I was reading a nationally known newspaper on January 3rd, 2008, that read, “Top CEOs have already earned average year’s pay.” Though I’ve been assisting security professionals and developing programs supporting such senior executives for over two decades now, the fact that it was only three days into the year and one of those days is likely a company holiday for most of us, the article really got my attention.
One of the services our band of brothers provides routinely is known to us as a Personal Security Vulnerability Assessment (PSVA®). During this effort, we routinely mine open source data to determine what kind of information is available to the public at large on the person for whom we are conducting this effort. Even though we have grown accustomed to discovering significant useful information in this manner, we are often amazed at the amount of information, specifically financial and net worth information we are able to develop. This allows us to directly articulate vulnerabilities that this can create in one’s security posture.
But after only two working days in the year, here was a published article pointing this out to the world at large. This got me thinking about what type of information is available to the public that can create or increase risk factors and liability issues for corporate executives, and what associated increases in responsibilities it creates for executive security specialists. With the world’s economies in a downward spiral, investors losing large amounts of money, and average citizens’ being foreclosed on or laid-off, reports of a corporate executive making a large salary can spark resentment. The fact that congress has focused attention on CEO compensation packages, golden parachutes, executive travel, and other issues as they respond to the seemingly ever worsening financial “crisis” our nation is in brings this issue to the forefront of the “public mind”. Reports of price gouging after natural disasters and of oil company profits driving a call for windfall taxes during our recent election campaign periods focus attention on the same issue from another perspective.
No one seems to be reporting how much in tax the oil companies are paying on their corporate profits, nor that shareholders abound who benefit from their stock distributions. By one report, the oil companies have paid over $1.34 Trillion, after adjusting for inflation, since 1977 – more than twice the amount of domestic profits earned by major US oil companies during the same period. But I digress…
Media everywhere are quick to pounce on issues and the CEOs of “The Big Three” recently did themselves and their corporations no favor by flying separate private aircraft to the same congressional hearing. Justifying their travel choices due to security reasons seems to fail a litmus test congress wants them to pass before they will consider granting their request for $25 Billion in “bail-out” money. Most everyone understands that there are other ways to skin the cat when it comes to getting safely to Washington, DC. The latest public opinion polls viewed by surfing the internet indicate some 48% of US voters say it is better to let companies like General Motors fail rather than providing government subsidies to keep them in business. Reports of AIG’s nearly half a million dollar visit to a resort and spa shortly after receiving billions in public funding only fuel this downward public opinion spiral more. The damage is done, no matter what is said to respond to these aspersions, it only seems like lame excuses and one can almost see the common man’s eyes rolling back in his head.
Though I have no crystal ball, it seems to me that all of these dynamic factors are converging and the potential risk is rising for some of the most senior executive leadership of our nation’s corporate infrastructure. The likelihood of adverse actions being directed against some of these people is likely mounting in direct proportion to the falling public opinion. These adverse actions can, and probably will, run the spectrum from being mailed letters containing unknown powdery substances anthrax hoax style, through direct telephonic threats, identity theft, direct action campaigns from a whole host of actors, embarrassing disruptions during stock holder meetings, and even kidnapping or worse. The National Institute of Justice, in their July 1988 report Protective Intelligence and Threat Assessment Investigations: A Guide for State and Local Law Enforcement Officials looked at assassins and would-be assassins of the previous 50 years and two conclusions garnered from this effort jump to my mind here:
1) Business executives were targeted 4% of the time.
2) Examination of 83 American Attackers and near-lethal approaches identified eight major motivating factors.
Those eight motivating factors are:
1) To achieve notoriety or fame.
2) To bring attention to a personal or public problem.
3) To avenge a perceived wrong; to retaliate for a perceived injury.
4) To end personal pain; to be removed from society; to be killed.
5) To save the country or the world; to fix a world problem.
6) To develop a special relationship with the target.
7) To make money.
8) To bring about political change.
It seems to me that all but three of these motivation factors potentially apply here.
