Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, although the problems arises because, if you ask three different security consultants to execute the www.tacticalsupportservice.com threat assessment, it’s possible to receive three different answers.
That deficiency of standardisation and continuity in SRA methodology is the primary cause of confusion between those involved in managing security risk and budget holders.
So, how can security professionals translate the regular language of corporate security in a way that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to any SRA is essential to its effectiveness:
1. What exactly is the project under review seeking to achieve, and exactly how would it be looking to achieve it?
2. Which resources/assets are the main for making the project successful?
3. What exactly is the security threat environment wherein the project operates?
4. How vulnerable will be the project’s critical resources/assets to the threats identified?
These four questions should be established before a security system can be developed which is effective, appropriate and flexible enough being adapted in an ever-changing security environment.
Where some external security consultants fail is at spending almost no time developing an in depth comprehension of their client’s project – generally causing the application of costly security controls that impede the project as opposed to enhancing it.
As time passes, a standardised strategy to SRA may help enhance internal communication. It does so by boosting the knowledge of security professionals, who make use of lessons learned globally, as well as the broader business since the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the thought of tacttical security from the cost center to one that adds value.
Security threats originate from a myriad of sources both human, for example military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective analysis of the environment that you operate requires insight and enquiry, not merely the collation of a summary of incidents – irrespective of how accurate or well researched those could be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats in your project, consideration needs to be given not just in the action or activity carried out, but also who carried it and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for that threat actor, environmental damage to agricultural land
• Intent: Establishing how often the threat actor performed the threat activity as opposed to just threatened it
• Capability: Are they competent at carrying out the threat activity now and later on
Security threats from non-human source like disasters, communicable disease and accidents may be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could possibly be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed when confronted with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration should be presented to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing on the protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, in the short term a minimum of, de-escalate the potential for a violent exchange.
This kind of analysis can sort out effective threat forecasting, as opposed to a simple snap shot of the security environment at any point over time.
The greatest challenge facing corporate security professionals remains, the best way to sell security threat analysis internally specifically when threat perception varies from person to person based upon their experience, background or personal risk appetite.
Context is crucial to effective threat analysis. Most of us understand that terrorism is a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk inside a credible project specific scenario however, creates context. By way of example, the chance of an armed attack by local militia responding to a ongoing dispute about local job opportunities, allows us to make your threat more plausible and offer a greater quantity of choices for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It should consider:
1. Just how the attractive project is always to the threats identified and, how easily they may be identified and accessed?
2. How effective will be the project’s existing protections versus the threats identified?
3. How good can the project react to an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment has to be ongoing to make sure that controls not simply function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of the security risk management system which is dynamic, fit for purpose and aimed toward action. It must be an embedded and routine part of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to experience a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is not any small task then one that requires a specific skillsets and experience. In line with the same report, “…in many cases security is a component of broader health, safety and environment position then one in which few individuals in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not merely facilitates timely and effective decision-making. Additionally, it has potential to introduce a broader selection of security controls than has previously been considered as an element of the corporate alarm system.