Companies operating in hostile environments, corporate security has historically been a source of confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, although the problems arises because, if you ask three different security consultants to undertake the www.tacticalsupportservice.com, it’s possible to acquire three different answers.
That absence of standardisation and continuity in SRA methodology may be the primary reason behind confusion between those involved in managing security risk and budget holders.
So, how could security professionals translate the conventional language of corporate security in a way that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology for any SRA is essential to the effectiveness:
1. What is the project under review trying to achieve, and exactly how could it be trying to achieve it?
2. Which resources/assets are the main to make the project successful?
3. What exactly is the security threat environment wherein the project operates?
4. How vulnerable are definitely the project’s critical resources/assets for the threats identified?
These four questions has to be established before a security system could be developed which is effective, appropriate and flexible enough to get adapted within an ever-changing security environment.
Where some external security consultants fail is in spending bit of time developing an in depth idea of their client’s project – generally contributing to the effective use of costly security controls that impede the project rather than enhancing it.
Over time, a standardised approach to SRA may help enhance internal communication. It can so by increasing the idea of security professionals, who make use of lessons learned globally, as well as the broader business because the methodology and language mirrors that from enterprise risk. Together those factors help shift the thought of tacttical security from a cost center to a single that adds value.
Security threats originate from a myriad of sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective analysis of the environment for which you operate requires insight and enquiry, not simply the collation of a long list of incidents – regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats for your project, consideration must be given not just to the action or activity performed, but also who carried it all out and fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental harm to agricultural land
• Intent: Establishing how often the threat actor carried out the threat activity rather than just threatened it
• Capability: Are they competent at performing the threat activity now and later on
Security threats from non-human source including disasters, communicable disease and accidents might be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could possibly be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor must do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most frequent mouse in equatorial Africa, ubiquitous in human households potentially fatal
A lot of companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be provided to how events might escalate and equally how proactive steps can de-escalate them. By way of example, security forces firing over a protest march may escalate the possibility of a violent response from protestors, while effective communication with protest leaders may, in the short term no less than, de-escalate the potential for a violent exchange.
This sort of analysis can deal with effective threat forecasting, rather than a simple snap shot of your security environment at any point in time.
The biggest challenge facing corporate security professionals remains, how you can sell security threat analysis internally particularly when threat perception varies individually for each person depending on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. We all realize that terrorism is actually a risk, but like a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in the credible project specific scenario however, creates context. For instance, the danger of an armed attack by local militia responding to an ongoing dispute about local employment opportunities, allows us to make the threat more plausible and give a larger amount of selections for its mitigation.
Having identified threats, vulnerability assessment is likewise critical and extends beyond simply reviewing existing security controls. It should consider:
1. How the attractive project is always to the threats identified and, how easily they may be identified and accessed?
2. How effective are the project’s existing protections up against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
Such as a threat assessment, this vulnerability assessment needs to be ongoing to make sure that controls not just function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria by which 40 innocent everyone was killed, made strategies for the: “development of any security risk management system that is certainly dynamic, fit for purpose and geared toward action. It needs to be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com allow both experts and management to get a common idea of risk, threats and scenarios and evaluations of the.”
But maintaining this essential process is not any small task and another that requires a particular skillsets and experience. In accordance with the same report, “…in most cases security is a component of broader health, safety and environment position then one that few people in those roles have particular expertise and experience. As a consequence, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Furthermore, it has potential to introduce a broader array of security controls than has previously been considered as a part of the business home security system.