Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and sometimes outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, although the problems arises because, if you ask three different security consultants to handle the www.tacticalsupportservice.com, it’s entirely possible to receive three different answers.
That absence of standardisation and continuity in SRA methodology is the primary cause of confusion between those charged with managing security risk and budget holders.
So, how could security professionals translate the regular language of corporate security in a manner that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to your SRA is crucial to its effectiveness:
1. Exactly what is the project under review attempting to achieve, and exactly how is it trying to achieve it?
2. Which resources/assets are the most important for making the project successful?
3. Exactly what is the security threat environment when the project operates?
4. How vulnerable are definitely the project’s critical resources/assets for the threats identified?
These four questions needs to be established before a security system could be developed that may be effective, appropriate and versatile enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is at spending very little time developing an in depth idea of their client’s project – generally causing the effective use of costly security controls that impede the project as an alternative to enhancing it.
Over time, a standardised procedure for SRA will assist enhance internal communication. It will so by improving the knowledge of security professionals, who reap the benefits of lessons learned globally, along with the broader business since the methodology and language mirrors that from enterprise risk. Together those factors help shift the thought of tacttical security coming from a cost center to one that adds value.
Security threats originate from numerous sources both human, for example military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To formulate effective research into the environment that you operate requires insight and enquiry, not simply the collation of a listing of incidents – no matter how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively look at the threats to your project, consideration should be given not just in the action or activity conducted, but in addition who carried it all out and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental injury to agricultural land
• Intent: Establishing how often the threat actor completed the threat activity as opposed to just threatened it
• Capability: Is it able to performing the threat activity now and in the future
Security threats from non-human source such as natural disasters, communicable disease and accidents could be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What might be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat need to do harm e.g. most typical mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be provided to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing on the protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the potential for a violent exchange.
This particular analysis can sort out effective threat forecasting, as opposed to a simple snap shot from the security environment at any time over time.
The most significant challenge facing corporate security professionals remains, the best way to sell security threat analysis internally specifically when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. All of us realize that terrorism is really a risk, but like a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For instance, the potential risk of an armed attack by local militia in reaction to a ongoing dispute about local employment opportunities, permits us to have the threat more plausible and provide a greater amount of selections for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It must consider:
1. How the attractive project would be to the threats identified and, how easily they can be identified and accessed?
2. How effective are the project’s existing protections from the threats identified?
3. How good can the project reply to an incident should it occur in spite of control measures?
Just like a threat assessment, this vulnerability assessment should be ongoing to make certain that controls not just function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria where 40 innocent everyone was killed, made tips for the: “development of a security risk management system that may be dynamic, fit for purpose and aimed toward action. It ought to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to experience a common comprehension of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and another that requires a particular skillsets and experience. In accordance with the same report, “…in many cases security is an element of broader health, safety and environment position then one for which not many people in those roles have particular expertise and experience. Because of this, Statoil overall has insufficient ful-time specialist resources committed to security.”
Anchoring corporate security in effective and ongoing security risk analysis not just facilitates timely and effective decision-making. Additionally, it has possible ways to introduce a broader range of security controls than has previously been considered as a part of the corporate alarm system.