By Daintry Duffy
CSO - The Resource for Security Executives
Terrified, haggard and frostbitten, Karen McMullan refused to give police the details of her ordeal until she knew her husband Kevin was safe. Twenty-four hours earlier, men dressed as police officers had talked their way into the McMullan's home. Once inside, they held a gun to the head of Kevin McMullan, the assistant bank manager for Northern Bank in Belfast, Northern Ireland, and explained that he would help them carry out a daring robbery. To ensure his cooperation, they kidnapped his wife.
At the same time just a few miles away, armed men entered the home of another bank employee, supervisor Chris Ward, and conscripted him into their plan by taking his mother, father, brother and brother's girlfriend hostage. Per the kidnappers' instructions, the next evening McMullan and Ward used their security passes to enter Northern Bank's inner vault and packed up bags of banknotes. The cash was loaded into a white truck and driven away. Hours later, Karen McMullan staggered out of a Northern Ireland forest and into the first house she found.
Many companies pay lip service to the notion that employees are their most valuable assets, but few have actually done the math. In the case of Northern Bank, the use of the McMullan and Ward families in that December 2004 robbery cost approximately $50 million—and that is just the thieves' take. Add to that the public relations costs (worldwide headlines, inquiries by prosecutors and British intelligence), and the tab runs considerably higher.
The threats facing an executive vary widely depending on the size of the company, the industry it belongs to and the individual executive's profile. CSOs in oft-targeted sectors such as the financial services, pharmaceutical and energy industries, and those with executives based overseas, worry about kidnapping, carjacking, mail-borne explosives, biological agents and ecoterrorism. Threatening letters and e-mails and workplace violence fill out the list.
Given the range of risks involved, CSOs who have managed executive protection programs know that protecting an individual is a very different discipline from securing a facility. A top executive not only can't be locked down but, unlike a building with a single gate, there are numerous ways for an attacker to get to an executive, including through family members, as in the Belfast example. Executives will also rebel against onerous security restrictions. CSOs face the challenge of calibrating protection that serves their company's needs while also making that security palatable to the executives who have to live with it.
We spoke with security executives and protection specialists, including former and current agents from the U.S. Secret Service, and gleaned their advice on building an executive protection (EP) program. These tips apply whether you are spending millions to protect all your top executives or you hire the occasional security provider when your CEO travels. Following this advice can make an enormous difference in your executives' safety—and transform the executives' idea of personal protection from a barely tolerated hassle into a perk.
Whether you are starting an EP program or just looking to tune up a preexisting plan, the first step CSOs should take is to conduct a thorough risk analysis. You need to identify the individuals who are critical to your organization, assess the impact to the corporation if they were lost and examine the risks that each of those people faces. Is there a history of threats against any of these individuals? Do they travel regularly to dangerous places? To what kinds of crimes or dangerous situations are they most vulnerable? Some executives keep a very low profile. Others, such as Donald Trump and Richard Branson, aggressively court media attention and risk attracting the notice of undesirables as well as fans.
Once you have determined the individuals who need protection, you need to know everything about their public and private lifestyles. This is called creating a "principal profile," and it requires the executive's full cooperation. You need to know everything about his work and home lives—everything from detailed information about his home, his family's habits and any organizations and clubs he frequents. It's also important to investigate how easy it is for outsiders to get information on your principal and his family.
Arnette Heintze, director of security with a Fortune 100 company and a retired U.S. Secret Service special agent in charge, advises doing a little online surfing. "Some companies are way too proud about putting everything they can about their executive and his family up on their website," says Heintze. "If someone is stalking a certain CEO, he can find out a lot of information on the Web." (If there is a lot there, the protection team needs to educate the marketing and communications staffs about what publicized personal details could put an executive at risk.)
Based on what the protection team learns about its subjects, CSOs will start to get a picture of what kinds of security measures you'll need to take. Some companies find that their executives need very little protection. Others need a 24/7 command post set up in their home. You should also consider whether your industry has a standard for executive protection. Companies in high-risk industries might find that there are some common levels of protection used for their executives. For example, executives at large financial services companies might have panic alarms in their homes as a standard security protocol. Researching common protective measures in your industry can enable you to benefit from others' experience.
