This article was originally published in FM Encore Magazine.

As it relates to terrorism, one thing is clear: bad actors are extremely resolute. This resolve gives them the patience they need to methodically identify both ideal targets and effective, and sometimes new, means by which to attack those targets.

As witnessed in recent attacks around the world and documented in open source government intelligence reports, bad actors have continued to find new methods to administer their terror, including, but not limited to:

  • Vehicle ramming;
  • Unmanned aerial vehicle (UAV);
  • Cybersecurity;
  • Insider threats;
  • Food tampering; and
  • Sniper attacks.

Some methods are unsophisticated and cost-efficient, while others are complex and require great coordination and resources. Unfortunately, when your main objective is to attack innocent people, the opportunities are endless.

Thus, it is imperative that as bad actors continue to meticulously find ways to evolve their methods of attack, so must a venue operator (VO) thoughtfully consider his/her mitigation strategies. However, this process can be a daunting task that often leave VOs understandably questioning almost everything, such as: what the best commercially available technology might be, what policies and procedures they should adopt, is it even legal to respond to a threat in the first place (e.g., UAV), or simply…how much is enough? After all, by its very nature, emerging threats are new or unprecedented giving the industry very little time to identify effective technologies or to establish accepted best practices. All the while, peers in the industry or solution providers in the marketplace share – usually with good intention – scores of opinions for how to address the issue, which can create even more confusion or exacerbate the feeling of being lost.

With all the disruptions that come with emerging threats, a lot of noise is generated. And that noise further intensifies the confusion and frustration; a vicious cycle.

However, I often find solace in taking small and measured steps toward confronting an issue such as emerging threats. Taken one at a time, these small and measured steps may not appear like much, but collectively, not only are they the most effective way for a VO to address an emerging threat, but they also bring about another powerful advantage: Quieting the Noise.

Quieting the noise is way of life. How can you focus on what needs to happen if you are constantly distracted by companies advertising products that may or may not work or by industry peers who heard that something is working in a different industry or in a different part of the country, maybe even the world.

While not complicated, the following is a simple overview of steps you can take to address an emerging threat and “quiet the noise.”

You must first establish the emerging threat. This can be accomplished in a number of ways, but primarily, this should be performed in coordination with an independent, third-party (the independence ensures an unbiased approach that uses intelligence or empirical data not otherwise available to you). Here, you may also leverage industry peers such as counterparts at other organizations, associations or league offices, etc. Learning from others’ successes and/or lessons learned is helpful.

Once you identify an emerging threat, understand how it might manifest itself at your property and exposure you have to it.

Once you have identified what vulnerabilities you have to the emerging threat, you need to lay out your needs requirement. In other words, what are the capabilities or resources you need to address the aforementioned vulnerabilities, thereby allowing you to effectively deter, prevent, and/or mitigate the emerging threat.

Assuming the strategy requires the procurement of products and/ or services – and not just an internal policy and procedure enhancement – an RFP should be considered. The needs requirement will serve as the backbone for an RFP. The selection criteria will establish the means by which you will evaluate companies who may have a solution to help you address the emerging threat.

As a result of the RFP, you will be presented with options to choose from, which could be overwhelming if you didn’t already establish your selection criteria. The selection criteria help maintain order and focus in your process.

Considering options such as cost, availability, maintenance, etc., to make a procurement decision and integrate. The integration should be performed in such a way that leverages the manufacturer’s (or service provider’s) guidance, but also considers your realities on the field.

The process should be documented. By documenting your process, you can better establish the rationale for the decision-making process. Think of it as plotting out your navigational chart. In fact, it is helpful to memorialize your process using work flow diagrams that indicate the steps in your process. Although this might seem like more work, by defining the selection criteria and administering an RFP process to solicit options, you can slow the amount of information barreling down on you to ensure it not only is relevant information, but that it comes to you in a streamlined manner that makes it easier to digest.

Another compelling benefit is that by demonstrating adoption of this process, through said documentation, a VO will better position themselves for consideration by the U.S. Department of Homeland Security (DHS) Office of SAFETY Act Implementation. What has now become a de facto industry standard, the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) provides critical third-party liability protections to VOs that can demonstrate they deploy an effective security program. By DHS’s own evaluation criteria, implementing a formal procurement process that includes the measures listed above is an important element to an effective security program.

