In episode 64 of The Cyber5, we are again joined by John Marshall, Senior Intelligence Analyst at Okta.

We discuss building a threat intelligence program to protect executives, particularly on nuances of being a “solution-side security company”. We discuss a risk-based approach for protecting executives and the data that's important to aggregate and analyze. We also talk about success metrics for intelligence analysis when building an executive protection program.

Three Key Takeaways:

• Plans, Actions, and Milestones

Regardless of industry, connecting with your executive team on a personal level to establish trust is the first step in any executive protection program. Communicating plans, actions, and milestones are critical. Within these three segments, intelligence requirements should be tiered into 3 groups - strategic, operational, and tactical.

• Strategic: Security of the people, security of places, and security of the brand
• Operational: Methodologies and means a security team is going to use to monitor for threats to the brand. Specifically, collecting intel on current events, private investigation, travel tracking for executives, and company-wide messaging system to track employees
• Tactical: Day-to-day implementation of integrating the strategic and operational methodologies

2) Distinguishing Between Targets of Opportunity and Targets of Attack

Typical items to review when protecting executives:

• Weather that’s going to impede movement
• Social media activity that reveals plans for protests or riots near a location of interest
• Natural disasters
• Geo-political events

The primary mechanisms to protect against targets of opportunity:

• Background checks
• Social media monitoring, includes OSINT monitoring and analysis

When mechanisms to flesh out targets of opportunity appear to escalate, where they become a target of the attack, often private sector security teams lack an action arm to dispel that threat and have to rely on law enforcement for investigations.

Intelligence analysis and determination of facts should be pursued on any threat so that security teams can effectively request law enforcement intervention - equipped with more information that will allow faster response.

3) Articulating Success Metrics

Pinpointing the right event is the most critical of success criteria. Executing the intelligence cycle of planning, collecting, exploiting, analyzing, and disseminating information that an executive can use to answer a “so what?” is still a nuanced concept for many private sector organizations.

Documenting “wins” and “losses” are equally critical. Security is a risk management function that exists to keep the workforce safe and doing their jobs.

Whether it's getting an executive out of a traffic jam or informing a team of a hurricane happening during a conference that mitigates injury, these should be documented for value-based metrics.