Does the fact that some executives’ salary and compensation packages are found in open source, public domain venues constitute security related vulnerability? In a word: yes. Corporate Security Directors and Risk Management personnel should take the release and availability of this information seriously, because money makes people targets, plain and simple!
If the company your executive works for is publicly traded then there will be some financial information available to the public, as mandated by the Securities and Exchange Commission. What can the corporate security specialist do to limit this information or mitigate its potential to create vulnerability for executive personnel? The answer to the first part of the question is; there’s really not too much that can be done to limit release of this sensitive information, when dealing with a publicly traded company – disclosure of some very personal information is the law of the land. You have to recognize it is out there and that it can be used by those who possess nefarious intent. In this case, look at how best to reduce and mitigate the potential for risk and associated vulnerabilities.
However, if your executive works for a privately owned company, then restriction of this sensitive information is more easily managed. There are no requirements for private corporations to divulge their company holdings, financial summaries, salaries, compensation packages, or other sensitive personal information. Control of personal information is much easier within a private corporation, and utilizing best practices to maintain that control should be a priority in any executive security program.
In either case, control of information practices should be actively utilized and information releases monitored – it is the only way to limit disclosures and maintain awareness of the potential for vulnerability in this regard.
Having sensitive information pertaining to the boss’ income and wealth published in business periodicals, federal trade commission reports, corporate financial statements, or other public forums, and then posted on the internet creates a potential threat to the safety and security of your executive as well as their family members. Just publishing an executive’s profile alone, whether in the printed media or on the internet, begins the process of exposing them to potential threats. Adding the financial information to these publications increases the risk even more, from both external and internal sources.
There are three ways one can become the victim of a crime:
1. Be a victim of a planned, targeted attack – someone desires to commit a crime against you personally. It is important to remember that they may not formulate this intention because they dislike you personally but this can also be a result of something you represent. We call this a “figurehead” factor in our line of work. A CEO of a defense contractor can be specifically targeted because they might represent the “military-industrial complex” for example. Another factor that can come into play is what we term the “media recognition factor.” The more media exposure that one encounters, the more recognizable the personality is and the more media value criminal acts will bring to the perpetrator(s) of such crimes.
2. Be a victim of a crime of opportunity – the perpetrator(s) of these crimes use “profiling” in their plans. Someone must meet certain conditions or profile components when they are encountered and then the criminal act will be initiated. An example of this are thieves who watch bank doors to see if they can observe people carrying out more in terms of baggage or purse content than they carried in. For a couple of years now, anything made in Detroit was subject to being attacked in Iraq in much the same manner. I would also note that someone who has the media exposure factor mentioned above might have more risk of this from certain categories of motivation – those who kill because they want to become famous for example would fall in this arena. If they see someone who is a recognizable personality, they are likely to act if/when an opportunity presents itself.
3. Be an innocent bystander when a criminal act occurs in your airspace. No intent to harm you directly is formed by the perpetrator(s) of this act. The term “collateral damage” comes to mind when describing this kind of event.
Executives can become victims, as can we all, in any one of those three ways. However, the more information pertaining to their financial standing that exists, the more likely they are to become specifically targeted or targets of opportunity. Generally speaking, to become a specifically targeted victim, the people intending to do you harm need information on you that makes you time and place predictable. When your salary, compensation package, property records, home address, home phone numbers, vehicle descriptions, and overhead photographs of all your properties are published on the internet, they don’t need to do a lot of surveillance to develop their plans because the amount and type of information they need is readily available. Having wealth or perceived wealth, and someone else wanting that wealth, means there is a good potential for your executives to become vulnerable to criminal actions. Planned criminal acts run the gamut and can include car-jacking, kidnapping, extortion or home invasion, all of the direct action campaigns, and even murder.
I would also note that family members are a part of the equation when dealing with an executive’s wealth and notoriety. There is an increased risk of kidnap for ransom, extortion, harassment, and / or other threatening actions, especially when some public release of information includes their photographs, school locations, club affiliations, and a whole myriad of other issues. Parents who may fit the mold as the kind of senior executive we are speaking of here should also closely monitor any personal website (such as “facebook.com” or “myspace.com”) participation by their children who may not be as sensitive to this aspect of our world as their parents and may well be posting sensitive family information that can be exploited by those so inclined.
