Companies operating in hostile environments, corporate security has historically been a source of confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, however the problems arises because, in the event you ask three different security consultants to handle the threat assessment tacticalsupportservice.com, it’s possible to obtain three different answers.
That insufficient standardisation and continuity in SRA methodology will be the primary reason for confusion between those arrested for managing security risk and budget holders.
So, how could security professionals translate the traditional language of corporate security in a way that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology for any SRA is critical to the effectiveness:
1. Just what is the project under review seeking to achieve, and how is it trying to do it?
2. Which resources/assets are the most crucial in making the project successful?
3. Exactly what is the security threat environment wherein the project operates?
4. How vulnerable will be the project’s critical resources/assets on the threats identified?
These four questions needs to be established before a security system may be developed that is effective, appropriate and versatile enough to become adapted in an ever-changing security environment.
Where some external security consultants fail is at spending very little time developing a comprehensive idea of their client’s project – generally leading to the application of costly security controls that impede the project as an alternative to enhancing it.
With time, a standardised approach to SRA can help enhance internal communication. It can so by boosting the understanding of security professionals, who take advantage of lessons learned globally, along with the broader business because the methodology and language mirrors those of enterprise risk. Together those factors help shift the perception of tacttical security coming from a cost center to a single that adds value.
Security threats come from a host of sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To formulate effective analysis of the environment for which you operate requires insight and enquiry, not merely the collation of a list of incidents – irrespective of how accurate or well researched those can be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats in your project, consideration needs to be given not only to the action or activity carried out, but additionally who carried it out and fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental injury to agricultural land
• Intent: Establishing how often the threat actor carried out the threat activity as opposed to just threatened it
• Capability: Will they be effective at carrying out the threat activity now and later on
Security threats from non-human source including natural disasters, communicable disease and accidents can be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could possibly be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
Most companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be presented to how events might escalate and equally how proactive steps can de-escalate them. For instance, security forces firing with a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term a minimum of, de-escalate the potential for a violent exchange.
This particular analysis can deal with effective threat forecasting, rather than a simple snap shot of the security environment at any point in time.
The biggest challenge facing corporate security professionals remains, the way to sell security threat analysis internally specially when threat perception varies individually for each person depending on their experience, background or personal risk appetite.
Context is essential to effective threat analysis. We all recognize that terrorism is a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. By way of example, the potential risk of an armed attack by local militia in reaction with an ongoing dispute about local employment opportunities, permits us to create the threat more plausible and present a greater quantity of selections for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It should consider:
1. The way the attractive project would be to the threats identified and, how easily they can be identified and accessed?
2. How effective are the project’s existing protections up against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment should be ongoing to make sure that controls not only function correctly now, but remain relevant because the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent everyone was killed, made tips for the: “development of your security risk management system that is dynamic, fit for purpose and geared toward action. It should be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tacticalsupportservice.com allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task and another that really needs a certain skillsets and experience. In line with the same report, “…in most cases security is part of broader health, safety and environment position and one in which few individuals in those roles have particular experience and expertise. Because of this, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not just facilitates timely and effective decision-making. Additionally, it has possible ways to introduce a broader range of security controls than has previously been considered as an element of the business burglar alarm system.