If your company is expanding into new markets overseas how do you evaluate the physical security risk to your employees and assets? If you are working in the developing world how do you monitor events and assess the potential threat to your personnel and operations?
Looking at year 2012 so far we have seen two notable coups in Africa – one in historically unstable Guinea-Bissau and another in Mali – once considered a bastion of stability and relative democracy. In 2011 (although it technically began in December 2010 in Tunisia) we saw the speed with which the Arab Spring spread across the Middle East and North Africa unseating heretofore stable governments and changing for many the notion of trip wires or trigger points – or at least their expected timeline.
- The first key element is recognizing and assessing the threats that exist.
- The second is looking at your operations in the context of the threat environment.
- The third is identifying vulnerabilities in your operations.
- The fourth is considering probability and criticality of the threat as it relates to your company’s business and operations.
- The most important element in identifying and initially addressing these elements is good intelligence.
Good intelligence can come from:
- Paid security intelligence providers
- Government agencies and public-private partnerships
- Local sources in the area in question
- Your professional network in other companies, industries and organizations
- Open source resources such as media, government and private publications
- Paid or unpaid sources you develop specifically to provide intelligence
- Area specialists, academics and consultants
- Ideally you should be drawing from at least several and possibly many of these different resources. There are pros and cons to each of these and we will discuss some of them at greater length in future posts.
Next you need to have a firm understanding of your company or organization’s operations in the location in question. Are you building a factory, operating a mine or oil field, providing training? Where are your personnel located and what do they do? How does this activity match up against the threat information?
To take this contextual look a step further – what vulnerabilities exist for your employees and company assets? Do your personnel establish patterns that can be exploited to conduct a targeted attack? Are your facilities in close proximity to high value targets?
What is the probability or likelihood of certain types of security events occurring? Which are more likely than others? What is the criticality or consequence of being the victim of a particular type of security event. As a rough example: in a given location pickpocketing and petty theft may be a common occurrence (high probability) but the impact on your organization’s operations would be low. The threat of a coordinated terrorist attack using multiple vehicle bombs may be a lower probability but the impact on your operations – especially if you are specifically targeted – might be catastrophic.
By looking at the threats that exist in the context of your operations, identifying vulnerabilities and determining the probability and criticality of various events you can begin to make more educated business decisions and develop security countermeasures and mitigation steps to better support your operations.