Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, however the problems arises because, in the event you ask three different security consultants to handle the www.tacticalsupportservice.com threat assessment, it’s entirely possible to obtain three different answers.
That lack of standardisation and continuity in SRA methodology will be the primary reason behind confusion between those responsible for managing security risk and budget holders.
So, how could security professionals translate the conventional language of corporate security in a fashion that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to your SRA is vital to the effectiveness:
1. What exactly is the project under review trying to achieve, and exactly how could it be seeking to achieve it?
2. Which resources/assets are the most important when making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets towards the threats identified?
These four questions needs to be established before a security alarm system could be developed that is effective, appropriate and flexible enough being adapted within an ever-changing security environment.
Where some external security consultants fail is spending little time developing an in depth knowledge of their client’s project – generally leading to the effective use of costly security controls that impede the project instead of enhancing it.
Over time, a standardised procedure for SRA will help enhance internal communication. It can do so by boosting the comprehension of security professionals, who benefit from lessons learned globally, as well as the broader business because the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the thought of tacttical security from a cost center to 1 that adds value.
Security threats come from a number of sources both human, including military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective analysis of the environment that you operate requires insight and enquiry, not simply the collation of a list of incidents – regardless of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats for your project, consideration has to be given not just in the action or activity conducted, but additionally who carried it all out and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental damage to agricultural land
• Intent: Establishing the frequency of which the threat actor conducted the threat activity as opposed to just threatened it
• Capability: Is it able to undertaking the threat activity now or in the foreseeable future
Security threats from non-human source for example natural disasters, communicable disease and accidents could be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor should do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat need to do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed when confronted with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration must be provided to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing over a protest march may escalate the possibility of a violent response from protestors, while effective communication with protest leaders may, for the short term a minimum of, de-escalate the chance of a violent exchange.
This type of analysis can help with effective threat forecasting, instead of a simple snap shot in the security environment at any point over time.
The greatest challenge facing corporate security professionals remains, how to sell security threat analysis internally particularly when threat perception varies individually for each person based upon their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Most of us recognize that terrorism can be a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in the credible project specific scenario however, creates context. For instance, the chance of an armed attack by local militia in response to an ongoing dispute about local job opportunities, permits us to have the threat more plausible and give a better number of selections for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It has to consider:
1. The way the attractive project is always to the threats identified and, how easily they could be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How good can the project reply to an incident should it occur in spite of control measures?
Similar to a threat assessment, this vulnerability assessment has to be ongoing to make sure that controls not merely function correctly now, but remain relevant since the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent individuals were killed, made tips for the: “development of a security risk management system which is dynamic, fit for purpose and aimed toward action. It needs to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to experience a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and something that has to have a certain skillsets and experience. According to the same report, “…in many instances security is a component of broader health, safety and environment position then one where not many people in those roles have particular expertise and experience. As a consequence, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. In addition, it has possibility to introduce a broader array of security controls than has previously been considered as a part of the corporate alarm system.