.gif)
Unspoken Security
Unspoken Security is a raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including intelligence-driven security, risks and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboards.
In each episode, host AJ Nash engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
Unspoken Security
Let’s Talk about Executive Protection Intelligence
In this episode of Unspoken Security, host A.J. Nash sits down with Jeff Daisley, Principal Security Intelligence Engineer at Comcast, to explore the multifaceted world of executive protection. Together, they unpack the growing convergence of physical and cyber threats facing high-value individuals, including executives, public figures, and their families. From cyberattacks and social engineering to physical security breaches, Jeff emphasizes the importance of a holistic approach to safeguarding these individuals in today’s volatile landscape.
Jeff shares actionable insights into building robust executive protection programs, highlighting the need for proactive measures like cyber hygiene, travel assessments, and device security. He underscores the role of trust and collaboration in integrating protective strategies that span personal and professional lives, ensuring the safety of not only the executives but also their inner circles.
The conversation also delves into real-world examples, illustrating how vulnerabilities in seemingly small areas—like smart home technologies or insider threats—can lead to significant risks. Whether you’re an industry expert or simply security-conscious, this episode offers valuable perspectives on bridging the gap between digital and physical security in a rapidly evolving world.
Let's Talk About Executive Protection
Jeff Daisley: [00:00:00] when it comes to that convergence, um, executives, physical security or physical safety, rather, and cyber security are no longer, um, separate domains. They need to be interconnected, um, and a part of this kind of security apparatus. And. Some of these proactive measures do come down to device security.
AJ Nash: [00:01:00] Hello and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I spent 19 years in the intelligence community, mostly at NSA, and I've been building and maturing intelligence programs in the private sector for about eight, nine years now. I'm passionate about intelligence, security, public speaking, mentoring, and teaching.
I also have a master's degree in organizational leadership from Gonzaga University. Go Zags! Off to a good start this year, and I continue to be deeply committed to servant leadership. Now, this podcast brings all these elements together with some incredible guests to have authentic, unfiltered conversations on a wide variety of challenging topics.
It's not your typical polished podcast. My dog makes occasional appearances. I don't think I'll have one today. Uh, people argue and debate. We even swear here. I, I definitely do. Uh, and that's all okay. So I need you to think of this podcast as a conversation you'd overhear at a bar after a long day at one of the larger cybersecurity conferences.
These are the conversations we usually have when nobody's listening. So today I'm joined by Jeff [00:02:00] Daisley. He's Principal Security Intelligence Engineer at Comcast. And while Jeff's an expert who will refer to events and make recommendations based on his years of experience, nothing he says today should be interpreted as words on behalf of Comcast or seen as representative of their current operating procedures.
So that's for all the lawyers out there. Uh, now over his 16 years in our industry, Jeff's had, uh, he served in various intelligence and security related roles in support of government and private sector organizations. Additionally, he has a bachelor's degree in intelligence studies from Mercyhurst University, where he was a star basketball player.
He is literally the tallest man I know. Uh, and the only former professional athlete in my circle of friends. Uh, Jeff, is there anything you want to add to that
Jeff: No, I think you covered it, um, AJ, and definitely glad to be here and have a conversation, um, with you about, um, executive protection,
AJ: before we go though? Jeff, how tall are you?
Jeff: uh, 7 2 on a good day.
AJ: want to make on a good day. 72 and for anybody who's never stood next to somebody who's 72. It's, uh, it's wild, man. It's [00:03:00] hard to believe we're the same species to be honest. Uh, yeah, you, you want to feel tiny stand next to Jeff sometime. Nice guy though.
Super nice guy. Uh, anyway, so today, listen, we're going to jump in here. Today's topic is, you know, let's talk about executive protection intelligence. So everybody knows my background is Intel. Like I said, and you come from, you know, a security intelligence space as well. Uh, and we've had discussions on this before we've done webinars in the past.
And so it's interesting, but now we have to kind of a more friendly, you know, laid back format. Although to be honest, for anybody who doesn't know, Jeff must've brought like 60 pages of notes to this thing today. He's the most prepared person I've ever had on the show. Uh, overwhelming content. So it's gonna be a lot of fun.
Anyway, let's jump right in, man. Uh, so we're talking about executive protection intelligence. What are we talking about? Let's, let's lay it out for people. So they know we're all on the same page on what this topic is.
Jeff: Yeah, so kind of set the tone on context here. Um, we're gonna be talking about everything from executives to other high value targets, um, that in today's kind of threat landscape, um, are definitely becoming [00:04:00] increasingly, um, at risk and targeted individuals. Um, you know, these type of threats can go anywhere from terrorism.
Corporate espionage, cyber attacks and targeted violence. So it's kind of running the spectrum of both from a physical to, um, cyber convergence. Um, so that's kind of what we're gonna be focusing on when it comes to, um, executive protection, um, as well as, you know, explore some of the strategies, technologies, um, that these individuals, um, have.
That we're protecting leverage on a daily risk daily basis and are, um, as a result, um, at a heightened risk. So when it comes to it, um, we are kind of beginning to talk about, um, you know, such things in a corporate environment. These can be threats that are physical threats. Connect kidnapping, assassination, assault, cyber threats, kind of data breaches, hacking and surveillance or psychological warfare.
This can be, um, you know, your CEO, a public smear campaign or reputational harm, um, as well as insider threats. Um, this is the employees [00:05:00] or the close associates with access to the sensitive information. So kind of, we're going to be talking about that in a nutshell to kind of, um, Look at ways to kind of further protect these individuals.
AJ: Okay, so listen, there's a lot to get through there, right? Physical threat, cyber, psychological warfare, insider threat. There's a lot there. Let's back up for a minute, though. You mentioned high value targets. Like, how are we divining? I mean, am I, am I, am I valuable enough? Like, what's a high value target?
How are we defining that one?
Jeff: Yeah. So when we look at, um, high value targets, this are, this can be the executives. This can be government officials. This can be, um, people have high net wealth, um, individuals, celebrities, or really just people, um, who are in positions of power of influence. Um, even taking this up further within a corporate environment, this can be your, um, You know, your domain admins.
This can be your executive assistant, someone who is really maybe maintaining, um, the schedule and as close proximity to your executives. Um, so these are the type of people who are those high value targets in the traditional sense. And maybe [00:06:00] people that are sometimes not even scoped into an EP program that should be.
