Companies operating in hostile environments, corporate security has historically been a supply of confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, although the problems arises because, in the event you ask three different security consultants to handle the tactical support service threat assessment, it’s entirely possible to get three different answers.
That insufficient standardisation and continuity in SRA methodology is definitely the primary reason for confusion between those involved in managing security risk and budget holders.
So, how do security professionals translate the traditional language of corporate security in a way that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to the SRA is crucial to the effectiveness:
1. What is the project under review trying to achieve, and exactly how will it be attempting to achieve it?
2. Which resources/assets are the most important for making the project successful?
3. Just what is the security threat environment where the project operates?
4. How vulnerable are definitely the project’s critical resources/assets for the threats identified?
These four questions needs to be established before a security system might be developed that is certainly effective, appropriate and versatile enough to become adapted in an ever-changing security environment.
Where some external security consultants fail is in spending very little time developing a detailed comprehension of their client’s project – generally leading to the use of costly security controls that impede the project as opposed to enhancing it.
As time passes, a standardised approach to SRA can help enhance internal communication. It can do so by improving the knowledge of security professionals, who benefit from lessons learned globally, and also the broader business because the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the thought of tacttical security from a cost center to just one that adds value.
Security threats come from numerous sources both human, including military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a long list of incidents – irrespective of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively look at the threats to your project, consideration must be given not just to the action or activity completed, but in addition who carried it out and fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation to the threat actor, environmental harm to agricultural land
• Intent: Establishing how often the threat actor conducted the threat activity as opposed to just threatened it
• Capability: Could they be competent at doing the threat activity now and down the road
Security threats from non-human source such as disasters, communicable disease and accidents could be assessed in an exceedingly similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor should do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm e.g. most frequent mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration must be provided to how events might escalate and equally how proactive steps can de-escalate them. By way of example, security forces firing on the protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term no less than, de-escalate the potential of a violent exchange.
This particular analysis can help with effective threat forecasting, as opposed to a simple snap shot of your security environment at any point soon enough.
The most significant challenge facing corporate security professionals remains, how you can sell security threat analysis internally especially when threat perception varies for every person according to their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Many of us realize that terrorism can be a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For instance, the danger of an armed attack by local militia in response to a ongoing dispute about local job opportunities, allows us to create the threat more plausible and give a greater variety of choices for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It has to consider:
1. Just how the attractive project is to the threats identified and, how easily they may be identified and accessed?
2. How effective will be the project’s existing protections against the threats identified?
3. How good can the project react to an incident should it occur in spite of control measures?
Just like a threat assessment, this vulnerability assessment must be ongoing to ensure that controls not merely function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made ideas for the: “development of the security risk management system which is dynamic, fit for purpose and geared toward action. It should be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to have a common idea of risk, threats and scenarios and evaluations of the.”
But maintaining this essential process is not any small task and another that has to have a specific skillsets and experience. According to the same report, “…in most cases security is an element of broader health, safety and environment position then one in which few people in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Additionally, it has potential to introduce a broader range of security controls than has previously been considered as part of the corporate alarm system.