Of course, none of this comes cheap. So it's critical that you're comfortable with your recommendations because you have to be able to justify them. "Security is always negotiated in the private sector," says Joe Russo, the vice president of special operations with T&M Protection Resources in New York City, who spent 20 years with the U.S. Secret Service. "You have to be able to articulate why you are going with certain procedures and justify heavier doses of security. It's big dollars, so they're not going to take it lightly."
For example, according to the Jan. 6, 2005, proxy statement that Disney filed to its shareholders, in 2004, Disney spent $716,335 on security advice and personnel for CEO Michael Eisner, and $18,663 on security systems and equipment for his safety. For COO Bob Iger, the company spent $471,646 on security advice and personnel and $2,470 on security systems.
It's important to realize that risks are ever-changing. CSOs need to establish a baseline level of security for their executives that can be increased when warranted. "Good executive protection professionals understand the threat level and analyze it constantly," says Tim Horner, associate managing director at security consulting behemoth Kroll. A CEO might get 25 threatening e-mails a week without the threat level spiking. But if a threatening letter is tucked under the front door of the CEO's home, that signals someone is taking extra pains to deliver their venom, and security may need to be increased.
The term "executive protection professional" should tell you all you need to know about the evolution of executive security details. No-neck goons in black turtlenecks and lumpy suit jackets are fine if you want to hit a dance club with a posse, but they are not effective for executives. An effective EP program has to be based on research and preparation rather than sheer muscle.
"That's the difference between a bodyguard and a protection professional: One specializes in muscles and has a gun, and the other may be less physically imposing but is better prepared to identify threats before they materialize," says David Katz, president and CEO of the Global Security Group, which provides training and consulting for executive protection details.
Whether you are using proprietary staff or outsourcing, the CSO must ensure that protection professionals are properly trained, advises Heintze. They need to have experience in defensive driving, emergency medical training, the ability to defend against an attack on a principal, a conspicuous pride in staying fit, and the good judgment to assess threats and employ the appropriate countermeasures. Today's protection professional also has to be a mirror image of his principal in professional dress and demeanor.
"You need to know how to walk, dress and talk like your executive," says Ilan Caspi, executive vice president of the Global Security Group and a former member of Shin Bet, the Israeli counterintelligence and internal security service. Blending into the executive's milieu is critical to ensuring his safety and minimizing the impact of a security detail on his daily life.
So who is the executive protection professional? "These men and women are educated, trainable, respectful and dedicated professionals," says Robert L. Oatman. Oatman, author of a book on executive protection, founded R.L. Oatman & Associates, which specializes in executive protection operations and training. "They know how to blend into their environment and carry on an intelligent conversation, and they understand that they represent the executive." Many companies hire former police officers, secret service agents and military officers to fill this role, but experts like Oatman point out that it's also possible to find people within a corporate security organization who have the right character for the role. The physical skills necessary to do protection can be taught, but the dedication, discretion and integrity necessary to do the job well are often harder to find. "This job is not for everyone," says Oatman.
Protection professionals have to be great communicators. They have to be able to establish a good rapport with their principal without getting too close. "You want to make sure that you keep everything on a professional keel," says Tim Koerner, deputy assistant director in the office of protective operations for the U.S. Secret Service. "When you are in close proximity for a long period of time, people sometimes let down their guard and become more chummy. The best results are when things are utterly professional."
The CSO's role is to identify promising protection professionals (both within the company and outside of it), and to mentor them and make sure they receive the appropriate training. That training can include skills such as choreography (knowing how to stand, walk and get out of a car with a principal), conducting advance work to prepare for trips and events ahead of time, effective countermeasures to deal with an attack or security threat when it materializes, proficiency with home alarm and access control systems, familiarity with armored vehicles, and firearms training.
