Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and sometimes outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, nevertheless the problems arises because, should you ask three different security consultants to handle the threat assessment tacticalsupportservice.com, it’s possible to get three different answers.
That insufficient standardisation and continuity in SRA methodology may be the primary cause of confusion between those involved in managing security risk and budget holders.
So, how can security professionals translate the conventional language of corporate security in ways that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to your SRA is critical to its effectiveness:
1. Just what is the project under review trying to achieve, and exactly how would it be trying to achieve it?
2. Which resources/assets are the most crucial when making the project successful?
3. Exactly what is the security threat environment where the project operates?
4. How vulnerable would be the project’s critical resources/assets for the threats identified?
These four questions should be established before a security system can be developed that may be effective, appropriate and versatile enough to get adapted inside an ever-changing security environment.
Where some external security consultants fail is in spending almost no time developing a detailed understanding of their client’s project – generally leading to the use of costly security controls that impede the project as an alternative to enhancing it.
With time, a standardised procedure for SRA may help enhance internal communication. It will so by improving the knowledge of security professionals, who reap the benefits of lessons learned globally, along with the broader business since the methodology and language mirrors that from enterprise risk. Together those factors help shift the perception of tacttical security from your cost center to a single that adds value.
Security threats come from a host of sources both human, for example military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective research into the environment in which you operate requires insight and enquiry, not simply the collation of a listing of incidents – no matter how accurate or well researched those could be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats in your project, consideration should be given not only to the action or activity carried out, but additionally who carried it all out and fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental injury to agricultural land
• Intent: Establishing the frequency of which the threat actor completed the threat activity rather than just threatened it
• Capability: Will they be able to performing the threat activity now and/or later on
Security threats from non-human source such as disasters, communicable disease and accidents might be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could possibly be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor must do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed when confronted with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be presented to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing on a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, in the short term a minimum of, de-escalate the potential for a violent exchange.
This particular analysis can deal with effective threat forecasting, rather than a simple snap shot of the security environment at any point soon enough.
The largest challenge facing corporate security professionals remains, how to sell security threat analysis internally particularly when threat perception varies individually for each person based upon their experience, background or personal risk appetite.
Context is crucial to effective threat analysis. We all know that terrorism is a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For example, the danger of an armed attack by local militia in response to an ongoing dispute about local job opportunities, permits us to make the threat more plausible and present a greater number of alternatives for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It should consider:
1. How the attractive project would be to the threats identified and, how easily they can be identified and accessed?
2. How effective will be the project’s existing protections up against the threats identified?
3. How well can the project react to an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment must be ongoing to make certain that controls not simply function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent everyone was killed, made ideas for the: “development of the security risk management system that may be dynamic, fit for purpose and geared toward action. It should be an embedded and routine part of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is no small task then one that has to have a particular skillsets and experience. Based on the same report, “…in many instances security is a component of broader health, safety and environment position and something that few people in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient ful-time specialist resources dedicated to security.”
Anchoring corporate security in effective and ongoing security risk analysis not merely facilitates timely and effective decision-making. It also has potential to introduce a broader range of security controls than has previously been considered as a part of the corporate home security system.