Executive protection is evolving from traditional bodyguard work to a more intelligent, data-driven discipline that enables organizations to prevent threats before they materialize.

Steve Hernandez, CEO of The North Group, shares how modern executive protection programs rely on predictive intelligence, thorough threat assessments, and a clear understanding of the organization’s risk profile.

Listen to learn:

1. Why risk assessments are the foundation of effective executive protection
2. How organizations can rethink who needs protection as threats extend beyond the C-suite
3. What factors to consider when choosing between in-house support and external protection partners
4. How sharing an executive’s full risk profile helps overcome resistance to protection

The Employee Safety Podcast is hosted by Peter Steinfeld, SVP of Safety Solutions at AlertMedia.

You can find this interview and many more by following The Employee Safety Podcast on Spotify or Apple Podcasts.

Get every episode delivered straight to your inbox by subscribing at https://www.alertmedia.com/podcast/.

Hello and welcome to the Employee Safety Podcast from AlertMedia, where you'll hear advice from experienced industry leaders on how to protect your people and business. I'm Peter Steinfeld.

Today we're exploring how executive protection has evolved from traditional physical security to a proactive discipline built on intelligence and digital risk awareness. Joining us is Steve Hernandez, CEO of the North Group, a global security firm helping organizations and executives manage risk with precision and foresight.

Steve shares his perspective on the current state of executive protection, what trends leaders prioritize, and how to build protection programs that align with today's complex risk environment. Here's our conversation. Hey, Steve, thanks for being here.

Good morning, Peter. How are you?

I am doing well. Well, let's go ahead and get right into it.

To start us off, how do you define executive protection and what does it mean in today's corporate risk landscape?

I think executive protection is a nuance of a service that is evolving today from what it used to be, where it used to be, a body man or a driver or an individual that was more of a chauffeur.

I think we're seeing an evolution of the thinking and more protective intelligence based protector, the individual that kind of handles both travel risk, personal matters. I think it's moving beyond what we've seen historically. I think we're seeing more of an industry shift, if you will.

Well, speaking of that industry shift, what changes or trends have you observed over just the last few years that are really influencing corporate executive protection? We're seeing a lot of folks that.

Are focused on more of that protective intelligence, as I said. Right. That digital footprint protection. Right. Identifying the threats pre incident versus being more reactive or post incident.

We're seeing a lot more protectors that are elevating their game and getting more training in both protective intelligence, digital sanitization, tactical surveillance, countermeasures. I think we're seeing more of the technical protector than we've ever seen in today's.

So how are all these shifts really influencing the role of security leaders? Or maybe more likely the expectations that are placed on protection teams today?

From the client standpoint, the client wants the best. I think the client is willing to pay for the best.

I think the problem is the gatekeepers to those executives that pick and choose the security that try to do it within budget. What we do when we look at this is we look at the liabilities, fragments of a circumstance or an issue. Right.

We're looking at legal liability, financial liability, life safety, liability, insurance liability, and then we're really working to couple all of those things into a dynamic assessment. And I think that's what both the providers that are experienced and the customers are looking for.

Is that dynamic fruit to say, okay, here is why you should do this. Maybe you shouldn't do ARM security here. Maybe you shouldn't do residential security. Maybe you need to do this?

And it's all based on kind of the matrix, right, that gets put together by a firm or by the protective detail.

And I imagine it can be different based on the executive. So that's actually one thing I'd love for you to define. Like what does executive mean? Is it just the CEO?

Does it also include any other people in the C suite? Does it also include maybe a VP who's working on a sensitive project that could require some protection?

What does it really mean to be an executive that would need protection?

I think we want to branch that out beyond just the C suite. We want to look at duty of care here, right? And we want to say we what individuals in an organization have a liability or a threat against them?

It could be the HR director of an organization.

Maybe it's not the VP of hr, but it's that first line HR director that dealt with the adverse employee who then became hostile and is now making, you know, digital domain threats. And how are we going to respond to that?

