For companies operating in hostile environments, corporate security has historically been a source of confusion and is quite often outsourced to specialised consultancies at significant cost.
Of itself, that's not an inappropriate approach. The problem arises because, if you ask three different security consultants to undertake the tactical support service, it's possible to obtain three different answers.
That absence of standardisation and continuity in security risk assessment (SRA) methodology is the primary cause of confusion between those involved in managing security risk and budget holders.
So, how can security professionals translate the conventional language of corporate security in a manner that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to any SRA is vital to its effectiveness:
1. What is the project under review attempting to achieve, and exactly how is it attempting to do it?
2. Which resources/assets are the most important in making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project's critical resources/assets to the threats identified?
These four questions have to be established before a security alarm system can be developed that is effective, appropriate and flexible enough to be adapted within an ever-changing security environment.
Where some external security consultants fail is in spending too little time developing a comprehensive understanding of their client's project, which generally leads to the use of costly security controls that impede the project rather than enhancing it.
Over time, a standardised approach to SRA may help enhance internal communication. It can do so by improving the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats come from a host of sources, both human, including military conflict, crime and terrorism, and non-human, including natural disaster and disease epidemics. Producing effective analysis of the environment in which you operate requires insight and enquiry, not merely the collation of a long list of incidents, regardless of how accurate or well researched those might be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively measure the threats to your project, consideration has to be given not just to the action or activity performed, but also to who carried it out and, fundamentally, why.
Threat assessments have to address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for the threat actor, e.g. environmental damage to agricultural land
• Intent: establishing how often the threat actor carried out the threat activity rather than just threatened it
• Capability: are they capable of carrying out the threat activity now and/or in the future
Security threats from non-human sources, for example disasters, communicable disease and accidents, can be assessed in a similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa fever
• Threat Actor: what may be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What potential does the threat actor have to do harm, e.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm, e.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Most companies still prescribe annual security risk assessments, which potentially leave operations exposed when confronted with dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration has to be given to how events might escalate and, equally, how proactive steps can de-escalate them. By way of example, security forces firing on a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, in the short term at the very least, de-escalate the potential for a violent exchange.
This sort of analysis can support effective threat forecasting, as opposed to a simple snapshot of the security environment at a single point in time.
The largest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person depending on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Most of us know that terrorism is a risk, but as a stand-alone it's too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible, project-specific scenario, however, creates context. For example, the chance of an armed attack by local militia in response to an ongoing dispute about local employment opportunities makes the threat more plausible and provides a larger variety of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It has to consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project's existing protections against the threats identified?
3. How well can the project respond to an incident should it occur in spite of control measures?
Like a threat assessment, this vulnerability assessment should be ongoing to ensure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil's “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of the security risk management system that may be dynamic, fit for purpose and geared toward action. It should be an embedded and routine part of the company's regular core business, project planning, and Statoil's decision process for investment projects. A standardized, open and tactical support service allows both experts and management to get a common knowledge of risk, threats and scenarios and evaluations of such.”
But maintaining this essential process is no small task, and one that requires a certain skillset and experience. According to the same report, “…in many instances security is part of broader health, safety and environment position and something that very few people in those roles have particular expertise and experience. Because of this, Statoil overall has insufficient full-time specialist resources devoted to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has the potential to introduce a broader selection of security controls than has previously been considered as part of the corporate security system.