Many security elements of major corporations and the government have a bad reputation. It begins easily enough, and the causes are understandable. Most cleared personnel have one major encounter with security before they receive their clearance. They fill out a ream of papers asking detailed, personal questions they’d rather not share with total strangers. If they think about security at all after this, they usually do it when someone has made an alleged ‘security violation’. Violation stories tend to be vaguely understood missteps which cause lamentation among those who hear of them. The listeners don’t pursue what really happened, generally tending to accept the aggrieved miscreant’s woeful tale of persecution.
Both of these examples indicate how standard interactions with the security branch might not result in amity among co-cleared workers. How can this be overcome?
Make Annual Security Briefings Relevant, Not Misery
The annual security briefing can be made interesting and challenging. How often do security personnel give some boilerplate, ‘canned’ briefing which bores their colleagues to flights of anguish? I’ve heard people leave briefings stating, “There’s an hour of my life I’ll never get back.” It doesn’t have to be like that. Ask the FBI to come and talk about efforts to unravel current espionage stories in the news. One ingenious presentation had a large trashcan on a table as a prop. No one could see what it contained. The briefer said that he’d retrieved personnel information from office trashcans for a month. He knew investments, personal problems, and medical issues, all of which had been thrown out. What did this have to do with security? A spy would dream of such information, the better to recruit someone by blackmail. A member of the audience was asked to come up, reach in and read the information to the briefing attendees… and then came cries of ‘You can’t do that!’ Oh, but he could. But when the audience member reached into the trashcan, there was… nothing. The point? Discarded items are public domain, and have no expectation of protection. The awareness point was made.
Make Your Multimedia Relevant and Current
Consider all the media available today for security awareness. Posters are old-fashioned, but effective. Good posters, that is. One agency re-purposed old WWII propaganda posters for modern times. When America’s existence was in the balance, people made posters to reflect that fact. Why not use them now? A little creativity can go a long way in engaging your workforce.
Whatever you do, change your messages. A poster, or for that matter the ‘morning security notice’ on your computer, is literally not visible after a while. Try this: ask a member of your company to tell you what is written on any poster in the building that’s been there for over two months. They can’t do it. Change the themes you emphasize. Rotate your OPSEC messages with simple messages about how your security system works. Post notices, flyers, computer comments, and helpful guides which explain FOIA, taking classified information across town or overseas, and the need for a pre-travel briefing. Don’t make the mistake of only making dire warnings of the “If you don’t do this…” kind. Sometimes the simple explanatory message can be as effective as the warning.
Why is all this important? You, the security manager, have two eyes. If, through collegiality and patient explanation, you can bring all your cleared colleagues into your frame of mind, you will have thousands of their eyes open and reporting. And those problems mentioned above? At the annual briefing, explain any violation issues still festering in the company. Or explain why several sets of eyes need to review documents for public release. Patience is not a great American virtue. It can, however, serve any security plan well by assessing what the problems are, and explaining the why behind any security action taken. This treats your cleared colleagues like adults, and wins them to your side. Their eyes will then help you.