For companies operating in hostile environments, corporate security has historically been a source of confusion and is quite often outsourced to specialised consultancies at significant cost.
Of itself, that is not an inappropriate approach; however, the problem arises because, should you ask three different security consultants to carry out a security risk assessment (SRA), it is entirely possible to get three different answers.
That lack of standardisation and continuity in SRA methodology is the primary source of confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the traditional language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to any SRA is essential to its effectiveness:
1. What is the project under review trying to achieve, and how is it trying to achieve it?
2. Which resources/assets are most critical to making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions must be answered before a security system can be developed that is effective, appropriate and flexible enough to adapt to an ever-changing security environment.
Where some external security consultants fail is in spending little time developing an in-depth understanding of their client’s project, which generally results in the application of costly security controls that impede the project rather than enhance it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by improving the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats originate from a number of sources, both human, including military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Developing effective analysis of the environment in which you operate requires insight and enquiry, not merely the collation of a long list of incidents, regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to your project, consideration must be given not only to the action or activity carried out, but also to who carried it out and, fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for the threat actor, e.g. environmental damage to agricultural land
• Intent: establishing how often the threat actor has carried out the threat activity rather than just threatened it
• Capability: whether the threat actor is capable of carrying out the threat activity now and/or in the foreseeable future
Security threats from non-human sources such as natural disasters, communicable disease and accidents can be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm, e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Some companies still prescribe annual security risk assessments, which potentially leave operations exposed to dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration should be given to how events might escalate and, equally, how proactive steps can de-escalate them. For instance, security forces firing on a protest march may escalate the likelihood of a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the likelihood of a violent exchange.
This type of analysis can support effective threat forecasting, rather than a simple snapshot of the security environment at any point in time.
The biggest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person according to their experience, background or personal risk appetite.
Context is crucial to effective threat analysis. We all understand that terrorism is a risk, but as a stand-alone, it is too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local job opportunities allows us to make the threat more plausible and offers a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It should consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment must be ongoing to ensure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of a security risk management system that may be dynamic, fit for purpose and aimed toward action. It must be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and […] allow both experts and management to have a common comprehension of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and one that requires specific skill sets and experience. According to the same report, “…in most instances security is a component of broader health, safety and environment position and something in which few people in those roles have particular expertise and experience. As a consequence, Statoil overall has insufficient full-time specialist resources committed to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader range of security controls than has previously been considered as part of the corporate security system.