OPSEC as a Formula
by Douglas Boemker
As a Security Manager, I’ve never liked the common saying, “They chose Convenience over Security”. It bothered me because it seemed like a false choice. It insinuates that anyone who takes a shortcut instead of using a security best practice doesn’t actually care about the success of the mission as a whole, and that perhaps they are lazy and just don’t want to be bothered with anything that is going to make their job more difficult. As a Security Manager, you come to realize that convenience is a tool in your work belt. If you can bake security measures into the workflow that are both effective and convenient, you will greatly improve the likelihood that you will maintain Operational Security. A Security Manager has other tools, of course. We often find that our ability to enhance convenience is limited by outside guidelines, budget, or perhaps our own lack of imagination. When we run into these limitations, we have to expend energy in other areas. One of our other tools is security education. Education has a dual purpose. First, you create awareness (of security procedures, threats, and vulnerabilities). Second, and just as precious, you create a culture that places importance on the value of security.
The longer you spend as a Security Manager, the more holistic your view of the system is likely to become. You realize there are many stakeholders and interested parties that have different motivations, skills, and influence. You realize that accomplishing your mission of Operational Security means getting “buy-in” from most, if not all, of these stakeholders. Many of these stakeholders are on the operational side. They have a mission to create a product or provide a service, and they are trying to do so efficiently and with utmost efficacy. These Operational players usually view security as a necessary evil. There are some good reasons for them to see things this way. Usually, these individuals are being pulled by two opposing forces. On one side, they are being incentivized to reduce operational friction and accomplish their goals quickly, with the least expense possible, while maintaining quality. Depending on the effectiveness of their management team, this can be a very powerful gravitational force. Additionally, they are being pulled towards security. Since there are threats and vulnerabilities, they become aware that they can accomplish their mission but still fail their organization. The cross-section of these two forces is procedures, and these procedures can have varying degrees of convenience. Through this interpretation you begin to realize that people are not choosing between security and convenience, but rather mission over security. At this point, I know I will have some people shaking their heads in disagreement. Security managers like to believe that their job is so important that mission and security are really one and the same. But I see them as two separate variables in one equation.
In the diagram above, I show the main variables at play. This is a little bit like Newton's equation of gravity. The main difference is that the gravitational forces in this case are not constant.
I show that you have two main bodies, which I labeled the Importance of Mission and the Importance of Security. I should explain that both of these bodies are subjective and rely on the perception of those within the system. Rarely are Mission and Security seen as having the same level of importance; one outsizes the other. One example would be a Mission to clean bathrooms in common areas. Perhaps there is little security risk in this instance, but the mission is seen as an operational requirement. The pull towards operational efficiency is going to win out unless the security procedures are very convenient. On the opposite side of the scale, perhaps there is a routine that is being conducted with the use of classified information. The need to protect that information may be of greater importance than actually accomplishing the routine itself.
When there is a great imbalance between Mission and Security, convenience is the only thing that can save you. In my equation, convenience is actually twice as powerful as the two opposing bodies of perception. The closer you can bring those bodies together, the more likely you will achieve Operational Security.
As I stated earlier, despite the fact that we would love to make things easier, it’s just not always possible. Many times, when this is the case, Security Managers try to alter the perceptions of those within their organization. If they can bring balance to perceptions, they can overcome opposing forces. In most cases they will attempt to balloon the perceived importance of Security. In some cases, though, this will backfire. If the mission is perceived to have little value, increasing that S-value could bring about project collapse because it will ultimately cause paralysis. Sometimes, the right thing to do is to attempt to increase the M-value. By believing the mission is important, people will have more tolerance for security measures, even if they are slightly inconvenient.
I stated earlier that in this equation, gravitational forces are not constant. In all organizations the power of leadership can create larger gravitational pulls. A particularly gifted leader in the field of security will create a huge pull that needs to be offset on the operational side. For security to work well in an organization, we are trying to create harmony. When you look at a single security violation, it can be difficult to tell where the system broke down. Did someone feel the mission was so important that they could not be bothered with irrelevant security procedures? Were security procedures, although important, just too inconvenient? Were the perceptions of Security and Mission both so low that apathy took hold, making any inconvenience intolerable?
Of course, we know that there are other reasons that security fails, but as Security Managers, we know that internal attitudes and motivations play the most important role in deciding whether procedures are followed or disregarded. As such, knowing this formula is important for deciding how to manage scarce resources at any given organization.
