When you take over a new security manager position, it can seem overwhelming. Some have described trying to figure out government line-and-block charts as being lost in Amazon forests without a map. Add to that your mission to secure the classified within, and you have a major job ahead of you. Such problems can be overcome. It takes time, but persistence and a strategic plan will always prevail.
First, visit all the department directors. Take a notebook to remind yourself of all you want to accomplish during your visit, and to record all they tell you. Formally set up your meeting. Random appearances are not appreciated. After you determine how aware your manager is regarding security, you can proceed to establish a program for the department with his or her assistance. Ask him to assign a security contact within the directorate for you. This way, you will have someone you can talk to regarding security without having to call a general meeting each time. Such an idea will delight most managers. Too often do managers see security as a painful, though admittedly useful requirement. Your goal is to appease this initial belief if your managers so think, while slowly overcoming it to show you are their caring and attentive ally. Ideally, they will come to look forward to your visits, indeed will call you with assistance and notices.
Once you have identified several security contacts in your organization, you can begin to establish procedures. You can set up regular, say quarterly ‘security contact’ meetings. For instance, at such collective meetings you can advise them of your weekly, or twice monthly travelers’ briefings. You can make it a requirement that they ensure that all their travelers attend. Next, you can have a regular update on events around the world which might affect their various directorates. They will come to see you as someone aware of their mission, and will appreciate that. Remember, if your classified programs are for pieces of equipment, many of your contacts are engineers. You and they might simply not speak the same professional language. If you ask about their programs and try to understand their responses, you will go a long way toward making them responsive to your requirements. Further, it will help you protect them better if you know their work more in depth. In fact, if they know what you want, they will endeavor to work accordingly. Knowing more than you regarding their program, they can also find anomalies you would never even know to ask about. If there are engineering conferences coming up, they can make you aware of them well ahead of time. Thus, both you and they will be better prepared. You can research who among our various adversaries is interested in stealing what will be discussed there. You can collect the classified and open-source threat information ahead of time. In short, when you give your briefings, you’ll be informed, prepared, and helpful. Everyone appreciates this.
Let your security contacts know what higher government headquarters will examine when they come for their regular security inspections. Set up your own walk-through inspection ahead of time. Make the overall directorate manager aware of the preparations. Make sure your security contact is on top of what to do to assure they pass. Often such inspections feature random discussions with employees. They are asked about general security themes. They should know, for instance, that they must all attend an annual security briefing, as well as how and what to report. Each must know how to protect information through OPSEC awareness, and be able to describe in general how that works. Each should know how the public release of information works. Further, they need to know when and where travel briefings occur, and how to respond to a Freedom of Information Act request. Each directorate will have its own classified programs, and all must be aware when, how, and under what circumstances, and with whom these can be discussed. How to deliver classified information, be it written or the actual component itself, must be known by all the employees. If you have international agreements, employees should know what to do when foreign or outside visitors come in.
Above all, your plant’s security team should be introduced at your annual briefing. From physical and document security, to personnel, industrial, computer protection and counterintelligence, all your team should become known. In short, all employees should know they are not alone if they are ever asked security related questions. They can always appeal to the identified professional staff available to them. Your goal is to make all who work in your company know to report if they believe he or she’s been approached by an adversary. All this knowledge takes time to disseminate. It starts with prepared briefings, selection of key players in each directorate, and patience.
