For companies operating in hostile environments, corporate security has historically been a source of confusion and often outsourced to specialised consultancies at significant cost.
Of itself, that’s not an inappropriate approach, but the problems arises because, if you ask three different security consultants to carry out the same security risk assessment, it’s entirely possible to receive three different answers.
That lack of standardisation and continuity in SRA methodology is the primary cause of confusion between those charged with managing security risk and budget holders.
So, how can security professionals translate the traditional language of corporate security in a way that both enhances understanding, and justify cost-effective and appropriate security controls?
Applying a four step methodology to any SRA is critical to its effectiveness:
1. What is the project under review trying to achieve, and how is it trying to achieve it?
2. Which resources/assets are the most important in making the project successful?
3. What is the security threat environment in which the project operates?
4. How vulnerable are the project’s critical resources/assets to the threats identified?
These four questions must be established before a security system can be developed that is effective, appropriate and flexible enough to be adapted in an ever-changing security environment.
Where some external security consultants fail is in spending little time developing an in depth understanding of their client’s project – generally resulting in the application of costly security controls that impede the project instead of enhancing it.
Over time, a standardised approach to SRA will help enhance internal communication. It does so by improving the understanding of security professionals, who benefit from lessons learned globally, and the broader business because the methodology and language mirrors that of enterprise risk. Together those factors help shift the perception of corporate security from a cost center to one that adds value.
Understanding threats to your security
Security threats originate from a host of sources both human, such as military conflict, crime and terrorism and non-human, including natural disaster and disease epidemics. To develop effective analysis of the environment in which you operate requires insight and enquiry, not simply the collation of a list of incidents – no matter how accurate or well researched those may be.
Renowned political scientist Louise Richardson, author of the book, What Terrorists Want, states: “Terrorists seek revenge for injustices or humiliations suffered by their community.”
So, to effectively assess the threats to your project, consideration needs to be given not only to the action or activity carried out, but also who carried it out and fundamentally, why.
Threat assessments need to address:
• Threat Activity: the what, kidnap for ransom
• Threat Actor: the who, domestic militants
• Threat Driver: the motivation for the threat actor, environmental damage to agricultural land
• Intent: Establishing how often the threat actor carried out the threat activity rather than just threatened it
• Capability: Are they capable of carrying out the threat activity now and/or in the future
Security threats from non-human source such as natural disasters, communicable disease and accidents can be assessed in a very similar fashion:
• Threat Activity: Virus outbreak causing serious illness or death to company employees e.g. Lassa Fever
• Threat Actor: What might be responsible e.g. Lassa
• Threat Driver: Virus acquired from infected rats
• What Potential does the threat actor have to do harm e.g. last outbreak in Nigeria in 2016
• What Capacity does the threat have to do harm e.g. most common mouse in equatorial Africa, ubiquitous in human households potentially fatal
Many companies still prescribe annual security risk assessments which potentially leave your operations exposed when dealing with dynamic threats which require continuous monitoring.
To effectively monitor security threats consideration needs to be given to how events might escalate and equally how proactive steps can de-escalate them. For example, security forces firing on a protest march may escalate the potential of a violent response from protestors, while effective communication with protest leaders may, in the short term at least, de-escalate the potential of a violent exchange.
This type of analysis can help with effective threat forecasting, as opposed to a simple snap shot of the security environment at any point in time.
The biggest challenge facing corporate security professionals remains, how to sell security threat analysis internally particularly when threat perception varies from person to person based on their experience, background or personal risk appetite.
Context is critical to effective threat analysis. We all understand that terrorism is a risk, but as a stand-alone, it’s too broad a threat and, frankly, impossible to mitigate. Detailing risk in a credible project specific scenario however, creates context. For example, the risk of an armed attack by local militia in response to an ongoing dispute about local employment opportunities, allows us to make the threat more plausible and offer a greater number of options for its mitigation.
How vulnerable is the project?
Having identified threats, vulnerability assessment is also critical and extends beyond simply reviewing existing security controls. It must consider:
1. How the attractive project is to the threats identified and, how easily they can be identified and accessed?
2. How effective are the project’s existing protections against the threats identified?
3. How well can the project respond to an incident should it occur despite of control measures?
Like a threat assessment, this vulnerability assessment needs to be ongoing to ensure that controls not only function correctly now, but remain relevant as the security environment evolves.
Statoil’s “The In Anemas Attack”  report, which followed the January 2013 attack in Algeria in which 40 innocent people were killed, made recommendations for the: “development of a security risk management system that is dynamic, fit for purpose and geared toward action. It should be an embedded and routine part of the company’s regular core business, project planning, and Statoil’s decision process for investment projects. A standardized, open and well-defined security risk management methodology will allow both experts and management to have a common understanding of risk, threats and scenarios and evaluations of these.”
But maintaining this essential process is no small task and one that needs a specific skillsets and experience. According to the same report, “…in most cases security is part of broader health, safety and environment position and one for which few people in those roles have particular experience and expertise. As a consequence, Statoil overall has insufficient ful-time specialist resources dedicated to security.”
Anchoring corporate security in effective and ongoing security risk analysis not only facilitates timely and effective decision-making. It also has potential to introduce a broader range of security controls than has previously been considered as a part of the corporate security system.
Paul Mercer is Managing Director and designer of award-winning HawkSight Software. He founded Hawksight SRM Ltd over a decade ago after a career in the UK Military. He has a Master’s Degree in international politics. He served as an officer in the Royal Naval Fleet Air Arm during including deployment as Head of Sector Intelligence for the United Nations Mission in Georgia, Caucasus (UNOMIG). Today he works with clients to provide continuity of security risk analysis, comprehensive risk reporting, and bespoke mitigation strategies to enable rapid and cost effective management of security risks. Contact him: [email protected]
Clown photo by Thomas Roberts on Unsplash
Building photo by July Brenda Gonzales Callapaz on Unsplash