Saturday, October 10, 2020

Becoming an FSO of Influence. How to grow with a growing company.


A few times I've had a similar conversation with a few leaders in the security industry. They had been experiencing the same reaction from their enterprise leadership and were frustrated to the point of looking for another job. Their joint frustration revolved around a lack of support for their security vision. They could not seem to get past the barriers in perception that they did much more than request and manage security clearances and facilities. This may be a common issue facing many FSOs throughout the National Industrial Security Program cleared defense contractor base.

These issues could stem from three possible challenges facing cleared defense contractor companies. The first is that the FSO has not developed a reputation as a corporate leader with effective strategies to ensure the organization is prepared to compete, win, and maintain classified contracts. The second is the cause of the first: the company has grown, and the original FSO may not possess the leadership skills necessary to continue to engage as necessary. Finally, the security manager is not considered an executive function and falls under a corporate executive and outside of those performing on classified work (a corporate executive vs. a program manager).

Understanding how security fits into the organization is crucial. Security managers who over-react or use unsubstantiated scare tactics can lose credibility quickly. This could manifest through denial of requests for tools, resources, and capabilities that the workforce needs. Instead of considering workarounds, the FSO may naturally be inclined to say "no" instead of doing the hard and helpful work of performing a risk assessment and providing helpful solutions. Rather than assuming the role of "Dr. No", FSOs should possess the skill to develop policy that supports NISPOM requirements AND provides for the fulfillment of the classified contract's objectives, work products, and deliverables.

I've witnessed FSOs often respond to requests with "DSS (DCSA) won't allow it," or the more popular "it violates the NISPOM," only to have industrious cleared employees find a workable solution approved by the government customer, while going around the FSO. Think about what that does to the FSO's credibility and influence. They may never be consulted again and could have their office be reduced to, "just get us our security clearances and we'll take care of the rest."

FSOs should also understand that the security program is there for the cleared employees and not the other way around. The cleared employees perform on the classified contracts, the work that brings revenue to the company. The FSO brings the resources, guidance, consultation and tools to facilitate the performance on classified contracts.

For example, security practitioners may present security requirements above and beyond the NISPOM when they are not necessary. When challenged to justify expenses or the rationale for a change in policy, FSOs may defend their decisions by recalling conference or training events and may take such requests as personal challenges. The experienced FSO understands that security decisions are based on careful risk assessment, and not on general or best practices that may not fit a company's business model or culture. A more succinct example is the FSO requiring the organization to provide monitored surveillance and alarms for the protection of SECRET documents already adequately secured in a GSA approved security container.

    

The second problem addresses the level of the hired or appointed FSO as the company grows from 50 to 300 cleared employees. The FSO for the 50-person company may just need clerical and administrative skills to provide security assistance to the few cleared employees working one or two classified contracts. In this case the company grows to 300 cleared employees, with 15 contracts, and is managing growth problems and opportunities. The growth requires a sound strategy that goes beyond clerical skills.

In the third situation, the corporate office misunderstands the role of the FSO and assumes that they have limited leadership skills and roles. Suppose the FSO is experienced in leadership, but is buried under many levels of leadership and not able to influence decision making. They could make sensible recommendations based on threat assessment and NISPOM requirements. The program is presented professionally, but the management does not understand the role of the FSO as compliance officer and they are typically left underutilized. Perhaps they consider the FSO as a strictly administrative function. In these instances, the FSO has little input into the culture of the company and struggles to implement critical security measures.

    

Larger and very successful cleared defense contractors understand the needed balance. These companies have security managers, chief security officers and compliance officers that are able to address security, privacy, and sensitive company information. These officers usually hold positions and responsibilities at the executive level as well as possess management skills and graduate degrees.

    

Influencing Change

So, how does the described security manager create influence and credibility that counts? First of all, they should approach their profession as risk managers. They should factor in the contractual requirements, NISPOM, government contracting activity, and potential growth. A growing security requirement is expensive; resources should be planned for and budgets presented based on quantified risk and not fear tactics.

    

Learn how the company earns money. Understand the acquisition and buying system and become an expert. When the security manager understands the contracts process, they can contribute and present the security program in such a way that everyone understands. Instant credibility is gained when management knows the security manager is on board with cost reduction and compliance.

    

Presenting the security program does not have to be a frustrating event. If a security manager is in a position lacking credibility and influence, then they should do whatever it takes to move to the next step. Establishing credibility is a must and it involves making the transition from an administrative clerk to a risk analyzing and compliance professional. Learning to look and act like management and demonstrating an understanding of the business cycle is key to making that move toward excellence.


Check out our book series: Security Clearance and Defense Contractors

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Security Through Walking Around-The Right Questions


I’ve recently fielded questions to some cleared employees. The intent was to generate discussion and get an assessment of how well they understood the National Industrial Security Program (NISPOM). I’ve received a variety of answers. The responses were intelligent, well thought out, but inaccurate. They demonstrated a lack of understanding based on popular culture and word of mouth.

Keep in mind that out of all possible respondents, fewer than a handful replied to each question. Additionally, the survey was in no way scientific. It was just a simple fielding of questions and not intended to be a representation of the industry in general. However, they do provide a sound training solution. How can one use such data to train the force? Well, thanks for asking.

