What Companies Should Be Asking Their Security Teams Right Now

The shocking killing of United Healthcare CEO Brian Thompson in midtown Manhattan on December 4 has corporate boards and executives asking hard questions of their security teams.

Workplace violence driven by disgruntled employees or job-site disputes is unfortunately too common in the United States. Deliberate targeting of CEOs for assassination, however, is relatively rare. In the 1970s, ideologically driven groups, including Italy’s Red Brigades and Germany’s Bader Meinhof Gang, perpetuated kidnappings and killings of business executives. Corporate leaders today are more likely to see shareholder meetings disrupted by extremist groups with tactics designed to produce outrage and publicity, not casualties.

But in a year of febrile politics, rising popular frustration with institutions, and two separate attempts to assassinate President Trump, the risks to executives in just about any industry cannot be minimized. The presence of an estimated more than 400 million firearms in the United States, combined with easy access to personal location data, schedules, and life patterns only adds to the danger.

“C-suite executives of every Fortune 1,000 company are valuable assets that need to be protected,” says Dale Buckner, CEO of the security firm Global Guardian. “In an age of increasing political and social division, where so much information is available through the internet and social media platforms, anyone with the potential to commit violence has an alarming level of access to the location of residences and the whereabouts of your personnel when traveling or participating in corporate events. This gives those with the inclination to commit violence a much easier path to follow through.”

Given this, what framework might C-suites and boards use to balance competing interests of need, efficacy, and cost to ensure executive protection? How does a company strike the right approach in preventing the low likelihood, but very high consequence of an attack on a CEO?

One common and effective assessment tool used in military, law enforcement, and corporate security circles is to examine three simple factors of risk: threat, vulnerability, and consequence. By looking closely at each component, companies can assess the nature, degree, and seriousness of virtually any risk. Most importantly, this assessment can guide the all-important decisions about which resources to employ to reduce it.

Threat

Threat is a combination of capability and intent. A man holding a pistol represents capability. The decision to pull the trigger is intent. Capability might be manifest (a visible weapon) or hidden (a concealed pistol.) Intent is harder to divine and, critically, can transform in an instant.

To assess threat levels, executives and boards should ask:

• What individuals or groups intend to harm the company or its leadership?

• What drives their intentions?

• What factors may trigger a change in those aims?

• Are there actions the company can take which may alter the intentions?

• Does the capability of the threat actor match up with intentions? Can they do what they say?

• Do changing capabilities indicate changing intention?

To identify threats companies should mine and track the nature and frequency of client or customer communications — whether on social media or in direct correspondence. Sentiment analysis and prioritization of written or uttered threats is critical. Most will be noise, but attuned security analysts empowered with rich data and AI can separate threat wheat from chaff.

Once individuals or groups have been identified as threats, a security team should look at their past actions, social media presence, and evidence of previous criminal activity. At a minimum there should be an assessment as to whether a particular actor may engage in violence, cyberattacks, social media rants, or other actions that may harm a firm or its employees.

“Because the world is filled with technology and social media, leadership in corporate America has a level of exposure like never before,” said Mark Post, chief operating officer of Global Guardian. “The simple fact is that if you are a leader of a large organization, you are inevitably going to make decisions that upset people every day — which automatically makes you a target.”

Vulnerability

Vulnerability is simply a measure how good your defenses are. A building with gates and guards is more secure and less vulnerable than one without. With a good understanding of the threat environment, security team can assess the weak points in in the defense and build more robust one, preferably with multiple layers.

In some ways, vulnerability is easier for a security team to review for the simple reason of access. Security assessments of executive residences, workplaces, travel plans, and public schedules are de rigueur for professional security teams.

Pathways to reduce vulnerability include the use of physical barriers, adaptable protocols, bodyguards, and comprehensive security planning for travel or events. In addition, a threat intelligence collection program which tracks bad actors as well as the overall security environment should inform any vulnerability assessment. Forewarned is forearmed.

In my experience, protection against vulnerabilities is hindered by two self-limiting factors. The first is when executives either don’t perceive a threat or they don’t want to be hindered by bodyguards or restrictions on movements or activity. If an executive tells his close protection to go home for the night, they can’t provide protection.

But the more pervasive corporate self-limitation in vulnerability reduction is money. Corporate security teams face perpetual cycles of cost cutting, must continually justify their existence, and face resistance in implementing sound risk-based plans. Companies fall into the trap of believing that because something hasn’t happened in the past, it won’t occur in the future.

“Companies have a very hard time understanding low likelihood, high-consequence risk,” says James Hamilton, creator of the FBI Close Protection School and Founder of Hamilton Security Group.

Risks also aggregate. For an insurance company, Hamilton notes, “every claim denied is a potential threat.”

To assess vulnerability levels, executives and boards should ask:

• Do we understand the strengths and weaknesses of our access controls, physical barriers, and security assessment process?

• Do our executives have public or social media profiles which may cause controversy, or which provide valuable targeting information to an attacker?

• Do we have the capability to collect general and specific threat intelligence?

• Do we have relationships with law enforcement, security providers, and industry organizations that will maximize our ability to protect our people?

• Do our executives listen to and accept security guidance?

• What additional resources or processes will provide the most important security enhancements?

Consequence

It’s vital that chief security officers (CSOs) work hand in hand with business leaders so that each is not only acutely aware of what could happen, but what it means if it does. Too many companies neglect to assess the actual impact — whether measured in lives or the bottom line — of a given security event.

But understanding the potential consequences is essential to effectively prioritize the nature and level of security measures to employ. It makes little sense to expend huge resources to mitigate low-consequence events — but when the impact is high, actions and preventative measures should ramp up accordingly.

Measuring consequence can be tricky and imprecise, but tools like war-gaming can forge better understanding of knock-on effects. When done well, such exercises invariably reveal hidden business vulnerabilities. As one example, when an oil company conducted a tabletop exercise simulating a cyber-attack, execs who had expected to deal with an IT problem quickly found themselves grappling with a global business paralyzed by the collapse of its payments and inventory systems. A real-world example can be seen in the Colonial Pipeline ransomware attack which cascaded into a shutdown of fuel deliveries on the U.S. east coast.

To help assess consequence, boards and executives should ask themselves a series of “what if” questions — and be particularly mindful to examine second- and third-order effects.

• For any given security issue, what are the worst-case scenarios? What are the various impacts they may generate across the company? Remember to not reject scenarios because you don’t see them as likely. The discussion is on consequence, not probability.

• What pre-planned responses can the firm take that will mitigate the impact of an event when it occurs? Active-shooter drills, evacuation plans, crisis management exercises, and rehearsed responses can help minimize the bad effects of a terrible day.

• In the event of an incident, are we ready with a communications strategy for our employees, shareholders, regulators, and the public?

In today’s world of grievance and anger, easy access to weapons and information, and high-profile attacks on public figures, companies must take seriously their duty of care for executives and employees alike. Appropriate resources, thoughtfully conceived and effectively implemented risk-based security plans, and ongoing conversation with your security team will help anticipate threats before they manifest, and to deal with them when they do.

Copyright 2024 Harvard Business School Publishing Corporation. Distributed by The New York Times Syndicate.

Explore AAPL Membership benefits.