Companies operating in hostile environments, corporate security has historically been a supply of confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, although the problems arises because, should you ask three different security consultants to undertake the www.tacticalsupportservice.com threat assessment, it’s possible to acquire three different answers.
That insufficient standardisation and continuity in SRA methodology will be the primary source of confusion between those involved in managing security risk and budget holders.
So, just how can security professionals translate the standard language of corporate security in a manner that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to the SRA is critical to its effectiveness:
1. Just what is the project under review looking to achieve, and exactly how would it be seeking to achieve it?
2. Which resources/assets are the most crucial when making the project successful?
3. Just what is the security threat environment where the project operates?
4. How vulnerable will be the project’s critical resources/assets on the threats identified?
These four questions has to be established before a security system can be developed which is effective, appropriate and versatile enough to become adapted within an ever-changing security environment.
Where some external security consultants fail is at spending very little time developing an in depth knowledge of their client’s project – generally leading to the use of costly security controls that impede the project as an alternative to enhancing it.
After a while, a standardised procedure for SRA may help enhance internal communication. It can do so by increasing the comprehension of security professionals, who reap the benefits of lessons learned globally, and also the broader business as the methodology and language mirrors that of enterprise risk. Together those factors help shift the thought of tacttical security from your cost center to one that adds value.
Security threats come from a host of sources both human, for example military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective research into the environment in which you operate requires insight and enquiry, not merely the collation of a listing of incidents – no matter how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats in your project, consideration should be given not only to the action or activity conducted, but additionally who carried it out and fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for the threat actor, environmental problems for agricultural land
• Intent: Establishing how many times the threat actor conducted the threat activity rather than just threatened it
• Capability: Are they able to doing the threat activity now and/or later on
Security threats from non-human source including natural disasters, communicable disease and accidents can be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor must do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most frequent mouse in equatorial Africa, ubiquitous in human households potentially fatal
Most companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be presented to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing on the protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, for the short term at the very least, de-escalate the potential for a violent exchange.
This type of analysis can sort out effective threat forecasting, rather than a simple snap shot from the security environment at any time soon enough.
The greatest challenge facing corporate security professionals remains, the way to sell security threat analysis internally specially when threat perception varies individually for each person based upon their experience, background or personal risk appetite.
Context is vital to effective threat analysis. We all realize that terrorism is really a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk inside a credible project specific scenario however, creates context. By way of example, the risk of an armed attack by local militia in response with an ongoing dispute about local job opportunities, allows us to create the threat more plausible and offer a larger variety of alternatives for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It has to consider:
1. Exactly how the attractive project is always to the threats identified and, how easily they can be identified and accessed?
2. How effective will be the project’s existing protections versus the threats identified?
3. How good can the project react to an incident should it occur despite of control measures?
Just like a threat assessment, this vulnerability assessment should be ongoing to make certain that controls not only function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent individuals were killed, made tips for the: “development of the security risk management system that may be dynamic, fit for purpose and geared toward action. It needs to be an embedded and routine part of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tactical support service allow both experts and management to experience a common understanding of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is no small task and something that has to have a unique skillsets and experience. In line with the same report, “…in most cases security is part of broader health, safety and environment position and another where few people in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Furthermore, it has potential to introduce a broader array of security controls than has previously been considered as an element of the company burglar alarm system.