I think what we're seeing is the evolution of that, right, because it's transcending downward into the employer tree and we're not prepared for that as an industry. Right. We're very fixated on the CEO, needs security, the coo, the board of directors.

But at the end of the day, we're seeing more radicalization, we're seeing more of the fixation and the grievance ideology that are spanning across one organization down to its middle management almost. And I think that's dangerous.

I think that if we don't pay attention to the threat and really define that, then we create more liability than we mitigate.

I think that's really important for a lot of our listeners to understand. And it's not just the C suite.

I remember years ago, gosh, this must have been 20, 25 years ago, I was working somewhere and there was a manager who had to let someone go and it didn't go well. And he woke up the next morning and looked in his driveway and all four of his tires were slit. And this is someone that's just a first level manager.

So to your point, you have to think like who's at risk and why in your organization? And let's see if we can get them the appropriate protection.

You know, there's so many of these situations, right. I can't even begin to tell you how many we deal with in a year. But what I can say is every single one of them has a different attribute to it, right?

There's a different why behind it. There's a different circumstance, there's different atmospherics, there's different personalities.

I think everything needs to start with an assessment, right? Whether it's a behavioral threat assessment, a risk assessment, a corporate assessment.

We need to really get back to the basics on assessing risk and liabilities and then bring that in totality to the customer market and say, okay, here's what we believe and I'll give you an example of this. If there's a client that's doing something in Zimbabwe and I don't have a good footprint there, I know a company that does.

I'm going to give that to the company that does it. Well, I'm not going to try to cost plus that up and sub it out.

Because what's really needed is the detail of that firm on the ground to actually figure out what the liability of that organization is.

I think the other side of it is how do we gauge what the threat matrix of an organization looks like when we aren't performing those risk assessments?

How do we dictate that to the protective detail teams, the gsocs, these global security operations centers that are supposed to monitor a residence, but we haven't really told them? I hear this all the time. My protection detail has never seen a threat report from my protective intel team.

And I actually hear that a lot where those two aren't. It's like the CISO and the CSO not talking to each other. Right, because they're siloed.

And I think what we need to do as, as a industry is really work on crossing both the physical, digital and cyber domains into one converged ideological understanding of it doesn't really matter where risk comes from. We are assessing all of these domains and we are looking at the criticalities of each one, the exposures, and then liability values.

So how does executive protection fit into a broader enterprise security risk management strategy?

That's a great question, Peter. So where I would start is if you're a corporation, there's some tax advantages to doing what's called a 132 assessment.

So you can write off executive protection by doing that assessment as an organization. And what I would say is if an organization feels that they need security, why not save money on the tax advantage side of it?

First and foremost, the next side is who is running the enterprise security versus the executive's personal security. Is there a need for personal security based on risk? Again, I go back to, and not to sway the question, but I go back to what's the risk assessment?

Say, what's the threat assessment? Say, is there one? Have we done one?

Because when we start to look at enterprise level security, we have to understand, obviously cost, reward, return on investment, these type of things.

So the way we do this is we go back to that liability formula and we look at that from the standpoint of what's the return on investment, what's the cost of those potential liabilities? And I think that organizations are looking at this from two ways.

They're looking at it from the standpoint of if we do this, is it a cost center, or are we putting it towards something that is ultimately reducing our legal liability, financial liability, life, safety liability? Ultimately, I think those are the conversations.

Now for organizations that want to start an enterprise security program and say they want to do ep, where I would start is understanding, well, what's the reason, what's the why?

I mean, just to make it plain and simple, and organizations that have a critical threat, I think that it's sometimes okay to just jump right into putting somebody on that executive or that C suite member, that board member, based on the information that we're seeing. Sometimes that happens right where we'll get the call, or an organization gets a call, hey, we need a guy here by 5 o' clock today.

My issue is a lot of times it's there's no why. So we send an agent to a location, maybe armed or unarmed, and then there's really no reason.