AJ: Well, it's interesting. You mentioned, you know, executive assistants, domain admins, right? So, yeah, a lot of people don't think of that, right? So, by the way, for anybody, Who's curious? I'm well aware that I am not a high value target, but, uh, but there are people that are right. Uh, and as you said, you know, these executives, these, these, you know, high powered individuals, whether, you know, if it's in the government space, maybe it's, you know, flag officers or politicians, things like that, uh, the private sector, the C level generally comes to mind, right?
But I think you make a good point, you know, executive assistants, domain admins, uh, you know, there's, there's a, an expanse to this that I think a lot of people don't think about is, you know, if you can't get to the target directly, the person next to the person can be pretty valuable, especially if that's the person who carries, you know, all the real information, right?
EA's executive assistants. They know the whole calendar, right? They have access to every part of somebody's life a lot of times, or they may have all their finances as well. Uh, you know, it's amazing how much people will, will trust them or a domain admin has access to an entire organization. So I think it's interesting as we go through and we'll have some of these discussions.
To keep in mind that when we talk about executive protection, we got to really [00:07:00] kind of expand that out. It's not just the executive. It's really about whoever's gonna have the highest impact, right? And how to get to those folks. And that could be the person next to the person, so to speak. Um, so, all right.
So you talked about physical threats and cyber and psychological warfare, which I hadn't really thought about till today on insider threats. Let's talk about, you know, where, where we're going with some of these trends, you know, rises and digital threats, for instance, or, you know, uh, what the cyber threats are to executives.
Do you want to go down that path and kind of talk a bit about what you know there?
Jeff: Yeah, so in today's kind of threat landscape, um, in terms of cyber threats, um, you know, there are the hacking by threat actors who are targeting them, um, for financial gain, um, for access from espionage, um, to the data, um, intellectual property that these individuals may have, um, social engineering is a avenue where, um, It's the human element.
So this can come in many different ways. ways. Um, this can come from, um, you know, the leverage, leveraging of a I, um, the kind of impersonated CEO, um, their voice. So it could be even targeting, [00:08:00] leveraging the persona of an executive. To influence others. Um, so that's something that needs to be kind of taken into consideration as well as, um, the leverage of data breaches.
Everyone's information is out there. Um, so how are you gonna, what steps are going to be taken to kind of, um, further mitigate that? Um, so it's not a concern. But with that, um, you know, these are really just the kind of the gateways to these physical threats. Um, like I kind of alluded to, um, the cyber espionage, the targeted attacks, as well as even doxing, so the publishing of that personal information to, you know, enable harm, um, but, you know, taking this up further, kind of diving a little deeper into it from the cyber threat standpoint, um, you know, these can be spear phishing, these can be very kind of Targeted crafted emails to kind of have the executive to click.
They're busy. Um, but then sometimes it's their EA who's managing the inbox, who's also the one kind of, um, that could be vulnerable in that situation. Um, But, you know, there's a lot of things kind of going on in that sense, um, that we need to kind of take a look at.
AJ: Yeah, it's interesting. And so, I mean, you've [00:09:00] talked about it like there's a blend to a lot of this. It sounds like right. The physical and the cyber seems like there's a fair amount of overlap. You know, you've got you've got spear phishing and social engineering, uh, which can lead to executive impersonation as well and where I might fit in there, but also being able to use that for the next step, right?
Whether it's using social engineering to gather information necessary to create a physical attack, right? Or to understand where somebody is going to be, or maybe to understand how to how to get Into the location where they're at. Um, you know, where do you see this convergence and AI, you mentioned too, so we've got to throw it at this point.
Where do you see this convergence between, you know, the cyber component, the physical component, you know, cyber enabled, physical attacks, physically enabled cyber attacks, you know, which is less common and how AI, you know, sort of ties a lot of this together. It makes it more challenging for people to defend against some of these things.
You know, where, where do you see the components coming together?
Jeff: Yeah, so that's a good question. Um, actually, um, AJ kind of threw me off for a little bit. Uh, sorry, I'm kind of,
AJ: dude, you're fine. I'll edit it. Don't worry about it.
Jeff: yeah, I think I'm kind of losing my, uh, my, my place in my flow here. Um, so I apologize.
AJ: that's what it, I got it marked, I'll edit it. I
Jeff: kind of lost my, my, my train of thought there. Stand by. Um,
AJ: mean you could probably pick it up, like the holistic approach kind of a thing.
Jeff: Yeah. Yeah, I got it. Um, so
AJ: I'll cut it out, don't worry.
Jeff: yeah. So good question, AJ, you know, kind of looking at the integrating of cybersecurity into the executive protection program, [00:10:00] you know, really just looking at that holistic security approach, um, you know, when it comes to this, a comprehensive strategy, um, now requires, um, A lot of simultaneous consideration of both the physical and cyber risk.
So, you know, when it comes to that convergence, um, executives, physical security or physical safety, rather, and cyber security are no longer, um, separate domains. They need to be interconnected, um, and a part of this kind of security apparatus. And. Some of these proactive measures do come down to device security.
Um, you know, let's just say your executives traveling to, um, China, for instance, that's known for targeting, um, executives that are traveling overseas to their to their country. Um, you know, what we need to do there is provide, you know, an executive with a burner device, um, smartphones, laptops, tablets, um, to ensure that they're Not carrying over any kind of intellectual property that's on the device.
And then also, um, the full circle feedback for an intelligence cycle, bringing that device back to the forensics [00:11:00] team for further analysis to see if there's anything that was kind of planted or or on that device. Um, and then another another encryption, right? Kind of implementing encryption for all kind of Communication and sensitive data storage to protect against any kind of unauthorized access or potential data leaks from those, you know, from the executive or the predictor, um, as well as implementing, you know, kind of access controls and authentication, ensuring that the best cyber security practices are implemented, um, everything from MFA to biometric verification and, um, secure passwords, um, To safeguard from any kind of, um, access to both physical and also digital environments.
And then, um, another thing to kind of consider is the remote, um, surveillance and monitoring, um, using, um, digital tools to monitor both, um, physical security cameras and access points, making sure that they're secure, um, Wi Fi networks are secure, um, so that there is no, um, opportunity for a cyber attack, um, in real time, kind of, [00:12:00] you know, thinking along the lines of intrusion detection and network monitoring.
