Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, but the problems arises because, when you ask three different security consultants to undertake the tactical support service, it’s possible to receive three different answers.
That deficiency of standardisation and continuity in SRA methodology will be the primary cause of confusion between those charged with managing security risk and budget holders.
So, just how can security professionals translate the regular language of corporate security in ways that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to your SRA is crucial to the effectiveness:
1. What is the project under review attempting to achieve, and the way would it be trying to achieve it?
2. Which resources/assets are the main to make the project successful?
3. Exactly what is the security threat environment wherein the project operates?
4. How vulnerable are the project’s critical resources/assets for the threats identified?
These four questions has to be established before a security system could be developed that is certainly effective, appropriate and flexible enough being adapted within an ever-changing security environment.
Where some external security consultants fail is in spending almost no time developing an in depth knowledge of their client’s project – generally contributing to the use of costly security controls that impede the project instead of enhancing it.
As time passes, a standardised approach to SRA will help enhance internal communication. It does so by increasing the understanding of security professionals, who reap the benefits of lessons learned globally, along with the broader business because the methodology and language mirrors that from enterprise risk. Together those factors help shift the perception of tacttical security from your cost center to 1 that adds value.
Security threats originate from numerous sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective analysis of the environment where you operate requires insight and enquiry, not merely the collation of a long list of incidents – irrespective of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author from the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively look at the threats to your project, consideration must be given not only to the action or activity conducted, and also who carried it and fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for the threat actor, environmental harm to agricultural land
• Intent: Establishing the frequency of which the threat actor carried out the threat activity rather than just threatened it
• Capability: Could they be effective at performing the threat activity now and/or in the future
Security threats from non-human source like disasters, communicable disease and accidents may be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What might be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor should do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
A lot of companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be presented to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing on the protest march may escalate the possibility of a violent response from protestors, while effective communication with protest leaders may, for the short term no less than, de-escalate the chance of a violent exchange.
This particular analysis can help with effective threat forecasting, instead of a simple snap shot of the security environment at any time in time.
The biggest challenge facing corporate security professionals remains, the way to sell security threat analysis internally specially when threat perception varies from person to person according to their experience, background or personal risk appetite.
Context is vital to effective threat analysis. We all recognize that terrorism is really a risk, but as being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. As an example, the potential risk of an armed attack by local militia responding for an ongoing dispute about local job opportunities, allows us to make your threat more plausible and offer a better quantity of selections for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It must consider:
1. Just how the attractive project would be to the threats identified and, how easily they may be identified and accessed?
2. How effective will be the project’s existing protections from the threats identified?
3. How good can the project respond to an incident should it occur in spite of control measures?
Similar to a threat assessment, this vulnerability assessment should be ongoing to ensure controls not just function correctly now, but remain relevant since the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent people were killed, made recommendations for the: “development of the security risk management system that is certainly dynamic, fit for purpose and aimed toward action. It needs to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com allow both experts and management to experience a common understanding of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is not any small task and something that needs a particular skillsets and experience. Based on the same report, “…in many cases security is an element of broader health, safety and environment position and another for which very few people in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has possible ways to introduce a broader array of security controls than has previously been considered as an element of the business alarm system.