CEO-FSO A Case Study in Challenges July 2014


Page 1

CEO-FSO: A Case Study in Challenges

July 2014

Page 2

Oh Sensei, Why Are There No Simple Security Solutions?


NISPOM Madness

STEPP Training

Insider Threats

Outsider Threats

JPAS Usability

“The Industrial Security Process is like a martial art. One can create the chi by devoting oneself to practice, patience, dedication, discipline and respect to the ‘wise’ ones.” Sensei Gerardi, 2010

Page 3


Story Arc

The CEO forms CPG. As its CEO, he visualizes opportunities and lays an azimuth that will result in great success.

One day, a “work fairy” arrives at his door with a contract award and a DD254 that changes life as he knew it. He is now the FSO.

The FSO takes action to implement the NISPOM in his company and encounters numerous challenges.

Along the way, the FSO makes friends and identifies resources that make his job doable.

Founding

DD254 Application

NISPOM Inspection

JPAS Attacks

Tools

Resolutions

Page 4

I Am Illiterate


Perception:

NISPOM is about the rules.

It is infeasible to learn all the rules unless you are fully devoted to security.

The NISPOM is written in the language of bureaucrats, with ambiguous wording that must be interpreted.

Page 5

Lessons Learned


• Use a graduated approach to digesting the NISPOM.

Start with the chapters that matter:

Chapter 1: General Requirements
Chapter 2: Security Clearances
Chapter 3: Security Training & Briefings

Chapter 6: Visits and Meetings

• Don’t re-invent; re-purpose instead.

FISWG is a resource.
Mentoring relationships (e.g., FBI)
DSS website

Page 6

I Am Untrainable


Perception:

Security training can’t be that difficult.

The foundations of all effective training are learning requirements, instructional design and assessment tools.

You spend too much of the time figuring out STEPP and not enough time learning.

STEPP is not a good example of adult learning.

Page 7

Lessons Learned


Spend time with the STEPP tutorial; it explains the mechanics.

STEPP training should not be “check the box”. Don’t make it a crash course if you want to learn.

Help desk personnel are helpful (e.g., Ft. Knox).

Page 8

I Am Not a Single-Trial JPAS Learner


Perception:

Without practice, you won’t get it.

JPAS seems designed to be counter-intuitive.

It requires tribal knowledge to use efficiently.

The only tool it provides is a hammer.

It is always better to have more than one set of eyes and hands on the problem: the AFSO.

Page 9

Lessons Learned


Make logging on weekly a best practice.

Sit down with individual members to review their information quarterly.

The only time I have called the Help desk was to renew an expired password.

For an infrequent user, using JPAS is about power and not finesse.

Invest in a highly competent AFSO.

Page 10

I Am Paranoid for a Reason


Perception:

OPSEC requires continuous risk assessment of insider and external threats.

Risks take the form of competitors as well as foreign actors.

“Game of Pawns” represents only a small part of the OPSEC threat we must defeat.

There are no good measures for assessing the return on investment for OPSEC.

Page 11

Lessons Learned


Our social media presence represents a significant breach in our OPSEC.

The OPSEC threat is multi-dimensional: competitors as well as adversaries. DSS has us focus on foreign adversaries.

OPSEC measures fail for two reasons:
1. We don’t take the perspective of the threat when doing our risk assessment.
2. We don’t identify what needs to be protected.

The OPSEC Plan is a “living” document that needs periodic revision.

Page 12

I Am My Worst Enemy


Perception:

Security is about discipline, practices and quality assurance.

Take the time to be creative.

Being an FSO is about observing, recognizing and perceiving what’s going on in your organization.

Security is an imperative, not a tradeoff. Too little time, too much to do.

FSO / CEO

Page 13

Lessons Learned

FSO / CEO

Biggest FSO surprises include:
• international travel
• international relationships
• DD254s with added requirements
• suspicious behaviors aren’t everywhere

Biggest CEO surprises include:
• security budget
• emerging cyber and information security requirements
• impact of social media presence on security
• get involved, stay involved

Page 14

Solution Set

Apply Risk Management

Use Guided Practice and Activity

Contact DSS Representative

Seek Mentoring and Networking

Conduct Self-inspections

Prepare for Periodic Formal Inspections

Make Security a “Team” Sport

Security Enablers

Administration
• JCAVS/JPAS
• Record Keeping
• Budget Resources

Training
• FSO STEPP
• Collective Annual
• FISWG / Continual Learning

Best Practices
• SPP
• Cyber Security Plan
• Knowledge Management

Awareness
• OPSEC Awareness
• Insider Threats
• Travel

Page 15

CPG Security System

www.cognitiveperformancegroup.com

3662 Avalon Park Blvd E., Orlando, FL

407.282.4433 (O)

Threat Awareness
Cyber Awareness

OPSEC Risk Management
JPAS/JCAVS

Security Practices & Procedures
Formal Staff Training & Checks on Learning

Performance Metric for Each Employee

FSO/AFSO
DSS Representative

Active Community of Practice

Cognitive Performance Group