AJ: Well, and so a couple of things come to mind as you're going through this. I mean, first of all, a lot of these things require executives that actually participate, uh, executives aren't notorious for wanting to follow all the rules, right? So, um, you know, I'll ask you two questions. So don't ask this one cause I'm going to kind of go through two at the same time, but I'm curious your thoughts on that, on challenges that you either know personally or have seen others experience in how do you get executives who don't want to.
You know, be encumbered by security, right? And of, you know, multifactor authentication and things like that. You know, how do you, how do you mitigate that? If they say, I'm just not doing that. And then you got to, you know, work around, you know, they're the boss or whatever it might be. Um, but also, you mentioned encryption, you know, and you mentioned device security, right?
So device security, sending burners, if you're going to China, for instance, but at the same time, the encryption component could be a challenge because. You got to know where in the world you're allowed to use some of those things, right? As an Intel guy, I've done travel briefings for folks and said, Hey, listen, in this country, you can't bring anything in encrypted.
It's a crime. You'll, you know, you're gonna have an issue, you know, they're gonna check you at security [00:13:00] admin when they're gonna make you show them stuff. And it could be even worse. So, you know, how does that figure into that? Was that part of a pre brief going in? In some places it's not encrypted, but it's, Hey, you know, we'll give you a device and just here's the things you can and can't say, because, you know, the stuff's all gonna be available.
So, I mean, how do you handle those two things together? Getting them to cooperate and working through international laws. All
Jeff: yeah. And kind of when a lot of that stuff is covered, you know, when when they are traveling to certain locations, um, really conducting a, um, travel assessment, um, looking at everything from, like you said, um, Are they allowed to bring in an encrypted device? Some countries don't allow that, like you like you alluded to.
Um, but but also kind of knowing the environment there, knowing, um, any kind of concerns from a logistical standpoint, um, you know, you really have to have a whole kind of, um, brief there, uh, prepared for the executive. And, you know, where's the closest hospital medical? Um, what do they need to have with them that, um, you know, for that particular Individual that predict the, um, is there any medication they need?
Um, but also having contingency plans for, um, you know, the rest of the [00:14:00] traveling, um, knowing if there's any kind of major events that may kind of, um, be a concern during that trip, whether while they're in country, um, or anywhere for that matter. Um, but when, but, but kind of circle back also to, you know, an executive does need to buy into this and you need to kind of instill that level of trust, you have to be a trusted confidant, um, to them.
Um, you know, you are kind of coming into their circle, their family, their personal lives, and, you know, sometimes that's a tough sell. Um, but you know, there, I think that level of building trust starts with such things as, um, You know, starting small baby steps and you build from there. Um, and some kind of circumstances that could be, um, security awareness campaigns.
Um, if you get there by and maybe you're going to start sending spear phishing campaigns to him and use that as a learning opportunity and a conversation starting point, um, to kind of build, um, that kind of executive protection program from starting from a cyber, um, standpoint and [00:15:00] going from there, um, to And also, um, dry runs.
You can do, um, a tabletop exercise or an incident response drill, um, really kind of, um, in partnership with a corporate security kind of, um, Personnel, um, in a corporate environment, um, to kind of train them and show them how to react to, um, physical security threats. But from a cyber security point, um, how do they respond?
How do they alert to ransomware? How do they alert and notify efficient campaigns? B. C. Campaigns, stuff of that nature. Yeah.
AJ: it's interesting, like differently, sorry to cut you off, but differently from a lot of things we do with training, right? A lot of our cyber training. Is, you know, I mean, you mentioned, you know, phishing campaigns. We do that with everybody. So that's, that's sort of the norm, at least, but most of our cyber training is, is employees, right.
It's people in the company and we're teaching them, you know, security, physical security, cybersecurity, annual training, ongoing training, whatever it is, but in this case, it seems like, I mean, you've got a team, you've got to do the protection team has to have their job, right. And they're, they're trained and protected just like cyber defenders are trained and protected, uh, or physical security, you know, uh, it's [00:16:00] trained and protected.
They've got their own thing. But you mentioned it, you kind of alluded to it. It's not just the protectees, the executives, you know, and we talked obviously about the EAs and some of those, but also their families sometimes. Right. So being able to actually, you know, are there different challenges in, in finding, I mean, there's, I assume there are in how do you communicate this?
You know, it's not just, you're protecting, you know, the CEO, but maybe it's the CEO's wife and three kids of various ages. Um, you know, so this is a whole different group of people, you know, how, how do How is that different? How do you, how do you manage those challenges of having to get multiple people, you know, and find that balance between, hey, you don't want to scare them too much, uh, but at the same time, you do want them to understand this needs to be taken seriously, you know, real things happen.
I know we have some war stories we'll talk about later on scary stuff. You know, how do you balance that out to make sure that you get the right buy in from, from everybody? Because if the CEO totally buys in, but the CEO's 12 year old son or daughter doesn't, that's, that's, that's the avenue, right? That's the way in the door.
That's a problem. So how do you, how do you see managing those things?
Jeff: Yeah, I mean, and from a security apparatus standpoint, sometimes, um, you [00:17:00] know, those around them are the weakest link, um, towards the protectee. And, you know, logically, you do need to kind of scope that in, but it does open up a lot of, um, kind of privacy concerns and, and things that may limit their freedom, um, you know, for their family members and stuff of that nature.
Um, But there's there's different things that you can kind of do, um, to kind of scope in. Um, right. You know, you can kind of start to consider, um, You know, are they going to be monitored 24 7 or just when they're on business hours and business travel, you know, you can start to kind of limit it and limit the scope, um, until you kind of get by that trust, um, for the auxiliary members, but for an effective, um, Program.
It is kind of essential that you do begin to the scope of that. And, you know, there is a difficulty in maintaining, um, security without making the executive or the high value target, um, target by their public exposure. So sometimes, um, the public versus private life, um, social, social media can be a double edged sword there.
Um, [00:18:00] so you kind of start to see, you know, that auxiliary, that family member, that person in their core, um, You know, if they're not scoped into the program, sometimes they can be a vulnerability, um, and that by unintentionally disclosing location, um, or plans, and that kind of can put that predictee, um, in harm's way in some cases, um, and that kind of goes to a thought of, you know, the insider threat or, or trust issues as well, um, when they are When the predictee does, you know, for instance, um, hire the, the lawnskeeper or the driver, um, or, um, a nanny for that instance, um, these close kind of associates to the predictee, um, you need to kind of start to vet them too, though, um, you know, ensure that you kind of, not only doing a assessment or background on them, but, um, You know, kind of checking in and, you know, having multiple, um, kind of, um, checks into them.
