Companies operating in hostile environments, corporate security has historically been a supply of confusion and often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, but the problems arises because, should you ask three different security consultants to undertake the threat assessment tacticalsupportservice.com, it’s possible to acquire three different answers.
That lack of standardisation and continuity in SRA methodology is the primary reason behind confusion between those involved in managing security risk and budget holders.
So, just how can security professionals translate the traditional language of corporate security in a way that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to your SRA is vital to its effectiveness:
1. Just what is the project under review looking to achieve, and the way could it be trying to do it?
2. Which resources/assets are the main to make the project successful?
3. What exactly is the security threat environment when the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions should be established before a security system may be developed which is effective, appropriate and versatile enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is at spending little time developing an in depth knowledge of their client’s project – generally contributing to the use of costly security controls that impede the project as opposed to enhancing it.
After a while, a standardised strategy to SRA can help enhance internal communication. It can do so by boosting the knowledge of security professionals, who reap the benefits of lessons learned globally, and also the broader business for the reason that methodology and language mirrors that from enterprise risk. Together those factors help shift the perception of tacttical security coming from a cost center to 1 that adds value.
Security threats originate from numerous sources both human, including military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective research into the environment where you operate requires insight and enquiry, not merely the collation of a listing of incidents – regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author from the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively look at the threats for your project, consideration must be given not only to the action or activity carried out, and also who carried it all out and fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental harm to agricultural land
• Intent: Establishing the frequency of which the threat actor carried out the threat activity as opposed to just threatened it
• Capability: Will they be competent at performing the threat activity now or in the future
Security threats from non-human source such as disasters, communicable disease and accidents can be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most typical mouse in equatorial Africa, ubiquitous in human households potentially fatal
Many companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be given to how events might escalate and equally how proactive steps can de-escalate them. For instance, security forces firing over a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, for the short term no less than, de-escalate the chance of a violent exchange.
This sort of analysis can sort out effective threat forecasting, rather than a simple snap shot of the security environment at any time soon enough.
The biggest challenge facing corporate security professionals remains, the best way to sell security threat analysis internally specifically when threat perception varies individually for each person depending on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Many of us understand that terrorism can be a risk, but like a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in the credible project specific scenario however, creates context. For instance, the risk of an armed attack by local militia in reaction with an ongoing dispute about local employment opportunities, permits us to create the threat more plausible and present an increased amount of options for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. Exactly how the attractive project would be to the threats identified and, how easily they could be identified and accessed?
2. How effective are definitely the project’s existing protections up against the threats identified?
3. How well can the project react to an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment has to be ongoing to ensure that controls not only function correctly now, but remain relevant because the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria through which 40 innocent people were killed, made tips for the: “development of your security risk management system that is dynamic, fit for purpose and aimed toward action. It should be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to get a common knowledge of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is not any small task and one that requires a certain skillsets and experience. According to the same report, “…in most instances security is an element of broader health, safety and environment position and one in which very few people in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources committed to security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Furthermore, it has possibility to introduce a broader selection of security controls than has previously been considered as a part of the company home security system.