Let’s discuss the family member part of this equation for a moment. A lot of corporate leaders and boards don’t think about family members as being a vulnerability or liability to their company, but if an executive’s spouse or child is kidnapped, for example, it will have a direct impact on the company because an event of this nature will engulf every waking moment of the affected executive. This must be taken into account in planning security programs, kidnap and ransom (K&R) plans, and the ability to maintain business continuity.
Earlier, I mentioned that risks and threats can come from both external and internal sources. Corporate Security Specialists & Risk Management personnel should keep in mind that not all threats come from outside the company walls. There have been several incidents of employees, former employees, stock holders, and others taking out their aggressions on corporate leadership, blaming them for everything from falling stock prices to losing their jobs, their wives leaving them, demotion at work, etc.
When a financial summary, which includes annual salary and stock compensation packages of your executive is published, some individuals in the company may think the boss is getting paid entirely too much. Couple that with today’s global financial crisis and the risk becomes exponentially greater.
The incident of the former CEO of Exxon, Mr. Sidney Reso, who was kidnapped and subsequently killed in 1992 by a former security specialist of Exxon, Arthur Seale, and his wife serves as a good case study for consideration of both internal and external threats.
When he worked for Exxon, Seale was an integral part of the development of the company’s K&R planning and knew that Exxon reportedly paid out $15 million for another executive who had been kidnapped in South America. He possessed a copy of an Exxon corporate directory, which had telephone numbers as well as addresses of Exxon executives. Sometime after leaving Exxon’s employ, he developed a need for money.
Seale did not have a grudge against Mr. Reso. Nonetheless, Reso became the focus of a planned, targeted attack anyway. Regardless of his intentions or reasons, Seale selected Mr. Reso because of his position in the company, the fact that Seale believed Exxon had paid a previously paid a large ransom, and the intimate knowledge of Exxon’s K&R plan and responses. All of these factors combined made Mr. Reso the perfect target for Seale.
Seale subsequently utilized methods of surveillance and information gathering to prepare and execute his plan of kidnapping Mr. Reso. Obviously, that old copy of the Exxon corporate directory made it easier for him to locate his target and begin the conduct of his surveillance.
Did Seale having this sensitive information fall under Control of Information guidelines? Granted, Seale had been a security employee of Exxon, and in that position, one would think he could be trusted with this type of information. But what type of accountability controls were in place to ensure sensitive information of this nature did not leave the office? Did his position within the company require him to have this information for him to be able to do his job? Probably. Were accountability controls requiring him to return all such documents and information to Exxon upon ceasing employment with them enforced, if they existed at the time? Probably not. Were there indications that Seale would develop into a threat to the CEO at the time he departed Exxon? We do not have enough information to determine that. It is clear, however, that Seale formed criminal intent, created a criminal conspiracy with his wife, and specifically targeted his previous boss. This kind of story is not unique in the American experience, is it? The point of this story is to emphasize that even before today’s public disgust with executives and their wealth, internal threats are possible. Hopefully, security leaders and executives themselves are recognizing this fact.
Mitigation of potential and known threats and vulnerabilities is a full time job for corporate security specialists and risk management personnel. Policies and procedures covering the full spectrum of executive security and corporate (enterprise-wide) security, along with pro-active programs, budgets, logistics, personnel, and other factors must be developed, reviewed, approved, implemented, and enforced. They should also be updated regularly as risk assessment is a never-ending necessity.
Training of not only security personnel but also identified “at risk” corporate personnel must be conducted on a regular basis. This training should include topics pertinent to personal safety and security, identity theft, surveillance detection, and the whole gamut of security awareness issues. The more information about the person concerned that exists in the public domain, the more important this issue becomes. When dealing with this issue, especially for people who have extensive amounts of personal information published about them, you must go a step further than just recognizing that it is a potential vulnerability factor. You must also take immediate, positive action that prevents the identified vulnerability from being exploited.
