy regarding a newly developed product and its launch at the annual ‘consumer electronics’ show in Las Vegas. His efforts were successful, that is, there was no evidence of leakage or premature disclosure that would have provided fodder for analyst speculation that may have, at least partially, negated – undermined the company from experiencing a rapid 300% increase in its stock price following its public launch at the show.
In the U.S. Silicon Valley, where there are large numbers of extraordinarily sophisticated, and globlly predatorial competitor – business intelligence activities ongoing, coupled with the somewhat incestuous employee fire – hire – rehire environment, maintaining comprehensive project – product launch secrecy for any substantial length of time is, to be sure, is a significant responsibility and undertaking encompassing countless variables. Though, my colleague is and remains an ardent advocate and practitioner of OPSEC.
The Origins of OPSEC
As a methodology, OPSEC (operations security) emerged in 1967, during the Viet Nam war, when a small group of U.S. Navy personnel were tasked to determine how the enemy was obtaining advance information about U.S. military combat (air, ground) missions. The enemy, in this instance, was the Viet Cong, the North Vietnamese Army and their various allies.
This group of Navy personnel learned that, in many instances, there was an abundance of unclassified ‘indicators’ that were readily observable by adversaries that, in many instances, signaled a pending military mission or operation.
The enemy’s intelligence collection and analysis methodologies were quite unsophisticated, generally relying on personal observations and understanding which indicators were relevant, which in turn allowed them to ‘connect the proverbial dots’ to develop a rapid and frequently accurate assessment of (a.) the capabilities of the particular combat unit involved, and (b.) it’s intentions, which included the missions’ intended target.
As the adversary’s honed their observation and analytical skills insofar as recognizing mission/operation ‘indicators’, the always desirable and preferred element of surprise was routinely being compromised, along with a reduction in mission effectiveness. More importantly however, the military personnel executing the compromised missions were now being exposed to greater risk.
In short, the U.S. Navy personnel charged with examining how missions – operations were being compromised came to learn that, even though mandated security and intelligence countermeasures were being used, reliance solely upon them, was insufficient to completely deny adversaries from surmising mission intentions and capabilities to their benefit.
It was ultimately concluded that, if military operations ‘were examined through the eyes of the adversary’, i.e., from the planning phase through execution, mission planners would themselves come to recognize and ultimately eliminate the myriad of subtle and often indirect indicators, i.e., actions, behaviors, etc., that ‘signal’ a pending operation.
Then, as now, operations security (OPSEC) is associated with the planning and executing operations in which…
- integrity, and the
- element of surprise
…are absolutely essential to mission success and mitigating personnel risk!
Since the Viet Nam war, the OPSEC process has undergone numerous revisions and refinements. Its benefits are now widely recognized and applied throughout much of the defense, public law enforcement and even certain corporate R&D environments.
What Is OPSEC?
OPSEC is a specialized security discipline. It focuses on discovering and eliminating the indirect ways in which information assets pertinent to the planning and execution of an operation and/or project can become known to and used by an adversary to undermine the mission’s success and elevate exposure to risk
OPSEC emphasizes the view that adversaries have a consistent interest in acquiring information that will aid them to evade (a.) detection, (b.) capture and arrest, and (c.) otherwise permit them to continue their intelligence collection activities unabated.
Insofar As The Private (Tech) Sector Is Concerned, The Key To OPSEC’s Success Is Examining Projects Through The Eyes Of Economic and Competitive Advantage Adversaries
To be effective in today’s global business environment, a company must be able to systematically examine all planning and execution related activities ‘through the eyes’ of their known economic and competitive advantage adversaries, which entails…
- assessing the adversary’s motivations, intentions, and capabilities to actually detect and exploit relevant intangible assets, particularly intellectual, structural, and relationship capital.
- eliminating, or, at least minimizing preparatory ‘indicators’ related to pending operations, projects, and R&D throughout the planning and execution stages.
In my judgment, each OPSEC principle is readily translatable to the private sector. It’s merely a matter of recognizing how military related goals fit a private sector initiative or transaction.
For example, companies, be they Fortune ranked or early stage start-ups, that are about to ‘go public’ with a new product, service, or technology have an interest in discovering and eliminating even the most subtle indicator that could become known and applied by competitors to undermine and/or deny success.
I am hard pressed to identify any circumstance in which it would be in a company’s interest to inadvertently or negligently provide a close competitor with advance notice. Given the aggressively competitive, globally predatorial, and ‘winner-take-all’ nature of most companies today, any advance notice would give competitors ample time to develop a counter campaign of sorts, to undermine the projected success of a new products’ rollout, merely because ‘the element of consumer surprise’ was absent.
There is little question that the combined elements of consumer anticipation and surprise are valuable commodities to the private sector!
But, in part because of how and why OPSEC originated, particularly perhaps its association with military (war) operations, there have been challenges to overcome (address) with business decision makers to render it a more appreciated application, not solely to new product launches, but also to various types of business transactions in which confidentiality and due diligence are essential, e.g., mergers and acquisitions, etc.
A key and very favorable factor, insofar as applying OPSEC to private sector transactions is concerned is the economic fact that 80+% of most company’s value, sources of revenue, and competitive advantage now lie in – evolved directly from intangible assets.
So, an initial step is for a company to recognize various ways in which valuable intangible asset shrinkage – compromise – misappropriation can prematurely occur to benefit a competitor and its market space. Company leadership must too recognize that some intangibles may not meet the six requisites of trade secrecy, but still they may be identified as proprietary and remain out of the public domain for as long as possible so the company is positioned to take full advantage – exploit their intangibles before any (global) competitor can mount a counter move designed to undermine and/or diminish any projected successes.
Translating OPSEC To The Private Sector
To security practitioners already well versed in the principles and practices of OPSEC, the safeguarding and preserving the value of the array of contributory intangible assets, while being (a.) integral to OPSEC and (b.) routinely part of conversations among company decisions makers, the term OPSEC itself, is rarely uttered because a significant percentage of business decision makers are far removed from any defense and/or military reference points on which OPSEC was founded.
Too, well practiced OPSEC is not reliant on any particular automated procedure. Instead, OPSEC is dependent on a high level of (user) internalization coupled with keen awareness and observation skill sets in which users and decision-makers consistently examine most all of their business-related activities through the eyes of global economic and competitive advantage adversaries
Broadly speaking, these OPSEC attributes are, in some respects, the antithesis of the very technical and procedural (disclaimer and liability influenced) rigidity associated with most computer/IT security (software) programs and/or enforcement provisions related to intellectual property law.
OPSEC compliance and its ultimate value – contribution to a company is, for the most part, dependant on people – user awareness, and alertness. Figuratively then, OPSEC may be more art than science, but it is quite successful.