Michael D. Moberly January 7, 2013 ‘A blog where attention span really matters’!
What is OPSEC…
As a methodology, OPSEC (operations security) emerged in 1967, during the Viet Nam war, when a small group representing relevant branches of the U.S. military were tasked to determine how adversaries, i.e., Viet Cong and the North Vietnamese Army, were obtaining information about forthcoming combat (air, ground) missions and able to use that intelligence to mitigate risk (damage) to their assets and personnel.
Among other things, the group learned in most numerous instances, there were ‘indicators’, i.e., routine and readily observable preparatory activities that signaled a pending military operation as well as its target. As adversary proficiency in identifying ‘indicators’ grew, they were able to distinguish indicators further on the basis of their relevancy to mission planning and preparation in addition the capabilities, intentions, and probable targets of the U.S. combat unit in which the indicators originated.
The original purpose for employing OPSEC in U.S. military and intelligence communities respectively, still today, is to deny the much larger number of adversaries advance notice of pending operations and their targets by exercising caution insofar as altering and/or disguising heretofore routine preparatory information, processes, and communications related to mission planning. This includes occasionally introducing subterfuges.
OPSEC’s relevance to reputation risk…
The principles of OPSEC, not unlike their Viet Nam era origins, but with some obvious adaptations, are very relevant to revealing company reputation – brand risks, particularly those which are festering under the surface, but when they rupture, often with the aid of communication mediums can instantaneously materialize with such sufficiency to…
influence rapid adverse reactions from investors, consumers, and other stakeholders throughout companies’ respective supply and production chains to rapidly place a project, product, or business initiative at financial, reputational, and competitive advantage risk and/or peril.
OPSEC principles are readily translatable to the private sector…
The principles of OPSEC remain widely practiced today primarily in the world’s intelligence communities, military mission planning, and have not gone unnoticed by most terrorist organizations. Respectfully, but fortunately, OPSEC’s very effective simplicity is resonating in the private sector, particularly in circumstances where secrecy and confidentiality for such transactions as R&D, product launches, and M&A’s, etc., are critical to execution and achieving projected revenues, efficiencies, and competitive advantages
Well practiced – executed OPSEC is not reliant on any particular IT application or system. In point of fact, its principles are the operational antithesis of the technical rigidity associated with computer/IT security (software) programs as well as overly presumptive deterrents and enforcement associated with intellectual property law.
Instead, OPSEC is dependent on project – enterprise wide internalization of its principles at each relevant level to consistently examine relevant activities, behaviors, and communications ‘through the eyes of global economic and competitive advantage adversaries’
Experience suggests, once the principles of OPSEC are articulated with timely examples of application specific (business) circumstances, management team reluctance for trying OPSEC on a project basis, dissipates and with further training, becomes intuitively practiced as self-evident assessment and analysis.
The distinguishing factors are, traditional practices, processes, and preparatory activities are framed through the eyes of global economic and competitive advantage adversaries. This means management teams and employees alike, are obliged to consider how the various steps, processes, and procedures they engage traditionally associated with executing a transaction or new business initiative in which the elements of secrecy and surprise are essential, will be translated when known by economic and competitive advantage adversaries.
Business rationale for incorporating OPSEC in your company…
For me, the most compelling rationale for integrating the principles of OPSEC to any business initiative, operation, or transaction insofar as mitigating, if not eliminating, reputation – brand risk lies in this economic fact…
80+% of most company’s value, sources of revenue, and ‘building blocks’ for achieving competitive advantages, profitability, growth, and sustainability evolve directly from intangible assets, i.e., intellectual, structural, and relationship capital, reputation, brand, image, and goodwill.
OPSEC is a practical, discreet, and intuitive process…
Having been consistently engaged in the information asset safeguard arena for 25+ years, I can say with considerable assuredness that global economic and competitive advantage adversaries have honed, to near perfection, their skills in business information (asset) analysis and compromise at their very earliest stages of development.
For example, it is possible today, often with the aid of specialized (competitive intelligence) software, to distinguish minutia of subtle and indirect indicators, i.e., information and processes that alert competitors to imminent business initiatives or transactions prior to any actual ‘go – no go’ decision has been made. What’s of equal value to competitors is the knowledge that an initiative or transaction is being considered and/or planned as compared to its actual execution.
By having this analysis, economic – competitive advantage adversaries can be better positioned to compromise, counter, or otherwise undermine the coveted and critical elements of secrecy and surprise.
State, corporate sponsored, and legacy free players engaged in economic-competitive advantage intelligence…
Understandably, state and corporate sponsored, as well as independent (legacy free) players globally, are predatorily persistent and aggressively engaged in competitive intelligence activities. Again, the objectives, for the most part are consistent, i.e.,
- to reveal the plans, intentions, and capabilities which, if executed, would allow a competitor or client to achieve an economic and/or competitive advantage.
