For companies operating in hostile environments, corporate security has historically been a source of confusion and is quite often outsourced to specialised consultancies at significant cost.
In itself, that’s not an inappropriate approach; however, the problem arises because, if you ask three different security consultants to execute the tactical support service, it’s entirely possible to get three different answers.
That lack of standardisation and continuity in security risk assessment (SRA) methodology is the primary source of confusion between those charged with managing security risk and budget holders.
So, how do security professionals translate the standard language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to the SRA is crucial to its effectiveness:
1. What is the project under review trying to achieve, and how is it trying to achieve it?
2. Which resources/assets are the most crucial to making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions need to be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is in spending almost no time developing a comprehensive understanding of their client’s project, which generally results in the application of costly security controls that impede the project rather than enhancing it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by improving the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats come from numerous sources, both human (including military conflict, crime and terrorism) and non-human (including natural disaster and disease epidemics). Developing an effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a long list of incidents, regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to the project, consideration must be given not only to the action or activity conducted, but also to who carried it out and, fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for the threat actor, e.g. environmental harm to agricultural land
• Intent: establishing how often the threat actor has carried out the threat activity as opposed to just threatening it
• Capability: whether they are capable of carrying out the threat activity now and/or in the future
Security threats from non-human sources, including natural disasters, communicable disease and accidents, can be assessed in a very similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa fever
• Threat Actor: what might be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm, e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Many companies still prescribe annual security risk assessments, which potentially leave their operations exposed when facing dynamic threats that require continuous monitoring.
To monitor security threats effectively, consideration needs to be given to how events might escalate and, equally, how proactive steps can de-escalate them. For instance, security forces firing on a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, for the short term at least, de-escalate the possibility of a violent exchange.
This type of analysis can help with effective threat forecasting, rather than a simple snapshot of the security environment at any point in time.
The most significant challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. We all understand that terrorism is a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible, project-specific scenario, however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local employment opportunities allows us to make the threat more plausible and offers a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It has to consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment should be ongoing to ensure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria where 40 innocent people were killed, made recommendations for the: “development of your security risk management system that may be dynamic, fit for purpose and geared toward action. It should be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and […] allow both experts and management to possess a common comprehension of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and one that needs specific skill sets and experience. According to the same report, “…in most instances security is an element of a broader health, safety and environment position and one that very few people in those roles have particular experience and expertise. Because of this, Statoil overall has insufficient full-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader range of security controls than has previously been considered as part of the corporate security system.