In the security industry we have this buzzword, “OPSEC.” As someone who managed OPSEC programs in the military at levels all the way to working in it at the national level in DC, I thought that was really awesome when my enlistment ended and I entered the world of private security and I started hearing this word being used. But I learned really quickly that there is a real problem. People hear the word. People repeat the word. But they do not know the word. That needs to change.
So what is OPSEC? It is a systematic process of analyzing your threat, figuring out what information about our activities they need to do to carry out their scheme, how they will find that information out, and figuring out what we can do to mitigate the probability they acquire that information. Now in a perfect world where money and time are unlimited and you have the expertise on hand you would have some formalized risk analysis. Dependent upon the site you work you actually might. US Government agencies that have national security duties are required to have OPSEC programs since President Reagan signed National Security Decision Directive 298 in 1989. If you are at a US Government contract site, you may have been provided an OPSEC operational manual. But if not, it is unlikely you have a formalized OPSEC program.
It is not likely that you are going to get one if you ask. Even if you did, who would be the person with the necessary training and skills to build an OPSEC program you would want to abide by? So what can the average security guard do without having such a program in place? Well you can at the very least have the OPSEC mindset. You probably have a pretty good idea of the threats at your site. You know what nefarious things they want to do. As a security guard what do they need to know about your security operations in order for them to carry out their malicious intentions?
While in an OPSEC program the risk assessment is specifically tailored to each site or activity when you use the OPSEC mindset you are usually being very general. OPSEC professionals generally recognize we want to prevent adversaries from knowing about your capabilities, activities, limitations, and intent (CALI).
What capabilities do you have?
Do you have radios to call your team or another form of backup?
Do you have alarms that can be triggered around the site? If so, do those alarms go to someone that will send help?
Do you have motion sensors, cameras, X-ray machines, or other situational awareness force-multipliers? Knowing information like this helps criminals understand the threat they face. The more they know the better they can plan to circumvent those capabilities.
What activities do the guards perform?
Do the guards merely sit in an access control point (ACP) and make sure unauthorized people pass them? If so the criminal knows they merely need to find a point out of the view of the ACP as not to be seen to make their entry.
Are guards conducting roving patrols? They have more concern about getting caught by a wandering guard. Are guards checking to make sure doors and windows are locked? Perhaps that criminal wants to enter a specific door or window. They may need to be concerned if the guard will check the door while they are inside. At worst the guard might stumble upon them, at best maybe the guard will lock them inside if they secure the door.
What limitations do you have?
Do you have communication issues such as poor radios where are those poor reception areas at? Criminals may decide to conduct their act when they know that calls for help will not reach you, or if they are targeting you they may attack you when they know you cannot call for help.
Are there equipment failures to worry about? If the lighting is not working in a certain part of the site, doors are broken, cameras malfunctioning, or the X-ray is not sensing things properly that gives criminals an idea about weak spots.
In this instance intent could be considered powers do you have or are you willing to do?
What are your protocol limitations? If your company limits your duties to observe and report only the criminal may not be very afraid about conducting an illicit act right in front of you. If they know the response time of the local PD they may not be worried if their plan is to do something quick and run. Perhaps they have recognized that some guards sleep on duty or they recognize that one guard is loathe to actually check on anything or get involved in incidents. They may decide the best night to conduct their entry into the site is when that lazy guard is on site.
So now that we have taken a look at a few of things criminals are interested in knowing about, being our CALI, let’s look at vulnerabilities. How can they gain this information? Once we know our faults we know where to patch up the holes.
The first is observation. Since ACPs are at the perimeter to open areas they are the easiest to gain information about by observing from outside the perimeter. That is if you even have such a place. If you are a mall security guard or at a venue open to the public without access control they can walk all around and even right by you without attracting much attention. They do not need to ask any odd questions which might set off your Spidey senses. They can just watch and write down any patterns they see or count the number of guards they see. Any information they want to know.
The next is by interaction with you, other guards, or depending upon the site employees or residents. Those good at elicitation will ask around the question they actually want to know so that you will naturally give up that answer without being directly asked. That way they said nothing that you will look back on as being suspicious. They may not even ask you at work. They might identify your personal routines. They could be that person that strikes up a conversation with you in a line at the gas station or at the local bar. Employees or residents can be good sources of information. They likely have information they do not even remember knowing about you until someone asks them. Without OPSEC training they may be unlikely to understand that the information they are being asked has any importance.
In today’s world there are plenty of digital means as well. Your radios may be able to be picked up by a scanner or by simply tuning a radio until they find your channel if it is not encrypted and is a public channel. Hopefully, that is not the case but with today’s security companies you might be surprised. So many are focused on little effort to get as much reward. Additionally, they may just not have the knowledge on what they should have for secure communications.
Remember that threats vary from site to site. When you are talking about apartment buildings and other residential areas you are probably worried about burglars whether they want to break into someone’s car or home. If you are working at an industrial site, you might have threats of terrorism or corporate espionage. The training, capability, and sophistication of threats vary wildly. When you are talking about some of the high end threats you may be looking at cyber professionals that can hack your cameras or break-in specialists. There is only so much you as a security guard can do with the limited means at your disposal. But it does not mean you should do any less than your duty which is to be vigilant for such threats.
So as an individual security guard how can you reduce your risk? This will all be constrained by capabilities and company policy. If you go on patrols change up the times you go on patrol. Change the route so you are hitting different points at different times and potentially coming into locations from a different direction. This throws off their ability to be able to time your movements and estimate their windows of opportunity. It also should increase their wariness of you. When someone is practicing good OPSEC measures an adversary recognizes the professionalism. They know this is someone with a little more security mindset than the average Joe.
Understand what not to talk about. Knowing what the criminal wants to know means knowing what not to talk about. You should not waste your time trying to prevent people from gaining unimportant information. Some things people can figure out whether you tell them or not. For instance, some sites only have security on site for a certain portion of the time such as from 10pm to 4am. If that security guard is posted at a front shack that is very easy to see. So no matter whether you tell people or not they can learn that information with very minimal effort. So when you decide what should not be discussed think about give and take. If you act like a super-secret agent man with the on-site staff or residents are you going to come across as professional or a goofball? You can still have discussions with these people and with visitors. You should know what information about your job is acceptable to talk about.
You will be limited in what actions you can take. Whether you are a contracted or a proprietary security guard you are there for a reason. Usually that reason is to be a visible deterrent to crime. Therefore, you cannot set up in a blind or hide out in the bushes in a ghillie suit. Perhaps you cannot randomize your routes. Some sites still have the old-style set up where they must reach certain points to somehow trigger a system that lets the auditor know they are doing their mandated patrols. Sometimes they are set up in a way that you will fail to meet the deadlines if you do not use a certain path. Maybe you can talk to whoever controls that and explain the need to change the deadlines, maybe not. Unfortunately, not everyone sees the importance of OPSEC. But it is up to you to do the best within your power to practice it.
---
By Jim Garrett, Security Specialist
Risk Mitigation Services LLC provides corporate training to security forces on operations security. The company also conducts consults, risk assessments, and helps companies develop their OPSEC programs to be self-sustaining in their security practices.