Security Professionals Grapple with Criticism, Board Mandates, and Public Anger in the Wake of Targeted CEO Attack
Midtown Manhattan, like most major metropolitan areas, has its share of crime. But the targeted violence that killed UnitedHealthcare CEO Brian Thompson last week was a new development that put the local security community on alert.
News Corp, the holding company that owns The Wall Street Journal, Dow Jones, and more, is headquartered on 6th Avenue in front of Rockefeller Center and Radio City Music Hall in Manhattan. Senior Vice President of Global Security and Safety Eduardo Jany says that after the “brazen” attack on Thompson, security peers were calling each other for advice and sharing information about what they knew.
“Within the last week and a half prior to this homicide occurring, there were about seven shootings in Manhattan and in the city. It’s not something that we’re not used to seeing,” Jany says. “We are definitely concerned that there’s been an increase in incidents related to violent crime. Having targeted incidents, this is a new thing.”
When Thompson’s suspected attacker was still at large, the relationships that News Corp’s security team built with law enforcement and security counterparts—especially in the news media industry—came into play. They shared information, discussed the attack, and reinforced the need to protect employees who work in New York City.
“Any level of situational awareness or just being alert and having an enhanced security posture is really important in a city like New York,” Jany adds. “That’s where we’re at. I think that now this has tipped the pendulum to one direction where we’re going to see some momentum towards providing more security or enhanced security for people in the Midtown area.”
Angela Osborne, CPP, PCI, PSP, vice president, risk and emergency management solutions at Guidepost Solutions, says that numerous people have reached out to her company to inquire about setting up executive protection programs or implementing additional safety measures after last week’s attack.
“This is certainly common in the healthcare space, which is to be expected because of the incident,” Osborne adds. “We’re really trying to advise our clients if they do feel like they’re in a sensitive sector like healthcare or a related field that this is a good time to increase their security measures.”
Executive Accountability
It is unclear if Thompson had an executive protection detail or what measures were in place to ensure his safety while traveling in New York. UnitedHealthcare did not return Security Management’s request for comment on this article to clarify. But the CEO of parent company UnitedHealth Group, Andrew Witty, wrote an op-ed that was published in The New York Times on Friday morning.
He explained that UnitedHealthcare is “struggling to make sense of this unconscionable act and the vitriol” that’s been directed at its employees while acknowledging that the U.S. health system does not work as well as it should, and people are understandably frustrated.
“Healthcare is both intensely personal and very complicated, and the reasons behind coverage decisions are not well understood. We share some of the responsibility for that,” Witty wrote. “Together with employers, governments, and others who pay for care, we need to improve how we explain what insurance covers and how decisions are made. Behind each decision lies a comprehensive and continually updated body of clinical evidence focused on achieving the best health outcomes and ensuring patient safety.”
Steve Crimando, founder and principal, Behavioral Science Applications LLC, explains that anger directed at a company is difficult to address because it's amorphous—it doesn’t feel like it’s going anywhere or accomplishing anything. This is why people may look to hold executives accountable for corporate decisions.
For instance, Crimando conducted a threat assessment for a client in the aerospace sector that in its strategic plan pledged to be in space in the next 18 months. But that didn’t happen because technical setbacks and issues with the company’s rockets. A stockholder became very upset about it and began threatening the life of the CEO—a very prominent figure—because he had not carried through on his promise to put the company’s flights in space.
“My point here is that when things go wrong, it’s human nature to want to hold someone personally accountable,” Crimando says. “It’s not satisfying to say, ‘I’m pissed at General Electric. I’m teed off at Ford Motor Company.’ You feel like if you’ve been hurt some way, you want to hurt somebody else back. That’s an unfortunate twist of human nature.”
This can be exacerbated when the company is in the healthcare sector, where business decisions and commodities are linked to life and death.
“You’re selling care. When you seem not to care and that perception of health care costs someone their life or their health—nothing gets more personal,” Crimando adds. “If either of those seems threatened—or both of them—it’s a recipe for retaliation.”
You feel like if you’ve been hurt some way, you want to hurt somebody else back. That’s an unfortunate twist of human nature.
Retaliation in the healthcare sector is not a new trend. The industry has some of the highest workplace violence rates, but those attacks are often directed towards frontline staff—nurses, doctors, and security personnel working in hospitals—and not towards executives until now, Osborne adds.
CEOs traditionally have been the victims of violent attacks due to personal relationships they may have had with the perpetrator. The attack on Thompson, though, appears to be targeted violence for the actions of the company that he represented.
