Companies operating in hostile environments, corporate security has historically been a source of confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, nevertheless the problems arises because, if you ask three different security consultants to handle the tactical support service, it’s possible to obtain three different answers.
That deficiency of standardisation and continuity in SRA methodology may be the primary reason for confusion between those charged with managing security risk and budget holders.
So, how can security professionals translate the regular language of corporate security in a way that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology for any SRA is critical to the effectiveness:
1. Just what is the project under review seeking to achieve, and the way would it be trying to achieve it?
2. Which resources/assets are the most significant to make the project successful?
3. Exactly what is the security threat environment where the project operates?
4. How vulnerable will be the project’s critical resources/assets towards the threats identified?
These four questions should be established before a security system could be developed that is effective, appropriate and versatile enough being adapted in a ever-changing security environment.
Where some external security consultants fail is within spending very little time developing a comprehensive comprehension of their client’s project – generally causing the effective use of costly security controls that impede the project rather than enhancing it.
After a while, a standardised strategy to SRA may help enhance internal communication. It does so by boosting the comprehension of security professionals, who reap the benefits of lessons learned globally, and also the broader business since the methodology and language mirrors that from enterprise risk. Together those factors help shift the thought of tacttical security from a cost center to 1 that adds value.
Security threats originate from a number of sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective research into the environment where you operate requires insight and enquiry, not merely the collation of a long list of incidents – no matter how accurate or well researched those can be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats for your project, consideration must be given not just in the action or activity carried out, but also who carried it out and fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation to the threat actor, environmental problems for agricultural land
• Intent: Establishing how often the threat actor completed the threat activity rather than just threatened it
• Capability: Is it capable of doing the threat activity now or in the foreseeable future
Security threats from non-human source for example natural disasters, communicable disease and accidents might be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
A lot of companies still prescribe annual security risk assessments which potentially leave your operations exposed while confronting dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration must be given to how events might escalate and equally how proactive steps can de-escalate them. For instance, security forces firing with a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, for the short term no less than, de-escalate the possibility of a violent exchange.
This particular analysis can help with effective threat forecasting, rather than a simple snap shot of your security environment at any time with time.
The greatest challenge facing corporate security professionals remains, how you can sell security threat analysis internally specially when threat perception varies for every person based on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. Most of us know that terrorism is really a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in the credible project specific scenario however, creates context. As an example, the danger of an armed attack by local militia responding to a ongoing dispute about local employment opportunities, allows us to make the threat more plausible and provide a better amount of selections for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. Just how the attractive project is to the threats identified and, how easily they are often identified and accessed?
2. How effective would be the project’s existing protections against the threats identified?
3. How good can the project respond to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment should be ongoing to ensure that controls not just function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent people were killed, made tips for the: “development of a security risk management system that is dynamic, fit for purpose and geared toward action. It should be an embedded and routine section of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to experience a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task then one that really needs a specific skillsets and experience. In accordance with the same report, “…in most instances security is a component of broader health, safety and environment position and something for which very few people in those roles have particular expertise and experience. As a consequence, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. In addition, it has possible ways to introduce a broader variety of security controls than has previously been considered as an element of the corporate home security system.