In reviewing a VO’s SAFETY Act application, DHS is charged with evaluating whether the security program is effective. As much as we may want, DHS cannot just rely on the fact that the venue has not been successfully attacked by terrorists as evidence that the security program is effective. Therefore, DHS must evaluate other components of the security program, such as the manner in which the VO procures security-related products and/or services. If you think about it, it is very logical given that that third-party solutions (e.g., incident management platform, video management software, event security service providers) represent a great deal of the security program itself. The more thought and scrutiny applied in the procurement process, the more likely that the solution procured will have its intended effective outcome. Again, DHS recognizes that bad actors take their time in assessing targets and attack types, and it is not a large leap to expect that VOs do the same in considering their mitigation strategies.

To help illustrate this process in motion, we can apply this methodology to an emerging threat that has become prevalent over the past several years: vehicle ramming. As evidenced in attacks around the world and here in the homeland (e.g., see attacks in London, U.K., Berlin, Germany, Nice, France, and New York City, New York), bad actors have increasingly grown fond of the vehicle ramming attack. The reason is simple: the attack is low cost and low sophistication. In theory, the mitigation strategy is simple. Bad actors aim to injure or kill innocent people by ramming them with a large vehicle, such as a box truck. The solution should be to implement a crash-rated hardened perimeter. However, as those who have experienced such projects already know, implementing the solution is not so simple.

The following steps illustrate the process:

A VO can leverage a number of available resources to identify the emerging threat. For example, a VO could leverage its local law enforcement agency, local Federal Bureau of Investigation field office, or even your local DHS Protective Security Advisor (PSA). Notice the emphasis on the local! Or, you can obtain the subject matter expertise of qualified security consulting firms who spend every day sharpening their understanding of emerging threats, so you don’t have to. In consultation with law enforcement agencies or security consultants, you can identify the attack mode (e.g., size of vehicle, speed of vehicle for which you should be concerned).

Does your venue already have a complete crash-rated perimeter hardening system in place? Unless your venue has been built in the last several years, most likely the answer is no. You may have a mixture of crash-rated and non-crash-rated structures around your perimeter, or you may not even know if the structures have a crash-rating level at all. If you either know you do not have a complete crash-rated perimeter hardening system or not sure, then you will need to complete a Vehicle Vector Analysis (VVA) and engineering study to ascertain your current state. Again, don’t forget to ask around from those who already have a complete crash-rated perimeter.

The VVA, which includes high-end software modeling, will identify those locations around your perimeter at which your organization has the largest vulnerabilities. In conducting this VVA, it is important that members of your organization provide venue-specific information to help inform the VVA such as the location of large queuing areas or high pedestrian traffic. Additional engineering studies will help ascertain the current crash-rating (if any) of the structures already on your perimeter. From these analyses, you will be able to determine where your vulnerabilities exist and begin designing a completed hardened perimeter. Your needs assessment should conclude that you need a structural and security engineering firm to assist in this process.

Your selection criteria, built off the needs assessment, should include requirements for a structural and security engineering firm. The RFP must elicit from bidders their experience in performing VVAs and whether they have the in-house capability to ascertain the crash-rating of existing structures based on architectural and construction drawings. You should also vet structural and security engineering firms that can assist in the design and construction phases, if it is determined that you have vulnerabilities in your perimeter that need resolving. Having one firm perform work in both phases is ideal.

RFP responses are submitted to your organization for review. Establish an internal working group to review and consider the RFP responses. This working group provides multiple benefits, primarily, having the benefit of multiple subject matter experts who can help think through the project from different perspectives.

Based on a number of factors, including cost, you choose a vendor and execute the program.

The processed laid out above should be adopted for all security-related procurements, but it is especially helpful when addressing emerging threats. Each step on its own may not seem like a lot, but before you know it, you lowered the amount of white noise coming at you and worked through your problem.

Akmal Ali is a principal at Catalyst Partners, supporting domestic and international clients in working with the federal government and business development, with an emphasis on technology growth. Read More