Some people come into the protection business imagining they'll be like Clint Eastwood, firing off magnum clips and cool one-liners in rapid succession. But opportunities for gun-play are hard to come by if the job is done well. In fact, the job can seem quite dull when success is measured by how uneventful the executive's routine becomes. Nerdy as it may sound, good organizational abilities and excellent research skills will prevent the lion's share of problems. These things also carry an ancillary benefit: helping an executive eliminate many of the usual annoyances of travel.
When an executive deviates from his routine in order to travel, the protection professional needs to be in a position to prevent a dangerous encounter rather than simply respond to it, says Koerner. Before attending an event, the protection professional should examine the principal's travel logistics and create a contingency plan for every conceivable possibility. Without this kind of preparation, protection professionals could find themselves frozen by the onset of a medical situation or attack. "You know you have done a really good advance job if you are able to answer all the questions [about an event] that are asked of you," says Koerner. It's also easy to tell the protection professionals who have not done their homework. They're the ones who are constantly standing within a foot of their principals. "By not having done the proper advance work, the untrained professional ends up smothering the CEO and destroying his credibility," says Heintze.
Advance work is also more than preventing a planned attack. "A lot of times you don't have to worry so much about kidnapping as you do regular criminal activity, car accidents and serious illness," says Mark Cheviron, corporate vice president, corporate security and services of Archer Daniels Midland (ADM). If an executive has a history of heart problems, facilitating a prompt EMT response might be the top priority for ensuring his health and safety. At ADM, corporate offices and planes are all equipped with defibrillators, and the company keeps track of critical health information—such as allergies and blood type—about its executives. When Caspi worked security for President Clinton's visit to the Israeli embassy in Washington, he recalls one of the biggest concerns was that Clinton not trip on steep stairs.
Joe Russo spent the last 18 months of his Secret Service career heading up the security detail for former President Clinton and Sen. Hillary Clinton. Clinton's postpresidential schedule had him visiting approximately 54 countries during that time. Without the phalanx of security that accompanies a sitting president, Russo's advance work was critical.
For every Clinton event at home or abroad, Russo looked at the geographic location and purpose of the former president's visit. Russo and the Secret Service's Clinton Protective Division sent out security personnel in advance to lock down all the details of the president's visit and hammered out a tight schedule that left little room for the unexpected. With Clinton, that was a particular challenge because "he would still attract crowds of thousands, most of whom had good intentions," says Russo. "People wanted to touch him, grab him and hug him, and with fewer resources [than when he was in office] and unscreened crowds, that meant less control." In those situations, Russo had to be extra vigilant about his advance work, directing the advance team to ensure that 10-foot buffer zones between Clinton and the crowd were preserved and that all pathways to vehicles and emergency exits were kept clear. In many countries, Russo worked closely with local law enforcement to beef up his security team, but that did not always run smoothly. At one event in Israel, the Israeli police officers tasked with maintaining a clear path to Clinton's vehicle actually blocked his exit because they were all crowding in to try to shake his hand. This kind of incident occurred in several countries.
Good advance takes time; it could require three weeks to plan a five-day overseas trip. But it's also an opportunity to make protection seem more of a perk than a pain for the principal by speeding things up. The protection professional is the CEO's man Friday, doing all the grunt work ahead of time to ensure his experience is seamless. "If executive protection is done professionally and correctly, it can afford an executive an extra hour and a half to two hours a day," says Oatman.
When executives rebel against their protection—a fairly common phenomenon—it's the CSO who has to make the case for security.
CSOs need to educate the executive about security recommendations while arguing for his buy-in. It can be helpful to use terms that the executive feels comfortable with, like cost-benefit and return on investment. It can also be effective to boil down the protection program's efforts into a quarterly executive summary that lists the perceived threats and the steps taken to mitigate them. Robert Siciliano, a personal security expert who has advised British Petroleum and Best Western, refers to it as cultivating a "healthy paranoia" in your executive populace. "They should be aware of the risks they face and always informed of the worst-case scenarios." The more that executives know about the role of their protection detail, the better they will understand their role in helping the protection professionals keep them safe.