Um, what this does is allows to kind of ensure that there's no, um, it avoids like the insider threats, the, you know, selling of access, the [00:19:00] kind of concerns around that, um, and establishing, um, Layers of security, even within that inner circle, um, while respecting the executive's privacy. So you're starting to kind of ensure that everyone else in that inner circle is kind of covered, um, and assessed and ensure that they are not an immediate threat, um, from from a background standpoint, too.
AJ: So that's, I mean, that's interesting when you talk about background checks and so on, like most companies do some kind of a background check. Right. But obviously it's very different here. Again, you're talking about people who have really close access and it's not, it's not a corporate employee necessarily.
It could be the, you know, the nanny or the, you know, the groundskeeper or whatever it is, as you said. Where does it come in, you know, the connection between the, the protection team and say, you know, local law enforcement or federal law enforcement, external agencies. Like how do, how do, how have you seen that in the past, you know, building those relationships, you know, maintaining those relationships.
How important is that, you know, how do those, how do those work in real time? Like how, how easy is it to work with, you know, local and national federal law enforcement, maybe international too, for all the tra you know, for all the travel. How, how hard [00:20:00] or easy is that to do? How do teams put that together?
Mm-Hmm.
Jeff: Yeah. So, you know, from, from that perspective, you know, it is kind of important to kind of put that, um, as a part of your executive protection protocol. Um, you know, a lot of times, law enforcement will always be the first responder. They're the quickest to get there. Um, so you need to make sure that you, A, have a good relationship, and B, know how to, um, kind of ensure, you know, But you can't have them 9 1 1, right?
But, um, but, you know, other agencies can kind of help assist, too, for international travel, um, you know, State Department and such, um, kind of ensuring that you check in with them when you're traveling, um, as well, and having those kind of, um, connections, even with local enforcement where you're traveling, right?
Um, you know, kind of letting them know, like, hey, um, you know, being able to be able to get in touch with them. Maybe if it is a high profile, um, predicting, um, letting them know that they're going to be in their jurisdiction as well. Um, and any kind of steps that may need to be taken there.
AJ: Interesting. So we didn't mention it at the open, but, uh, you know, I, I just kind of [00:21:00] glanced over the idea that, you know, you've, you've done all this for a long time, obviously in your private sector, you know, government space as well. I mean, you work with the U S secret service. So, I mean, when I, when I, I glossed over it a bit, but secret services kind of, everybody knows what secret service does.
I mean, that's protective of the highest value, you know, targets we have in the country. Right. So, but I know you've done a lot of this private sector space too. What do you see as. I don't know some of the some of the differences between them like is is one group generally easier to get buy in from like I would assume, you know, high level, you know, uh, uh, The president, for instance, I would assume they understand there's threats to their lives, right?
You know, high level people at those levels. I imagine you don't spend a lot of time selling them on the idea that security is a thing, right? But have you seen, you know, more or less uptake? Is it easier or harder with government versus private sector? Is it just individualized? Are there are there different, you know, levels or industries where it's easier or harder?
Jeff: Um, I, I would say, you know, obviously, um, from a government perspective, that's a, that's an easier sell. But, um, when it, when it comes to, um, the corporate environment, um, You know, I feel like it is a little bit. It goes both ways, right? Um, but [00:22:00] I've had experience where it is an easy by, um, an easy sell, especially with the increased threat landscape and the high targeting from a cyber perspective.
Um, and the cost of the business that they are overseeing. Um, so there is an easier, um, buy in, um, from that perspective, um, to kind of incorporate that into an EP program. Um, but, you know, sometimes. Unfortunately, um, I've also seen that it is, um, retroactive. Um, something's happened, um, where they need the, you know, they, they, now they understand the real risk and they're willing to kind of buy into it now.
Um, I've also seen that happen multiple times and then that's the trickle down effect, right? You know, from top down within corporations where it's kind of a mandate for them to buy into it.
AJ: hmm. Mm
Jeff: But on the other other side, you know, you kind of do have in some cases have to, you know, like I said, the baby steps and slowly roll out a program, um, where they might be a little bit more adverse [00:23:00] to, um, allowing, um, folks within the company to kind of dive into their personal life, um, help, although, you know, because you do, uh, it's a very intimate personal matter.
And, um. You know, when you kind of begin to scope it in, knowing those intimate details about an executive will only further, um, harden the program, you know, by knowing everything from, you know, the cars, the vacation homes, their travel plans, um, all of that stuff, the more that you know, the better you're able to protect them, right?
Um, but if they're not willing and able to share all those details, um, it does kind of allow you kind of playing, um, with one hand, um, and doing the best you can.
AJ: Yeah, I mean, that makes sense. I mean, if you've got to protect the who, you know, has a hobby. Mm hmm. That they're, you know, uh, they, they do, you know, I don't know, they do clay, uh, sculptures, you know, every Wednesday and they sneak away and nobody knows. I don't know why that would be their secret, but I'm trying to be, you know, kind in this case, uh, you need to know, right?
Hey, Wednesday night's clay molding night [00:24:00] at, you know, at this place, right? I mean, it's a predictable, you know, Pattern for an adversary, like, you know, every Wednesday night, you know, our target's going to be at this location, but if they're not willing to share that with you, because they're, I don't know, they don't want people to make fun of them for the terrible clay models they make or whatever it is.
It's, you know, it's a problem, right? So like you said, you got to be able to build that, that trust factor so that they're able to to tell you all the secrets, the things they don't want to tell other people. You know, I talked about the show being unspoken security. We're gonna talk about your secrets later.
Uh, it's people don't want to share, right? People, people want to hold things back until they built that trust. So in building the trust, building the relationship. So. I'm curious. I mean, you've done this a long time, obviously, and we talked about the cyber component, this physical component. So if you were going to build a team, you're going to build an executive protection team today from scratch.
You could have anybody you want. It's like a fantasy draft almost. Um, you know, I know you'd want me, but I'm not available. No, I'm just kidding. But in terms of talent, like in types of talent for the cyber and the physical component, you've also got, you know, this global, you know, You know, geopolitical piece comes into play and all this stuff.
