The Art of Situational Awareness

All multinationals with operations abroad should be performing the task of updating your situational awareness daily. Whether you are just beginning to consider international operations or already have many years with an overseas presence in dozens of locations, this article should provide you with considerations on how to make your efforts more efficient, cost-effective, and benchmark activities to best practices.
 

What is Situational Awareness? In layman’s terms, situational awareness (SA) is knowledge of one’s surroundings, and specifically understanding “events” and “things” which could have an adverse effect on you, your organization and objectives. Many different professionals use SA in performance of their jobs. Computer techs use SA to track computer viruses; the safety team uses SA to monitor hazards within the workplace; health professionals might use SA to track the spread of human viruses; while security professionals are generally concerned with monitoring threat actors around the globe.   
 

Why Perform Situational Awareness? If you’re a senior executive, risk or security practitioner, then the biggest reason for having situational awareness is to keep your organization proactively aware of those risks to your people and the organization. Like all other operational aspects of your business, if you’re not monitoring the road ahead, then “things” will pop-up unexpectedly in front of you without warning.

The logic is pretty straight forward. If you desire to know and manage the RISKS to your organization, then you first have to understand something about the sources of risks. Safety professionals look for hazards, but for security professionals the “hazards” are people who act aggressively against the organization. Therefore, you have to first know something about those THREAT ACTOR GROUPS which exhibit both the capabilities and intentions to act against you. So, the objective of knowing your risks really hinges upon performing SA for your operational locations. It’s about knowing what groups are active, and what types of actions they are most likely to do, which could pose harm your people and business. The better your SA, the better your understanding of your risks - resulting in safer and more secure environment for your people and organization.
 

Why All The Focus On Being Proactive? Well, it’s like the old saying, “you can pay me now, or you can pay me later”. Meaning, organizations that lack SA are more likely to be reactive. They will be forced to deal with security incidents that surprise them far more often than organizations that monitor, detect and proactively take actions to mitigate risks. Too often in my career I was hired by companies in the wake of a major crisis, situations which included mass kidnappings and multi-million dollar terrorist acts against property. In those incidents all the indicators were present for management to detect and act BEFORE those crises occurred.

Unfortunately too often management doesn’t detect the early indicators of rising risk, and failures can most often be traced directly back to the lack of ongoing situational awareness. Generally speaking, the cost of reacting to a crisis will be in the range of 20X or more what the cost of proactive mitigation would have been. Those realities don’t even begin to include hidden costs of reputational damage and legacy issues which often linger long after the crisis has been “resolved”. SA is the key to staying proactive and protecting your people. And, it doesn’t have to be a costly proposition either! 
 

Where to Get Security Information for SA? There are a number of great products in the marketplace to choose from. As a security manager I’ve used many of them, and each has their strengths and gaps. One of the principal gaps in many products is that they attempt to provide the same 80 to 100 pieces of headliner security news across the globe, or Tier I Information as I call it (See graphic). The broad global coverage comes with the tradeoff of depth of coverage in any one country. This broad focus is necessary when supporting travel security management. However, the lack of granularity in providing a deeper amount of security information within any given country can be a disadvantage.   

While head of security and now for my own clients I try to incorporate several subscription services into the mix of overall SA. Yet, on average only about 5% of that information on any given day or month turns out to be “relevant” to our operations. Threat actors generally can only project their activities within “tactical” distances, which might be something like 40 KM in rural areas, or maybe 40 city blocks in urban areas. So, the actions by a militia group some 300KM away in a far corner of the country X where you operate probably isn’t relevant. Yes, threat actors are agile, mobile, and adaptive. This highlights the importance of having tools, especially digital maps at your disposal. Plotting and monitoring geographic proximity of security events in relation to your operational locations is important.
 

Tier II Data & Drilling Down for More Information – When subscription based services don’t provide sufficient amounts of relevant information, what might you consider? The best next step is to begin looking for additional security information in the public domain. This includes key word searches and reviewing news from blogs within the countries where you operate. Sometimes you may have to review news published in another language too. Sure, it’s a bit of additional work, but it’s certainly not overkill. I routinely perform those efforts for clients and it produces about 400% to 600% more relevant information as compared to a subscription service.  Keep in mind, that’s not a criticism about all those great subscription products. Rather, it’s an observation about the limits of what they were designed to do. Without a sufficient amount of relevant security information you will be challenged to generate accurate risk assessments.   
 

OSINT – Open Source Intelligence or OSINT by the acronym is a new field which is rapidly evolving. Many companies are developing ways to harvest and analyze ever greater volumes of information and data streams from the web, including from social media. But, there are limits to what OSINT can provide. Keep in mind, from the perspective of the security or risk manager, the purpose of SA is to proactively detect indicators of rising risks. If the OSINT application doesn’t help you do that, then it’s background noise.

It’s also important to note that, as the recent terror incidents in Paris and San Bernardino have again reminded us, there are a range of security events for which no SA tools will likely be able to detect in advance. SA will never know everything, and that should not be the goal. Rather, SA is about trying to know as much as one reasonably can or should know within your operational areas.  
 

The Holy Grail for SA - Tier III Data - Years ago as a security manager, my security coordinators routinely went out into the local areas, meeting with local state security representatives and tribal leaders to get additional information. They generally came back with plenty of great information. Those nuggets of intelligence or puzzle pieces were invaluable. Ironically, most of information was not “newsworthy”. Alone individual pieces of information don’t merit a story in the press by Reuters. Therefore most, if not all pieces of information would never be found in the public domain or via web searches, or with OSINT tools. I call this type of information Tier III data (See caption). It is all but “invisible” to anyone not in the local area. And for that reason, it’s more difficult to obtain.

Including that type of information into your SA is an important task, especially for companies operating in higher risk, more rural environments. Intelligence agencies for developed nations have highly organized programs to cultivate human sources of information, which then provides human intelligence (HUMINT) for their countries. But as multinationals, we often lack those same skills and resources to mount those efforts.

At some point in the near future, the opportunity to crowd-source HUMINT between like-minded multinationals, NGOs and even state security entities, where mutual trust exists, could provide a bounty of new, relevant security information. On a side note, we actually pioneered and commercially beta launched such a technology, (Chatter) in 2011, which provides those functionalities for users.
 

Conclusion - SA is a critical task that all multinationals should perform daily. Performing SA requires a reasonable quantity of security information RELEVANT to your organization, and likely will require some technological tools. SA is absolutely essential in order to generate accurate risk assessments for your organization, which will keep your business safe and secure – proactively protecting your people, assets, and business objectives. The efforts need not be expensive, and the benefits to your organization will be significant.

Contact Information

Mike Faessler

President

Oversight Security Management & Consulting, LLC

(1) (503) 575-9424

mike@oversight.us.com