Companies operating in hostile environments, corporate security has historically been a source of confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, but the problems arises because, in the event you ask three different security consultants to carry out the tactical support service, it’s possible to get three different answers.
That insufficient standardisation and continuity in SRA methodology is definitely the primary cause of confusion between those arrested for managing security risk and budget holders.
So, how can security professionals translate the conventional language of corporate security in a way that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to your SRA is essential to its effectiveness:
1. Just what is the project under review seeking to achieve, and just how could it be attempting to do it?
2. Which resources/assets are the main to make the project successful?
3. Exactly what is the security threat environment wherein the project operates?
4. How vulnerable would be the project’s critical resources/assets for the threats identified?
These four questions needs to be established before a security alarm system may be developed that may be effective, appropriate and flexible enough to get adapted inside an ever-changing security environment.
Where some external security consultants fail is at spending almost no time developing a comprehensive comprehension of their client’s project – generally contributing to the application of costly security controls that impede the project rather than enhancing it.
After a while, a standardised method of SRA can help enhance internal communication. It can so by increasing the understanding of security professionals, who benefit from lessons learned globally, and the broader business as the methodology and language mirrors those of enterprise risk. Together those factors help shift the thought of tacttical security coming from a cost center to one that adds value.
Security threats originate from a host of sources both human, including military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective analysis of the environment that you operate requires insight and enquiry, not simply the collation of a long list of incidents – irrespective of how accurate or well researched those can be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats to the project, consideration has to be given not only to the action or activity completed, but in addition who carried it and fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for the threat actor, environmental problems for agricultural land
• Intent: Establishing how frequently the threat actor conducted the threat activity as opposed to just threatened it
• Capability: Could they be effective at undertaking the threat activity now and down the road
Security threats from non-human source such as natural disasters, communicable disease and accidents may be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat need to do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
Most companies still prescribe annual security risk assessments which potentially leave your operations exposed when confronted with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration should be presented to how events might escalate and equally how proactive steps can de-escalate them. By way of example, security forces firing on the protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, for the short term at the very least, de-escalate the possibility of a violent exchange.
This type of analysis can help with effective threat forecasting, instead of a simple snap shot of the security environment at any time soon enough.
The most significant challenge facing corporate security professionals remains, the way to sell security threat analysis internally particularly when threat perception varies individually for each person based upon their experience, background or personal risk appetite.
Context is critical to effective threat analysis. All of us know that terrorism is really a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For example, the potential risk of an armed attack by local militia in reaction to an ongoing dispute about local employment opportunities, permits us to make the threat more plausible and present an increased variety of selections for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It must consider:
1. Exactly how the attractive project would be to the threats identified and, how easily they may be identified and accessed?
2. How effective would be the project’s existing protections from the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment must be ongoing to make sure that controls not simply function correctly now, but remain relevant because the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent individuals were killed, made ideas for the: “development of your security risk management system that is certainly dynamic, fit for purpose and aimed toward action. It ought to be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to experience a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and one that has to have a certain skillsets and experience. In line with the same report, “…in many instances security is a component of broader health, safety and environment position and another that few people in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient ful-time specialist resources committed to security.”
Anchoring corporate security in effective and ongoing security risk analysis not just facilitates timely and effective decision-making. Furthermore, it has possibility to introduce a broader variety of security controls than has previously been considered as a part of the company home security system.