For companies operating in hostile environments, corporate security has historically been a source of confusion, and is often outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, but the problem arises because, when you ask three different security consultants to carry out the same threat assessment, it’s possible to receive three different answers.
That absence of standardisation and continuity in security risk assessment (SRA) methodology is the primary reason for confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the traditional language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to any SRA is crucial to its effectiveness:
1. What is the project under review trying to achieve, and how is it trying to achieve it?
2. Which resources/assets are the most important in making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions should be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted to an ever-changing security environment.
Where some external security consultants fail is spending little time developing a comprehensive understanding of their client’s project – generally leading to the application of costly security controls that impede the project instead of enhancing it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by improving the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats come from a host of sources, both human, such as military conflict, crime and terrorism, and non-human, including natural disasters and disease epidemics. Producing effective analysis of the environment in which you operate requires insight and enquiry, not merely the collation of a list of incidents – no matter how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to your project, consideration needs to be given not just to the action or activity carried out, but also to who carried it out and, fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for the threat actor, e.g. environmental damage to agricultural land
• Intent: establishing how often the threat actor has carried out the threat activity, as opposed to just threatening it
• Capability: are they capable of carrying out the threat activity now or in the future?
Security threats from non-human sources such as natural disasters, communicable disease and accidents can be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: What could be responsible, e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm, e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Most companies still prescribe annual security risk assessments, which potentially leave operations exposed when facing dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration should be given to how events might escalate and, equally, how proactive steps can de-escalate them. For instance, security forces firing on a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the possibility of a violent exchange.
This type of analysis can support effective threat forecasting, rather than a simple snapshot of the security environment at any point in time.
The greatest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person depending on their experience, background or personal risk appetite.
Context is essential to effective threat analysis. Many of us realize that terrorism is a risk, but on its own it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. For instance, the chance of an armed attack by local militia responding to an ongoing dispute about local employment opportunities allows us to make the threat more plausible and provides a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur despite control measures?
As with a threat assessment, this vulnerability assessment needs to be ongoing to ensure controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of any security risk management system that may be dynamic, fit for purpose and aimed toward action. It ought to be an embedded and routine portion of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tactical support service executive protection allow both experts and management to experience a common comprehension of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task, and one that requires specific skill sets and experience. According to the same report, “…in most cases security is a component of broader health, safety and environment position then one where not many people in those roles have particular expertise and experience. As a result, Statoil overall has insufficient full-time specialist resources dedicated to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making; it also has the potential to introduce a broader range of security controls than has previously been considered as part of the company security system.