And this is kind of the issue that I see growing in our industry that we're moving away from.

We're moving towards that proactive protective intelligence approach to EP now, which I think is great because we've had so many instances in the last year where we've seen that executive targeting, we've seen that grievance ideology grow very quickly, where the pathway to violence has been taken so abruptly and the shift is there, but no one identified the mitigation strategies. So I think both communication, organizationally, why are we deciding to do security?

I think also organizations have to look at this from the perspective of is this the right time to evaluate or is the right time to put somebody on the ground and then we'll evaluate later?

You know, it's not the same as working a rope line with a celebrity at a red carpet event, right it's not that when we talk about corporate security, there's general counsels that need to be involved in that conversation. There's CFOs that need to be involved in that conversation.

The hardest person to sell all the time is a cfo because they typically don't understand the why. And that's not typically articulated well, from what I hear from the CFOs that I've talked to.

So ultimately, showing that return on investment, I think is number one for an organization. Even if they're doing it internally. Say they're starting a gsoc, they're starting an EP program. Is it better to go in house or out of house?

I think that really depends on the organization's risk appetite, number one. And then number two, the why. Go back to the why, unpack the why, and then understand if we do this, what are we mitigating?

If you answer those questions on a whiteboard, almost always, you'll have an enterprise security program in a few months that's rolled out and operating well, and then ultimately who you put in charge of it.

I think that understanding the why is so critical, not only can it satisfy the CFO potentially, but it also makes that security person more effective in whatever it is they're doing. Imagine if you were told to go to the grocery store and just go buy some stuff. You're like, okay.

But if you were told very specifically, here's the recipe I'm trying to cook and I need these seven things, you're going to be much more effective. So overall, that why is huge.

I think that there's a big issue in our space with this because sometimes we go to fix a problem, but we create a gap, right? So let's say, and I'm going to use the CISO CSO model, right? So you have physical and cyber.

Let's say we have the best cybersecurity as an organization. We're Fortune 10, right? We've got the best, our physical security, because we have a lot of remote people.

We're not, but we have a lot of digital footprint work that we do. Pharmaceutical, something like that. We do research and development. My physical is met by industry standard and that's it.

And we see a lot of regulatory, industry standard security guidelines that are met, say pharmaceutical critical infrastructure, things like that. But ultimately, if I can't get into that cyber component, I can always make my way through the physical side. I think it's a give and take.

And that's one of the big issues I see is if I want to exploit an executive. All I need is time.

So what we do to build most of our enterprise level security programs is we will red team and we will see what the vulnerabilities are and we'll look at both the physical, the cyber.

And we didn't start doing that until about five, four or five years ago where we started saying, hey, we're going to red team this before we actually go in and do our risk assessment. If you look at an organization, how many people come in and out of that organization, what do they do, what are their services? Right?

And I look at those avenues from an adversarial standpoint and now I start to create vulnerabilities, I start to create approaches. If I want to get to that executive, I'm never going to go directly to the executive.

If I'm a well trained adversary, I'm going to look at those second and third order avenues of approach and figure out how to exploit that individual based on that. My point is we have to broaden our horizon. When we look at enterprise security. We can't just say, hey, we got a guy, we got a driver, we're done.

Because do we have a driver for the children, do we have a driver for the wife?

So from all the red team exercises you've done over the years, from your experience, what are the most important components of an effective program to close some of those gaps?

One, who is in the circle, how big that circle is? I'm more concerned about social engineering than anything. I can lock down the digital domain.

I can give you a phone that cost X and that phone's secure until you go somewhere across the pond, then it's probably not. We probably need to get you a new one. I think that's another issue, right?

Is digital standardization with travel for executives, when they go abroad and when they come back. But I would say that it's really looking at that circle because that to me is always my greatest concern.

And I look at it from the ones that say started with nothing and then made it and they still have that started from nothing circle. And that concerns me because what I've watched over the last 15 years is I've watched money change people.

