Have you ever really wondered how a spy operates? Have you ever thought about how difficult it might be to stop a person once they’ve committed to stealing your information? How should a good security manager operate? What is expected for success? What, after all, does success look like?
Clearly, all of us who hold security clearances know we are a part of the ‘system’ which protects sensitive information, but what are the formal processes? Over the years, several themes on how best to protect critical activities and secrets have been identified. They need to be known by all members of a cleared company, and practiced. Here are some good basics to begin with.
1. Let everyone know they have a role.
Most important of all is to enlist each member of your company as security eyes and ears. Everyone plays a part. Alone, security personnel can do little. They need to make all the people they work with feel a personal obligation to know what should be going on around them. If something ‘feels wrong’, they need to know how to report it. Security Executive Agent Directive (SEAD) 4 codified this by clarifying that cleared personnel have a reporting obligation for any other cleared person. It’s ‘see something, say something’ – with teeth.
All of this begs the question. What information needs to be reported? Who should they report it to? Let’s begin with the security manager. Good managers work best by walking around. The security manager should seldom be in his office. Best he go out and make all the employees, and that means all – even the cleaning staff – know who he is. Get to know the people for whom you have responsibility. They should know you as a friendly, professional, but above all, as an approachable person. Let them know that whatever they report is held in strict confidence. Let them know how to report something. Not over the telephone in the ‘cubicle farm’ where everyone listens in. Especially not on the computer. Don’t help make a reporter’s obligation easy for adversaries to monitor.
One ‘gallows humor’ comical aspect of an actual event should be mentioned here. Once a security manager received the suggestion to award an ‘espionage awareness coffee cup’ to anyone who reported a suspicious incident. Shocked, wiser heads prevailed. “Really? You want a potential espionage report to be broadcast by a prominent coffee cup awarded to the reporter? Great. Now all a spy has to do is wait to see who gets a cup to know whether his activities have been reported or not. Don’t make your rewards program red light your confidential reports.” The idea was squashed.
Security officers should have a quiet, accessible location where they can talk privately. If not in the office, outside somewhere where the reporter can feel alone and be open about what they saw. Then the report should be treated professionally, and above all discreetly. Remember the golden motto: need to know. Oh and we might also add to the aspect of discretion this vital aspect of human nature: people notice who goes to visit security and personnel people. When the door shuts, they know something’s up. Then the rumor mill starts. Don’t be a part of this. Meet somewhere genuinely discreet.
2. Let Everyone Know What They Need to Report.
How do they know what to report? You have at most a yearly briefing to get the word out formally. There you tell what to watch for in order to guard against potential espionage activities. But there is so much more you can manage throughout the year. Remember those ‘walking around’ visits? Don’t make them random and without a point. Ask program managers to give you a briefing on what they do, where they think they’re vulnerable, and who is on their team. This can be the start of a recurrent series of visits over time. You’ll become familiar, trusted, and hopefully, approached if there is a concern. You become smarter about what you are protecting, too.
3. How to Handle a Report.
What should guide your reporters? They first need to be appreciated. Let everyone know their reports are serious. Be sure they let you decide what is important to report. This is because a lot of people with serious concerns think, “Oh, this is just me worrying unnecessarily. They (the security people) with think I’m silly.” This is a serious concern which a good security manager must overcome. Anything can be reported, for ‘further assessment’. Never let anyone think they are not worth a report to you. One office had exceptional success when they briefed the cleaning staff. The staff was shown what to look for in the trash cans. “If you see something like this caveat, or this, let me know about it,” said the security officer.
Weekly notices on all company computers can give security reminders. Posters can be placed in elevators, in rest areas – anywhere. These should be professional, simple, and clear. “Does that man have a need to know what he just asked you?” is a favorite. And always, always give a number or office to contact if a report should be rendered. Of course, after you’ve been at your job as security manager for a while, they’ll already know you!
Any briefing about any contact with someone should conclude by reiterating need to know. This is the key to any espionage approach. Does this person have a right to know what he’s interested in? Why is he asking me this? What proof does he have that he should know?
Never forget, we Americans want to be liked. We don’t stop someone cold and say, “I can’t discuss this with you.” We need to learn to do this. This is the first step in serious awareness, and everyone in our company can do it. Enlist them as eyes and ears for our protection.