Since the release of the video footage showing the shooting of UnitedHealthcare CEO Brian Thompson on December 4, many security professionals in the media have pointed out potential security failures that may have made it easier for the killer to carry out this horrific crime. While many facts of the case are still being processed, we know at a minimum that Thompson was walking alone without a security detail despite having received recent threats and was targeted by the killer. Shooting suspect Luigi Mangione was arrested in Altoona, Pa., on December 9. In time, we’ll learn more about what other security lapses could have contributed. Still, for now, this tragic event has driven corporations and the public to consider the necessity of robust executive security programs.
Unfortunately, in the time since the murder, we have borne witness to a disturbing tolerance – even encouragement – of violence across swaths of the American populace. Many are celebrating the suspect as a hero across social media. According to the Network Contagion Research Institute, following Thompson’s killing, a surge of highly engaged posts across social media, generating impressions in the tens of millions, glorified the incident and called for additional acts of violence. Merchandise went for sale online, including hats, T-shirts, and pint glasses bearing the words “delay,” “deny,” and “defend” – the same words etched on the killer’s bullet casings. Wanted Posters for other executives have been hung on the streets of New York City, some show Thompson’s face with an “X” to indicate that he is the first “villain” to be eliminated.
This vitriol has heightened the threat of violence against corporate executives across a wide range of industries and is driving companies to enhance security measures for their top executives. According to reports, some health insurers are temporarily closing their headquarters out of an abundance of caution. Others are adding or expanding armed security protection for executives and reducing or deleting executives’ digital footprints. While some of these measures may be short-term, the impact of this event should drive companies to take a hard look at the threats facing their top executives. The board of directors will likely weigh in and demand more investment to implement appropriate security measures.
The hard truth is that short-term security surges or simply hiring a security detail are more performative than substantive, and security theater is more than actual security. These quick and easy fixes are not a substitute for a well-planned executive protection (EP) program that is thoughtfully designed and horizontally integrated with other security functions, including intelligence, physical security, cyber security, and crisis management, supported by clear policies, procedures, and training.
The hard truth is that short-term security surges or simply hiring a security detail are more performative than substantive, and security theater is more than actual security.
Unfortunately, there is presently no industry standard for executive protection. This makes the design of an EP program less straightforward. However, the Board of Executive Protection Professionals is developing a standard and hopes to have one approved by the American National Standards Institute (ANSI) sometime next year. In the meantime, many best practices are available, which any future Standard will likely codify. Throughout my forty years as a senior security executive, I was able to draw upon many of these practices and successfully apply them when building EP programs for my organizations.
Threat assessment is the critical first step in any EP program. Identifying credible threats to senior executives—both at program initiation and continuously—determines the appropriate scope of the EP program, the level of protection needed for certain executives, and whether protection should extend to certain less senior employees or family members.
Continuous threat assessment should take into account all possible risks to the executive and consider risk factors related to the executive, such as their public profile and organizational or political affiliations; factors related to the company, such as controversial products and practices, corporate downsizing, negative media, and past or pending criminal, civil or regulatory issues; and factors related to the broader environment, such as political turbulence, geopolitical dynamics, macroeconomic hardships, and emerging trends and technologies.
Threat assessment should be complemented by vulnerability assessment, which involves reviewing a wide range of locations and activities undertaken by the executive daily. These include the executive’s workplace, homes, travel itineraries, transportation, family, children’s schools, digital footprint, media appearances, and corporate and public events attendance.
Attacks against corporate executives can have dire consequences not only for the executives and their loved ones but also for the financial and operational stability of the company. Therefore, updates on the risk environment should not be shared only with the security team but also put on the radar of the C-suite and Board as appropriate.
You can build a comprehensive EP program based on a solid assessment of the threats and vulnerabilities. These programs typically cover various preventative measures to provide a 360-degree defense-in-depth of the executive. While not a complete list, the following are some areas for consideration when evaluating your EP requirements and building a program. All should be based on continuous risk assessment.
· Physical Security: EP programs should include written standards for protecting executive office suites and residents. Standards should outline the application of electronic security, remote monitoring, bullet-resistant doors and windows, panic rooms, and the use of security personnel. Guidelines should also be developed for secure transportation to and from the office using trained drivers and hardened vehicles.
· Event Security: Procedures for securing executives at high-profile corporate or public events should be developed. These should include assessing threats and ensuring coordination between security teams, event planners, venue security, and law enforcement to identify vulnerabilities and required security measures.
· Travel Security: A travel security program should be in place to identify and analyze threats within the visited locations. Considerations for additional security on the ground should include aviation security (private aircraft), secure ground transportation, hotel security, and measures to protect the executive and organization from espionage. Travel security services that provide traveler tracking capabilities and medical or security evacuation services should be considered. Emergency and communication protocols for travel emergencies should include coordinating with law enforcement, embassies, emergency services, and other stakeholders to ensure rapid response to potential threats, enable emergency evacuations, and ensure effective 24/7 communications during emergencies.
· Digital Footprint: Executives’ digital footprints should be reviewed to limit public information and photos of their home location and layout, family trips, children’s schools/camps/sporting events, memberships, and any other information that could be used by individuals seeking harm.
· Crisis Management: All companies should have emergency response and incident management procedures in place to deal with elevated threats or actual incidents that may occur. This should also include guidelines for responding to incidents involving kidnap-for-ransom events.
· Training and Awareness: Security training and awareness should be developed and provided to executives, administrative staff, and families. Depending on the executive and the environment, this may include tactical skills, counter-surveillance, survival skills, emotional and psychological preparedness, cybersecurity awareness, and other forms of training.
· Vendor Analysis: Companies should carefully analyze existing and potential EP vendors – including armed security personnel services, intelligence services, electronic security integrators, cyber protection firms, travel security services, and executive car services – to ensure professional, discreet, and cost-effective service. This vendor analysis must be informed by a current understanding of the threat to ensure contracted services are purpose-fit to the organization and do not create unnecessary costs.
In the days following any crisis – certainly one that has received the media attention of the Thompson murder – it can be tempting to make quick and reactive decisions. Hire a security detail. Take the executives’ photos off the website. Lock down the HQ. However, these measures are scaled back in the following weeks and months – judged too invasive or costly to maintain. A better approach is thoughtful, strategic, and methodical – doing things the right way, not the easy way. For that, companies will need to take a deeper and more time-intensive look at their organization, their culture, and their budget to build an EP program that lasts.
Rick Mercuri is Senior Advisor for Corporate Security at Rebel Global Security. Rick has served as senior security executive at two of the largest U.S. banks. For four decades in corporate security, Rick has demonstrated strong leadership and strategic decision-making for global and domestic organizations. Rick is a trusted advisor to C-level executives and a thought leader with expertise in mitigating complex physical security risks and developing threat intelligence capabilities. Rick is a Certified Protection Professional (CPP).