For companies operating in hostile environments, corporate security has historically been a source of confusion and is frequently outsourced to specialised consultancies at significant cost.
In itself, that is not an inappropriate approach. The problem arises because, should you ask three different security consultants to carry out the security risk assessment (SRA), it is entirely possible to get three different answers.
That lack of standardisation and continuity in SRA methodology is the primary cause of confusion between those responsible for managing security risk and budget holders.
So, how can security professionals translate the standard language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to your SRA is crucial to its effectiveness:
1. What is the project under review trying to achieve, and how is it trying to do it?
2. Which resources/assets are the most important in making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions should be answered before a security system can be developed that is effective, appropriate and flexible enough to be adapted to an ever-changing security environment.
Where some external security consultants fail is in spending little time developing an in-depth understanding of their client’s project, which generally results in the use of costly security controls that impede the project rather than enhance it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by improving the knowledge of security professionals, who benefit from lessons learned globally, and of the broader business, as the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats originate from a host of sources, both human, such as military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Effective research into the environment in which you operate requires insight and enquiry, not simply the collation of a list of incidents, regardless of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats to your project, consideration should be given not just to the action or activity performed, but also to who carried it out and, fundamentally, why.
Threat assessments must address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for the threat actor, e.g. environmental problems for agricultural land
• Intent: establishing how often the threat actor has performed the threat activity rather than just threatened it
• Capability: are they capable of undertaking the threat activity now or in the future?
Security threats from non-human sources, including disasters, communicable disease and accidents, may be assessed in a very similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: what may be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• Potential: what potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• Capacity: what capacity does the threat have to do harm, e.g. most frequent mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Most companies still prescribe annual security risk assessments, which potentially leave operations exposed when confronting dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration should be given to how events might escalate and, equally, how proactive steps can de-escalate them. For instance, security forces firing on a protest march may escalate the potential for a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the chance of a violent exchange.
This sort of analysis can help with effective threat forecasting, as opposed to a simple snapshot of the security environment at a single point in time.
The biggest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person depending on their experience, background or personal risk appetite.
Context is crucial to effective threat analysis. We all recognise that terrorism is a risk, but as a stand-alone it is too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible, project-specific scenario, however, creates context. For example, the chance of an armed attack by local militia in reaction to an ongoing dispute about local employment opportunities makes the threat more plausible and provides a larger number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical, and it extends beyond simply reviewing existing security controls. It has to consider:
1. How attractive is the project to the threats identified, and how easily could it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
As with a threat assessment, this vulnerability assessment has to be ongoing to make sure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of your security risk management system that is dynamic, fit for purpose and aimed toward action. It ought to be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tactical support service allow both experts and management to have a common knowledge of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is no small task, and one that needs certain skill sets and experience. According to the same report, “…in many cases security is part of broader health, safety and environment position and another that very few people in those roles have particular expertise and experience. Because of this, Statoil overall has insufficient full-time specialist resources committed to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making; it also has the potential to introduce a broader range of security controls than has previously been considered as part of the business security system.