The Protector’s Guide to Establishing an Intelligence Baseline

Over the years, we’ve recognized a significant lack of process in place that would enable security professionals to gain a better understanding of their Protective Intelligence data.

We know that organizations are fundamentally different and understand that very few have a standardized approach to protective intelligence—one size does not fit all. Threats are highly contextual and are based on numerous factors, including industry type, company culture, geographic areas of operation, and media attention focused on our organizations, whether positive or negative. What’s more, those of us in the corporate security and executive protection space are often confined to the operational constraints that our principals unknowingly establish for us, with executives often inadvertently dictating the protective movements and coverage protocols for security teams. As security professionals, we must remain fluid and adapt to any environment, and we must do so repeatedly, with virtually no advance notice.

Let’s get tactical

What if a client broadcasts their most important travel plans? Or the address of an executive office is released as public knowledge? What if the security team discovers that their office is easily accessible by unauthorized persons? We know that many corporate campus entry points are less strict, and guests are left relatively unchallenged upon arrival. These types of conditions hamper any security team’s efforts. Working without much high-level context, teams must often rely on training, intuition, and remote intelligence support. They are simultaneously asked to remain “low profile,” focus on various facilitation requirements, and be ambassadors for the companies they represent.

By addressing some of these pain points, we hope to answer two critical questions:

How do we, as intelligence teams, better support field operators?

How do we create an environment where field operatives drive more useful intelligence to the Global Security Operations Center (GSOC)?

To effectively address these pain points, we need to ensure that our protective security teams are:

  • Speaking the same language when it comes to protective intelligence and early threat detection
  • Communicating more effectively on the basics
  • Establishing a professional baseline, or minimum standard when gathering or sharing intelligence, so that we aren’t working in the blind

To learn how some of these issues have already been addressed, you can read our previous article on the versatility of protective intelligence and its application to protecting assets beyond dignitaries, high net-worth clients, and C-Suite executives. We also shed more light on intelligence sharing between field operators and remote intelligence teams.

Defining a “Minimum Viable Process” for Protective Intelligence

At Ontic, as we worked to establish a minimum standard for gathering or sharing information, three opportunities emerged.

We need to deliver intelligence fast.

We need to deliver it cost-effectively.

Our clients need the right amount of intelligence to make important security decisions or to deploy valuable resources.

We’ve found that an important security decision does not always require the most exhaustive investigative profile on every single person of interest (POI) that we encounter—many times, it requires ‘just enough’. In the technology industry, this is what we call the “MVP,” and it may not mean what you think.

Delivering a Minimum Viable Product or MVP means that as we build technology, we look to understand and solve the user’s basic needs. It’s trading perfection for pretty darn good. In automotive terms, you should start by building, for example, a Dodge or a Ford and then seeing where that gets you. You don’t exhaust valuable time and resources to build a Ferrari—at least not at first. To start, you ensure that the car meets the user’s needs, will work as designed, and works pretty darn good. No development team wants to retroactively deconstruct a technology platform because they made numerous flawed assumptions about what the end state should look like. By focusing on building an MVP, the development team establishes the baseline from which to build future improvements.

Allow us to draw a parallel analogy here for the protective intelligence space, but let’s instead use our acronym MVP to stand for Minimum Viable Process. Currently, a standardized minimum viable process for the protective intelligence workflow does not exist in our industry—so we’d like to rectify that gap.

Before we built the Ontic Platform, we were asked countless times what our manual investigative process looked like. We would like to offer the following workflow that we’ve tested over time. Recognizing that one size does not fit all, this isn’t the definitive playbook for every team. Nor do we believe that investigations and threat assessment cases can be reduced to a checklist—gut instinct will always come into play. This workflow does, however, provide a broadly applicable baseline framework. Coming back to our MVP, security teams don’t necessarily need an exhaustive due diligence investigation on every single POI that appears on their radar. They simply need a foundational level of understanding of the background of potential threat actors. This prevents the waste of significant human and financial resources.

Resource-Effective Triaging of POI Investigations

All protective security teams work with limited resources (time, team size, budget, etc.). The workflow below is mindful of how we allocate time to our investigative projects: investigators should focus on each stage’s outcomes, as these define success. The means we use to achieve these outcomes will always change with the situation and with the practitioner.

While we believe that the entire workflow is critical to better understanding your person of interest data, we’ve defined stages 1-3 of our investigative workflow as the tactical MVP (see diagram). For a POI investigation, we consider these three stages pretty darn good to form a baseline—and they should be conducted on every person of interest. These stages are defined by identity resolution, geo-location insights, open-source analysis, and social media intelligence, among other criteria. Together, they generally provide enough detail for us to assess where this POI falls on the threat spectrum—low threat vs. high threat—and what the return on our investment would likely be if we dedicated more resources to a deeper investigation. As the threat level increases, we can always choose to conduct a deeper investigation and continue to stages 4-6 in this workflow. We believe defining these boundaries will maximize the use of finite team resources.

Ontic’s Six Stages For Effective Protective Intelligence
Higher threat matters demand more resources.

