For companies operating in hostile environments, corporate security has historically been a source of confusion, and is often outsourced to specialised consultancies at significant cost.
In itself, that is not an inappropriate approach, but the problem arises because, if you ask three different security consultants to carry out the threat assessment, it is entirely possible to get three different answers.
That lack of standardisation and continuity in security risk assessment (SRA) methodology may be the primary reason for confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the regular language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to the SRA is essential to its effectiveness:
1. What exactly is the project under review trying to achieve, and how will it be seeking to achieve it?
2. Which resources/assets are the most crucial to making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions need to be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is in spending very little time developing an in-depth understanding of their client’s project, which generally results in the application of costly security controls that impede the project rather than enhance it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by increasing the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, as the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats originate from a number of sources, both human, such as military conflict, crime and terrorism, and non-human, including natural disasters and disease epidemics. Producing effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a long list of incidents, irrespective of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to your project, consideration must be given not only to the action or activity carried out, but also to who carried it out and, fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation of the threat actor, e.g. environmental damage to agricultural land
• Intent: establishing how often the threat actor has carried out the threat activity as opposed to merely threatening it
• Capability: are they capable of carrying out the threat activity now and/or in the future?
Security threats from non-human sources, such as natural disasters, communicable disease and accidents, can be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: what could be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What potential does the threat actor have to do harm? e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm? e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Many companies still prescribe annual security risk assessments, which potentially leave operations exposed when confronted with dynamic threats that require continuous monitoring.
To monitor security threats effectively, consideration has to be given to how events might escalate and, equally, how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the chance of a violent exchange.
This type of analysis can help with effective threat forecasting, as opposed to a simple snapshot of the security environment at a single point in time.
The biggest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Most of us understand that terrorism is a risk, but as a stand-alone it is too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible, project-specific scenario, however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local employment opportunities makes the threat more plausible and offers a greater variety of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It should consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur despite control measures?
Like a threat assessment, this vulnerability assessment needs to be ongoing to ensure controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of a security risk management system which is dynamic, fit for purpose and geared toward action. It must be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and […] allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task, and one that requires particular skill sets and experience. According to the same report, “…in many instances security is a component of a broader health, safety and environment position, and one where very few people in those roles have particular expertise and experience. Because of this, Statoil overall has insufficient full-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader variety of security controls than has previously been considered as part of the corporate security system.