As the co-founder and managing director of The Gate 15 Company (Gate 15), based in Leesburg, Virginia, Andy Jabbour has been a supportive friend to IAVM in high-end safety and security information sharing, panel participation, conference participation, AVSS instructor and serving on the Venue Safety & Security Committee. Jabbour brings a wealth of knowledge from his perspective in leading his company’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, and Operational Support & Preparedness Activities. He spent a few minutes recently sharing some of his work and specifically how it relates to IAVM and the public assembly venue management industry.
How did you get involved in your current field?
I started my professional career in the U.S. Army. I initially separated in 2004, was kindly called back … and then returned to work to civilian life as a contractor with Department of Defense and then at Homeland Security and the Office of Infrastructure Protection about 10 years ago. While there, I had the opportunity to lead and be a part of several teams in support of a variety of preparedness and operational activities – planning, training, exercises, and responding to real events like hurricanes and other incidents. I had the good fortune of being able to be a part of a lot of broad events bringing together entities from across the federal government and from the private sector critical infrastructure community. Through those experiences and relationships, I was able to go to work directly in the private sector information sharing and analysis community, where I first had the opportunity to meet IAVM during the 2014 Ebola outbreak. From those experiences and opportunities, I was able to bring some unique perspective and approaches together to what my teams are doing today to apply a “threat-informed, risk-based approach to analysis, preparedness and operations.”
How do public assembly venues differ from other types of facilities/structures that you work with in addressing safety and security?
There are obviously a lot of similarities – the general threats that are common across the Commercial Facilities and Transportation Sectors, and the increasing risks associated with technology we’re seeing in many facilities, for example. With the exception of transportation perhaps, there aren’t a lot of facilities that have as much exposure to low-tech terrorism attacks. While with the Public Assembly Subsector there are some facilities that are designed more securely or tend to have more security personnel present, from the mass gathering of people, easy pedestrian (and in some cases vehicle) access, and the design and construction of many of the venues themselves, public assembly venues have some challenging physical security requirements.
It might be natural to assume, for example, a stadium is at greater risk of an attack than, say, a performing arts center. Can you dispel that assumption?
Absolutely. A few weeks back, most wouldn’t have thought of the two UK attacks – the Manchester Arena at a pop singer’s concert and the London Bridge attacks – as highly likely. We tend to think of the higher profile events and facilities but we need to think from an attacker’s perspective. There are reasons why we’ve seen a shift in the Islamic State attacks from focusing on military and government facilities and targets toward civilians. While terrorists would love to attack a nuclear facility, we don’t see that. That’s largely because they want to be successful and know that they’ll get ample media attention and raise anxiety for the shock of their attacks – such as attacking young children in Manchester – and the success of the attack, meaning they want open, easy targets. A stadium may have some areas that are more vulnerable than others but it’s a harder target than a venue or facility where an attacker can relatively easily walk into a large crowd. I don’t want to promote types of attacks here but leaders need to think about things from an attacker’s perspective and should exercise those scenarios.
What are some new types of threats you see on your radar that our members should be aware?
I don’t know if there are a lot of new threats that are “real” – in the sense that we are anticipating attackers would use innovative tactics, techniques and procedures. Probably the biggest “new threats” come in the potential for employing drones into attacks on the physical side and in attacks that may focus on poorly secured facility technologies – new “smart,” Internet of Things (IoT) devices. More likely, we’ll continue to see facilities exposed to the enduring threats of low-tech terrorism and other Hostile Events (active shooters, workplace violence, etc.) and innovate ways to employ cyberattacks we’re already seeing elsewhere – such as innovative cyber extortion aimed at venues’ and other Commercial Facilities’ technology. But there are subtle changes that occur in how those attacks manifest themselves and leaders need to keep an active pulse on what is happening.
Could an incident like outside the Manchester Arena have been prevented? How or how not?
In some ways, sure; in other ways, not really. Physical attacks – those that are not common crime or acts of passion but terrorism or other deliberate attacks, tend to follow what we refer to as the Hostile Events Attack Cycle. That process allows for astute individuals, whether friends and family, that are seeing something that looks off in behaviors and activities, or venue personnel that observe an individual involved in suspicious behaviors to potentially disrupt plans for hostile activities. There are multiple points to see something that alerts them and to intervene, personally or by notifying the appropriate authorities or leaders, to frustrate plots and schemes. For them to do so, they need to be educated, trained, and able to act. On the other end, we can’t expect a zero-success environment for our adversaries. The reality is a determined attacker whose goal is to cause harm and fear can find ways to do so. Whether using a gun, a knife, a bomb, a car, a pipe, or other simple means, if someone wants to approach a crowd and hurt people, that is very hard to prevent. We can reduce risks through preparedness and equipment, we can push out perimeters and harden facilities but, 100% security is neither sustainable nor desirable. If events become so burdensome for patrons, they’ll stay home or find something else to do. It is important that leaders do everything they reasonably can with respect to their time and budgets to prepare and secure their facilities and personnel, but we can’t impose unreasonable expectations on them either. Leaders should be able to demonstrate a reasonable level of investment and preparedness in security and then do their best to manage whatever incidents may occur.
Any common words of advice or counsel for our members to remain vigilant?
The threat environment isn’t getting easier but don’t get overwhelmed. Take it seriously, not in fear but in a measured way. Develop a plan, and work on it in a sustainable, manageable way. Risk management – preparedness and security – is a lot like trying to get and stay healthy. If you’re coming out of winter and find you enjoyed a little more turkey and eggnog than you thought, you’re not going to trim up to your beach body in a week. It takes articulating a goal, developing a plan, and being serious in investing the time week in and week out to lose those pounds and harden that body. This is the same thing. If your risk management program is out of shape, don’t expect to be perfect tomorrow! Come up with some realistic goals, maybe some for now and some down the road, and develop a reasonable plan to achieve those goals by investing a little bit of time and resources in a sustainable approach.