What would you build? Like, what were the skills you would look for if you were going to put together, you know, a team? Um, and I won't ask [00:25:00] how big, cause I'm sure it depends on the organization, but you know, what are the skills you're looking to have? You know, what are you looking people to have on your team?
Jeff: Yeah. So, um, that team, that dream team would, would kind of include, um, corporate security, um, folks with former law enforcement, um, background, um, connection, um, And kind of the experience of dealing with, um, physical security situations where they need to kind of, um, take action. Um, but from a cyber perspective, um, you would want to kind of partner with a threat intel shop, um, as well as, um, a threat hunter to kind of, um, assess, um, you know, um, their external threats, um, that may kind of present there, um, but also, um, When it comes to cyber security, you also need a trusted, um, I.
T. professional, um, who can ensure that when they are traveling, um, to certain places and maintain their their own corporate equipment. So you need a trusted kind of, um, entity there, um, So, I mean, it does kind of run the gamut. There's a lot of a lot of folks that, um, [00:26:00] would kind of incorporate that. But I think the most important part is someone who has the soft skills, um, to be able to communicate and, um, and be that trusted confidant to the executive, to the, um, high, um, net value individual, um, who can also, um, ensure that they have, um, solid relationships with their inner circle too, um, and, and build their trust.
And let them know that you are a trusted advisor and have the best interest for them.
AJ: How do you, I said, I wouldn't ask how many people and I'm going to kind of go down that path because I'm just curious, but not exactly. But so assume you're a fortune 500 company, right? So we talked about high value targets. Aren't just like the CEO, right? There's several C levels. It could be some admins, et cetera.
I assume you don't have a team for each one of them. I don't think you're going to have, you know, giant, you know, you're not going to have 150 people doing, you know, executive protection. I would imagine. So, you know, how hard is it to, to balance that out, to fragment it out? Is it, are some of the briefings just sort of standardized across the board?
Like we have a bunch of stuff on, on the table, ready to go. We can train people the same way. And then just customizing as it comes, [00:27:00] like, how do you, how do you manage that workload when you're dealing with, you know, it could be dozens of, of people that are considered part of the program to protect at such a deep level.
And, and I can't imagine you're going to have, you know, a lot of people to work with in terms of the program.
Jeff: Yeah, I mean, that's a tough question, right? Um, it is actually kind of tough to answer. Um, because, you know, it varies, right? Um, it varies on the sense of how intimate are you? Um, how much is the company investing into it? Or how much is And into a corporation, a corporate executive or even a high net value, um, individual.
Um, sometimes it can be very limited because you are so close. So you don't want, um, you know, the kind of the face of these initiatives may be limited, but there will be an army behind it. Um, you know, whether it be from, you know, the cyber security standpoint, the I T standpoint, um, or the corporate security standpoint.
Um, but, you know, yeah. The face, um, you know, face to face kind of interactions is limited to a select few. Um, but there are people kind of supporting that individual who's the [00:28:00] face.
AJ: Got it. I mean, at the government side, and I don't know if you can share this, by the way, but like for Secret Service, the high value target, the high value targets, the protectees, they have a team, right? I mean, those don't actually rotate. I mean, I'm sure over time they do, but like, if I was, you know, pick a title in the government, which I'm not any of those, I would have the same team for a period of time, right?
Um, in that case, the government actually invests and has teams for individuals, I assume.
Jeff: Yeah, it's very similar, you know, where you'll have, um, you know, individuals kind of very close to the predict the and, um, You know, sometimes they are, um, kind of selected by the predictor, um, due to the fact that they have a good relationship and they're kind of leading those teams. Um, on that end.
AJ: Hmm. Interesting. Do you ever see the show House of Cards?
Jeff: I sure have. It's a good one.
AJ: I'm going to go ahead and assume that that's not a common occurrence with
Jeff: Yeah. Yeah.
AJ: their detail. Uh, for anybody who hasn't seen the show, I recommend watching it. And if you have and you find that to be not an amusing joke, then that's on you. Uh, cause I think it's hilarious. But anyway, um, good [00:29:00] show.
So, all right, cool. So listen, we've talked about like how to build a program. We've talked about the convergence of cyber and physical. And some of the challenges of, of extending this protection to more than just your protective at the family. And so there's differences between the corporate environment and the government space.
But I think what people really want, and this is, this is the question I like asking, you know, you more than anybody probably is, let's talk about some, some cool things, right? Do you have some cool war stories you could share? Obviously not specific names, groups, companies, that kind of thing. If anybody's looking for that dirt, this is the wrong place, but.
Talk to me about how, you know, when the rubber meets the road, we've talked to all these threats and all these risks. And I, do you have some cool stories that you're able to tell today that you probably used to help, you know, build some credibility with executives on things in the past, you know, what's the, what are some of the cool things, man?
Jeff: there. There is one that kind of comes to mind. Um, it is a historical example, um, takes place and DC. Um, it was a financial, um, Executive financial services executive living in D. C. And it was a scenario where, um. Proactive intelligence and an executive [00:30:00] protection program wasn't implemented, um, for this individual, unfortunately, and, um, was not aware that there was a angry mob, um, in the hundreds approaching their, their residents.
Um, at this time, that executive was going, um, to go pick up their, um, Their child at a t ball game, um, and had left, um, their, their child alone, um, at home. So as this mob approached, um, child was kind of cut off guard. Um, there's no future, um, kind of, um, Um, early alert signs to this. Um, and unfortunately, um, it did kind of have to be, you know, there was no actions that are able to be taken to kind of, um, prevent this law enforcement wasn't kind of, um, there to kind of block it is kind of really raw, unfortunately.
Um, so lessons to take away from that, though, you know, this, these are the kind of things that kind of can give you that early alert, um, have an executive protection program. Um, You know, removing your P. I. I. Um, when you can from places, um, online on [00:31:00] the open source, you know, some things are kind of, um, mandated and needs to be reported.
Um, but in those cases, such as like political donations, right? You can use appeal. You can use appeal box. You can use different means to kind of mask your. Home address. Um, but also to kind of ensure that the information that you can have removed or expunged, um, but help limit your tech service. So that.
You can't have, you don't have angry mobs coming to your home.
