Companies operating in hostile environments, corporate security has historically been a way to obtain confusion and often outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, but the problems arises because, if you ask three different security consultants to undertake the tacticalsupportservice.com, it’s possible to get three different answers.
That deficiency of standardisation and continuity in SRA methodology is the primary reason for confusion between those responsible for managing security risk and budget holders.
So, how do security professionals translate the conventional language of corporate security in ways that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to your SRA is vital to its effectiveness:
1. What is the project under review trying to achieve, and how would it be attempting to achieve it?
2. Which resources/assets are the main for making the project successful?
3. Exactly what is the security threat environment where the project operates?
4. How vulnerable would be the project’s critical resources/assets towards the threats identified?
These four questions must be established before a security system may be developed which is effective, appropriate and versatile enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is in spending almost no time developing an in depth knowledge of their client’s project – generally leading to the application of costly security controls that impede the project instead of enhancing it.
Over time, a standardised procedure for SRA will help enhance internal communication. It can do so by enhancing the understanding of security professionals, who benefit from lessons learned globally, as well as the broader business because the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the thought of tacttical security from your cost center to just one that adds value.
Security threats originate from a number of sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective analysis of the environment where you operate requires insight and enquiry, not simply the collation of a long list of incidents – regardless of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats for your project, consideration must be given not just in the action or activity completed, but additionally who carried it all out and fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental problems for agricultural land
• Intent: Establishing how many times the threat actor completed the threat activity rather than just threatened it
• Capability: Is it effective at carrying out the threat activity now or in the foreseeable future
Security threats from non-human source for example natural disasters, communicable disease and accidents can be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor should do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most typical mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed while confronting dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be provided to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing with a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, for the short term at the very least, de-escalate the potential for a violent exchange.
This type of analysis can deal with effective threat forecasting, as opposed to a simple snap shot from the security environment at any time soon enough.
The most significant challenge facing corporate security professionals remains, the best way to sell security threat analysis internally specially when threat perception varies individually for each person based upon their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Most of us recognize that terrorism is a risk, but as being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. By way of example, the potential risk of an armed attack by local militia in reaction to an ongoing dispute about local employment opportunities, permits us to have the threat more plausible and give a better quantity of alternatives for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It must consider:
1. Exactly how the attractive project would be to the threats identified and, how easily they are often identified and accessed?
2. How effective will be the project’s existing protections versus the threats identified?
3. How well can the project reply to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment needs to be ongoing to ensure controls not merely function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria where 40 innocent people were killed, made tips for the: “development of a security risk management system that may be dynamic, fit for purpose and geared toward action. It needs to be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is not any small task and another that has to have a specific skillsets and experience. Based on the same report, “…in most cases security is an element of broader health, safety and environment position and something that few people in those roles have particular experience and expertise. As a result, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not merely facilitates timely and effective decision-making. It also has possibility to introduce a broader array of security controls than has previously been considered as an element of the corporate home security system.