My Story in the NISP Bill Ross President and FSO July 2014

CEO-FSO: A Case Study in Challenges
July 2014

Oh Sensei, Why Are There No Simple Security Solutions?

NISPOM Madness
STEPP Training
JPAS Usability
Outsider Threats
Insider Threats

“The Industrial Security Process is like a martial art.
One can create the chi by devoting oneself to
practice, patience, dedication, discipline and
respect to the ‘wise’ ones.”
Sensei Gerardi, 2010
Story Arc
CEO forms CPG. As its CEO, he visualizes opportunities and lays an azimuth
that will result in great success.
One day, a “work fairy” arrives at his door with a contract award and a
DD254 that changes life as I knew it. He is now the FSO.
Themes: Attacks, JPAS, NISPOM, DD254, Founding, Inspection, Tools, Application, Resolutions
FSO takes actions to implement the NISPOM in his company and encounters
numerous challenges.
Along the way, FSO makes friends and identifies resources that make his job
doable.
I Am Illiterate
Perception:
NISPOM is about the rules.
It is infeasible to learn all the rules if
you are not fully devoted to security.
NISPOM is written in the language
of bureaucrats with ambiguous
language that must be interpreted.
Lessons Learned
• Use a graduated approach to digesting the NISPOM.
Start with the chapters that matter:
Chapter 1: General Requirements
Chapter 2: Security Clearances
Chapter 3: Security Training & Briefings
Chapter 6: Visits and Meetings
• Don’t re-invent; re-purpose instead.
FISWG is a resource.
Mentoring relationships (e.g., FBI)
DSS website
I Am Untrainable
Perception:
Security training can’t be that difficult.
Foundations of all effective training are
learning requirements, instructional
design and assessment tools.
Spend too much of the time figuring
out STEPP and not learning.
STEPP is not a good example of adult
learning.
Lessons Learned
Spend time with the STEPP tutorial;
it explains the mechanics.
STEPP training should not be
“check the box”. Don’t make it a
crash course if you want to learn.
Help desk personnel are helpful.
(e.g., Ft. Knox).
I Am Not a Single-Trial JPAS Learner
Perception:
Without practice, you won’t get it.
Seems designed to be counter-intuitive.
Requires tribal knowledge to use efficiently.
The only tool it provides is a hammer.
Always better to have more than one set of
eyes and hands on the problem (AFSO).
Lessons Learned
Make logging on weekly a best practice.
Sit down with individual members to review
their information quarterly.
The only time I have called the Help desk was
to renew an expired password.
For an infrequent user, using JPAS is about
power and not finesse.
Invest in a highly competent AFSO.
I Am Paranoid for a Reason
Perception:
OPSEC requires continuous risk
assessment of insider and external
threats.
Risks take the form of competitors as well
as foreigners.
“Game of Pawns” represents a small part
of the OPSEC threat we must defeat.
There are no good measures for
assessing the return on investment for
OPSEC.
Lessons Learned
Social media presence represents a
significant breach in our OPSEC.
OPSEC threat is multi-dimensional:
competitors and adversaries. DSS has us
focus on foreign adversaries.
OPSEC measures fail for two reasons:
1. we don’t take the perspective of the threat
when doing our risk assessment.
2. we don’t identify what needs to be protected.
OPSEC Plan is a “living” document that
needs periodic revision.
I Am My Worst Enemy
Perception:
Security is about discipline, practices and
quality assurance.
Take the time to be creative.
Being an FSO is about observing,
recognizing and perceiving what’s going
on in your organization.
[Graphic: CEO and FSO roles]
Security is an imperative, and not a
tradeoff. Too little time, too much to do.
Lessons Learned
Biggest FSO surprises include—
• international travel
• international relationships
• DD254s with added requirements
• suspicious behaviors aren’t everywhere
Biggest CEO surprises include—
• security budget
• emerging cyber and information
security requirements
• impact of social media presence on
security
• get involved, stay involved
[Graphic: CEO and FSO roles]
Solution Set
Administration
• JCAVS/JPAS
• Record Keeping
• Budget Resources
Training
• FSO STEPP
• Collective Annual
• FISWG/Continual Learning
Best Practices
• SPP
• Cyber Security Plan
• Knowledge Management
Awareness
• OPSEC Awareness
• Insider Threats
• Travel
Security Enablers
Apply Risk Management
Use Guided Practice and Activity
Contact DSS Representative
Seek Mentoring and Networking
Conduct Self-inspections
Prepare for Periodic Formal Inspections
Make Security a “Team” Sport
CPG Security System
Threat Awareness
Cyber Awareness
OPSEC Risk Management
JPAS/JCAVS
FSO/AFSO
DSS Representative
Active Community of Practice
Security Practices & Procedures
Formal Staff Training & Checks on Learning
Performance Metric for Each Employee
www.cognitiveperformancegroup.com
3662 Avalon Park Blvd E., Orlando, FL
407.282.4433 (O)