If this is your situation, then the entire security posture for the person concerned must be examined in detail. Vulnerabilities in office, transportation, and residential security programs can generally be identified by even the most rudimentary surveillance or penetration testing event conducted by a potential threat source. If the intent has been formed based upon the easy availability of information, one can make a good bet that other vulnerabilities will be identified and exploited by the person or group forming this intent. Since there is always more than one approach to correcting identified vulnerabilities, conducting a realistic threat assessment will assist in identifying appropriate, cost effective solutions designed to provide deterrence and mitigate potentially harmful effects of criminal acts.
Preparation and implementation of policies and procedures, training seminars, and threat briefings, as well as the conduct of risk assessments, both personal and enterprise wide, is a major undertaking, and can be costly in the initial phases. Since security departments can be viewed as cost centers and not profit generators, security leaders must form a realistic, threat-based business case for the implementation of security programs that generate understanding and agreement from board members, senior executive staff, and financial management personnel.
Once the right steps have been taken to prepare and put in place the qualified measures for a good security program, then maintenance and up-keep have to be done on a regular basis. Think of it this way: you would not put oil in your car once and then run it for years without changing it again, right? Regular review and updating of policies and procedures, continued training, threat information gathering, and revisits of vulnerability assessments are part of the maintenance of any security program. It should be remembered that, over time, the only constant is change. Personnel, positions, the security environment, threat conditions, and individual’s lives and family situations all change constantly. Therefore, security must evolve as well in order to keep up and stay prepared.
During my career I have conducted many vulnerability assessments and no one project has ever been for the same reason. I have had security professionals from different companies tell me they want to implement changes or upgrades but couldn’t get the approval or funding for upgrades or modifications they desired. Truth be told, almost every time that I have stepped into this role I have found the modifications they desired to be realistic and based on common sense. I don’t believe I have ever encountered a recommendation that they were making that I completely disagreed with. Sometimes I have assisted them in modifying the approach or solution to some extent, but there has never been one that I have totally disagreed with. The problem lies in a couple of areas – 1) they haven’t found the right ability to articulate justification, or 2) competing demands on corporate financial resources have trumped them because the business case for their needs either wasn’t made, or wasn’t made in business language. In almost every case, I have been able to assist them and bolster their business case simply because I am an outside, independent consultant. While often identifying vulnerabilities and solutions that had not been recognized before we began our efforts, we also serve as validation for many of the solutions that have already been internally recommended and considered.
In a business where services, such as cars and drivers, provided to a senior executive can be determined by the IRS to be a part of that executive’s compensation package if not based on realistic security concerns (read as, “the executive can find himself or herself paying personal income taxes on this corporate support”) having independent, external validation of the security program plan is vital to the success of the security leader.
I know that I have talked at length about the need for vulnerability assessments, training, threat assessments and the fact that threats can come from both internal and external sources. I have also highlighted justifying your position by making a business case in order to secure additional necessities or simply convince your boss of the need to increase his or her security posture. These are all good and prudent security measures that can and should be taken. But the most important issue I wanted to raise was the fact that money can make your executive a target and current events indicate that this single information factor is growing in importance – RAPIDLY.
The public dissemination of an executive’s salary and compensation package is a threat to his or her safety and security, bottom line. If preventive measures cannot be taken to limit or stop this information from being made available to the public, then appropriate security measures should be taken to reduce and mitigate the potential threats, known or perceived, that can manifest themselves due to the release of this information. Think outside the box, stay informed, and keep pushing. Even if you only get a portion of what you desire for your executive security program, that is certainly better than nothing and any positive changes create a good start in reducing vulnerabilities and preparing for threats. Doing so will help you to develop more resources and demonstrate to your bosses how important security is to them, the company, and their families.
Gale Ericksen, CPP is Vice President of ITG® Consulting Services. He has over 20 years of experience in providing executive and personal security services in both the US military and private sector on a global scale. He has been conducting high level threat and vulnerability assessments over the last 12 years for a wide range of clients, large and small, public and private, who have unanimously lauded and appreciated his effort. Contact him at [email protected]
Image courtesy of Sira Anamwong @ FreeDigitalPhotos.net