Companies operating in hostile environments, corporate security has historically been a supply of confusion and quite often outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, although the problems arises because, if you ask three different security consultants to execute the tacticalsupportservice.com, it’s possible to obtain three different answers.
That insufficient standardisation and continuity in SRA methodology may be the primary reason behind confusion between those responsible for managing security risk and budget holders.
So, how do security professionals translate the traditional language of corporate security in a manner that both enhances understanding, and justify inexpensive and appropriate security controls?
Applying a four step methodology to your SRA is vital to the effectiveness:
1. Exactly what is the project under review trying to achieve, and exactly how would it be attempting to achieve it?
2. Which resources/assets are the main for making the project successful?
3. What is the security threat environment where the project operates?
4. How vulnerable would be the project’s critical resources/assets on the threats identified?
These four questions has to be established before a security alarm system can be developed that is certainly effective, appropriate and versatile enough to be adapted within an ever-changing security environment.
Where some external security consultants fail is at spending bit of time developing an in depth understanding of their client’s project – generally contributing to the application of costly security controls that impede the project rather than enhancing it.
With time, a standardised strategy to SRA will help enhance internal communication. It does so by enhancing the comprehension of security professionals, who take advantage of lessons learned globally, and the broader business since the methodology and language mirrors that relating to enterprise risk. Together those factors help shift the perception of tacttical security from a cost center to one that adds value.
Security threats originate from a number of sources both human, like military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective analysis of the environment that you operate requires insight and enquiry, not simply the collation of a long list of incidents – regardless of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively look at the threats to the project, consideration needs to be given not only to the action or activity conducted, but additionally who carried it out and fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation to the threat actor, environmental injury to agricultural land
• Intent: Establishing how frequently the threat actor performed the threat activity rather than just threatened it
• Capability: Is it able to undertaking the threat activity now or down the road
Security threats from non-human source for example disasters, communicable disease and accidents might be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What could possibly be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat should do harm e.g. most typical mouse in equatorial Africa, ubiquitous in human households potentially fatal
Most companies still prescribe annual security risk assessments which potentially leave your operations exposed when confronted with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration should be given to how events might escalate and equally how proactive steps can de-escalate them. For instance, security forces firing over a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, for the short term no less than, de-escalate the possibility of a violent exchange.
This particular analysis can help with effective threat forecasting, as opposed to a simple snap shot of your security environment at any time soon enough.
The biggest challenge facing corporate security professionals remains, the way to sell security threat analysis internally specifically when threat perception varies for every person based upon their experience, background or personal risk appetite.
Context is vital to effective threat analysis. We all recognize that terrorism is really a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For instance, the potential risk of an armed attack by local militia responding with an ongoing dispute about local job opportunities, allows us to create the threat more plausible and give a better number of selections for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. Exactly how the attractive project is to the threats identified and, how easily they can be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How good can the project reply to an incident should it occur despite of control measures?
Such as a threat assessment, this vulnerability assessment needs to be ongoing to make certain that controls not only function correctly now, but remain relevant as being the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria through which 40 innocent everyone was killed, made tips for the: “development of a security risk management system that may be dynamic, fit for purpose and aimed toward action. It ought to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and executive protection tacticalsupportservice.com allow both experts and management to get a common understanding of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is not any small task and one that needs a unique skillsets and experience. According to the same report, “…in many instances security is a component of broader health, safety and environment position and another that very few people in those roles have particular experience and expertise. As a result, Statoil overall has insufficient ful-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not simply facilitates timely and effective decision-making. Furthermore, it has potential to introduce a broader array of security controls than has previously been considered as an element of the corporate home security system.