Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, however the problems arises because, in the event you ask three different security consultants to undertake the tactical support service threat assessment, it’s possible to obtain three different answers.
That absence of standardisation and continuity in SRA methodology may be the primary cause of confusion between those arrested for managing security risk and budget holders.
So, how can security professionals translate the regular language of corporate security in ways that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to any SRA is crucial to the effectiveness:
1. Just what is the project under review attempting to achieve, and exactly how is it trying to do it?
2. Which resources/assets are the most crucial in making the project successful?
3. Exactly what is the security threat environment in which the project operates?
4. How vulnerable are definitely the project’s critical resources/assets to the threats identified?
These four questions needs to be established before a security system may be developed which is effective, appropriate and flexible enough being adapted in an ever-changing security environment.
Where some external security consultants fail is spending very little time developing a comprehensive understanding of their client’s project – generally causing the effective use of costly security controls that impede the project instead of enhancing it.
With time, a standardised approach to SRA will help enhance internal communication. It can do so by boosting the idea of security professionals, who take advantage of lessons learned globally, as well as the broader business for the reason that methodology and language mirrors those of enterprise risk. Together those factors help shift the perception of tacttical security from a cost center to a single that adds value.
Security threats come from a number of sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To formulate effective analysis of the environment that you operate requires insight and enquiry, not simply the collation of a long list of incidents – regardless how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to your project, consideration should be given not just in the action or activity completed, and also who carried it all out and fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for the threat actor, environmental injury to agricultural land
• Intent: Establishing how often the threat actor conducted the threat activity rather than just threatened it
• Capability: Could they be capable of performing the threat activity now and later on
Security threats from non-human source including natural disasters, communicable disease and accidents can be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat need to do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
A lot of companies still prescribe annual security risk assessments which potentially leave your operations exposed when confronted with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration must be made available to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing with a protest march may escalate the possibility of a violent response from protestors, while effective communication with protest leaders may, in the short term at the very least, de-escalate the chance of a violent exchange.
This type of analysis can help with effective threat forecasting, rather than a simple snap shot of the security environment at any point with time.
The most significant challenge facing corporate security professionals remains, how you can sell security threat analysis internally particularly when threat perception varies individually for each person depending on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. All of us realize that terrorism is a risk, but as being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk inside a credible project specific scenario however, creates context. As an example, the chance of an armed attack by local militia responding with an ongoing dispute about local job opportunities, allows us to make your threat more plausible and give a larger amount of selections for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It should consider:
1. The way the attractive project would be to the threats identified and, how easily they are often identified and accessed?
2. How effective are the project’s existing protections from the threats identified?
3. How good can the project respond to an incident should it occur despite of control measures?
Just like a threat assessment, this vulnerability assessment needs to be ongoing to make sure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent individuals were killed, made tips for the: “development of the security risk management system that may be dynamic, fit for purpose and geared toward action. It must be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to possess a common idea of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is not any small task then one that has to have a certain skillsets and experience. Based on the same report, “…in many instances security is part of broader health, safety and environment position and another where very few people in those roles have particular experience and expertise. As a result, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. Furthermore, it has potential to introduce a broader selection of security controls than has previously been considered as a part of the corporate alarm system.