For companies operating in hostile environments, corporate security has historically been a source of confusion and is sometimes outsourced to specialised consultancies at significant cost.
In itself, that’s not an inappropriate approach, but the problem arises because, if you ask three different security consultants to carry out the threat assessment, it’s entirely possible to get three different answers.
That lack of standardisation and continuity in security risk assessment (SRA) methodology is the primary cause of confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the conventional language of corporate security in a way that both enhances understanding and justifies inexpensive and appropriate security controls?
Applying a four-step methodology to any SRA is critical to its effectiveness:
1. What is the project under review trying to achieve, and how is it trying to achieve it?
2. Which resources/assets are the most crucial in making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions have to be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted to an ever-changing security environment.
Where some external security consultants fail is in spending little time developing an in-depth knowledge of their client’s project, which generally results in the use of costly security controls that impede the project instead of enhancing it.
Over time, a standardised approach to SRA will help enhance internal communication. It does so by enhancing the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats come from a myriad of sources, both human, such as military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Formulating effective analysis of the environment in which you operate requires insight and enquiry, not merely the collation of a long list of incidents, no matter how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to your project, consideration has to be given not just to the action or activity carried out, but also to who carried it out and, fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for the threat actor, e.g. environmental problems for agricultural land
• Intent: establishing how often the threat actor carried out the threat activity as opposed to just threatening it
• Capability: are they capable of carrying out the threat activity now and in the future?
Security threats from non-human sources such as disasters, communicable disease and accidents can be assessed in a similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: what could be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm, e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Some companies still prescribe annual security risk assessments, which potentially leave operations exposed when dealing with dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration needs to be given to how events might escalate and, equally, how proactive steps can de-escalate them. By way of example, security forces firing on a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, for the short term at least, de-escalate the possibility of a violent exchange.
This type of analysis can help with effective threat forecasting, rather than providing a simple snapshot of the security environment at any point in time.
The most significant challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person according to their experience, background or personal risk appetite.
Context is essential to effective threat analysis. Most of us understand that terrorism is a risk, but as a stand-alone it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local job opportunities allows us to make the threat more plausible and offers a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It has to consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
As with a threat assessment, this vulnerability assessment needs to be ongoing to ensure controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of your security risk management system that is dynamic, fit for purpose and geared toward action. It needs to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and […] allow both experts and management to have a common knowledge of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task, and one that requires particular skill sets and experience. According to the same report, “…in many instances security is a component of broader health, safety and environment position and another that very few people in those roles have particular expertise and experience. As a consequence, Statoil overall has insufficient full-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader selection of security controls than has previously been considered as part of the company security system.