In the more historical sense, OpSec or Operational Security, was originally used to describe a proactive approach to protecting businesses from threats. The differentiator of this strategy is that it asks security professionals to look from the outside in, using the lens of a cyber criminal.

The purpose behind OpSec is to identify any weak points or loopholes in company operations, and then create strategies to fix them. In general, OpSec will follow this five-step strategy:

1. Identify Sensitive Information: The first step involves identifying and categorizing sensitive information within the organization. This includes data, processes, and systems that, if compromised, could pose a significant risk.
2. Analyze Threats: This involves studying the methods and motivations of potential adversaries, whether they are cybercriminals, competitors, or other entities with harmful intentions.
3. Analyze Vulnerabilities: This step involves a comprehensive assessment of the organization’s infrastructure, software, and personnel to pinpoint vulnerabilities that could be exploited by threats.
4. Assess Risk: OpSec isn’t just about identifying weaknesses but also evaluating the potential impact and likelihood of exploitation. A risk assessment helps prioritize areas that require immediate attention.
5. Apply Countermeasures: The final step is to implement countermeasures to mitigate the identified risks. This could involve implementing new security protocols, training personnel, or deploying advanced cybersecurity solutions.

OpSec applications

Where will you see the term “OpSec”?

You might encounter the term “OpSec” in various contexts within your organization. On your security team, there might be dedicated Operational Security Specialists or task forces assigned to work on OpSec. This means they are focusing on identifying threats and loopholes and implementing fixes. If you ever notice a hole in your organization’s security, this would be a great person to reach out to. 

You might also see “OpSec” in your security training modules, where it will typically refer to protecting sensitive information. However, in your daily interaction with passwords and security, it’s unlikely that you’ll be using this term. 

When will you be in contact with OpSec?

OpSec becomes especially pertinent during critical phases such as the development of new projects, changes in business processes, or when responding to security incidents. If you start a new project or add a new team to your company, you may notice your security team or managers mentioning OpSec.

You will also see the term “OpSec” more often in government or military operations. If you belong to either, you’re more likely to see these terms in your organizational structure and training.

The history of OpSec

The roots of OpSec trace back to 1966 during the Vietnam War when it was initially used by the U.S. military. During the war, the military faced significant challenges in protecting operational plans and intelligence. The effect this information had on the war, called for a more comprehensive strategy to stop the information from getting into the wrong hands. 

In response to these challenges, US military leaders created an OpSec team, named the Purple Dragons, that worked on finding the loopholes its adversaries were using to gain information on their military strategy. The impact the team had on the protection of sensitive data was monumental, and OpSec became an integral part of any military team following the war.

Since then, OpSec strategies have been adopted into government organizations and eventually became a cornerstone in various sectors, including finance, healthcare, and technology.

Other terms:

Other terms related to OpSec to know:

• Change management: Ensuring security is not compromised through transitions in networks, organizational structure, or processes.
• InfoSec (Information Security): A broader term that encompasses various practices, strategies, and technologies designed to protect business security. OpSec is a subset of InfoSec. 
• Risk assessment: The process of evaluating potential risks and their potential impact on the organization.

Operational Security is more than just a set of practices; it’s a mindset that organizations can adopt to look at threats in the eye of the attacker. By understanding the basics, applications, and historical context of OpSec, employees can better understand the structure and practices of their security team. Stay tuned for our next edition of Cyber Lingo, where we’ll define another important cyber security word.