Companies operating in hostile environments, corporate security has historically been a method to obtain confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, although the problems arises because, in the event you ask three different security consultants to handle the www.tacticalsupportservice.com, it’s entirely possible to get three different answers.
That deficiency of standardisation and continuity in SRA methodology may be the primary reason behind confusion between those responsible for managing security risk and budget holders.
So, just how can security professionals translate the standard language of corporate security in a fashion that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to the SRA is essential to the effectiveness:
1. What is the project under review trying to achieve, and the way could it be trying to achieve it?
2. Which resources/assets are the most important for making the project successful?
3. What is the security threat environment where the project operates?
4. How vulnerable are definitely the project’s critical resources/assets for the threats identified?
These four questions should be established before a security alarm system may be developed that is effective, appropriate and flexible enough to be adapted within an ever-changing security environment.
Where some external security consultants fail is within spending little time developing an in depth understanding of their client’s project – generally causing the use of costly security controls that impede the project rather than enhancing it.
Over time, a standardised procedure for SRA will help enhance internal communication. It can so by boosting the understanding of security professionals, who reap the benefits of lessons learned globally, and also the broader business since the methodology and language mirrors that from enterprise risk. Together those factors help shift the thought of tacttical security coming from a cost center to one that adds value.
Security threats come from a host of sources both human, including military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective analysis of the environment where you operate requires insight and enquiry, not simply the collation of a summary of incidents – regardless how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats for your project, consideration needs to be given not only to the action or activity conducted, but additionally who carried it and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental injury to agricultural land
• Intent: Establishing how many times the threat actor carried out the threat activity as opposed to just threatened it
• Capability: Could they be effective at performing the threat activity now and/or down the road
Security threats from non-human source for example natural disasters, communicable disease and accidents could be assessed within a similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could possibly be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor must do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm e.g. most typical mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed facing dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be given to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing on the protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, for the short term at the very least, de-escalate the chance of a violent exchange.
This type of analysis can help with effective threat forecasting, instead of a simple snap shot from the security environment at any time in time.
The greatest challenge facing corporate security professionals remains, the best way to sell security threat analysis internally specifically when threat perception varies from person to person depending on their experience, background or personal risk appetite.
Context is essential to effective threat analysis. Most of us know that terrorism can be a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. As an example, the danger of an armed attack by local militia responding to a ongoing dispute about local job opportunities, permits us to make the threat more plausible and give a greater quantity of alternatives for its mitigation.
Having identified threats, vulnerability assessment is likewise critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. How the attractive project is usually to the threats identified and, how easily they can be identified and accessed?
2. How effective are definitely the project’s existing protections against the threats identified?
3. How good can the project answer an incident should it occur in spite of control measures?
Such as a threat assessment, this vulnerability assessment must be ongoing to make certain that controls not merely function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria where 40 innocent individuals were killed, made strategies for the: “development of the security risk management system that may be dynamic, fit for purpose and geared toward action. It should be an embedded and routine section of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to have a common idea of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task and another that requires a certain skillsets and experience. Based on the same report, “…in many instances security is an element of broader health, safety and environment position and something for which not many people in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Furthermore, it has potential to introduce a broader range of security controls than has previously been considered as part of the business home security system.