Companies operating in hostile environments, corporate security has historically been a way to obtain confusion and often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, however the problems arises because, should you ask three different security consultants to carry out the www.tacticalsupportservice.com threat assessment, it’s possible to get three different answers.
That lack of standardisation and continuity in SRA methodology may be the primary cause of confusion between those involved in managing security risk and budget holders.
So, just how can security professionals translate the standard language of corporate security in a fashion that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology for any SRA is vital to its effectiveness:
1. Just what is the project under review seeking to achieve, and just how will it be attempting to do it?
2. Which resources/assets are the main when making the project successful?
3. What exactly is the security threat environment where the project operates?
4. How vulnerable would be the project’s critical resources/assets on the threats identified?
These four questions needs to be established before a security system might be developed which is effective, appropriate and versatile enough being adapted in a ever-changing security environment.
Where some external security consultants fail is within spending little time developing a comprehensive comprehension of their client’s project – generally causing the application of costly security controls that impede the project as an alternative to enhancing it.
With time, a standardised strategy to SRA will help enhance internal communication. It does so by improving the idea of security professionals, who make use of lessons learned globally, as well as the broader business as the methodology and language mirrors that of enterprise risk. Together those factors help shift the thought of tacttical security from the cost center to just one that adds value.
Security threats come from numerous sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective research into the environment that you operate requires insight and enquiry, not simply the collation of a long list of incidents – regardless of how accurate or well researched those can be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to the project, consideration has to be given not only to the action or activity performed, but in addition who carried it out and fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental harm to agricultural land
• Intent: Establishing the frequency of which the threat actor completed the threat activity rather than just threatened it
• Capability: Will they be capable of doing the threat activity now and in the future
Security threats from non-human source like disasters, communicable disease and accidents may be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor must do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed while confronting dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be made available to how events might escalate and equally how proactive steps can de-escalate them. For instance, security forces firing on the protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, in the short term at the very least, de-escalate the potential of a violent exchange.
This sort of analysis can sort out effective threat forecasting, rather than a simple snap shot of the security environment at any point with time.
The largest challenge facing corporate security professionals remains, how you can sell security threat analysis internally specifically when threat perception varies individually for each person according to their experience, background or personal risk appetite.
Context is critical to effective threat analysis. Many of us recognize that terrorism is actually a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. For instance, the risk of an armed attack by local militia in reaction with an ongoing dispute about local employment opportunities, permits us to make the threat more plausible and give a larger variety of alternatives for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It must consider:
1. Exactly how the attractive project is to the threats identified and, how easily they are often identified and accessed?
2. How effective will be the project’s existing protections against the threats identified?
3. How well can the project reply to an incident should it occur in spite of control measures?
Such as a threat assessment, this vulnerability assessment needs to be ongoing to ensure controls not simply function correctly now, but remain relevant because the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent everyone was killed, made recommendations for the: “development of your security risk management system which is dynamic, fit for purpose and geared toward action. It should be an embedded and routine section of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tacticalsupportservice.com allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is no small task and one that needs a unique skillsets and experience. In line with the same report, “…in many instances security is a component of broader health, safety and environment position then one in which very few people in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. In addition, it has possibility to introduce a broader selection of security controls than has previously been considered as a part of the company burglar alarm system.