By Martin Nielsen & Christian West
The EP industry is not exactly known for its culture of innovation. If you compare us to many of the disruptive and highly successful companies and individuals we serve, it would be fair to call the industry “conservative.” To be more accurate, if less politically correct, some parts of the executive protection look a lot like out-to-pasture dinosaurs just waiting for extinction.
Agents still train in the core areas of executive protection TTP’s, advances, driving, medical and shooting. Nothing wrong with that, of course: all of these skills are vital tools for agents and we must all keep them keep these perishable skills sharp. But are these time-tested skills sufficient to deal with the everchanging threat scenarios facing our clients? We don’t think so.
To be fair, it’s not that the EP industry has been completely bereft of innovation. Changing client expectations have increased the demand for skillsets like covert protection and surveillance detection, and training in these areas has increased significantly in recent years. We also came up with the first app for EP professionals, Protection Manager, because we got tired of the old way of preparing advances: spending hours keeping track of Word documents, pictures and other files. Still, R & D costs are not the biggest line item for any EP company we’ve ever heard of.
Executive protection professionals aren’t the only ones who are conservative. CSOs and security directors can also be as leery of change as our clients are willing to try and pay for something new.
Some of this resistance to the new has to do with poor framing and standardization. We are firm believers in technical surveillance countermeasures (TSCM), for example, and believe TSCM should be a much more regular element of many more personal protection programs. But when TSCM experts come off like the nutty professors in tinfoil hats, and most EP agents can’t tell the good ones from the bad ones, we have a problem.
Executive protection will always be physical, but cyber threats must now be an integrated element of risk mitigation, too
During the last few years, enterprise security risk experts have shed a fair amount of ink on the “convergence” of physical and cybersecurity. As physical security progressively takes advantage of and relies on digital technology (for example, a majority of major US and European companies already use biometric access control), cyber vulnerabilities quickly turn into physical vulnerabilities. The flipside is also true: even small physical security breaches, such as plugging a thumb drive into a networked computer, can result in massive cybersecurity problems.
What’s true at the enterprise level is also true at the personal level. Executive protection will always be physical, but cyber threats must now be an integrated element of risk mitigation, too. We have crossed the digital Rubicon, and there’s no turning back to a time when a purely analogue approach to security was sufficient.
Cyber threats come in many shapes and sizes, but they keep on growing
Not all bad guys are standing still. Some are actually highly innovative and very open to developing inventive ways to breach new vulnerabilities. If we are to deal effectively with these risks, personal protection stakeholders can’t stand still, either.
On any given day, our principals are exposed to a wide variety of cyber-related threats that could expose their personal or corporate information to bad actors. These include getting their personal (phones, tablets, computers) or IoT devices hacked/hijacked as well as being surveilled by bugs (cameras, microphones, data capture) in their own homes, vehicles, and offices as well as in outside facilities (planes, hotels, conference centers, etc.).
Consider, for example, the personal risk implications of the Internet of Things (IoT). An estimated 20 billion devices will be connected to the IoT by the end of 2020. While many of these “things” will keep supply chains and infrastructures humming, with little direct exposure to our principals, a growing share of these always-online devices will be embedded into our lives. We will increasingly rely on smart vehicle maintenance systems, doorbells, vacuum-robots, voice assistants, and who knows what else will show up at the next CES. Unfortunately, all of these helpful things can also be hacked for harm.
Likewise, how is it possible that the record number of data breaches (in 2019 alone, an estimated 8.5 billion records were exposed) mean nothing for the safety of our principals, their significant others, or children? Or that the time and place predictability of prominent CEOs who are expected to be permanently plugged into social media is the same in 2021 as it was in 2010?
We need to start training and hiring the first executive protection technology officers (EPTOs) to make sure risk mitigation keeps up
Some large, well-funded EP teams have access to corporate IT experts who routinely support the principal’s personal digital security. A few even incorporate corporate or third-party TCSM teams into a schedule for regular sweeps of offices, cars, planes, buildings, conference rooms, etc.
What is far more common, however, is that the CEO gets little more IT security assistance than anyone else in the company, and TSCM sweeps, if they ever happen, do so only in an emergency situation or once or twice a year. This results in a situation in which the gaps in personal cyber protection for the CEO are far more prevalent than the rare moments of coverage.
We need executive protection technology officers (EPTOs) to step in and cover these cyber protection gaps. Of course, the EPTO will not be able to completely prevent bad things from happening; no one can. But well-trained EPTOs will mitigate the risk of cyber threats and hostile surveillance in far more situations than dedicated IT and TSCM experts will be available for, at home and on the road.
Job description: Executive protection technology officer (EPTO)
The first job description for EPTOs has yet to be written, but we imagine it would include a number of the bullets below:
As executive protection technology officer (EPTO) for a major corporate executive protection program, you will combine your solid executive protection experience with your ever-evolving technological expertise to help provide world-class personal cyber protection for a busy principal. Based in X, you will also travel frequently, sometimes at short notice.
- Understand the latest tech that our principals use and are surrounded by
- Stay abreast of personal cyber threats and vulnerabilities and know the basics of risk mitigation
- Participate in EP advances to look beyond the usual physical security shortcomings, determine what the team can and can’t do to mitigate cyber and surveillance risks, and assess at what point to bring in more dedicated expertise
- Perform basic to intermediate TSCM sweeps, evaluate network status, look for fake cell tower signals, and scan and screen people with a device like the SWORD
- Select, brief, and perform quality control for TSCM vendors worldwide
- Guide principals, their families and business entourages – and executive protection colleagues – on best practices for personal cybersecurity
Qualifications and skills:
- 3-5 years experience as an executive protection agent
- Working knowledge and basic experience of TSCM methods and technology
- Proven ability to learn how to use new tech gear and enable others how to learn, too
- Experience with vendor management
- Excellent communication skills
One of the toughest challenges in training the EPTO is keeping up with technology developments. The basic training curriculum will probably have to be updated every six months. Sustainment training will be necessary at least once a year. Instructors will have to be at the top of their game – and work hard to stay on top, non-stop.
So, what do you all think? Does the EPTO concept make sense to you? What kinds of training do you think would be required? Is anyone out there ready to write his or her own job description? Ping us on social media to join the discussion.