For companies operating in hostile environments, corporate security has historically been a source of confusion and is frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, but the problem arises because, if you ask three different security consultants to carry out a security risk assessment (SRA), it’s possible to get three different answers.
That lack of standardisation and continuity in SRA methodology is the primary cause of confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the usual language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to any SRA is critical to its effectiveness:
1. What is the project under review trying to achieve, and how is it trying to do it?
2. Which resources/assets are most important to making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions must be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is in spending very little time developing a comprehensive understanding of their client’s project, generally resulting in the application of costly security controls that impede the project rather than enhancing it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by improving the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, as the methodology and language mirror those of enterprise risk. Together, those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats come from a myriad of sources, both human, such as military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Producing effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a long list of incidents, regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to your project, consideration should be given not just to the action or activity carried out, but also to who carried it out and, fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for the threat actor, e.g. environmental problems affecting agricultural land
• Intent: establishing how often the threat actor carried out the threat activity as opposed to just threatening it
• Capability: are they capable of carrying out the threat activity now and/or in the future?
Security threats from non-human sources, for example natural disasters, communicable disease and accidents, can be assessed in a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: What could be responsible, e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm, e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Many companies still prescribe annual security risk assessments, which potentially leave operations exposed when facing dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration needs to be given to how events might escalate and, equally, how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the potential for a violent exchange.
This type of analysis can help with effective threat forecasting, rather than providing a simple snapshot of the security environment at any point in time.
The most significant challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. We all understand that terrorism is a risk, but as a stand-alone threat it is too broad and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local employment opportunities allows us to make the threat more plausible and offers a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It must consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment must be ongoing to ensure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent individuals were killed, made recommendations for the: “development of any security risk management system that is certainly dynamic, fit for purpose and geared toward action. It must be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tactical support service executive protection allow both experts and management to experience a common understanding of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task, and one that requires specific skill sets and experience. According to the same report, “…in many instances security is a component of broader health, safety and environment position and one in which few people in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient full-time specialist resources committed to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader range of security controls than has previously been considered as part of the corporate security system.