I've seen it at a crazy rate where all of a sudden now that circle that they grew up with in the old neighborhood and then it starts to convert into I'm actually needed by this person. So I always see, I look at mice, right? So what's people's motives to exploit? Right. It's money, ideology, coercion and ego or Compromise and emotion.

So if you look at that acronym and you look at what people's motives are, that's the avenue where I see. It's not like the weather is a concern, right? We know that. We know that. Okay. If there's a tornado, that's a concern.

We're worried about those human behavioral atmospherics, right? Or group atmospherics and personalities that are less likely to be identified by that corporate team because they know that corporate team exists.

So if an organization is just starting to think, hey, we need some executive protection, we have a great physical security program, but now we need to apply something for our executives. Specifically, what are the top factors that it should consider first?

Well, I think, number one, they need to consider the why. We talked about that a little bit, right? Why do we need this? I think two is let's do the residential security assessments and the lifestyle.

We call it a lifestyle assessment. We're going to look at that executive's travel patterns, behavioral patterns, who's around there.

We really understand where that could really branch out into what type of risk factors. I think the next thing is going to be, you know, how do they travel? Are they doing private to the fbo? Are they doing commercial still?

That's a big factor too, right? Because some boards require an executive to take private due to, you know, liability issues. They want to refrain from having any of those issues.

So they put them on a private plane. And that's. And it's funny, the first time I saw that, I thought that was weird that a board is willing to mandate that a CEO travels privately.

I thought that was really interesting. I also think, where are they speaking? What are they doing? I think these are all considerations.

If you're a healthcare executive today and you're speaking at 10, 12 conferences next year, you definitely need security.

I think if you're in the financial services market, I think if you're in politics, these are all areas that we're seeing that balloon of that grievance ideology on both sides of the political and ideological spectrum, where we're seeing people just completely radicalized with their belief systems. And ultimately what we're seeing is that lone wolf piece that we started looking at Years ago, after 9, 11 start to really come back alive today.

I think an organization has to also look at the duration or need beyond the duration, because a lot of times an organization could say, hey, this is going to cost us 300,000amonth to get these people staffed and get the driver and the residential security. They've got four homes this and that. But what's beyond that? And for us, we start looking at that immediately.

Because I want to understand and help forecast both from a budget standpoint and a risk standpoint.

Because just think of this past Thanksgiving or Christmas, you know, when people are going to grandma's house, do they want to have the EP guy sitting in the driveway? Is the EP guy going to go advance grandma's house? You know what I mean?

And a lot of times what you'll hear is the executives like I don't need anybody. But this is the other issue. And the second thing they need to consider what is the liability of doing nothing.

Because I can tell you of a couple circumstances in the last 12 months where I think families, individuals, organizations wish they would have done more, without a doubt.

And do people need to bring this in house? Should they work with external providers? Is there some kind of nice blend you can do between the two?

Depending on the situation and thinking about the out cases in the future, I.

Look at this two ways. And not to push people away from obviously an organization like ours, private sector.

But I think it depends on the structure of your organization and what the depth of the program is. Now we follow a blend, right? Sometimes we'll work for a COO and we'll embed a director of security.

But what that director gets is the entire depth of our organization and every divisional leader beyond it.

But I also have told organizations you need to hire this director or this chief security officer or this director of executive protection in house due to these factors. And sometimes it's dealing with different compliancy and regulatory issues.

So if you're looking at an organization that's governed by the, you know, the SEC or financial services, you know, they have compliance and regulatory requirements that they have to meet. Same with different pharmaceuticals, same with different critical infrastructure.

It's not to say we wouldn't, but at the same time we might actually do an executive headhunt for them and then help vet that person.

And like a couple organizations we have embedded protective intelligence programs with and they still call us for their executive protection, but we work in overtime to find them the right people for their in house side as well. Because I think it's important, depending on the need and depending on the depth of the organization, that they have to look at both options.

