Companies operating in hostile environments, corporate security has historically been a way to obtain confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s no inappropriate approach, although the problems arises because, in the event you ask three different security consultants to execute the threat assessment tacticalsupportservice.com, it’s possible to obtain three different answers.
That insufficient standardisation and continuity in SRA methodology is the primary reason behind confusion between those responsible for managing security risk and budget holders.
So, how could security professionals translate the standard language of corporate security in ways that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to your SRA is critical to the effectiveness:
1. Exactly what is the project under review seeking to achieve, and exactly how would it be seeking to achieve it?
2. Which resources/assets are the most crucial in making the project successful?
3. Exactly what is the security threat environment wherein the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions must be established before a security system might be developed that is effective, appropriate and versatile enough being adapted inside an ever-changing security environment.
Where some external security consultants fail is within spending little time developing a comprehensive idea of their client’s project – generally causing the use of costly security controls that impede the project rather than enhancing it.
With time, a standardised strategy to SRA will help enhance internal communication. It can so by enhancing the comprehension of security professionals, who benefit from lessons learned globally, along with the broader business since the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the perception of tacttical security coming from a cost center to just one that adds value.
Security threats originate from a host of sources both human, for example military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To produce effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a listing of incidents – irrespective of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats for your project, consideration should be given not only to the action or activity conducted, but additionally who carried it and fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for the threat actor, environmental injury to agricultural land
• Intent: Establishing the frequency of which the threat actor performed the threat activity rather than just threatened it
• Capability: Is it able to undertaking the threat activity now and later on
Security threats from non-human source like disasters, communicable disease and accidents might be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor need to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most frequent mouse in equatorial Africa, ubiquitous in human households potentially fatal
Some companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration has to be given to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing over a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term no less than, de-escalate the potential for a violent exchange.
This sort of analysis can deal with effective threat forecasting, instead of a simple snap shot in the security environment at any point over time.
The biggest challenge facing corporate security professionals remains, how you can sell security threat analysis internally specifically when threat perception varies for every person depending on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. Many of us understand that terrorism is actually a risk, but as being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. For example, the danger of an armed attack by local militia in response with an ongoing dispute about local job opportunities, allows us to create the threat more plausible and give a better amount of choices for its mitigation.
Having identified threats, vulnerability assessment is additionally critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. Just how the attractive project is to the threats identified and, how easily they can be identified and accessed?
2. How effective are the project’s existing protections versus the threats identified?
3. How well can the project reply to an incident should it occur in spite of control measures?
Such as a threat assessment, this vulnerability assessment should be ongoing to make sure that controls not merely function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent everyone was killed, made strategies for the: “development of any security risk management system which is dynamic, fit for purpose and aimed toward action. It needs to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tacticalsupportservice.com allow both experts and management to have a common knowledge of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and one that really needs a particular skillsets and experience. Based on the same report, “…in many instances security is an element of broader health, safety and environment position and another that not many people in those roles have particular experience and expertise. As a result, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not merely facilitates timely and effective decision-making. Additionally, it has possibility to introduce a broader variety of security controls than has previously been considered as part of the corporate burglar alarm system.