Companies operating in hostile environments, corporate security has historically been a source of confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, although the problems arises because, in the event you ask three different security consultants to handle the tacticalsupportservice.com, it’s entirely possible to receive three different answers.
That absence of standardisation and continuity in SRA methodology will be the primary source of confusion between those charged with managing security risk and budget holders.
So, how do security professionals translate the standard language of corporate security in a fashion that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to any SRA is crucial to the effectiveness:
1. Exactly what is the project under review trying to achieve, and how would it be looking to achieve it?
2. Which resources/assets are the most crucial for making the project successful?
3. Just what is the security threat environment where the project operates?
4. How vulnerable are definitely the project’s critical resources/assets on the threats identified?
These four questions has to be established before a security system could be developed which is effective, appropriate and flexible enough being adapted inside an ever-changing security environment.
Where some external security consultants fail is at spending very little time developing a detailed knowledge of their client’s project – generally contributing to the application of costly security controls that impede the project as an alternative to enhancing it.
With time, a standardised method of SRA will assist enhance internal communication. It can do so by improving the knowledge of security professionals, who make use of lessons learned globally, as well as the broader business because the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the thought of tacttical security coming from a cost center to just one that adds value.
Security threats come from a host of sources both human, including military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective research into the environment where you operate requires insight and enquiry, not merely the collation of a list of incidents – irrespective of how accurate or well researched those can be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats for your project, consideration needs to be given not just in the action or activity carried out, but in addition who carried it all out and fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation to the threat actor, environmental injury to agricultural land
• Intent: Establishing how frequently the threat actor carried out the threat activity rather than just threatened it
• Capability: Are they competent at performing the threat activity now and later on
Security threats from non-human source for example disasters, communicable disease and accidents can be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor should do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
Most companies still prescribe annual security risk assessments which potentially leave your operations exposed while confronting dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be provided to how events might escalate and equally how proactive steps can de-escalate them. For instance, security forces firing on a protest march may escalate the possibility of a violent response from protestors, while effective communication with protest leaders may, for the short term no less than, de-escalate the potential of a violent exchange.
This type of analysis can deal with effective threat forecasting, rather than a simple snap shot of the security environment at any point in time.
The biggest challenge facing corporate security professionals remains, how you can sell security threat analysis internally specifically when threat perception varies individually for each person based upon their experience, background or personal risk appetite.
Context is critical to effective threat analysis. We all recognize that terrorism is a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk inside a credible project specific scenario however, creates context. For instance, the danger of an armed attack by local militia in response to an ongoing dispute about local job opportunities, permits us to make your threat more plausible and offer a greater number of selections for its mitigation.
Having identified threats, vulnerability assessment is likewise critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. How the attractive project is usually to the threats identified and, how easily they may be identified and accessed?
2. How effective will be the project’s existing protections against the threats identified?
3. How good can the project answer an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment needs to be ongoing to make certain that controls not simply function correctly now, but remain relevant because the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent individuals were killed, made tips for the: “development of the security risk management system that may be dynamic, fit for purpose and aimed toward action. It should be an embedded and routine section of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to experience a common idea of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is not any small task and another that really needs a unique skillsets and experience. In accordance with the same report, “…in many instances security is a component of broader health, safety and environment position and another in which few individuals in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources dedicated to security.”
Anchoring corporate security in effective and ongoing security risk analysis not merely facilitates timely and effective decision-making. In addition, it has potential to introduce a broader variety of security controls than has previously been considered as part of the business security system.