Companies operating in hostile environments, corporate security has historically been a way to obtain confusion and sometimes outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, but the problems arises because, should you ask three different security consultants to undertake the www.tacticalsupportservice.com, it’s entirely possible to receive three different answers.
That lack of standardisation and continuity in SRA methodology will be the primary reason for confusion between those arrested for managing security risk and budget holders.
So, how could security professionals translate the traditional language of corporate security in ways that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to the SRA is essential to the effectiveness:
1. Just what is the project under review seeking to achieve, and the way is it seeking to achieve it?
2. Which resources/assets are the main in making the project successful?
3. What exactly is the security threat environment when the project operates?
4. How vulnerable would be the project’s critical resources/assets on the threats identified?
These four questions has to be established before a security system might be developed that is certainly effective, appropriate and versatile enough to be adapted inside an ever-changing security environment.
Where some external security consultants fail is in spending little time developing an in depth knowledge of their client’s project – generally resulting in the effective use of costly security controls that impede the project rather than enhancing it.
Over time, a standardised strategy to SRA will help enhance internal communication. It can so by enhancing the idea of security professionals, who benefit from lessons learned globally, and the broader business because the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the perception of tacttical security from a cost center to just one that adds value.
Security threats originate from a myriad of sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective analysis of the environment where you operate requires insight and enquiry, not merely the collation of a list of incidents – regardless how accurate or well researched those can be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to your project, consideration should be given not just in the action or activity performed, but in addition who carried it out and fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental harm to agricultural land
• Intent: Establishing the frequency of which the threat actor completed the threat activity rather than just threatened it
• Capability: Is it effective at carrying out the threat activity now or in the future
Security threats from non-human source such as natural disasters, communicable disease and accidents could be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most typical mouse in equatorial Africa, ubiquitous in human households potentially fatal
Many companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration should be made available to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing over a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, in the short term a minimum of, de-escalate the potential for a violent exchange.
This type of analysis can sort out effective threat forecasting, instead of a simple snap shot from the security environment at any point over time.
The most significant challenge facing corporate security professionals remains, how to sell security threat analysis internally specifically when threat perception varies individually for each person according to their experience, background or personal risk appetite.
Context is critical to effective threat analysis. Many of us recognize that terrorism is really a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in the credible project specific scenario however, creates context. For example, the potential risk of an armed attack by local militia in reaction with an ongoing dispute about local job opportunities, allows us to have the threat more plausible and provide an increased number of alternatives for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It should consider:
1. Exactly how the attractive project would be to the threats identified and, how easily they may be identified and accessed?
2. How effective are definitely the project’s existing protections versus the threats identified?
3. How well can the project answer an incident should it occur in spite of control measures?
Such as a threat assessment, this vulnerability assessment must be ongoing to ensure controls not simply function correctly now, but remain relevant because the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent individuals were killed, made ideas for the: “development of any security risk management system that is certainly dynamic, fit for purpose and geared toward action. It should be an embedded and routine part of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tactical support service executive protection allow both experts and management to possess a common comprehension of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task and one that needs a particular skillsets and experience. In accordance with the same report, “…in many instances security is part of broader health, safety and environment position then one that few individuals in those roles have particular experience and expertise. As a result, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. Additionally, it has potential to introduce a broader selection of security controls than has previously been considered as a part of the corporate home security system.