Executive protection will always be physical, but cyber threats must now be an integrated element of risk mitigation, too.
During the last few years, enterprise security risk experts have shed a fair amount of ink on the “convergence” of physical and cybersecurity. As physical security progressively takes advantage of and relies on digital technology (for example, a majority of major US and European companies already use biometric access control), cyber vulnerabilities quickly turn into physical vulnerabilities. The flip side is also true: even small physical security breaches, such as plugging a thumb drive into a networked computer, can result in massive cybersecurity problems.
What’s true at the enterprise level is also true at the personal level. Executive protection will always be physical, but cyber threats must now be an integrated element of risk mitigation, too. We have crossed the digital Rubicon, and there’s no turning back to a time when a purely analog approach to security was sufficient.
Cyber threats come in many shapes and sizes, but they keep on growing
On any given day, our principals are exposed to a wide variety of cyber-related threats that could expose their personal or corporate information to bad actors. These include getting their personal (phones, tablets, computers) or IoT devices hacked/hijacked as well as being surveilled by bugs (cameras, microphones, data capture) in their own homes, vehicles, and offices as well as in outside facilities (planes, hotels, conference centers, etc.).
Consider, for example, the personal risk implications of the Internet of Things (IoT). An estimated 20 billion devices will be connected to the IoT by the end of 2020. While many of these “things” will keep supply chains and infrastructures humming, with little direct exposure to our principals, a growing share of these always-online devices will be embedded into our lives. We will increasingly rely on smart vehicle maintenance systems, doorbells, vacuum-robots, voice assistants, and who knows what else will show up at the next CES. Unfortunately, all of these helpful things can also be hacked for harm.
To claim that the huge number of IoT devices that are part of our lives have no consequence for executive protection is naĂŻve.
Likewise, how is it possible that the record number of data breaches in 2019, when an estimated 8.5 billion records were exposed, mean nothing for the safety of our principals, their significant others, or children? Or that the time and place predictability of prominent CEOs who are expected to be permanently plugged into social media is the same in 2020 as it was in 2010?
We need to start training and hiring the first executive protection technology officers (EPTOs) to make sure risk mitigation keeps up.
Some large, well-funded EP teams have access to corporate IT experts who routinely support the principal’s personal digital security. A few even incorporate corporate or third-party TCSM teams into a schedule for regular sweeps of offices, cars, planes, buildings, conference rooms, etc.
What is far more common, however, is that the CEO gets little more IT security assistance than anyone else in the company, and TSCM sweeps, if they ever happen, do so only in an emergency situation or once or twice a year. This results in a situation in which the gaps in personal cyber protection for the CEO are far more prevalent than the rare moments of coverage.
We need executive protection technology officers (EPTOs) to step in and cover these cyber protection gaps. The EPTO will not be able to completely prevent bad things from happening; no one can. Well-trained EPTOs will mitigate the risk of cyber threats and hostile surveillance in far more situations than dedicated IT and TSCM experts will be available for, at home and on the road.
Job description: Executive protection technology officer (EPTO)
The first job description for EPTOs has yet to be written, but we imagine it would include a number of the bullets below:
Summary:
As executive protection technology officer (EPTO) for a major corporate executive protection program, you will combine your solid executive protection experience with your ever-evolving technological expertise to help provide world-class personal cyber protection for a busy principal. Based in X, you will also travel frequently, sometimes at short notice.
Responsibilities:
- Understand the latest tech that our principals use and are surrounded by
- Stay abreast of personal cyber threats and vulnerabilities and know the basics of risk mitigation
- Participate in EP advances to look beyond the usual physical security shortcomings, determine what the team can and can’t do to mitigate cyber and surveillance risks, and assess at what point to bring in more dedicated expertise
- Perform basic to intermediate TSCM sweeps, evaluate network status, look for fake cell tower signals, and scan and screen people with a device like the SWORD
- Select, brief, and perform quality control for TSCM vendors worldwide
- Guide principals, their families and business entourages – and executive protection colleagues – on best practices for personal cybersecurity
Qualifications and skills:
- 3-5 years of experience as an executive protection agent
- Working knowledge and basic experience of TSCM methods and technology
- Proven ability to learn how to use new tech gear and enable others how to learn, too
- Experience with vendor management
- Excellent communication skills
One of the toughest challenges in training the EPTO is keeping up with technology developments. The basic training curriculum will probably have to be updated every six months. Sustainment training will be necessary at least once a year. Instructors will have to be at the top of their game – and work hard to stay on top, non-stop.