CEO-FSO: A Case Study in Challenges
July 2014
Oh Sensei, Why Are There No Simple Security Solutions?
NISPOM Madness
STEPP Training
Insider Threats
Outsider Threats
JPAS Usability
“The Industrial Security Process is like a martial art. One can create the chi by devoting oneself to practice, patience, dedication, discipline and respect to the ‘wise’ ones.” Sensei Gerardi, 2010
Story Arc
CEO forms CPG. As its CEO, he visualizes opportunities and lays an azimuth that will result in great success.
One day, a “work fairy” arrives at his door with a contract award and a DD254 that change life as he knew it. He is now the FSO.
FSO takes actions to implement the NISPOM in his company and encounters numerous challenges.
Along the way, FSO makes friends and identifies resources that make his job doable.
Founding
DD254 Application
NISPOM Inspection
JPAS Attacks
Tools
Resolutions
I Am Illiterate
Perception:
NISPOM is about the rules.
It is infeasible to learn all the rules if you are not fully devoted to security.
NISPOM is written in the language of bureaucrats, with ambiguous wording that must be interpreted.
Lessons Learned
• Use a graduated approach to digesting the NISPOM.
Start with the chapters that matter:
Chapter 1: General Requirements
Chapter 2: Security Clearances
Chapter 3: Security Training & Briefings
Chapter 6: Visits and Meetings
• Don’t re-invent; re-purpose instead.
FISWG is a resource.
Mentoring relationships (e.g., FBI)
DSS website
I Am Untrainable
Perception:
Security training can’t be that difficult.
The foundations of all effective training are learning requirements, instructional design and assessment tools.
Too much time is spent figuring out STEPP rather than learning.
STEPP is not a good example of adult learning.
Lessons Learned
Spend time with the STEPP tutorial; it explains the mechanics.
STEPP training should not be “check the box”. Don’t make it a crash course if you want to learn.
Help desk personnel are helpful (e.g., Ft. Knox).
I Am Not a Single-Trial JPAS Learner
Perception:
Without practice, you won’t get it.
Seems designed to be counter-intuitive.
Requires tribal knowledge to use efficiently.
The only tool it provides is a hammer.
Always better to have more than one set of eyes and hands on the problem: AFSO.
Lessons Learned
Make logging on weekly a best practice.
Sit down with individual members to review their information quarterly.
The only time I have called the Help desk was to renew an expired password.
For an infrequent user, using JPAS is about power and not finesse.
Invest in a highly competent AFSO.
I Am Paranoid for a Reason
Perception:
OPSEC requires continuous risk assessment of insider and external threats.
Risks take the form of competitors as well as foreigners.
“Game of Pawns” represents a small part of the OPSEC threat we must defeat.
There are no good measures for assessing the return on investment for OPSEC.
Lessons Learned
Social media presence represents a significant breach in our OPSEC.
The OPSEC threat is multi-dimensional: competitors as well as adversaries. DSS has us focus on foreign adversaries.
OPSEC measures fail for two reasons:
1. We don’t take the perspective of the threat when doing our risk assessment.
2. We don’t identify what needs to be protected.
OPSEC Plan is a “living” document that needs periodic revision.
I Am My Worst Enemy
Perception:
Security is about discipline, practices and quality assurance.
Take the time to be creative.
Being an FSO is about observing, recognizing and perceiving what’s going on in your organization.
Security is an imperative, and not a tradeoff. Too little time, too much to do.
Lessons Learned
Biggest FSO surprises include:
• international travel
• international relationships
• DD254s with added requirements
• suspicious behaviors aren’t everywhere
Biggest CEO surprises include:
• security budget
• emerging cyber and information security requirements
• impact of social media presence on security
• get involved, stay involved
Solution Set
Apply Risk Management
Use Guided Practice and Activity
Contact DSS Representative
Seek Mentoring and Networking
Conduct Self-inspections
Prepare for Periodic Formal Inspections
Make Security a “Team” Sport
Security Enablers
Administration
• JCAVS/JPAS
• Record Keeping
• Budget Resources
Training
• FSO STEPP
• Collective Annual
• FISWG/Continual Learning
Best Practices
• SPP
• Cyber Security Plan
• Knowledge Management
Awareness
• OPSEC Awareness
• Insider Threats
• Travel
CPG Security System
www.cognitiveperformancegroup.com
3662 Avalon Park Blvd E., Orlando, FL
407.282.4433 (O)
Threat Awareness
Cyber Awareness
OPSEC Risk Management
JPAS/JCAVS
Security Practices & Procedures
Formal Staff Training & Checks on Learning
Performance Metric for Each Employee
FSO/AFSO
DSS Representative
Active Community of Practice
Cognitive Performance Group