Companies operating in hostile environments, corporate security has historically been a supply of confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, however the problems arises because, in the event you ask three different security consultants to carry out the threat assessment tacticalsupportservice.com, it’s possible to get three different answers.
That lack of standardisation and continuity in SRA methodology is the primary reason behind confusion between those charged with managing security risk and budget holders.
So, how could security professionals translate the traditional language of corporate security in a manner that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology for any SRA is critical to the effectiveness:
1. Exactly what is the project under review looking to achieve, and just how could it be seeking to do it?
2. Which resources/assets are the most important when making the project successful?
3. Just what is the security threat environment when the project operates?
4. How vulnerable would be the project’s critical resources/assets for the threats identified?
These four questions should be established before a security alarm system can be developed that is certainly effective, appropriate and flexible enough to be adapted within an ever-changing security environment.
Where some external security consultants fail is at spending little time developing a detailed understanding of their client’s project – generally leading to the application of costly security controls that impede the project rather than enhancing it.
After a while, a standardised method of SRA will assist enhance internal communication. It does so by enhancing the understanding of security professionals, who make use of lessons learned globally, along with the broader business since the methodology and language mirrors those of enterprise risk. Together those factors help shift the thought of tacttical security coming from a cost center to one that adds value.
Security threats come from a number of sources both human, including military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective research into the environment that you operate requires insight and enquiry, not simply the collation of a summary of incidents – regardless how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats in your project, consideration has to be given not just to the action or activity carried out, and also who carried it all out and fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for your threat actor, environmental injury to agricultural land
• Intent: Establishing the frequency of which the threat actor completed the threat activity as opposed to just threatened it
• Capability: Is it able to performing the threat activity now and/or in the future
Security threats from non-human source for example natural disasters, communicable disease and accidents might be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What might be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm e.g. most frequent mouse in equatorial Africa, ubiquitous in human households potentially fatal
A lot of companies still prescribe annual security risk assessments which potentially leave your operations exposed while confronting dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be made available to how events might escalate and equally how proactive steps can de-escalate them. As an example, security forces firing on the protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term no less than, de-escalate the chance of a violent exchange.
This particular analysis can sort out effective threat forecasting, instead of a simple snap shot of the security environment at any point over time.
The most significant challenge facing corporate security professionals remains, how you can sell security threat analysis internally specifically when threat perception varies from person to person based upon their experience, background or personal risk appetite.
Context is essential to effective threat analysis. All of us realize that terrorism is a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible project specific scenario however, creates context. For example, the potential risk of an armed attack by local militia responding with an ongoing dispute about local job opportunities, allows us to make your threat more plausible and give an increased quantity of choices for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It has to consider:
1. Exactly how the attractive project is to the threats identified and, how easily they can be identified and accessed?
2. How effective are the project’s existing protections up against the threats identified?
3. How good can the project reply to an incident should it occur despite of control measures?
Similar to a threat assessment, this vulnerability assessment should be ongoing to make sure that controls not merely function correctly now, but remain relevant because the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria through which 40 innocent everyone was killed, made tips for the: “development of a security risk management system that is certainly dynamic, fit for purpose and aimed toward action. It needs to be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tactical support service executive protection allow both experts and management to get a common knowledge of risk, threats and scenarios and evaluations of the.”
But maintaining this essential process is no small task and something that has to have a certain skillsets and experience. In accordance with the same report, “…in most instances security is part of broader health, safety and environment position and something for which few people in those roles have particular expertise and experience. As a consequence, Statoil overall has insufficient ful-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. Additionally, it has possible ways to introduce a broader range of security controls than has previously been considered as an element of the corporate burglar alarm system.