- serve as the basis for competitors to mount various strategic actions specifically intended to at least moderate, if not wholly undermine any advantage a competitor believed they would achieve.
Aides to achieving those objectives lie in an array of off-the-shelf scanning technologies which can keep information acquisition and analysis at ‘arms length’ and within the parameters of legality and business ethics, yet available for prompt and effective analysis. Aside from these scanning technologies, some conventional competitive intelligence methodologies remain unethical at best, if not illegal depending in part the country they are being executed.
That said, I have heard management teams variously rationalize competitive intelligence activities as…
- being the world’s second oldest profession.
- every company – nation is doing it, why shouldn’t I.
- the stakes of business initiatives and transactions have become so high that achieving ‘second place’ is neither an admirable nor profitable consolation.
- my stockholders and stakeholders compel me to do it.
- there is a consistent global market for business and competitive intelligence and analysis.
The term OPSEC is not routinely uttered in many c-suites or board rooms…
Admittedly, the term OPSEC is not routinely uttered in many c-suites or board rooms. My experience however has allowed me opportunities to effectively integrate OPSEC principles in several (private sector) engagements. Admittedly, some business management teams convey a dismissive attitude toward OPSEC by…
- by questioning its cross-over (military to private sector) relevance, or
- because it conjures off-putting connotations based on its Viet Nam war era origins.
Neither should deter exploring it further or incorporating it as an action item on either agenda.
But, let’s be clear, OPSEC is not a subterfuge for companies to conceal materialized reputation risks from public – regulatory scrutiny regardless of their causation. In other words, the principles of OPSEC are not a modus operandi for silence
OPSEC objectives to mitigate-eliminate risk to reputation and brand…
Instead, the principles of OPSEC are very proactive and call for consistent, thorough, and objective examination and unraveling of ways companies may be inadvertently or indirectly exhibiting indicators of pending business activities/transactions which are best executed if secrecy and surprise remain present without premature disclosure, e.g., the
- initial objective then for companies practicing OPSEC are determining whether any exhibited indicators could, upon analysis, manifest as reputation risks,
- second objective is to modify and/or eliminate the indicators, and the
- third objective is to recognize that deploying OPSEC is not intended to wholly displace conventional (reputation) risk management initiatives, rather to compliment them!
I’m confident few management teams, c-suites, and boards would disagree with the view that a financially favorable (company) reputation plays an increasingly significant role toward achieving – meeting projected desirable outcomes to business initiatives and/or transactions, the probability of which elevates when the principles and practices of OPSEC are accepted, consistently applied, and appropriately practiced.
Ultimately, company management teams need to recognize the ever increasing array of techniques and circumstances in which specific risks – threats can materialize to temporarily or irreversibly dilute the (contributory) value of a company’s reputation and brand simultaneously.
Some proprietary intangible assets will not fit requisites of trade secrecy…
Management teams are obliged to recognize there are contributory and underlying intangible assets in play to a company’s brand and its reputation, some of which do not fit the requisites of trade secrecy. Those assets can however retain proprietary status and remain out of the public domain through effective use of OPSEC, e.g., for sufficient periods of time to allow companies to ensure their R&D is complete, new product launches are prepared, and other (contributory) intangible assets are positioned to achieve maximum surprise, projected revenues and competitive advantages before sector competitors (globally) can mount distractive counter move(s) to undermine all or a portion of those anticipated benefits.
OPSEC is a dynamic methodology for addressing risks to reputation and brand…
Management teams of intangible asset intensive and dependant organizations are obliged to recognize that reliance on conventional (stationary) safeguards, particularly trademarks, copyrights, and patents are, while presumptively required, generally insufficient insofar as a standalone safeguard methodology in today’s simultaneously aggressively, globally predatorial, and instantaneously competitive business, R&D, and transaction environments. That is, the strength of the onetime deterrent effects and presumed self-enforcement of conventional intellectual properties, i.e., patents particularly, are, through my lens anyway, approaching irrelevance aside from their providing reactive (legal) standing for litigation when, not if, infringement and/or theft occurs
Somewhat unlike conventional IP, OPSEC’s guiding principles remain very much intact, relevant, malleable, and bolstered by continued employee awareness and interest in…
- examining – scrutinizing their preparatory behaviors, processes, communications, and activities through the eyes of their economic and competitive advantage adversaries.
- continually fine tuning and making relevant adjustments to keep pace with new twists and variations of risks to intangible assets, i.e., reputation and brand.