AJ: Was that mob, like, was it, it wasn't, oh, so it was their home. I was gonna say it wasn't coincidental that they were actually, were specifically targeting this individual
Jeff: They're, they're specifically targeting.
AJ: there for that purpose.
Jeff: Yeah. They're, they're, they're, they're targeting that executive.
AJ: that's not good. What I mean, listen, we, you've got a few others. I think they're really interesting. So I'm going to prompt you on some of these examples that I'm aware of. At least listen, smart homes, let's use that one as an example. Right? So I have, I've gone all in on, well, almost all in, at least on a lot of the smart home technologies, right?
So, you know, and people have asked like, you know, is it safe? Is it not safe? You know, how do you, how do you handle that? Like most people I know have [00:32:00] something in their smart home, whether it's, whether it's just an Alexa or whether it's, you know, Google or whether they've got, you know, locks or whatever.
You know, but the further down that path you go, the more you have to worry about the security components. So when you talk about executive protection, you know, what have you, have you got any cool stories on that? What have you seen in the past or sad stories or scary stories, whatever it is on how people have either protected well, or not protected the systems well enough and what the risks were.
Do
Jeff: standpoint, um, when you start kind of talking about the technology within the home, um, I mean, there's basics that kind of need to be implemented, right? Um, Your home router, you know, let's not leverage, um, the out of the box kind of, um, default passwords. Um, let's harden. Let's harden these devices a little bit.
So it doesn't make it easy for adversaries to kind of do very easy kind of scanning for those default passwords and devices. Um, because when that does happen, it does put you at risk. Um, you have all these devices that are connected Um, and they can be points of vulnerability for an individual or a family, um, [00:33:00] especially when it comes to, um, devices on the doors for access, um, as as well as, um, you know, your home networks.
So, um, but yeah, you know, we have seen situations where maybe these protect these aren't really tech savvy, and they need to kind of, um, go through, you know, basic cyber hygiene, um, um, Because, you know, maybe in their in their day, you know, they jobs, they hire people to do it for him. Um, so, you know, sometimes that kind of goes into inviting them into the home or intimate setting to kind of ensure that everything's, um, up to standard.
AJ: have a smart locks and cameras in your house?
Jeff: I do have a fortified. I do have some cameras around here.
AJ: Well done. Yeah, I do. I do as well. I have lots of discussions with people. There's always the debates right about what what is or isn't secure. Um, I also do. Uh, so another one that was curious about, um, because I've seen stories like this is like the, the, this is movies, right? About, you know, kidnappings, you know, people use cyber to track down like, you know, we're, we're, we're, you know, You know, pattern of life analysis, for instance, and where the kids are gonna be and where the executives are gonna be.
Have you seen any of this? And is this real? First of all, do you know anything [00:34:00] about it? And like real life? Does this happen? Is it common? Like, you know, how do you protect yourself? And you mentioned some of it, obviously keeping things, keeping your personal information off of social media or at least locked down.
But I mean, is this something common? That is something that is commonly being protected against, you know, with these teams or is this more of an outlier?
Jeff: Um, it is definitely something to be concerned about. Um, I have heard, um, of a lot of scenarios where I mean, think about it when these high value individuals or executives are traveling, have, they bring attention to them. Um, they're kind of easy to spot out sometimes. Um, and if they don't take security seriously, if they aren't implementing plans, um, to do so, um, with the right personnel around them, um, they can be easy targets.
Um, but with that said. Sometimes, um, it is not the actual predictee. Sometimes it is, um, family members that they leverage. Um, you know, uh, you see it in sports. Um, a lot of sports athletes, um, they'll target family members, unfortunately. Um, and so that's something you really need to kind of consider, um, when, when, and why it is so important to kind of, um, [00:35:00] scope in, um, family members and bring them in to ensure that they are, um.
They don't fall victim to such, you know, kind of situations there.
AJ: Well, it's a good point. I mean, I haven't thought about with athletes, right? So a lot of athletes we have, uh, I'll use baseball. I think it's probably the best example, right? Baseball has a lot of athletes that have come from other countries that have a lot more turmoil, uh, you know, economics and and political etcetera.
Um, and and places where kidnapping for profit is just a really Mhm. Common thing. You know, I don't want to overstate it. I'm not trying to make this into some political discussion, but there are places where it's more common than others. Um, and we have a lot of folks that happens to be, I think our baseball league is, is probably most affected by this Latin America has a lot of issues with, with kidnap, uh, as a, as a business space, as a, you know, as an ongoing enterprise.
Um, so, you know, it's interesting that you mentioned that because I don't know, I don't know if you have any ideas on this, I don't know how MLB handles this and I'm not going to. Call them out or anything like that. But I'm curious, like, how do you deal with that when you're, when you're talking about, Hey, the family members live in a totally different country.
Uh, you know, they're not with the protectee. Um, you know, how far can you extend the umbrella to try to [00:36:00] protect folks that are just so far away? I don't even know if there's an answer to that one, by the way. So if there's not, I apologize for the impossible question.
Jeff: Yeah. I mean, that that is a tough question and and hopefully one that they are taking into consideration. Um, you know, when they are outside of the U. S. Vulnerable. Um, and, you know, sometimes it's a scenario where someone's coming from a certain situation and, um, they're getting a lot of money and maybe not all the time.
Not everyone around him has the same, um, Economic situation and that they do kind of, um, unfortunately,
AJ: Well, yeah, I mean, you're talking about players that make millions and millions of dollars, you know, who've come from places where hundreds of dollars is, you know, a really solid living. So, yeah, this is a challenge, you know, listen, we have that in the US too. And there are people make millions of dollars get extorted, you know, in the US or kidnapped too.
So, yeah. Uh, I got one more technology. Uh, I'm looking for a case study on it. Cause I have, I have this, but I haven't done anything with it. I'm embarrassed to say. So a few years ago, this, this tool came out flipper zero, which is the super cool little handheld tool for those who don't know. And I'm sure most people listening probably do, but [00:37:00] if you don't, you can Google the term flipper zero.
It's a really cool little tool. You can do a ton of stuff with, I have one that's literally still in the box. I've had it since they were new and hard to get ahold of. And I'm too dumb to know how to use the damn thing. But, uh, but I know you know a little bit about this and how it works in terms of proximity and some of the risks that go with it.
