Companies operating in hostile environments, corporate security has historically been a supply of confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, however the problems arises because, when you ask three different security consultants to handle the tacticalsupportservice.com, it’s entirely possible to get three different answers.
That deficiency of standardisation and continuity in SRA methodology may be the primary reason for confusion between those charged with managing security risk and budget holders.
So, how can security professionals translate the regular language of corporate security in ways that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to the SRA is critical to its effectiveness:
1. What is the project under review looking to achieve, and the way will it be looking to achieve it?
2. Which resources/assets are the main when making the project successful?
3. What is the security threat environment wherein the project operates?
4. How vulnerable would be the project’s critical resources/assets towards the threats identified?
These four questions needs to be established before a security alarm system may be developed which is effective, appropriate and versatile enough to be adapted inside an ever-changing security environment.
Where some external security consultants fail is in spending almost no time developing a detailed comprehension of their client’s project – generally resulting in the use of costly security controls that impede the project rather than enhancing it.
After a while, a standardised strategy to SRA will help enhance internal communication. It does so by boosting the knowledge of security professionals, who make use of lessons learned globally, and also the broader business because the methodology and language mirrors that from enterprise risk. Together those factors help shift the thought of tacttical security from your cost center to just one that adds value.
Security threats originate from numerous sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective research into the environment in which you operate requires insight and enquiry, not simply the collation of a long list of incidents – irrespective of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively look at the threats for your project, consideration needs to be given not just to the action or activity performed, but in addition who carried it out and fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental damage to agricultural land
• Intent: Establishing how frequently the threat actor carried out the threat activity as opposed to just threatened it
• Capability: Could they be competent at undertaking the threat activity now or down the road
Security threats from non-human source including natural disasters, communicable disease and accidents may be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most typical mouse in equatorial Africa, ubiquitous in human households potentially fatal
Most companies still prescribe annual security risk assessments which potentially leave your operations exposed when confronted with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be made available to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, in the short term at the very least, de-escalate the potential for a violent exchange.
This particular analysis can sort out effective threat forecasting, rather than a simple snap shot of the security environment at any time in time.
The biggest challenge facing corporate security professionals remains, the best way to sell security threat analysis internally specially when threat perception varies individually for each person based on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. All of us know that terrorism is a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in the credible project specific scenario however, creates context. For instance, the potential risk of an armed attack by local militia in reaction to a ongoing dispute about local employment opportunities, allows us to make your threat more plausible and give a greater number of selections for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. The way the attractive project is usually to the threats identified and, how easily they could be identified and accessed?
2. How effective will be the project’s existing protections against the threats identified?
3. How good can the project respond to an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment has to be ongoing to ensure that controls not just function correctly now, but remain relevant since the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent people were killed, made strategies for the: “development of any security risk management system that may be dynamic, fit for purpose and geared toward action. It should be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to experience a common understanding of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is not any small task and one that really needs a unique skillsets and experience. In line with the same report, “…in most instances security is a component of broader health, safety and environment position and one where few individuals in those roles have particular experience and expertise. Because of this, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not just facilitates timely and effective decision-making. Additionally, it has potential to introduce a broader array of security controls than has previously been considered as part of the company alarm system.