For companies operating in hostile environments, corporate security has historically been a source of confusion and is sometimes outsourced to specialised consultancies at significant cost.
In itself, that is not an inappropriate approach. The problem arises because, should you ask three different security consultants to undertake the threat assessment, it's entirely possible to receive three different answers.
That lack of standardisation and continuity in security risk assessment (SRA) methodology is the primary reason for confusion between those charged with managing security risk and budget holders.
So, how do security professionals translate the regular language of corporate security in a way that both enhances understanding and justifies inexpensive and appropriate security controls?
Applying a four-step methodology to your SRA is essential to its effectiveness:
1. What exactly is the project under review seeking to achieve, and how exactly is it attempting to achieve it?
2. Which resources/assets are the most crucial to making the project successful?
3. What exactly is the security threat environment in which the project operates?
4. How vulnerable are the project's critical resources/assets to the threats identified?
These four questions need to be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is in spending little time developing a detailed comprehension of their client’s project – generally leading to the application of costly security controls that impede the project rather than enhancing it.
Over time, a standardised procedure for SRA can help enhance internal communication. It does so by increasing the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, as the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost centre to one that adds value.
Security threats originate from a myriad of sources, both human, such as military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Developing effective analysis of the environment in which you operate requires insight and enquiry, not merely the collation of a list of incidents, regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to your project, consideration has to be given not only to the action or activity performed, but also to who carried it out and, fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for that threat actor, e.g. environmental damage to agricultural land
• Intent: establishing how often the threat actor carried out the threat activity as opposed to just threatening it
• Capability: are they capable of performing the threat activity now or in the future?
Security threats from non-human sources, including disasters, communicable disease and accidents, may be assessed in a very similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: what could be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm, e.g. most typical mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Many companies still prescribe annual security risk assessments, which potentially leave their operations exposed when facing dynamic threats that require continuous monitoring.
To monitor security threats effectively, consideration needs to be given to how events might escalate and, equally, how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the potential for a violent exchange.
This type of analysis can help with effective threat forecasting, as opposed to a simple snapshot of the security environment at any point in time.
The greatest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. We all understand that terrorism is a risk, but as a stand-alone it is too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local job opportunities allows us to make the threat more plausible and offers a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It must consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project's existing protections against the threats identified?
3. How well can the project respond to an incident should it occur despite control measures?
Like a threat assessment, this vulnerability assessment has to be ongoing to make certain that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil's "The In Amenas Attack" report, which followed the January 2013 attack in Algeria where 40 innocent people were killed, made recommendations for the: "development of a security risk management system that may be dynamic, fit for purpose and aimed toward action. It must be an embedded and routine part of the company's regular core business, project planning, and Statoil's decision process for investment projects. A standardized, open and […] allow both experts and management to experience a common comprehension of risk, threats and scenarios and evaluations of the."
But maintaining this essential process is no small task, and one that requires particular skill sets and experience. According to the same report, "…in most cases security is an element of broader health, safety and environment position and one that not many people in those roles have particular expertise and experience. Because of this, Statoil overall has insufficient full-time specialist resources dedicated to security."
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making; it also has the potential to introduce a broader range of security controls than has previously been considered as part of the corporate security system.