“I think that’s another shift for people to think about. You know that as the figurehead of the organization you often do represent the decisions of that organization,” Osborne explains. “As organizations, just as you might have placed additional security protections in the event of having a layoff at your organization or different significant policy changes, so too I think we need to look at the risk situation that organizations might face as they change different protocols, different methods of interaction with their clientele, and see how that might impact people.”
Executive Relationships
One of the major challenges that the executive protection practice faces today is whether it is a board-mandated or board-approved program. Board-mandated programs require the executive to work with the executive protection team and cooperate with certain practices to keep them safe. Board-approved programs, however, allow the executive to have the final say on whether he or she wants the protection team present or to follow certain security practices.
“This creates a unique challenge because you have a protective team that is in the area but not visible to what the client needs,” says Caleb Gilbert, president of White Glove Protection Group and vice chair of the ASIS International Executive Protection Steering Committee. “It’s a completely reactive posture—not knowing what the client’s doing next. And so, you really can’t protect from that posture effectively.”
No one Security Management spoke with for this piece predicts that there will be a major push to make executive protection a board-mandated feature. Gilbert did say that after attending an International Protective Security Board (IPSB) conference this past week with nearly 700 other executive protection practitioners, attendees noted that CEOs do seem to be more open to protection.
“It is an extremely challenging barrier to entry to get a CEO [onboard] unless the risk is so egregious that they have no choice—they just understand that if they go out there, they’re going to be impacted by a bad actor,” he adds.
Learning how to navigate working with the executive to get their cooperation and buy in on executive protection is paramount. Sometimes it requires leveraging the language of business.
The individuals on the company’s U.S. Securities and Exchange Commission (SEC) forms—those in the C-suite and in prominent leadership positions—are “inextricably connected to the financial health of the company,” Jany adds.
“When you tell them that, ‘Look, if something happens to you, anything happens, even if it’s a reputational thing where a protestor comes up and throws something at you, that causes reputational harm which could have an impact on the company stock and on the public perception,’ that’s the message they understand,” he continues. “That’s something we have to communicate.”
Sometimes that communication also involves relaying threat intelligence that reinforces why the executive protection team needs to act a certain way. News Corp’s executive protection program utilizes threat intelligence, threat analysis, and vulnerability assessments, especially for the CEO and key personalities on TV or in the news media.
“We want to know where they’re going and whether we need to adjust our security posture,” he adds. “That constant review of threat intelligence and risk analysis is really important. It doesn’t necessarily have to be something that you’re paying a ton of money for.”
For instance, News Corp uses a variety of resources—paid and unpaid—and works with corporate security counterparts from other companies to find out if there are similar threats or activities the company should be concerned about.
“It’s a matter of liaising and working in tandem with your partners from the local, state, federal law enforcement side—DSAC, OSAC—and then our ISMA colleagues, our ASIS colleagues, and constantly chattering to make sure that we’re aware of what’s going on in their world and they’re aware of what’s going on in ours,” Jany says. “Using the resources we pay for and also have for free to determine if there’s a threat of any kind. If so, what does the threat posture need to be on our part? Do we need to enhance security?”
News Corp also looks at online information, including social media, related to the people that work for the company and places where staff might be headed for work.
“Wherever our people are going, transitioning through, we try to keep as aware as we can,” Jany says. “I think that’s a really good way to do things—just be as proactive as possible because being reactive after somebody’s already attacking or after somebody’s already threatened you is not going to be very helpful.”
At the same time, assessing threat intelligence and sharing it with principals requires a practiced skill set so that you maintain trust. Security practitioners have to provide information without sounding alarmist or scaring people unnecessarily, which might cause them to tune you out in the future.
“I think we really have to strike a balance, and just be careful about how we communicate in creating that trust with the people that work with us and around us,” Jany explains. “The executive assistants (EAs) are a really key player in what we do because they’re the ones that manage our VIPs and our senior leadership C-suite people’s schedules.”
There are times, though, when security needs to be more vocal—such as in preparation for a shareholder meeting where the stock performance isn’t doing well or a controversial merger occurred.
“There’s going to be some animus, so whether the boss wants it or not, you have to let them know we will be providing security at this,” Jany adds.
Next Steps for Security Practitioners
The attack on Thompson is a wake-up call for organizations and executives who thought they might be under the radar, Osborne says. But there are concrete steps security practitioners can take to assess risk after the incident.
“Right now, there’s a strong focus on sending out executive protection agents or getting people armed on the ground as soon as we can,” she adds. “In the interim, that makes sense for some organizations to do that based on their risk situation.”
