For companies operating in hostile environments, corporate security has historically been a source of confusion and is quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, but the problem arises because, if you ask three different security consultants to carry out the threat assessment, it’s possible to get three different answers.
That absence of standardisation and continuity in security risk assessment (SRA) methodology may be the primary reason behind confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the conventional language of corporate security in a manner that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to any SRA is crucial to its effectiveness:
1. What is the project under review seeking to achieve, and how is it trying to do it?
2. Which resources/assets are the most important in making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions should be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is in spending almost no time developing an in-depth understanding of their client’s project, which generally leads to the application of costly security controls that impede the project instead of enhancing it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by improving the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats originate from a number of sources, both human, for example military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Developing effective analysis of the environment in which you operate requires insight and enquiry, not merely the collation of a list of incidents, regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to your project, consideration should be given not only to the action or activity performed, but also to who carried it out and, fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation of the threat actor, e.g. environmental problems for agricultural land
• Intent: establishing how frequently the threat actor has carried out the threat activity as opposed to just threatening it
• Capability: whether they are capable of carrying out the threat activity now and/or in the future
Security threats from non-human sources, including natural disasters, communicable disease and accidents, can be assessed in a very similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: what might be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What Potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm, e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Some companies still prescribe annual security risk assessments, which potentially leave operations exposed when dealing with dynamic threats that require continuous monitoring.
To monitor security threats effectively, consideration should be given to how events might escalate and, equally, how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, for the short term at the very least, de-escalate the chance of a violent exchange.
This type of analysis can help with effective threat forecasting, rather than providing a simple snapshot of the security environment at one point in time.
The greatest challenge facing corporate security professionals remains how to sell security threat analysis internally, particularly when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is crucial to effective threat analysis. Many of us know that terrorism is a risk, but as a stand-alone it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. As an example, the risk of an armed attack by local militia responding to an ongoing dispute about local job opportunities makes the threat more plausible and gives a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is likewise critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
As with a threat assessment, this vulnerability assessment has to be ongoing to make sure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of any security risk management system that is dynamic, fit for purpose and geared toward action. It needs to be an embedded and routine part of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and […] allow both experts and management to have a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task, and one that needs a certain skillset and experience. According to the same report, “…in most cases security is an element of broader health, safety and environment position and one where few people in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient full-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader range of security controls than has previously been considered as part of the corporate security system.