Companies operating in hostile environments, corporate security has historically been a source of confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, but the problems arises because, in the event you ask three different security consultants to execute the www.tacticalsupportservice.com threat assessment, it’s entirely possible to obtain three different answers.
That absence of standardisation and continuity in SRA methodology may be the primary cause of confusion between those involved in managing security risk and budget holders.
So, just how can security professionals translate the traditional language of corporate security in a manner that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to any SRA is essential to its effectiveness:
1. What is the project under review trying to achieve, and just how could it be attempting to do it?
2. Which resources/assets are the most significant in making the project successful?
3. Just what is the security threat environment where the project operates?
4. How vulnerable will be the project’s critical resources/assets for the threats identified?
These four questions should be established before a security system may be developed that is certainly effective, appropriate and flexible enough to become adapted in a ever-changing security environment.
Where some external security consultants fail is spending little time developing a comprehensive understanding of their client’s project – generally contributing to the application of costly security controls that impede the project rather than enhancing it.
Over time, a standardised procedure for SRA can help enhance internal communication. It can do so by increasing the comprehension of security professionals, who make use of lessons learned globally, as well as the broader business for the reason that methodology and language mirrors that of enterprise risk. Together those factors help shift the perception of tacttical security coming from a cost center to 1 that adds value.
Security threats originate from a myriad of sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To formulate effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a list of incidents – regardless how accurate or well researched those could be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to the project, consideration has to be given not just in the action or activity conducted, but in addition who carried it out and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental injury to agricultural land
• Intent: Establishing the frequency of which the threat actor performed the threat activity rather than just threatened it
• Capability: Is it effective at doing the threat activity now and/or in the future
Security threats from non-human source including natural disasters, communicable disease and accidents can be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor must do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most frequent mouse in equatorial Africa, ubiquitous in human households potentially fatal
A lot of companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be given to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing over a protest march may escalate the possibility of a violent response from protestors, while effective communication with protest leaders may, in the short term at the very least, de-escalate the possibility of a violent exchange.
This type of analysis can deal with effective threat forecasting, rather than a simple snap shot from the security environment at any point soon enough.
The most significant challenge facing corporate security professionals remains, how you can sell security threat analysis internally specifically when threat perception varies for every person based on their experience, background or personal risk appetite.
Context is crucial to effective threat analysis. Most of us know that terrorism is actually a risk, but like a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For example, the danger of an armed attack by local militia responding with an ongoing dispute about local employment opportunities, permits us to make your threat more plausible and offer a better variety of options for its mitigation.
Having identified threats, vulnerability assessment is likewise critical and extends beyond simply reviewing existing security controls. It must consider:
1. Exactly how the attractive project is usually to the threats identified and, how easily they could be identified and accessed?
2. How effective are definitely the project’s existing protections up against the threats identified?
3. How good can the project react to an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment has to be ongoing to make certain that controls not just function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria where 40 innocent people were killed, made strategies for the: “development of the security risk management system which is dynamic, fit for purpose and aimed toward action. It should be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to possess a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and something that has to have a specific skillsets and experience. In accordance with the same report, “…in many cases security is part of broader health, safety and environment position then one in which very few people in those roles have particular experience and expertise. Because of this, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not just facilitates timely and effective decision-making. Furthermore, it has possible ways to introduce a broader range of security controls than has previously been considered as an element of the company security system.