- risks/threats emanating from variously sophisticated state sponsored entities, legacy free players, corporate (business/competitive) intelligence programs, insiders, and the proliferation of independent ‘desk top’ competitive intelligence and information brokering operations.
OPSEC in practice…
As readers will find in the example below, a company’s ability to sustain the elements of secrecy and surprise, against the ever present reality of persistent reputational and brand risks lurking and probing for vulnerable targets, serves to enhance a company’s stature and become valuable and respected signals that will resonate throughout a market sector. Collectively, this contributes to a company’s reputational value and strengthens its relationship capital.
Too, as readers know, there are several industry sectors where enterprise wide – project secrecy and integrity with respect to R&D planning, marketing, and launch execution are sacrosanct. That is, they are mission critical underliers to achieve profitability and enhance reputation and brand. The warp operating speed of the tech sector in particular, is a good illustration wherein safeguarding intellectual, structural, and relationship capital is related to most every projects ultimate success, and, by extension, a company’s reputation and brand.
As the world knows, the U.S, not unlike numerous other (G-8) countries, there are multiple ‘silicon valleys’, perhaps one of the more notable is California’s San Jose area where there are also untold numbers of sophisticated and globally predatorial competitor – business intelligence operations ongoing and have been since the Valley’s inception. That, coupled with a somewhat incestuous employee hire – downsize – fire – layoff – rehire environment, maintaining comprehensive project – product R&D and launch secrecy for a substantial period of time is, to be sure, a routine, but highly significant undertaking encompassing countless variables.
A colleague of mine, Mr. Greg Acton, CPP, CISM, is very deservedly, a highly sought after security executive throughout California’s Silicon Valley. Several years ago while Greg served as Global Chief Security Officer for a leading technology communications firm, he and his team were tasked with the responsibility for enterprise wide security – secrecy for a developing product and its projected launch at the annual ‘consumer electronics’ show, which is one of tech sector’s most desired and coveted product launch and showcase venues. As expected, Mr. Acton’s two year effort proved completely successful.
That is, there was no evidence of unauthorized – premature disclosures, adverse leakages to the tech ‘underground’ or media anyone of which, had they occurred, would have invariably and rapidly led to unmanageable speculation, little or no consumer – sector surprise, probable product piracy, significantly diminished competitive advantage in the products’ market space, and most certainly a much sullied and perhaps irreversible downward spiral to its reputation and brand as well as undermining – deflating the 300% increase in stock price Acton’s company enjoyed immediately following the products’ public unveiling at the show. In addition to the company’s rapid stock spike, the VP of marketing informed Greg, in a congratulatory manner, the company had spent $1M on marketing the products’ lead up’ to the consumer electronics show.
In return for sustaining secrecy of the project for the two years prior, the VP also estimated the company received fifty times that amount in free advertising during and immediately following the show. Collectively the efforts of Mr. Acton and his team solidified the product’s price point premium and the company/s brand and reputation. A strategy relied on to accomplish this feat was, in large part rooted in Greg and his teams operational familiarity with and application of the principles of OPSEC.
OPSEC’s key to success…
As noted previously, there are numerous ‘off-the-shelf’ tools and firms today which variously purport to mitigate reputation and brand risk. Respectfully, some firms and individuals offering such services, through my lens, constitute do-overs of previous, now less lucrative careers that (a.) emphasize tactically reactive approaches, versus (b.) strategically proactive processes, often emanating from the principles and practices of OPSEC.
Understandably, experience points to numerous management teams which have already staked out their company’s position about how to address – respond to materialized reputation and brand risk(s). For the most part, I find those positions are more closely resemble the former, i.e., ‘a’, vs. the latter, i.e., ‘b’.
When ‘a’ prevails, regardless of management team rationale, I encourage them to separately ask legal counsel, marketing, and accounting how much it will cost to try to retrieve their companies’ compromised or substantially diminished reputation and/or brand once risks have materialized and begin taking their financial and reputational toll.
Again, for companies to be consistently successful in today’s increasingly aggressive, competitive, and predatorial global business (transaction) environment, it’s important to routinely, systematically, and critically examine processes, activities, behaviors, and communications associated with company R&D, strategic planning, and product – service launch etc., through the eyes’ of economic and competitive advantage adversaries, to…
- assess the adversary’s motivations, intentions, and capabilities to actually detect and exploit relevant intangible assets, and
- eliminate, or substantially mitigate projects’ routine – accustomed preparatory activities, behaviors, processes, and communications that individually or collectively constitute ‘indicators’.
Correctly assessing both of the above can measurably decrease the respective ‘foot prints’ which most business initiatives unwittingly, but inevitably leave.
Stone v. Ritter, does it make OPSEC a fiduciary responsibility…?
