Companies operating in hostile environments, corporate security has historically been a supply of confusion and frequently outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, however the problems arises because, if you ask three different security consultants to handle the threat assessment tacticalsupportservice.com, it’s possible to acquire three different answers.
That deficiency of standardisation and continuity in SRA methodology is definitely the primary reason behind confusion between those involved in managing security risk and budget holders.
So, just how can security professionals translate the standard language of corporate security in a fashion that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to any SRA is crucial to the effectiveness:
1. What exactly is the project under review trying to achieve, and just how is it attempting to do it?
2. Which resources/assets are the most significant when making the project successful?
3. What is the security threat environment wherein the project operates?
4. How vulnerable are the project’s critical resources/assets on the threats identified?
These four questions needs to be established before a security alarm system could be developed that is effective, appropriate and versatile enough to be adapted inside an ever-changing security environment.
Where some external security consultants fail is at spending almost no time developing a comprehensive understanding of their client’s project – generally leading to the use of costly security controls that impede the project as opposed to enhancing it.
Over time, a standardised strategy to SRA may help enhance internal communication. It will so by improving the knowledge of security professionals, who reap the benefits of lessons learned globally, and also the broader business since the methodology and language mirrors that from enterprise risk. Together those factors help shift the perception of tacttical security from a cost center to a single that adds value.
Security threats originate from numerous sources both human, for example military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To build up effective analysis of the environment where you operate requires insight and enquiry, not merely the collation of a listing of incidents – no matter how accurate or well researched those could be.
Renowned political scientist Louise Richardson, author of your book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively look at the threats for your project, consideration should be given not only to the action or activity conducted, but additionally who carried it and fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation to the threat actor, environmental damage to agricultural land
• Intent: Establishing how many times the threat actor carried out the threat activity rather than just threatened it
• Capability: Are they competent at doing the threat activity now and in the foreseeable future
Security threats from non-human source for example disasters, communicable disease and accidents could be assessed in a really similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What may be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor should do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat must do harm e.g. most popular mouse in equatorial Africa, ubiquitous in human households potentially fatal
Many companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be made available to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing with a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, for the short term no less than, de-escalate the potential of a violent exchange.
This kind of analysis can deal with effective threat forecasting, as opposed to a simple snap shot of the security environment at any time soon enough.
The greatest challenge facing corporate security professionals remains, how to sell security threat analysis internally specially when threat perception varies individually for each person based on their experience, background or personal risk appetite.
Context is essential to effective threat analysis. Many of us understand that terrorism is a risk, but being a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk inside a credible project specific scenario however, creates context. As an example, the risk of an armed attack by local militia in response for an ongoing dispute about local employment opportunities, allows us to have the threat more plausible and offer a larger quantity of choices for its mitigation.
Having identified threats, vulnerability assessment can also be critical and extends beyond simply reviewing existing security controls. It has to consider:
1. The way the attractive project is always to the threats identified and, how easily they are often identified and accessed?
2. How effective are definitely the project’s existing protections versus the threats identified?
3. How well can the project react to an incident should it occur despite of control measures?
Such as a threat assessment, this vulnerability assessment should be ongoing to ensure that controls not merely function correctly now, but remain relevant since the security environment evolves.
Statoil’s “The In Anemas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent individuals were killed, made strategies for the: “development of any security risk management system that is dynamic, fit for purpose and geared toward action. It needs to be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and www.tacticalsupportservice.com allow both experts and management to possess a common idea of risk, threats and scenarios and evaluations of the.”
But maintaining this essential process is no small task and one that needs a certain skillsets and experience. Based on the same report, “…in many cases security is a component of broader health, safety and environment position and another in which very few people in those roles have particular experience and expertise. As a result, Statoil overall has insufficient ful-time specialist resources committed to security.”
Anchoring corporate security in effective and ongoing security risk analysis not merely facilitates timely and effective decision-making. In addition, it has possible ways to introduce a broader variety of security controls than has previously been considered as an element of the company security system.