Something you said earlier too caught my attention and I want to discuss it just a bit more. Sometimes executives resist having protection, as you mentioned. So how do you approach that conversation when leaders just don't think they need it?

So I think a lot of Times this is done with a middleman where there's somebody in between, I would say most, I would say, let's say 8 out of 10, somebody in between the executive and the provider of the ep. Right. Whether it's an individual in house or an external partner or whatever.

I think a lot of times what's best to do and what I like to do, whether it's a celebrity client, a list client, corporate client, I like to sit down and just understand what they're concerned about. And my number one question is, what's keeping you up at night? And that's where I start. Right.

Ultimately, I think it's the in between person that will a lot of times say, ah, they don't want it, they're good. But I also have seen it to where they get time back having that driver.

They don't have to worry when they're out to dinner because somebody has set up that private room underneath an alias, set up that hotel booking underneath a pseudonym. Part of the job of an EP agent too is to make sure that there's no brand reputational risk to the client.

And I think that's another piece that's overlooked a lot because it's not just physical. Brand reputational risk is just as dangerous and that can ultimately create more physical risk if not addressed.

So I think that's the biggest issue that I see with the executive not really knowing what they're getting. I also don't think people should have security if they don't need it. I think assess your risk and determine what your physical risk profile is.

Maybe you need more digital risk management than you do physical. As organizations evolve, as executives evolve, what we have to do is help them understand what is their risk profile.

Because if I look at you as an executive, Peter, and I say, Peter, here's your threat assessment. These are the five individuals we've identified. Two of them live within close proximity to two of your speaking engagements.

Going to go, steve, I need security. What are you doing? Give me a team. But if I don't tell you that, just say, hey, you should think about security.

In a board level meeting, the executive is going to be like, why? Well, it's dangerous out there, but the world's dangerous. I mean, these are the kind of conversations that I hear.

I think a lot of it is also, we don't spend the time to help the executive understand where this could go and how it could escalate and what is the patterns that we're identifying. What concerns me is when no one's telling the Executive what their risk is and why we're suggesting it.

And I think, to answer your question, that's where the decision gets dropped.

And that's the hard thing to do. And I think what really differentiates the pros from the amateurs is really sitting down and figuring out what is the why, what are the specifics?

And let's protect against that instead of just, oh, hire a guy with a gun.

I want a thinker, I want somebody that. And this has always been my philosophy in ep, right? If I have to pull that weapon.

I failed at understanding the risk profile before I stepped off, before I stepped off the tarmac, before I stepped out of the vehicle. And that to me is the most critical piece of it is also whether I'm back left or front right of the vehicle. My job is not to watch the principal.

I'm looking through the principal, say we're on a rope line, or I'm looking away from the principal in a position or an advantage to be able to move to the principal to egress them out of the area should a situation arise.

Also, a lot of times I see when we talk about crisis response with some of our different EP clients, one of the things that comes up is like, well, where do we go if there's an active shooter in our building? Things like that. Well, every building we go into, we establish a hard room, right? That's just common practice. What's the hard room?

Where are we pushing? How are we going to defend it? All of those things over the years it's been funny, right?

Working with some different venues and different folks and they're like, what do you mean? Why? Why would you take them into the bathroom? What's the only door we could lock right in the venue?

But I think that if you plan for everything, you'll never work a day in your life. And that's the way I look at it, right.

Recently I was speaking at GSX and somebody in the crowd called me Doomsday Steve that I've done some work with. And it was funny, right? I mean, they were like, yeah, we referred to Steve as Doomsday Steve.

And one of the things that I responded with was, I would rather be ready than wish I had planned.

Yeah.

And that's all in order. I mean, to me, I go to bed just fine. I don't really overthink any of it. Only when I feel like we missed something.

And I think when you overanalyze the concerning factors of an executive's what I would call threat matrix, become obsessed with that so they don't have to. I think that's the key factor.

Well, I bet you're full of stories. Is there one that you can actually share with us that highlights the value of executive protection and inaction in the.

