For companies operating in hostile environments, corporate security has historically been a source of confusion and is often outsourced to specialised consultancies at significant cost.
In itself, that’s not an inappropriate approach, but the problem arises because, when you ask three different security consultants to carry out the tactical support service, it’s entirely possible to get three different answers.
That absence of standardisation and continuity in SRA methodology is the primary reason for confusion between those involved in managing security risk and budget holders.
So, how can security professionals translate the conventional language of corporate security in a way that both enhances understanding and justifies cost-effective and appropriate security controls?
Applying a four-step methodology to any SRA is essential to its effectiveness:
1. What is the project under review attempting to achieve, and how is it looking to achieve it?
2. Which resources/assets are the most important in making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions need to be established before a security system can be developed that is effective, appropriate and versatile enough to be adapted within an ever-changing security environment.
Where some external security consultants fail is in spending very little time developing an in-depth understanding of their client’s project, which generally leads to the use of costly security controls that impede the project rather than enhancing it.
Over time, a standardised approach to SRA can help enhance internal communication. It does so by enhancing the understanding of security professionals, who benefit from lessons learned globally, and of the broader business, because the methodology and language mirror those of enterprise risk. Together those factors help shift the perception of tactical security from a cost center to one that adds value.
Security threats come from a myriad of sources, both human (for example military conflict, crime and terrorism) and non-human (including natural disaster and disease epidemics). Developing effective research into the environment in which you operate requires insight and enquiry, not simply the collation of a list of incidents, irrespective of how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to the project, consideration should be given not just to the action or activity performed, but also to who carried it out and, fundamentally, why.
Threat assessments should address:
• Threat Activity: the what, e.g. kidnap for ransom
• Threat Actor: the who, e.g. domestic militants
• Threat Driver: the motivation for that threat actor, e.g. environmental damage to agricultural land
• Intent: establishing how often the threat actor has carried out the threat activity rather than just threatened it
• Capability: are they capable of performing the threat activity now and/or in the foreseeable future?
Security threats from non-human sources, including disasters, communicable disease and accidents, can be assessed in a very similar fashion:
• Threat Activity: virus outbreak causing serious illness or death to company employees, e.g. Lassa Fever
• Threat Actor: what could be responsible, e.g. Lassa
• Threat Driver: virus acquired from infected rats
• What potential does the threat actor have to do harm? E.g. last outbreak in Nigeria in 2016
• What capacity does the threat have to do harm? E.g. most common mouse in equatorial Africa, ubiquitous in human households, potentially fatal
Most companies still prescribe annual security risk assessments, which potentially leave operations exposed when dealing with dynamic threats that require continuous monitoring.
To effectively monitor security threats, consideration has to be given to how events might escalate and, equally, how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the chance of a violent response from protestors, while effective communication with protest leaders may, for the short term at least, de-escalate the potential for a violent exchange.
This type of analysis can help with effective threat forecasting, rather than providing a simple snapshot of the security environment at any point in time.
The biggest challenge facing corporate security professionals remains how to sell security threat analysis internally, especially when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is vital to effective threat analysis. Many of us understand that terrorism is a risk, but as a stand-alone it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk within a credible, project-specific scenario, however, creates context. For instance, the chance of an armed attack by local militia in reaction to an ongoing dispute about local employment opportunities allows us to make the threat more plausible and provides a greater number of options for its mitigation.
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It needs to consider:
1. How attractive is the project to the threats identified, and how easily can it be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur despite control measures?
As with a threat assessment, this vulnerability assessment should be ongoing to ensure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Amenas Attack” report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of the security risk management system that may be dynamic, fit for purpose and aimed toward action. It should be an embedded and routine area of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and tactical support service executive protection allow both experts and management to possess a common comprehension of risk, threats and scenarios and evaluations of those.”
But maintaining this essential process is no small task, and one that requires specific skill sets and experience. According to the same report, “…in most cases security is a component of broader health, safety and environment position and another that few individuals in those roles have particular expertise and experience. As a consequence, Statoil overall has insufficient full-time specialist resources focused on security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making; it also has the potential to introduce a broader array of security controls than has previously been considered as an element of the corporate burglar alarm system.