Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, but the problems arises because, when you ask three different security consultants to execute the threat assessment tacticalsupportservice.com, it’s possible to get three different answers.
That deficiency of standardisation and continuity in SRA methodology is the primary cause of confusion between those responsible for managing security risk and budget holders.
So, how do security professionals translate the conventional language of corporate security in a way that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to your SRA is vital to its effectiveness:
1. Just what is the project under review seeking to achieve, and exactly how would it be trying to do it?
2. Which resources/assets are the most significant in making the project successful?
3. Just what is the security threat environment wherein the project operates?
4. How vulnerable are the project’s critical resources/assets on the threats identified?
These four questions should be established before a security system can be developed which is effective, appropriate and flexible enough being adapted in an ever-changing security environment.
Where some external security consultants fail is at spending almost no time developing an in depth comprehension of their client’s project – generally resulting in the effective use of costly security controls that impede the project rather than enhancing it.
Over time, a standardised method of SRA will help enhance internal communication. It does so by boosting the understanding of security professionals, who reap the benefits of lessons learned globally, and the broader business for the reason that methodology and language mirrors that from enterprise risk. Together those factors help shift the thought of tacttical security from the cost center to just one that adds value.
Security threats come from a myriad of sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective analysis of the environment that you operate requires insight and enquiry, not merely the collation of a summary of incidents – irrespective of how accurate or well researched those could be.
Renowned political scientist Louise Richardson, author in the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively evaluate the threats for your project, consideration has to be given not only to the action or activity completed, but in addition who carried it and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for the threat actor, environmental problems for agricultural land
• Intent: Establishing the frequency of which the threat actor conducted the threat activity as opposed to just threatened it
• Capability: Will they be effective at undertaking the threat activity now or in the foreseeable future
Security threats from non-human source for example natural disasters, communicable disease and accidents may be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed while confronting dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be presented to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, for the short term a minimum of, de-escalate the possibility of a violent exchange.
This sort of analysis can help with effective threat forecasting, rather than a simple snap shot in the security environment at any time soon enough.
The greatest challenge facing corporate security professionals remains, the way to sell security threat analysis internally specifically when threat perception varies for every person according to their experience, background or personal risk appetite.
Context is essential to effective threat analysis. All of us realize that terrorism is a risk, but like a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For instance, the potential risk of an armed attack by local militia in response for an ongoing dispute about local employment opportunities, permits us to make the threat more plausible and give an increased quantity of options for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. Exactly how the attractive project would be to the threats identified and, how easily they are often identified and accessed?
2. How effective are definitely the project’s existing protections versus the threats identified?
3. How good can the project respond to an incident should it occur despite of control measures?
Such as a threat assessment, this vulnerability assessment must be ongoing to make certain that controls not simply function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent individuals were killed, made recommendations for the: “development of a security risk management system that is certainly dynamic, fit for purpose and aimed toward action. It ought to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to experience a common comprehension of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task then one that needs a particular skillsets and experience. In accordance with the same report, “…in most instances security is part of broader health, safety and environment position then one for which few people in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. Additionally, it has possibility to introduce a broader variety of security controls than has previously been considered as a part of the company home security system.