As a person trusted in various capacities over the years, I want to share some perspective on what we should not be talking about outside of our operations.

Suppose you are self-employed or employed by an agency. In either case, the first thing you should consider is what needs to be kept hush-hush in safeguarding your protection assignments—clients, and of course, you and your family members through an Operational Security Assessment.

An Operational Security Assessment helps you understand what is truly “confidential” within your organization and your specific role. Maintaining Operational Security dissuades and prevents foes from causing harm or embarrassment. If the information is intentionally in the public domain, there is no need to safeguard this information.

Contrary to this, we have the “Secret Squirrel” issue. Secret Squirrels often hoard information for whatever reason and even withhold information from others needing to know or share in the knowledge. Please see my recent blog regarding synergy in the GSOC and the need to be fluid with our teammates.

I want to make another point, don’t be so laid back and humble that you don’t take what you do for a living seriously. What do I mean? In our attempt to be modest and not hold ourselves or our lifestyle and job above others, we discount what we do, what we know, and for who we provide services. Although you will not blatantly divulge detailed information, you are sure to give enough breadcrumbs that a serious foe will exploit these bits of information.

1. Don’t list your assigned client on social media. Do you want bad people knowing who you work for? Information entirely unrelated to your client could cause embarrassment and harm.
2. Don’t check in on social networks when at airports – if you really can’t resist, don’t do it in real-time. Not sharing this information is particularly important at the client’s destinations.
3. Don’t post your metadata information. Those photos you post to social networks hold nasty little bits of information, including your location! It is easy to remove; visit Norton to find out how.
4. Don’t share your spouse’s location, pending trips, and return to the home announcements or exotic locations he or she visited.
5. Don’t allow information to escape within the images you share. Can you see the ID badge for the event you are visiting or working? Is the location identifiable or well known by sight?
6. Don’t be so quick to share “that a’ boy” announcements because you and your buds had a successful detail. Again, we are in the business of protecting client integrities and do not need to mix our information with their privacy or standing.
7. Don’t do real-time check-ins at restaurants or other locations while on a detail or your favorite haunts. If I want to know more about you and what you do, I will be your next date when you go out for a beer – you provided the location, and now I need the introduction.
8. Don’t leave your family vulnerable. We all know the best way to threaten someone is through their weaknesses. We spend a tremendous amount of time away from our family and do our best to keep them safe, so why would you announce to everyone you are leaving on a trip, and your “prize and joys” will be left at home without you?

We all need to grow our businesses and careers to have a sustainable life that supports our families. To accomplish this, we need to let potential clients know we exist and the capability of assisting with their needs.

Too often, our shortcut to letting people know what we do is to post glam’ shots of our work with particular celebrities – be it in entertainment or corporate, but does these candid shots on social networks do anything for you? Don’t get me wrong; social networking is great for building your professional network as well. Just don’t subject yourself or your business to the pitfalls of sharing too much and damaging your success.

By no means is this an exhaustive dissertation on OPSEC, but it serves as a friendly reminder of what we commonly see within the security field. Assess for yourself improvements you can make.

Here are some terms to help you better understand OPSEC from the Center for Development of Security Excellence.

Countermeasures

Employing devices and techniques that has as its objective the impairment of the operational effectiveness of an adversary’s activities. Countermeasures may include anything that effectively negates or mitigates an adversary’s ability to exploit vulnerabilities.

Critical Information 

Specific facts about friendly intentions, capabilities, or activities vitally needed by adversaries to plan and act effectively to guarantee failure or unacceptable consequences for accomplishing friendly missions.

Indicator 

Anything that draws attention to critical information or gives an adversary a clue about what’s going on.

Operations Security (OPSEC)

An analytic process is used to deny an adversary information, generally unclassified, concerning intentions and capabilities by identifying planning processes or operations. Operations Security does not replace other security disciplines; it supplements them. The OPSEC process includes the following five steps: (1) identify critical information, (2) identify the threat, (3) assess vulnerabilities, (4) analyze the risk, (5) develop and apply countermeasures.

Operations Security Countermeasures

Methods and means to gain and maintain essential secrecy about critical information.

Risk 

A measure of the potential degree to which protected information is subject to loss through an adversary’s exploitation.

Risk Analysis 

A method by which individual vulnerabilities are compared to perceived or actual security threat scenarios to determine the likelihood of compromise to critical information.

Risk Assessment 

A process of evaluating the risks to information based on susceptibility to intelligence collection and the anticipated severity of loss.

Threat 

A threat is an adversary that has the capability and intent to take any actions detrimental to the success of our activities or operations.

Vulnerability 

A weakness an adversary can exploit to get critical information. Anything that might make critical information available to an adversary.