Companies operating in hostile environments, corporate security has historically been a supply of confusion and sometimes outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, however the problems arises because, should you ask three different security consultants to handle the tactical support service threat assessment, it’s entirely possible to get three different answers.
That lack of standardisation and continuity in SRA methodology will be the primary reason behind confusion between those charged with managing security risk and budget holders.
So, how could security professionals translate the regular language of corporate security in a way that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to the SRA is vital to its effectiveness:
1. What is the project under review looking to achieve, and exactly how is it attempting to do it?
2. Which resources/assets are the most important to make the project successful?
3. What exactly is the security threat environment where the project operates?
4. How vulnerable are the project’s critical resources/assets for the threats identified?
These four questions needs to be established before a security system might be developed which is effective, appropriate and versatile enough to get adapted within an ever-changing security environment.
Where some external security consultants fail is within spending almost no time developing an in depth idea of their client’s project – generally contributing to the use of costly security controls that impede the project as opposed to enhancing it.
Over time, a standardised procedure for SRA will help enhance internal communication. It can do so by improving the knowledge of security professionals, who make use of lessons learned globally, along with the broader business since the methodology and language mirrors that of enterprise risk. Together those factors help shift the thought of tacttical security from the cost center to just one that adds value.
Security threats originate from a myriad of sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective research into the environment that you operate requires insight and enquiry, not merely the collation of a list of incidents – no matter how accurate or well researched those could be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats for your project, consideration has to be given not only to the action or activity carried out, but additionally who carried it all out and fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental damage to agricultural land
• Intent: Establishing how often the threat actor completed the threat activity rather than just threatened it
• Capability: Is it able to undertaking the threat activity now and/or later on
Security threats from non-human source such as natural disasters, communicable disease and accidents might be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor must do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most frequent mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration should be presented to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing on the protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, in the short term at the very least, de-escalate the potential of a violent exchange.
This particular analysis can deal with effective threat forecasting, instead of a simple snap shot of the security environment at any point soon enough.
The largest challenge facing corporate security professionals remains, the way to sell security threat analysis internally specially when threat perception varies from person to person according to their experience, background or personal risk appetite.
Context is vital to effective threat analysis. All of us recognize that terrorism can be a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. For example, the potential risk of an armed attack by local militia in reaction to a ongoing dispute about local employment opportunities, allows us to have the threat more plausible and give a greater number of selections for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It should consider:
1. How the attractive project would be to the threats identified and, how easily they can be identified and accessed?
2. How effective are definitely the project’s existing protections up against the threats identified?
3. How good can the project react to an incident should it occur in spite of control measures?
Just like a threat assessment, this vulnerability assessment needs to be ongoing to ensure that controls not simply function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria where 40 innocent individuals were killed, made ideas for the: “development of your security risk management system that may be dynamic, fit for purpose and aimed toward action. It should be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to experience a common knowledge of risk, threats and scenarios and evaluations of the.”
But maintaining this essential process is no small task and something that has to have a certain skillsets and experience. Based on the same report, “…in many cases security is part of broader health, safety and environment position then one where few individuals in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient ful-time specialist resources dedicated to security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Additionally, it has possibility to introduce a broader array of security controls than has previously been considered as a part of the company home security system.