Operations Security (OPSEC)

As I noted in Spy Mindset: The Business of Intelligence, the best kept secret in the world is the one you keep in your own head. However, unless you’re a lone wolf, it’s also the worst way to keep a secret.

The best kept secrets are like plot twists or reveals in a movie: information that's withheld until the right moment to achieve the desired result. The reason we classify and protect information is to control the timing and the narrative. A secret with no theoretical expiration date falls under national security, not the world of business.

Every security program should include three pillars. First, you must identify which information should be classified, which is anything you’re not ready to reveal. Second, you must take steps to store the information in a secure manner, which could include safes for documents or computers with firewalls and encryption for electronic files. Finally, you must grant the right people access to the information, based on need-to-know.

However, even if you master the three pillars of security and establish an impenetrable lockbox for your secrets, your public actions might reveal your secrets. For example, if a man decides to ask for his girlfriend’s hand in marriage, then a visit to the jewelry store in the shopping mall will reveal his intentions.

OPSEC means adjusting our public actions to not reveal our secrets, which we can do by understanding three important concepts from Joint Publication 3-13.3:

1. Critical Information: Specific facts about friendly intentions, capabilities, and activities needed by adversaries to plan and act effectively against friendly mission accomplishment.

2. OPSEC Indicators: Friendly detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information.

3. OPSEC Vulnerability: A condition in which friendly actions provide OPSEC indicators that may be obtained and accurately evaluated by an adversary in time to provide a basis for effective adversary decision making.

Critical Information is what you’re protecting, your secrets, so there’s nothing new to understand here. However, OPSEC Indicators might be less obvious.

Suppose you own a biotechnology company that is interested in buying a startup in the Amazon basin that is conducting research on exotic plants and animals. Suppose also that all the information is protected with quantum encryption – no chance of a leak. However, suppose your company is chartering private jets from Aruba to the Amazon basin.

This is clearly an OPSEC Indicator because your competitors could probably figure out why you're traveling to the Amazon basin.

Unless you’re prepared to conduct all business discussions remotely, any attempt to purchase the startup in the Amazon basin will reveal some OPSEC Indicators. The most important question is whether any of these OPSEC Indicators are OPSEC Vulnerabilities, meaning that your competitors are both willing and able to monitor them and disrupt your plans.

The basic idea with OPSEC is that after you recognize who might want to disrupt your plans, you take measures to prevent them from discovering your plans, even the less obvious indicators like travel plans. If no one cares about your plan to purchase the startup in the Amazon basin, there’s no reason to invest money in the OPSEC machinery.

That said, one of the challenges with OPSEC is we often don’t know what we don’t know. You might not know of any competitors that are monitoring your actions, but it’s a best practice to act as if someone is. In the intelligence business, tradecraft includes all the measures we take to detect and mitigate the threat of outside monitoring.

Developing a spy mindset means understanding the basic OPSEC principles but it also means taking your thinking to the next level by developing a strategic narrative.

Every press release, every event, every public activity should be part of this narrative for revealing and concealing information to achieve your objectives.