OPSEC — Operations Security
OPSEC — what it is, where it comes from, and how private organisations apply it to protect sensitive operations and information.
OPSEC — Operations Security — is a systematic process for identifying, controlling, and protecting information that could be used by adversaries to harm an organisation's operations, personnel, or assets. Originally a military discipline, OPSEC is now applied across governmental, corporate, and private security contexts.
Definition and origin
OPSEC was formalised by the US military during the Vietnam War as a process to prevent adversaries from collecting and exploiting information about planned operations. The core insight — that individually non-sensitive pieces of information can, when aggregated, reveal sensitive operational details — remains the discipline's foundation. OPSEC has since been adopted across NATO, governmental agencies, and the private sector.
The five-step OPSEC process
- 1. Identify critical information — what information, if obtained by an adversary, would damage operations, personnel, or competitive position?
- 2. Analyse threats — who are the potential adversaries, what is their capability and intent, and what are they trying to collect?
- 3. Analyse vulnerabilities — where are the gaps between the critical information and the protection currently in place?
- 4. Assess risk — which vulnerabilities, if exploited, would cause the most significant harm?
- 5. Apply countermeasures — what controls, procedures, or technical measures reduce the identified vulnerabilities to acceptable levels?
OPSEC in the private sector
For private organisations, OPSEC discipline typically addresses: control of information in public communications (job postings, LinkedIn profiles, conference presentations, social media); meeting and communication security (who attends, what is discussed where, what channels are used); supply chain and vendor information sharing; and M&A or legal process information control, where strategic information is necessarily shared with external parties.
Common OPSEC failures
- Oversharing in job postings — revealing technology stack, security architecture, or operational procedures
- Social media disclosure by employees — publishing location data, meeting participants, or internal information
- Predictable patterns — fixed routes, schedules, and meeting locations that allow adversaries to plan and position
- Inadequate need-to-know controls — sharing sensitive information beyond the minimum required audience
- Insecure communications channels — discussing sensitive matters on platforms not appropriate for the classification of the information
Frequently Asked
Request a Security Assessment
Operational engagements start with a vetted conversation. Mission Support responds inside one working day for governmental and Tier-1 enquiries.
Continue to service brief