Readers of this newsletter can use the same questions while conducting walk-around security or otherwise conducting a security survey. Field these questions to your teams. If they respond correctly, give loud and public praise. If they answer incorrectly, you have just created a training opportunity. Proceed with diplomacy. Use the data you collect as a foundation to design future training. These responses go a long way in identifying weaknesses in the overall understanding of the National Industrial Security Program. These weaknesses could prove a vulnerability to your security program if not addressed properly.

Another application is to use the answers I provide here to bring about discussion or add to your security education agenda. Again, no scientific study here. However, certain broad assumptions can be made about general knowledge of the National Industrial Security Program.


Now, the questions and answers:

1. Will your security clearances or the way we protect classified material be impacted by a new President?

Answers:

a. "The President can de-classify any classified information."

b. "There should be some sort of "transition" in place for business that overlaps 4-year Admin tenures."

c. "I don't foresee any significant changes."

The reality: In recent history two sequential presidents have provided separate executive orders directing how to protect classified information. Presidents have issued policies directing what qualifies to receive a CONFIDENTIAL, SECRET or TOP SECRET classification. 

Contractors and government agencies protect classified information based on the guidance from the executive orders. When changes occur, they affect storage capacity, employee manpower and resources toward re-marking or improving security. These resources are funded through overhead and impact profits. Organizations can project requirements and put a proactive plan in place to make necessary transitions easier.

2. Is a defense contractor allowed to advertise their facility security clearance level or post about it on social media?

"It depends on what level you're advertising. You should be able to advertise clearance levels."

The reality:

According to the National Industrial Security Program Operating Manual (NISPOM), the contractor cannot use their security clearance level to advertise for business.

NISPOM 2. General. An FCL is an administrative determination that a company is eligible for access to classified information or award of a classified contract.

A contractor shall not use its FCL for advertising or promotional purposes.

As the lead security education provider, the Facility Security Officer has to break through perceptions. Cleared employees should have a good understanding of their responsibilities to protect classified information. FSOs can ask simple questions to gauge the effectiveness of the training and discover areas in which to conduct training.


Managing Export Violations




Let’s test your knowledge of international operations. The following situation is pure fiction, but is based on issues facing businesses every day. This situation is tricky enough with unclassified contracts, but the addition of possible classified work may complicate the issue. Try to answer the following question:

As the security manager of a classified facility, you have many responsibilities, including approving classified visits. Not a problem, since most visit requests are handled through agency-approved databases. Besides, you have a very large staff and the process is pretty much routine until….

A program manager enters your office and informs you that her foreign customer wants to send an employee to work onsite on a classified program for six months. The program manager wants you to give her a visit request form that the foreign company can use to submit a visit request. You think about this for a moment and realize that though the situation is unusual, it should be a workable solution. Do you provide the visit request form? Why or why not?

In the course of business, it is not unusual for a foreign entity to request a visit to a U.S. company. Foreign business employees may desire to visit a U.S. contractor in furtherance of a contract. When the business is related to a classified contract, involves classified information or relates to a government to government agreed upon plant visit, the foreign entity requests the visit through their embassy. The only way these types of visits are authorized is through government to government channels. Unclassified visits are sent through commercial channels and are conducted through licenses with the Department of State or the Department of Commerce.

Visit requests submitted by a foreign entity pass through their government channels to the U.S. government for approval. The U.S. government agency having jurisdiction over the classified contract submits the request to the U.S. contractor for their approval. The request also includes guidance and limitations of the information and items the foreign national will be allowed to access. The contractor reviews the limitations and determines whether or not they concur with the request. The contractor has the final say of whether or not the foreign national will access their facility.

Security managers, export compliance officers, technology control officers, etc. will face more challenges as our market becomes global. In future topics we will discuss: once a visit is authorized, what does a contractor need to do in preparation for the visit? How does one prepare employees and the visiting foreign person to avoid exporting unauthorized technical data?



Export Compliance and Leadership


A few years ago I facilitated a short but very rewarding eight-hour seminar on the International Traffic in Arms Regulations (ITAR) Overview. I am grateful to the staff at the University of Alabama in Huntsville and the North Alabama Trade Association for both sponsoring the event and allowing me to present. I found the course rewarding as I presented to a mixed audience of 30 professionals ranging from shipping and receiving specialists to executive vice presidents. The mix also consisted of professionals with various degrees of know-how, as consultants, attorneys, technology control officers and those brand new to the field shared experiences and learned from one another. As a compliance officer in various disciplines, I have had the privilege of leading security and compliance teams and seminars on multiple topics.

Though this was my first of hopefully many export regulations seminars, I noticed a similar need in the compliance field. Regardless of the discipline, compliance works best when driven from the top down. No matter the program a compliance officer intends to build or support, influence is key when developing it, whether security, privacy protection, safety, export, etc. Experience and technical savvy are great to have; however, minus influence, the person is just an administrator playing catch-up in a crucial game.

Like other compliance disciplines, export compliance first and foremost helps companies and individuals successfully earn profits while playing by the rules. Our government encourages international business. The opportunities for lucrative business and growing employee experience pools make international trade an attractive endeavor. The benefits are huge as long as enterprises know the rules and are able to implement them into every program. The reality is that a license will most likely be granted when given the time and consideration required. Unfortunately, the routes people take to avoid licenses probably take more energy, and export violations cause significant damage to our defense and economy.

Influence comes in where the whole team understands the mission and each business unit and employee role. The compliance officer trains the company and keeps the empowered official abreast of licensing and technical assistance issues. They also establish trigger mechanisms to ensure international travel, business, or employment opportunities come to their attention early in any endeavor involving technology transfer.
