For companies operating in hostile environments, corporate security has historically been a source of confusion and is sometimes outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, although a problem arises because, should you ask three different security consultants to undertake the threat assessment, it’s entirely possible to get three different answers.
That absence of standardisation and continuity in security risk assessment (SRA) methodology may be the primary reason for confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the usual language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to your SRA is essential to its effectiveness:
1. What exactly is the project under review attempting to achieve, and how is it seeking to do it?
2. Which resources/assets are the most crucial for making the project successful?
3. What is the security threat environment where the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions should be answered before a security system can be developed that is effective, appropriate and versatile enough to be adapted to an ever-changing security environment.
Where some external security consultants fail is in spending very little time developing a comprehensive understanding of their client’s project, generally resulting in the application of costly security controls that impede the project instead of enhancing it.
Over time, a standardised approach to SRA will help enhance internal communication. It does so by enhancing the knowledge of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats come from numerous sources, both human, such as military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Formulating an effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a summary of incidents, irrespective of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats to your project, consideration must be given not just to the action or activity carried out, but also to who carried it out and, fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for that threat actor, e.g. environmental damage to agricultural land
• Intent: establishing how often the threat actor has carried out the threat activity rather than just threatened it
• Capability: are they capable of carrying out the threat activity now and/or in the future?
Security threats from non-human sources such as natural disasters, communicable disease and accidents can be assessed in a very similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: what is responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What potential does the threat actor have to do harm? e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm? e.g. the most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Most companies still prescribe annual security risk assessments, which potentially leave operations exposed when confronting dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration must be given to how events might escalate and, equally, how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the chance of a violent exchange.
This sort of analysis can help with effective threat forecasting, as opposed to a simple snapshot of the security environment at a single point in time.
The biggest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Many of us understand that terrorism can be a risk, but as a stand-alone it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local job opportunities allows us to make the threat more plausible and provides a greater number of options for its mitigation.
Once threats have been identified, vulnerability assessment is also critical, and it extends beyond simply reviewing existing security controls. It must consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur despite control measures?
As with a threat assessment, this vulnerability assessment should be ongoing to ensure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent individuals were killed, made recommendations for the: “development of any security risk management system that is certainly dynamic, fit for purpose and aimed toward action. It must be an embedded and routine section of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and […] allow both experts and management to have a common comprehension of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task, and one that needs a particular skill set and experience. According to the same report, “…in most cases security is an element of broader health, safety and environment position and another where few people in those roles have particular expertise and experience. Because of this, Statoil overall has insufficient full-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader range of security controls than has previously been considered as part of the corporate security system.