Workflow Stages


In this step, the analyst or investigator must confirm who they are actually investigating. Example: Who is the person behind the harassing email and phone communications? Who owns the vehicle in that suspicious location near the principal’s residence?

Once we resolve their identity, we need to know what our team and associates have already discovered about that person—is there a baseline already existing on this POI, or is this one brand new to us? Do we have an initial understanding of the possible threat level based on the context of the interaction? When a security team makes an observation, how do they know what the enterprise already knows about the subject? Does Human Resources consider this person a serious threat due to comments he or she made in an exit interview, or does Corporate Security know that this subject is part of a retail crime ring? Moving forward, how do we quickly identify the person again when they surface? To do this, we will need to learn about the person’s additional identifiable attributes, including other personal identifiers: address, registered vehicles, social handles, phone number, employment, etc.


This step is all about location, location, location. It’s simple physics—the further away from your principal or workplace a POI is, the less risk they pose for causing physical harm (there are some exceptions to this rule, of course, e.g., package bombs, chemicals mailed to a principal, IT vulnerabilities, and so on). We call this threat context by geo proximity. Is the POI on the other side of the country and just making noise, or are they actively engaged in the attack cycle? Where is this person right now?

There are so many sources to review and steps an analyst or investigator can take to determine where a person is at any given time. Some are quick reference searches through social media or incarceration records, while other methods include human intelligence and pretext calls, to name a few.

This step is one of the most critical because of its immediate impact on time and resources. If there’s little physical distance between the POI and your principal or workplace, you may need to mobilize resources quickly. If the opposite is true, the team could relax while maintaining a vigilant posture. In essence, determining the geo-location can help a backlogged team effectively prioritize threatening communication from a POI amongst all other tasks. For example, if it is determined that a POI is a thousand miles away from the general area of the principal, the case can be deprioritized (for the time being) while other urgent tasks are attended to.


Undoubtedly, there’s a deluge of information online that can be cultivated while assessing the threat of a POI. Key issues we typically look for are mode of living, mental state, access to weapons, past behavior, fascination with violence, and fixation / unhealthy pursuit of the principal or their family. For those instances where the POI practices digital privacy, it is often easy to target by proxy and investigate the online activity of those close to them, including friends and family. We also review Deep Web forums for information on the POI’s potential affiliation with fringe groups, radical ideologies, and malicious protest activity.


We can access public record repositories to formulate a deeper background story of a POI. These indexes provide exceptional access to case information, including criminal arrests, civil litigation, bankruptcies, liens, judgments, foreclosures, divorce, child custody, intellectual property, and trademark infringement claims.

During stages 5 and 6, we move on from preliminary data gathering to more accurately assessing risk, communicating our findings with those who need to know, and implementing security protocols for that case. At this point, investigators need to get their team leadership involved to review the facts of the case and then develop a plan consistent with the culture and mission of the organization.


As analysts layer in all the information discovered in prior stages, they can make greater sense of the data points, identify potential trigger events, more formally assess risk, and prioritize other dates/events of importance for the threat actor (anniversary of termination, copycat workplace violence incidents, etc.). With this connected information at the fingertips of security professionals, they are empowered to make informed decisions about assigning a more accurate threat level to a case and move on to the next step.


There are many excellent resources about assessing potentially violent actors and developing case management strategies, such as those endorsed by the Association of Threat Assessment Professionals (ATAP Body of Knowledge). After working with corporate clients, this is our philosophy: Intelligence in a vacuum is useless, and inaction in light of it actually becomes a major liability.

For example, if “Corporation A” knew a great deal about a POI who was harassing a workplace, making veiled threats, or displaying an unhealthy interest in C-Suite executives and then chose to do nothing with that information—what does that say about the company’s duty of care?

When information is shared, it becomes actionable. Note: sharing of information is not limited to this step of this workflow—it can and should happen throughout the process. We also find that after this much information is obtained and assessments are made, contracted professionals can be retained for guidance. For example, does this case get escalated? Does Law Enforcement become involved? Or does the corporation engage with the threat actor and their family to help the person get treatment from a trained mental health professional?

Understanding the Bigger Picture

With a holistic approach, we can now layer in all pertinent information to more accurately understand the evolution of a POI. We can even uncover potential trigger events in their life, e.g., the anniversary of termination, a death in the family, or perhaps a tense legal case involving a child custody battle. By surfacing this type of information, teams can better identify a trend or anomaly in behavior and more accurately assess threat levels.

As the timeline above illustrates, a threat assessment professional can see that all of the various data points—when visually connected—create a much bigger story. Here you see the evolution of a POI:

  • The subject makes a veiled threat of departure from the organization
  • GSOC notices a direct threat to the brand on social media
  • Campus safety notices a suspicious vehicle loitering near corporate HQ
  • Public record research reveals a contentious divorce and a residential bank foreclosure
  • LPR cameras detect a subject’s vehicle driving past the residence of the CEO at 3:00 AM
  • The security team escalates the matter, generates a BOLO report, and shares intelligence with relevant parties

What could otherwise be cataloged by siloed teams as independent events now clearly demonstrate the evolution of a serious issue.