Jeff: yeah. Um, this is something that's kind of come out, you know, it's a right teaming tool, um, but it's become very, um, I want to say very accessible, but, um, it is accessible to maybe folks that aren't really in that space, but it's also accessible to adversaries and people with, um, with bad intentions. And.
You know, this is just kind of a use case, um, where, you know, let's just say, um, you know, you have to be in close proximity to the individual, um, for a lot of these use cases. But, um, if you're traveling at a hotel and maybe your hotel card, maybe they're able to pickpocket it, or maybe you just leave it out.
They can scan it, um, you know, get the, um, Get access to your hotel. Um, or it could be your badge. Um, maybe not so much for an executive, but maybe an E. A. Maybe someone might have left it on their desk, whatever the case might be. It's that close [00:38:00] proximity use case where access could be jeopardized, um, as well as, um, Other multiple use cases that Flipper has.
Um, but those are two that, you know, in the case that if someone is kind of tailing someone, they could probably potentially, uh, have a, particularly at a moment of weakness where they leave something behind like that.
AJ: Well, yeah, I mean, I know you can use it to, to clone key fobs, for instance, for like cars and things like that. Um, which, so I guess, I mean, I guess it's obvious, like a lot of people think about it, you know, we see executives, we see, you know, high value folks, you know, politicians, whatever it is. And generally people keep a distance, you know, there's, you know, security's job.
And, and I feel bad for the security folks. Cause a lot of times, you know, especially with politicians, they want the opposite, right. They want to get close to the people that are, you know, that's part of their gig. And meanwhile, the, you know, the, For secret service person is trying to keep them from doing that.
And it's not just about, Hey, you're going to get stabbed, or you're going to get shot, or you're gonna get attacked or something. But it could be something as simple as this, you know, something could get cloned or copied and, and, you know, information could be stolen. There's a lot of technology. Flipper zero is just one that comes to mind, but there are others out there where people can quickly, you know, steal data from you, from your phone, from your credit [00:39:00] cards, whatever it might be.
Um, and I don't know if, if executives all understand or, or take that seriously, which is what makes your job so hard, basically.
Jeff: I did have another interesting use case that I kind of wanted to throw out there, and it really kind of highlights the cyber to physical kind of overlap there, and it kind of comes down. It's a feature on Google. It's Google's location history. It is an opt in feature, and I do recommend that you disable it.
Unless you have a good use case for it, but what what this use case on the present kind of highlights is if an adversary is able to get access to your gmail, um, you know, maybe your gmail address and password and able to get access to your google account, they now will have access to your google location history, which tracks, um, you know, your movement and kind of does a nice little breaks everything down.
Speaking of pattern of life, speaking of, you know, the time and they can really get a good idea of your movements. Um, things you like, um, to [00:40:00] go to where you travel to all that kind of stuff. Um, so it's something where they may be tracking you without knowing. So, um, that's just something that I kind of wanted to, you know, when you start to think of different ways adversaries may kind of target you from a cyber perspective, which can affect your physical, um, you know, kind of security.
AJ: Yeah, it's a good point. I mean, I spent a lot of time talking to folks about, about turning off, you know, technologies on all sorts of apps. Google obviously is a great example, right? A lot of other apps that people don't realize can track them. They don't, they don't notice the, they don't bother to notice the, uh, the permissions that they give, you know, we download apps and, you know, you got to look and go, well, why does this app have to know my location?
Why does this app have to know, you know, have to have access to my account, my calendar or my, uh, camera or, you know, my microphone? Yeah. Yeah. Uh, because a lot of apps ask for all sorts of accesses that don't seem to really tie to what you got the application for. Um, and unless you dig into it there, they're already there because you've approved it, right?
Um, so I mean, that's another good example is, you know, turning off history, turning off, you know, some of these tracking features, which can be useful sometimes, but the [00:41:00] risk is, uh, significant, right? And I think a lot of people don't, don't take that into account. So I think that's a really good point. So.
Listen, we got, we're going to start wrapping up here. Uh, you know, it's, I know, you know, we could go on. There's, there's a lot of good stories to this. There's a lot of, I mean, this is, there's layers and layers to this, but it seems like ultimately, you know, it's the physical cyber component are, are.
Overlapping. Uh, when you talk about executives, you know, having teams that are capable of handling and understanding all these different sides and going beyond just the protectee, as you said, the executive to the families to the second, third layers to the technical component to the, you know, the the corporate admins.
It's a big job, right? It's a big and challenging job. And I appreciate you being able to come in and talk about it a bit, you know, at a high level, how to build a program and some things to focus on. And also, you know, getting some of these You know, use cases and real life stories so that people understand, you know, this is real.
Like, this is not a hypothetical. This is not a, you know, a fantasy. These aren't all movie scenarios, um, and everybody isn't going to have a superhero, you know, that's going to be able to save them. So, you know, we kind of have to proactively protect ourselves, but. Now that we're getting [00:42:00] near the end of the show, you know, the last question I always ask everybody, uh, the name of the show is unspoken security.
And with that in mind, uh, you don't get a pass just because you're a friend of mine. So with that in mind, you know, I need you to tell me the audience, which is probably three people, uh, you know, tell us something you, you never told anybody before something that so far has gone unspoken.
Jeff: Well, one thing I would say, um, I, I do have a nice little hobby. I've, I've done a few acting, um, gigs. Um, one of them, yeah. Um, one of them was for Nike where I was, um, a body double for Dirk Nowinski. Um, and then I did another one with Adam Sandler, um, here in Philadelphia, um, where I was, it was background work, but, um, It was on the movie Hustle, Netflix Hustle, and, uh, you know, I was able to spend some time with, um, with Adam Sandler and Mark Cuban and, and everyone who's on that, on that set.
So it's, it's kind of interesting. It's something I like to kind of do on, on the side. Um, But I haven't got any speaking roles yet though. [00:43:00] Yeah,
AJ: like, was Dirk taking fouls and you get, now you're taking all the charges for him, like what, what was the reason for needing a body double for a, for a commercial for Nike?
Jeff: was, and it's really interesting how, how long they actually have and how many scenes they have to fill and how long it takes. It took like all day. Um, so basically I kind of step into the things he doesn't want to do. Uh,
AJ: So it was taking fouls then you're
Jeff: yeah, yeah, yeah, yeah, yeah, exactly. Uh, but, uh, it was definitely, it was definitely, it was definitely interesting though.
