Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and sometimes outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, but the problems arises because, when you ask three different security consultants to handle the www.tacticalsupportservice.com, it’s possible to obtain three different answers.
That insufficient standardisation and continuity in SRA methodology is definitely the primary reason behind confusion between those responsible for managing security risk and budget holders.
So, how could security professionals translate the traditional language of corporate security in ways that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to the SRA is critical to the effectiveness:
1. Just what is the project under review trying to achieve, and exactly how is it looking to achieve it?
2. Which resources/assets are the main to make the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable would be the project’s critical resources/assets to the threats identified?
These four questions must be established before a security system could be developed that is effective, appropriate and flexible enough to be adapted in a ever-changing security environment.
Where some external security consultants fail is spending bit of time developing an in depth knowledge of their client’s project – generally causing the effective use of costly security controls that impede the project as opposed to enhancing it.
As time passes, a standardised method of SRA will help enhance internal communication. It can so by improving the understanding of security professionals, who reap the benefits of lessons learned globally, along with the broader business because the methodology and language mirrors those of enterprise risk. Together those factors help shift the perception of tacttical security from a cost center to just one that adds value.
Security threats originate from a host of sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective analysis of the environment where you operate requires insight and enquiry, not merely the collation of a listing of incidents – irrespective of how accurate or well researched those could be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to your project, consideration has to be given not only to the action or activity conducted, but additionally who carried it all out and fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation to the threat actor, environmental problems for agricultural land
• Intent: Establishing the frequency of which the threat actor carried out the threat activity as opposed to just threatened it
• Capability: Will they be effective at carrying out the threat activity now and/or in the future
Security threats from non-human source such as natural disasters, communicable disease and accidents can be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
Many companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be made available to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing with a protest march may escalate the possibility of a violent response from protestors, while effective communication with protest leaders may, for the short term no less than, de-escalate the chance of a violent exchange.
This type of analysis can deal with effective threat forecasting, as opposed to a simple snap shot of the security environment at any time with time.
The biggest challenge facing corporate security professionals remains, how you can sell security threat analysis internally specially when threat perception varies from person to person according to their experience, background or personal risk appetite.
Context is essential to effective threat analysis. We all recognize that terrorism is actually a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in the credible project specific scenario however, creates context. For example, the danger of an armed attack by local militia in reaction for an ongoing dispute about local employment opportunities, allows us to have the threat more plausible and give a larger quantity of selections for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It has to consider:
1. Just how the attractive project would be to the threats identified and, how easily they can be identified and accessed?
2. How effective are definitely the project’s existing protections up against the threats identified?
3. How good can the project reply to an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment needs to be ongoing to ensure controls not merely function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria through which 40 innocent people were killed, made strategies for the: “development of a security risk management system that is dynamic, fit for purpose and aimed toward action. It must be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tacticalsupportservice.com allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is not any small task and another that has to have a specific skillsets and experience. In line with the same report, “…in most cases security is an element of broader health, safety and environment position and something in which few individuals in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources dedicated to security.”
Anchoring corporate security in effective and ongoing security risk analysis not merely facilitates timely and effective decision-making. It also has potential to introduce a broader variety of security controls than has previously been considered as an element of the company burglar alarm system.