Companies operating in hostile environments, corporate security has historically been a source of confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, although the problems arises because, in the event you ask three different security consultants to handle the www.tacticalsupportservice.com threat assessment, it’s possible to obtain three different answers.
That insufficient standardisation and continuity in SRA methodology is definitely the primary cause of confusion between those charged with managing security risk and budget holders.
So, how do security professionals translate the standard language of corporate security in ways that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to the SRA is critical to the effectiveness:
1. Just what is the project under review attempting to achieve, and exactly how is it looking to do it?
2. Which resources/assets are the most important for making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable would be the project’s critical resources/assets on the threats identified?
These four questions must be established before a security system may be developed that is effective, appropriate and flexible enough to become adapted in an ever-changing security environment.
Where some external security consultants fail is in spending very little time developing a detailed understanding of their client’s project – generally contributing to the application of costly security controls that impede the project rather than enhancing it.
After a while, a standardised method of SRA will help enhance internal communication. It can do so by improving the idea of security professionals, who take advantage of lessons learned globally, and also the broader business because the methodology and language mirrors that of enterprise risk. Together those factors help shift the perception of tacttical security from the cost center to 1 that adds value.
Security threats originate from a number of sources both human, for example military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective research into the environment for which you operate requires insight and enquiry, not simply the collation of a summary of incidents – regardless of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats to your project, consideration needs to be given not just to the action or activity conducted, but additionally who carried it all out and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for that threat actor, environmental problems for agricultural land
• Intent: Establishing how many times the threat actor completed the threat activity as opposed to just threatened it
• Capability: Are they able to doing the threat activity now and/or down the road
Security threats from non-human source like natural disasters, communicable disease and accidents can be assessed in an exceedingly similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
A lot of companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration must be presented to how events might escalate and equally how proactive steps can de-escalate them. For instance, security forces firing over a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, for the short term at least, de-escalate the chance of a violent exchange.
This particular analysis can sort out effective threat forecasting, instead of a simple snap shot from the security environment at any time in time.
The biggest challenge facing corporate security professionals remains, the way to sell security threat analysis internally particularly when threat perception varies for every person depending on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. We all understand that terrorism is actually a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. By way of example, the potential risk of an armed attack by local militia responding to an ongoing dispute about local job opportunities, permits us to create the threat more plausible and present a greater amount of choices for its mitigation.
Having identified threats, vulnerability assessment is likewise critical and extends beyond simply reviewing existing security controls. It must consider:
1. Exactly how the attractive project is always to the threats identified and, how easily they can be identified and accessed?
2. How effective would be the project’s existing protections against the threats identified?
3. How good can the project react to an incident should it occur despite of control measures?
Similar to a threat assessment, this vulnerability assessment has to be ongoing to make certain that controls not merely function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria through which 40 innocent everyone was killed, made tips for the: “development of your security risk management system which is dynamic, fit for purpose and geared toward action. It ought to be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to get a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is not any small task and another that requires a unique skillsets and experience. According to the same report, “…in most cases security is a component of broader health, safety and environment position and one where very few people in those roles have particular experience and expertise. Because of this, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Additionally, it has possible ways to introduce a broader selection of security controls than has previously been considered as a part of the company security system.