Myriad of threats that I've seen? One particular client, very well known political commentator, we had this individual in Michigan.

And I went to the stadium where they were speaking as an advance detail and I met with the manager of operations at the stadium. I had a set of binoculars on the advance and I had a rangefinder. And I remember she scoffed and laughed at me. Why do you have a range finder?

This is about two years ago now. And now I look back at that and this job for me isn't just a job.

I mean, it was a calling because I feel like I've never really been good at anything else and I was good at this and I figured out the business side of it as well.

But to protect someone, to be the person that is dedicated towards running towards the fire when everybody else is running the opposite direction, I don't think there's a greater legacy to live on than that. And to do it for no fame, no glory, which none of that is why I do it. Ultimately, that detail was very successful.

I brought in a county SWAT team to support it. I had a counter sniper team for that detail. And the greatest threat ultimately came from the rope line.

We were very focused two years ago on the high angle concerns. And now look at where we're at today.

And that's where I want everybody to understand that adversaries know the quick and easy ways to get to the executive. And depending on that adversary's mindset, whether they want to leave that incident or not will depend on a lot of their actions.

But if you look beyond the rear view mirror, beyond the windshield, and actually look at what's outside, everywhere you are, you're going to be pretty successful in this space.

It's definitely an honor to work with the people that I've worked with over the years and see the tremendous depth of our industry and the knowledge and the experience behind some folks. I'm sure you have the same stories as well. It's rewarding.

It absolutely is. As we wrap up, what's your advice for organizations that just want to elevate their executive protection programs?

You've offered a lot of great advice so far, but what are the top things you would say an organization should focus on immediately?

So I'll give you three.

Start at where you want to see this in five years what's that end state one, you don't want to be the organization that's hiring a CSO or a director every eight months. Give the expectation to either the contracted firm, the embedded firm or the individual that you hire.

Give those expectations for what you want five years from now. I think the next thing is what's the return on investment? And that's not going to be dollars and cents, Right.

It's really weird because you're going to spend dollars and cents to get a non, I guess, mechanical return on investment. Right.

For nothing to happen.

Yeah. Well, and how do you value that? Yeah, how do you value nothing went wrong?

So you have to kind of re engineer that into, well, if this went wrong, but you can't. What if it to death?

Well, if there's a hundred foot tsunami off the coast of California, if anybody remembers this past summer, there was going to be a massive tsunami for about 35 minutes.

Right.

And then it calmed down. Right. Well, that sent our world into chaos for about 35 minutes because I had to figure out how to get people out of these areas.

And then finally I'm like, the state of California. How can you mess that up? How can you tell everybody there's going to be a hundred foot tsunami?

So, and that's my next point is don't listen to the noise. Take the fox. Just because there was this incident doesn't mean your executive is at risk.

What that means, okay, pharmaceutical industry giant has been assassinated or killed or robbed and you're the next giant in line in that industry. That doesn't mean your executive is being targeted.

What it means is we need to do a threat assessment, we need to do a risk assessment and we need to determine where that correlates. And I'll say the last thing is believe in not just theory of how security works, but watch for the facts of what security actually is.

Security is supposed to be invisible. It is supposed to be something that you see only when you need to. Don't overdo security and keep your culture intact.

Don't change your culture to build your.

Security because it won't work.

It won't.

Well, Steve, thank you so much for being on the show. Tremendous advice. Thank you for unpacking what executive protection really means.

Thank you, Peter. Thank you everyone.

To learn more about Steve and his work with the North Group, click the links in the episode description. You can also watch video highlights from this episode On Alert Media's YouTube. Don't forget to subscribe, rate and review the show.

Wherever you get your podcasts Stay safe out there.

Thank you for listening to the Employee Safety Podcast from Alert Media, the industry's most intuitive emergency communication and threat intelligence solution. To learn more about how to protect your people and business during critical events, visit alertmedia.com until next time.