It was interesting. Um,
AJ: how tall is Dirk? Is he six, seven, two as well? Is he
Jeff: yeah, he's like, he's 7 1, 7 1, 7 2. Yeah.
AJ: You're taller than Dirk Novitsky. You actually, you actually look down on Dirk Novitsky in
Jeff: Yeah, yeah,
AJ: Hunched down a little bit for his benefit. That's nice. I like that. And then, so, I'm gonna ask, I don't know if anybody else, I mean, I assume anybody would.
So, is Adam Sandler, you know, Mark Cuban, are they cool in person? Like, is, is, Sandler has this reputation as just being a really laid back, normal, [00:44:00] you know, guy, right? I've seen him do stand up. I've seen him, you know, just talk to whatever. He seems like he's just like you and me, except he has fame and money.
But Is that true? Like, is that how he is?
Jeff: yeah, it really is. Like, he was so humble, kind of like the person you see in the characters he plays is the guy he is, um, just really down to earth. He even, he even had his daughter on set, um, so she was kind of like the director, um, for that scene. He kind of, he kind of like let her be the director, um, which was kind of cool.
It was cool to, you know, see that family dynamic and then Mark Cuban, um, He's hilarious, super humble. Um, funny. Um, it was, it was just great spending time with him and he's a cybersecurity, um, kind of guy too.
AJ: Yeah, right. He came out of our industry right before he, he seems to have done a little better for himself. And I, I assume it's just coincidental that you, uh, you body built for Novitskiy and that, you know, Novitskiy played for, you know, Cuban's team. I assume that's just coincidental, but, um, but it's, it's a small world, I guess.
So you, you, you got these guys numbers? Can I, can I get Cuban on the, on the show? Can I get, do you think you can get Sandman to come on the show or? I
Jeff: was, it was [00:45:00] a missed opportunity.
AJ: I really was hoping like that was going to be the big push, right? I'm sure, you know, Mark Cuban and Adam Sandler have nothing better to do with their time than, than come on, you know, unspoken security and talk at least Cubans in the industry, but, um, yeah, that's fine, man. I mean, that's fine. I figured you couldn't hook me up, but I got to ask the question.
You just never know. So, uh, are you still doing more acting? Like you, you, you chasing these things? You have a, do you have an agent? Do you look for these? Or they just come to you or
Jeff: Yeah. So like I, I signed up for like some, um, Kind of agencies, I guess. And whenever they are looking for, um,
AJ: foot two guy? It's a niche.
Jeff: yeah, like within proximity of Philadelphia or DC, there's no, I
AJ: I mean, the good news is if they need a seven foot two white guy, I imagine the competition is very, very small. Like, there aren't a lot of guys lining up for those roles, right? Like, I can't get that gig. And like, if I get up in there in stilts, I still probably couldn't get it. [00:46:00] So,
Jeff: Yeah, I found my niche. I found my niche.
AJ: With, uh, I'm going to ask, listen, what scene in Hustle should I be looking for you?
And I haven't seen it yet. It's actually on my list of things to watch, interestingly
Jeff: It was, it was, it was one of the opening. It was the opening, um, scene. Um, it was a funeral for the, um, owner of the Philadelphia 76ers. Um, so, you know, all the, everyone, all the major main characters were on that set. So it's kind of cool to get to meet everyone like Dr. J, Kenny the Jet. Um, like everyone, everyone was on the set.
AJ: That's cool. Listen, that's one of the better, like, tell us something that goes unspoken stories. I've had a lot, you know, you're, this is the, I don't know, 26th episode. I think we've done this and, uh, you know, some of them are more interesting than others. I don't want to call anybody out. Some of them are less exciting, but, uh, this is actually one of the better ones to be honest.
I mean, that's pretty neat. You got to hang out with cool people. That's a, that's a pretty cool hobby. Uh, that, you know, in your free time, you just go out and hang out with famous people and, and, you know, Be the 7 foot 2 body double that takes a beating for Dirk Davidzki so he doesn't have to hurt his, his knees or whatever anymore.
Jeff: it's a good, [00:47:00] it's a good use of it's a good use of PTO.
AJ: Yeah, I, I would think so. I, uh, I don't, I don't have that going for me. Unfortunately. Um, all right, cool. Listen, again, I want to thank you. I think we're pretty much up on time, but I want to thank you, you know, for coming for coming in on the doing this. You know, this is, um, you know, I appreciate it. Like you, you've got a very cool background, very interesting background.
You're a busy guy. I know that. Um, but there aren't a lot of people that have it. Do what you do, right? There aren't a lot of people that have such a depth in the cyberspace. Also in the physical security component. I don't know any of them who are also seven foot two basketball players who hang out with Mark Cuban, but there aren't a lot of guys like you.
So I appreciate you taking the time to come in and talk a bit about, you know, executive protection and what this all means and these holistic approaches. Um, you know, before I do let you go though, is there anything you want to say? Is there anything we left out? Is there anything you want to talk about?
Any pet projects, any plugs, anything at all, you know, that you want to say before, before we call it a show?
Jeff: No, I mean, I think we covered a lot and obviously we could go on and on about this topic and, and the importance of it, but just continue to be doesn't out there. [00:48:00] There aren't. You know, out there in this world. Not everyone's the good guy. So let's let's all be mindful of those out there so that they don't take advantage of us and take the steps you can to further protect yourself and and harden from a cyber and physical standpoint.
AJ: That's, I mean, it's good advice. It's a good point. You know, people who don't think they're at risk are probably mistaken. It's a dangerous world. And most of us have something that somebody wants. So again, I just want to thank you for coming on and spend some time today, Jeff. Really appreciate it. Uh, for everyone else who's watching or listening, you know, if you like the show, please, you know, like it and give good reviews and, you know, make sure you subscribe and tell all your friends and neighbors and see what you can do to help grow the show.
If you don't like the show. Don't tell anybody ever, um, you know, but feel free to reach out to me. I'm happy to take, you know, feedback and try to make it better. Uh, cause the show isn't about me. The show is about guests and it's about the audience. And I appreciate everybody taking the time to listen and watch.
So with all that said, uh, it's been great being here and it's been great having you on the show and for everybody else, this is another episode of Unspoken Security.
[00:49:00]