Again, I respectfully, but strongly encourage management teams representing intangible asset intensive and dependant companies in which reputation and brand play valuable and integral roles, to objectively examine the principles of OPSEC for their suitability, regardless whether the firm is mature, maturing, Fortune ranked, early stage, a promising start-up, or small-medium size.
With fewer exceptions, any company’s actions and processes, i.e., indicators related to new products, services, or technologies will expose the underlying intellectual, structural, and relationship capital, and by extension, reputation and brand to an array of increasingly irreversible and certainly costly risks. Having processes and practices in place to mitigate, deny, and/or eliminate such risk is now akin to a fiduciary responsibilities that management teams, c-suites, and boards bear, i.e., See Stone v. Ritter, 911 A.2d 362, Del. Supr. 2006
An objective reading of the Stone v. Ritter concludes sustaining control, use, ownership, and monitoring value, materiality, and risk to intangible assets throughout their respective life, value, and functionality cycles is a responsibility management teams and c-suites should not dismiss or overlook.
OPSEC advocate and intangible asset strategist and risk specialist…
Taken further, through my lens as an OPSEC advocate, intangible asset strategist, and risk specialist, the fiduciary responsibilities emanating from Stone v. Ritter, also entails initiatives to discover, disguise, counter, and/or change even the most subtle of ‘indicators’ which, if they were recognized and used by an economic – competitive advantage adversaries, are all but sure to deny, or at least undermine and dilute the financial, reputational, and competitive advantages a company projected.
I am sure there are circumstances in which some organization may conclude it’s in their marketing – launch playbook to discreetly leak information about pending projects to spark consumer interest and elevate anticipation. For those companies that find such strategies are productive, I encourage them, before execution, to ensure their backside is duly covered.
But still, to allow ‘indicators’ to be externally observed and acquired either inadvertently or through negligence, will, with confidence, end up in the hands of competitors, providing them with ample time to mount counter initiatives. In large part this is due to the absolute proliferation of entities, organizations, and individuals globally engaged in the acquisition, analysis, and trading-brokering of business – competitive intelligence.
OPSEC, more art than science…
Deployed OPSEC can fit any company or managerial metric requirement even though its principles and benefits are largely intangible they can still be objectively measured.
Attempting to assign a contributory value to OPSEC (for a particular business operation or transaction) in traditional return-on-security-investment terms often becomes an exercise in trying to ‘quantify the negative’. For example, prior to a company implementing OPSEC its management team would prudently ask…
- what risks will be prevented, eliminated, or mitigated?
- how will those benefits manifest and be subject to measurement?
Instead, I encourage clients to reframe our initial engagement discussion and incorporate questions for ‘quantifying the positive’, e.g., what contributory value – competitive advantage enhancements will emerge following OPSEC’s implementation that otherwise would not have occurred? This, I believe is a more insightful and strategic methodology for assessing – measuring the impact of OPSEC.
OPSEC, increasing receptivity and confidence…
There remain a significant percentage of management teams, who have yet to be initiated to the asymmetric and extraordinarily rapid materialization (fire) of reputation-brand risks. That said, with more regularity, I find management teams who respectfully display a sort of vicarious intrigue with the principles of OPSEC which I attribute, at least in part, to the reality that OPSEC’s origins are rooted in secretive military operation planning and mission execution.
But also, I attribute management team receptivity to OPSEC due to its…
- understandable and instinctive, but often overlooked obviousness, and
- peoples base desire to address and sustain secrecy absent condescending reliance on non-disclosure and/or and confidentiality agreements.
The term (acronym) OPSEC has consistently been in the language action repertoire of the military and intelligence communities for 40+ years. But, as noted previously, the term OPSEC is seldom uttered in c-suites or boardrooms in favor of ‘mba light’, sometimes cryptic, and ever changing ‘buzzword’ language and phrasing.
One phrase that won’t change however, is the economic fact that 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in or emerge directly from intangible assets’.
True, some millennial entrepreneurs, business owners, and decision makers find OPSEC’s 40+ year existence and its origins in military and intelligence circles as rationale for its obsolescence and irrelevance in somewhat of a context of contrasting cyber warfare to‘boots-on-the-ground (conventional) warfare.
Again, considering 80+% of most companies value and sources of revenue and competitive advantages today lie in intangible assets, it only seems prudent, in light of the increasingly sophisticated, surreptitious, aggressive, predatorial and global nature of economic-business competitive intelligence activities that company policy makers and action oriented management teams have an intellectual curiosity, coupled with fiduciary responsibilities, to sufficiently and consistently safeguard their company’s key, and in some instances, most valuable intangible assets, i.e., reputation and brand.