But over time, Osborne says it’s important to conduct a risk assessment to identify what the risk is, what the organization’s risk appetite is, and then put in place a program that accounts for those areas. Internal Revenue Service (IRS) deductions might also be available to help U.S. organizations plan for an executive protection program, which can be extremely expensive to stand up and maintain.
Jany emphasizes, however, that enhanced security does not have to be hugely expensive.
“You don’t necessarily have to have a team of people walking with your CEO to go in and out of a building or having him or her have constant escorts and armored vehicles,” Jany explains. “You don’t necessarily need that everywhere you go. What you do need is good eyes and ears ahead of time to determine if there’s a threat and what the potential threats are and how you will respond. I really believe in being proactive rather than reactive.”
Jany recommends getting some form of threat intelligence for the locations where your company is located and the places that key leaders or recognizable personnel that might be your most vulnerable live and operate. Security practitioners should do a vulnerability assessment and consider how those chief individuals get to the office or home, what the closest trauma centers are, and what the plan would be to evacuate them in case of an emergency?
In the wake of the tragic death of UnitedHealthcare CEO Brian Thompson, there are ongoing concerns about potential follow-on violence, especially in the healthcare and healthcare insurance industries. https://t.co/zXtbJMbyIs
— Security Management (@SecMgmtMag) December 6, 2024
This assessment should also include if there are other businesses in the area the organization operates that could also create a vulnerability—for instance an embassy or consulate for a particular country that individuals might have a grievance with. Benchmarking with corporate counterparts to understand what they are doing and if there are resources that can be shared can also be helpful.
“We try to share as much as we can and be forthright,” Jany adds. “We’re obviously not going to give away the keys to the kingdom on how exactly we operate, but we’re certainly going to be able to share what resources we have, what threats we see, and be very proactive about that.”
What you do need is good eyes and ears ahead of time to determine if there’s a threat and what the potential threats are and how you will respond.
Jany also suggests doing drills and exercises to understand what needs to be enhanced within your security posture.
“If you have to elevate the security to an enhanced level, how are you going to move people around? What are you going to do if there is some type of emergency?” he reflects. “War game it out, plan it out, talk it through, almost like an incident management business continuity exercise.”
This even goes for reputational harm, practicing how the organization would manage that process and mitigate for it.
“Exercising that stuff out will define how well you are able to respond to a given threat,” Jany says. “Analyze the threat and the vulnerability, benchmark, and then exercise and test it.”
Taking these steps is important because the threat landscape towards executives will continue to evolve and copycat style attacks may occur.
“In the future, we are likely to see… incidents of people reaching out more directly to executives or to organizations they might have disagreements with, and I think we need to take note of that,” Osborne adds. “Think about how we’re providing privacy protection for those individuals.
“And it’s a two-way street. You know if you are an executive, you are representing the organization, but you also have an obligation to your board, your employees, your shareholders, and your family to take reasonable steps to maintain safety and security, and to increase those measures when the risk changes,” Osborne continues.
Executive Protection Resources
For more information about executive and close protection, check out these resources from ASIS International and our partners across the industry.
ASIS International Resources
ASIS International has a robust set of resources and educational tools for security professionals across all fields, including executive protection.
- Essentials of Executive Protection Certificate Program
- Executive Protection Community (ASIS members only)
- Protection of Assets manuals, particularly the volume on personnel
- ASIS Webinars
ASIS International is also developing a new standard on executive protection, expected by the end of 2025. The sector-agnostic standard aims to provide minimum criteria for the development, implementation, operation, and maintenance of an effective executive protection (EP) program utilizing industry accepted risk management principles. It will provide guidance for the assessment of threats, vulnerabilities, and risks to the protected person(s), the identification and justification of protective services, and delivery of support based on industry-driven guidance. Read more about ASIS Standards and Guidelines here.
International Protective Security Board (IPSB)
ASIS International and the IPSB signed a Memorandum of Understanding last month to promote collaboration and information-sharing. Read more about the MOU here.
Read peer-reviewed research and articles from the field of close protection in the IPSB’s Close Protection and Security Journal.
Security Management Coverage
Security Management covers a wide variety of security topics, including close protection and threat assessments. We have collected a few related articles below for additional insights:
- Building a Methodology for Proactive Close Protection
- When Second Homes are a Primary Concern
- Modernizing Your Approach to Executive Digital Risk Management
- Executive Protection in the Age of Technology: Addressing the Risks
- How to Improve Your Situational Awareness