Before the IPO: When to Think About Security

• Most CEOs of companies undergoing an IPO don’t know what they need.
• Understand the holistic threat before buying security software and systems.
• When it comes to physical security systems and programs, many get sold a Cadillac when all they need is a Chevrolet, so work with a trusted vendor.

Over the years, I’ve been asked to provide security advice to several companies engaged in their Initial Public Offering (IPO) — which corresponds with their C-suite leaders experiencing new fame and new figures to their bank accounts. This, coupled with my experience providing advice to some of the world’s wealthiest families, allows me to reflect on some common threats. Concerns for kidnapping young children or significant others has to be a clear front runner. However, most all threats can easily be mitigated with basic security measures and awareness.

This new-found wealth and media attention can drive unique challenges for the company and the CEO, often resulting in very reactionary security measures. For example, security teams have recommended a 24×7 executive protection detail to a CEO, which included a follow car with armed officers or encouraging the new billionaire to arm their daily driver to reduce the kidnapping risk. On a practical level, it’s rare for the threat to be that high for any new IPO executive inside the United States. Plus, the optics are horrible for modern business executives; not to mention the stress and constraints that would place on any family.

Rest assured — this setup can be avoided, and risks can be easily mitigated by following some simple guidelines. Here are three steps to follow.

1. Seek threat-driven security programs. Security programs and systems should be threat-driven, taking into consideration a holistic and comprehensive view of the risk, i.e., fixated persons, general crime, public sentiment, extremist group targeting, counter-intelligence, and even access to web-based collaborative documents. Thus, in order to understand the risk to your company and CEO, the first step is to hire a reputable firm to do a Baseline Threat Assessment, along with a social media assessment of the founder, to hunt for adverse intelligence, negative sentiment or targeted threats.
2. Conduct a physical security review and assessment of the primary office and the founder’s residence. This can be performed by the same vendor who does the threat assessment, or out-sourced to a second firm to seek an independent assessment. I’ve seen it done both ways and recommend receiving 2 to 3 estimates from vendors for the work to ensure that you are comparing apples to apples on equipment when the bids are returned.
3. Organize a security awareness briefing. The third step is a general security awareness briefing for your founder, executive administrators and key executives to ensure everyone in the C-suite understands the potential risks. Ideally, the briefing should be done by the vendor who put together the baseline threat assessment.

Final Thoughts

Once these three steps are followed, it’s important to think about how you intend to manage security and potential threats going forward. Even on a security analyst’s best day, they can’t depend on remembering where a file is located or assume that everyone has access to the right information. Technology that enables collaboration can prevent teams from manually searching for new information, and shifts the mentality to a proactive, always-on approach that is scalable.

To learn more about baseline threat assessments and establishing a complete picture of the existing threat level, read our complete whitepaper here: The Role of Baseline Threat Assessments in Protective Intelligence.