Of course, executives can come to view these conversations about lurking dangers as scare tactics. That's why it's critical that the CSO and not the individual security provider manage this communication. "I wouldn't try to talk my CEO into taking karate or judo," says one security executive for a Fortune 50 company in the aerospace industry. "But I think it's important that they're aware or sensitive to what's going on [within their peer group]. Threats or activity against other executives are a good opportunity to tweak them about security."
Also, CSOs should have answers ready for executives' most common concerns about security in their lives. For example:
Giving your executives a little training of their own can also make them better partners. Some take defensive driving courses and learn what to do if attacked by armed assailants, and what they should do if they are being watched. This might all sound very cloak and dagger, but Russo notes that these are not unheard-of occurrences in the business world. For example, a business competitor who was hoping to gather information about his daily meetings placed one of Russo's executive clients under surveillance. Companies that are in litigation have used surveillance for intimidation purposes. If you get executives thinking about these kinds of situations and taking some ownership of their security, you'll discover an enthusiastic partner. "When they start to see the benefits [of security], they start to like it," says Caspi. "Eventually you get to the point where they can't think how they would get along without security."
Good information is the lifeblood of an EP program. It pays to work closely with executive assistants, hotel personnel and event organizers. But that's only part of the information network a protection professional needs. Other important resources come from law enforcement and fellow security professionals.
When other executives gather for an event, it can be a good opportunity for security personnel to network as well. These connections can be helpful, but their cooperation depends on the protection professional's powers of persuasion and pleasing. (It also pays to return their calls when they ask for advice.) "These people don't owe you anything," says Caspi. "They can help you if they want, but nobody will hold them accountable if they don't. Fellow protection professionals can also provide a wealth of helpful information. When traveling abroad or to an unfamiliar city, the best information on where to go and which in-country security providers to trust will likely come from peers that have worked security in the area before.
Within the company, the EP professional's network should include the executive assistants who manage the schedules and the HR managers who in many companies ensure that everyone who works in proximity with the top executives are screened and given background checks. But it should also include the security department. Often, executive protection operates outside the boundaries of the regular security department, but that is a mistake, says Oatman. The CSO is a critical advocate to an executive protection program, and EP should work closely with the CSO and his team to ensure a free flow of communication and to facilitate the acquisition of additional resources when necessary.
The most vulnerable people in the corporation are not the executives under the protection of corporate security, but their spouses and children who are far more accessible and are often left out of security planning. "The family should be a huge concern," says Russo. "If someone has bad intentions and they recognize that an executive has 24-hour security at the office and when he travels, they'll think of an easier way to get to them."
Harming a spouse, child or another member of the executive's family is an easier way to get to that executive compared with trying to harm an executive surrounded by a security detail. Oatman is familiar with a recent case where an individual was fired from his job and was really upset about it. "That employee's son, who had a prior criminal conviction for assault, showed up at the CEO's home and threatened retaliation against the executive," says Oatman. The family called the police. Although no charges were pressed, the executive and his family lived with security for three months after that until the investigation was completed.
While a security detail at the executive's home may not be necessary, the protection team should evaluate the principal's home and examine whether family members should receive any training or additional protection. At ADM, Cheviron deals with everything from threats from disgruntled employees to the occasional crazed individual who reads something about ADM in a newspaper and goes on a crusade of harassment. The company supplies all its officers with a home alarm system that is monitored at the corporate office. He also considers options like home safe rooms where executives and their families can wait for police and fire assistance to arrive, and armored vehicles with trunks that contain a release in case the car is stolen and the executive is placed inside the trunk.
Sometimes the simplest steps can make a big difference to an executive's security. Many companies provide excellent facility security but omit the basic precautions of conducting background checks on the employees that work in close proximity with the CEO. Some executives have buttoned-down security with an armed driver five days a week, but nothing on the weekends. Examine your security for these kinds of commonsense gaps. The benefits of nothing going wrong are worth the costs of safekeeping your company's most valuable assets.
Daintry Duffy is a freelance writer based in Southborough, Mass.