COMMENTARY: Executive protection used to feel like a corner office perk, right alongside the company car, or the premium health club membership.It was frequently categorized in public filings and tax codes as a “fringe benefit,” which unintentionally set the wrong tone. This perception – that security is a luxury rather than a necessity – has created a dangerous blind spot in corporate America.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Today, the line between digital and physical risk has completely vanished. For a modern organization, protecting its leadership has become a matter of business continuity and fiduciary responsibility. Just ask UnitedHealthcare what they think of this issue in the wake of the alleged fatal shooting by Luigi Mangione of CEO Brian Thompson, which also opened up widespread criticism of UnitedHealthcare's business practices, and followed the February 2024 Change Healthcare breach.Cybersecurity has evolved from an IT cost to a fundamental aspect of governance, and so will executive protection. By using the language of risk, resilience, and fiduciary responsibility, we can systematically reduce the digital attack surface for our highest-value assets: our leaders.When leaders feel secure, they can lead: that’s just good business.Trinity Davis, chief security officer, 360 PrivacySC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
AI accelerates the attack surface
We live in a world in which threat actors are smarter, faster, and more precise than ever before. Their initial attack vector rarely consists of a front door or a firewall: it's the publicly available data about a leader.Think about how much information exists across public records, professional networking sites, and social platforms. Individually, a property listing, an old corporate bio, or a social media check-in might seem harmless. But tools powered by AI have fundamentally accelerated the velocity of correlation. These models can process and cross-reference data from hundreds of sources simultaneously, identifying patterns that would have taken weeks of manual work just a few years ago: An executive’s travel patterns become predictable through professional event attendance and check-ins. A residential address gets linked via property records and public business filings. Or, family details, job history, and social connections are consolidated into a comprehensive exposure profile within minutes.This consolidated intelligence creates exploitable pathways, a digital exposure that represents the first step toward physical targeting, social engineering, and fraud. As security leaders, we know that when exposure expands, both the probability attackers can target someone and the information available to do it increase. Since risk operates as a function of threat likelihood and impact magnitude, reducing exposure directly influences likelihood calculations.In fact, ASIS research demonstrates that digital intelligence now reveals physical vulnerabilities, requiring integrated security assessment approaches. The expertise has shifted from manual execution to workflow design, compressing timelines from weeks to minutes. AI has eliminated the friction that kept fragmented data fragmented.Transitioning from perks to governance
The issue isn't always about budget; it’s how it's framed. When boards view security as a way to protect themselves from a possible personal mistake, they'll often shy away from making a decision. But when they view security as a cost to ensure their ability to continue leading the organization in the face of high-level threats, it becomes an indispensable element of the overall governance strategy.A CFO does not cancel the company's cyber insurance coverage simply because they view it as too costly. A CEO does not dismiss the corporate lawyer because of the negative perceptions many people may have of lawyers.So why has personal security become the one area where fear of "optics" stands in the way?In almost every other area of corporate risk, we wouldn't even consider allowing that type of thought process. And yet time after time, I have seen senior leaders decide not to accept protection based upon credible threat intelligence, solely because they did not want the staff to see them taking a car service to work.If a senior leader gets compromised, whether through a targeted digital attack, a publicized scandal, or a physical threat, there’s often a significant impact on the organization's operations, employee morale, and, ultimately, shareholder confidence. Protecting leadership continuity has become just as important as protecting data and physical assets.From my decades of experience in the security industry, we need to stop viewing executive protection as a standalone function and to incorporate it into our overall risk assessment frameworks.Change the discussion in the boardroom
By speaking the language of governance, we can demonstrate that executive security represents a necessary means to mitigate risk, not a mere luxury. We must create a continuous, data-driven methodology that focuses on the correlation between data elements, not just individual elements.In doing so, we must focus on the correlation between data elements rather than on individual data elements. Here’s how to start:- Lead with data: Link each security dollar spent to a measurable, data-backed risk profile tied to a specific asset. We use evidence-based insights on threat intelligence, travel patterns, and media exposure to convert subjectively perceived comfort into objectively quantifiable risk reduction.
- Correlation disruption: Since artificial intelligence enhances the speed of which fragmented data elements are linked together, we need to disrupt those linkages. Therefore, we must establish systematic processes to identify and remove data elements that enable comprehensive profiling. Use data minimization methodologies to reduce available assets and, which can decrease the frequency of interactions, thereby decreasing the likelihood of a successful threat event, constitutes a form of avoidance control.
- Align with governance: Define protection as a form of avoidance control that systematically reduces risk. Therefore, work with legal, HR, and investor relations to define protection as a component of responsible governance, rather than a secondary or peripheral topic.
