Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, but the problems arises because, when you ask three different security consultants to execute the tactical support service, it’s entirely possible to acquire three different answers.
That lack of standardisation and continuity in SRA methodology may be the primary cause of confusion between those involved in managing security risk and budget holders.
So, how can security professionals translate the traditional language of corporate security in a fashion that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to your SRA is vital to its effectiveness:
1. Just what is the project under review attempting to achieve, and exactly how would it be attempting to achieve it?
2. Which resources/assets are the most important when making the project successful?
3. What is the security threat environment wherein the project operates?
4. How vulnerable are the project’s critical resources/assets towards the threats identified?
These four questions should be established before a security alarm system can be developed which is effective, appropriate and flexible enough being adapted inside an ever-changing security environment.
Where some external security consultants fail is within spending almost no time developing a detailed knowledge of their client’s project – generally leading to the effective use of costly security controls that impede the project as opposed to enhancing it.
Over time, a standardised method of SRA may help enhance internal communication. It does so by boosting the knowledge of security professionals, who reap the benefits of lessons learned globally, as well as the broader business since the methodology and language mirrors that from enterprise risk. Together those factors help shift the thought of tacttical security from the cost center to just one that adds value.
Security threats come from a host of sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective research into the environment where you operate requires insight and enquiry, not simply the collation of a list of incidents – no matter how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats to your project, consideration must be given not only to the action or activity completed, and also who carried it and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental damage to agricultural land
• Intent: Establishing the frequency of which the threat actor conducted the threat activity as opposed to just threatened it
• Capability: Could they be able to doing the threat activity now or in the future
Security threats from non-human source like natural disasters, communicable disease and accidents might be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What might be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
Most companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration should be made available to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing over a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, for the short term at the very least, de-escalate the chance of a violent exchange.
This particular analysis can help with effective threat forecasting, instead of a simple snap shot of the security environment at any point over time.
The biggest challenge facing corporate security professionals remains, the way to sell security threat analysis internally especially when threat perception varies from person to person depending on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. All of us understand that terrorism is really a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk inside a credible project specific scenario however, creates context. As an example, the potential risk of an armed attack by local militia in response with an ongoing dispute about local employment opportunities, allows us to have the threat more plausible and give an increased number of selections for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It should consider:
1. Just how the attractive project would be to the threats identified and, how easily they are often identified and accessed?
2. How effective are the project’s existing protections from the threats identified?
3. How well can the project react to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment must be ongoing to make certain that controls not only function correctly now, but remain relevant since the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria where 40 innocent people were killed, made ideas for the: “development of any security risk management system which is dynamic, fit for purpose and aimed toward action. It should be an embedded and routine section of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com executive protection allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of the.”
But maintaining this essential process is not any small task and one that has to have a certain skillsets and experience. According to the same report, “…in many instances security is an element of broader health, safety and environment position then one where few individuals in those roles have particular expertise and experience. As a result, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has possible ways to introduce a broader variety of security controls than has previously been considered as a part of the business security system.