Most organizations that think they have an executive protection program actually have a personal security detail that gets deployed when the principal asks for one. Those are not the same thing.
These questions come from security directors, board-level governance conversations, and EP practitioners who are trying to build programs, rebuild or mature existing programs, that can be measured, defended, and scaled — not just activated in a crisis.
WHAT IS AN EP PMO?
What is a Converged Executive Protection Program Management Office?
An Executive Protection Program Management Office (EP PMO) is the organizational structure and governance framework through which an enterprise designs, operates, measures, and continuously improves its executive protection program.
A program has:
- A defined population it protects — which executives, under what threat criteria
- A threat intelligence cycle that informs operational posture
- Documented policies and procedures for every foreseeable scenario
- A budget defended annually with data, not just presence
- Metrics that prove value and identify gaps
- Integration with physical security, cybersecurity, and supply chain security
- A succession plan for who runs the program if the EP Leader leaves tomorrow
The PMO framework applies program management discipline to executive protection — because the informal, relationship-based approach that works for a single executive’s detail does not scale, does not survive leadership transitions, and cannot be measured or defended.
What is the difference between executive protection and a personal security detail?
Some will simplify this into the same term, but there can be suttle differences. Some see it as protection of the executive(s) and the other as employees at the same event or just a large group of employees whether or not executives are attending.
A personal security detail (PSD) is an operational component of an executive protection program. A PSD deploys people around a principal when there is a perceived threat. An EP program is the governance structure that decides when a PSD is needed, how it is staffed and trained, what its rules of engagement are, and how it integrates with everything else protecting the principal.
A PSD without an EP program is reactive protection. An EP program is proactive protection — threat intelligence, advance work, residential security assessments, travel security protocols, cyber hygiene for the principal’s devices, and a PSD as one tool among many.
Most companies that think they have an EP program actually have a PSD that gets deployed when the CEO asks for it. That is a service, not a program.
When does a company need a formal EP PMO?
When any of the following are true:
- The company has executives who regularly travel internationally to elevated-risk environments
- The company employs executives whose public profile, industry, or personal wealth creates personal threat exposure independent of company risk
- The company has experienced a credible threat against an executive
- The company is in an industry with known EP relevance — energy, financial services, pharmaceutical, technology, media
- The company is growing through acquisition and executive protection standards need to harmonize across entities
- The board or legal counsel has identified EP as a duty of care obligation
The question I am most often asked is: “How big do we need to be before we need an EP program?” The answer is not about headcount — it is about threat profile. A 200-person company whose CEO is a visible policy advocate may need a more robust EP program than a 5,000-person company whose leadership is low-profile.
WHAT IT COVERS
What does a mature EP program actually protect against?
A mature converged EP program addresses:
Physical threats: Directed violence, kidnap for ransom, opportunistic crime against the principal’s person. This is the traditional PSD domain — and it is only part of the picture.
Information threats: Intelligence collection against the principal — who they meet with, where they travel, what their schedule is, what devices they carry. Adversaries targeting an executive often want information more than they want the principal’s physical harm. Dox’ing in a common threat experienced by an executive and their family.
Cyber threats against the principal’s devices: A principal’s personal email, personal phone, home network, and family member devices are high-value targets that are rarely protected to corporate standard.
Residential security: The executive’s home is the lowest-visibility, highest-access point in most threat scenarios. Residential security assessments, camera systems, and response protocols belong in a converged EP program.
Travel security: Pre-travel threat briefings, advance work on venues and ground transportation, medical pre-deployment screening, and in-country communication protocols.
Family protection: In most threat scenarios, family members are leverage — not just collateral. A converged EP program assesses the threat to family members and documents what response looks like when a threat targets the family rather than the principal directly.
How does executive protection intersect with cybersecurity?
At more points than most EP programs acknowledge — and the intersection is where most modern threats against senior executives actually live.
Spear phishing targeted at executives with high access privileges. Social engineering through executive assistants. Compromise of personal email accounts containing sensitive business information. Device compromise when a principal connects to untrusted networks during international travel.
A converged EP program treats the principal’s digital surface as a protection domain. Specific intersections:
Device hardening: The principal’s phone, laptop, and tablet should meet a documented EP security standard — verified, not assumed.
Network security while traveling: VPN use, hotel network protocols, loaner device policies for high-risk environments.
Social media discipline: A principal’s social media reveals schedule, location, relationships, and preferences to anyone who wants to use that information operationally. A threat intelligence cycle includes monitoring the principal’s digital footprint.
Home network security: If the principal does business from home — and they do — the home network is a corporate asset that should meet a EP security standard.
The EP Leader who is not in regular communication with the CISO is running half a program.
How does the “must comply with” challenge affect EP programs?
When a corporation mandates that its executive protection suppliers — ground transportation suppliers, hotel security programs, venue advance teams — “must comply with” the company’s security and compliance requirements, those requirements flow downstream through the supply chain of the EP program itself.
The problem: most EP programs do not have a supply chain security framework. They have supplier relationships built on trust and professional reputation, not documented compliance requirements. The advance team supplier. The ground transportation company in São Paulo. The hotel approved by the travel team, not the EP team.
Each of those suppliers is in the EP supply chain. Each of them has access to the principal’s schedule, location, identity, and movement patterns. If any of them has a security failure — a compromised employee, a data breach, an undisclosed subcontractor — the exposure flows directly to the principal.
A mature EP PMO applies the same supply chain security rigor to its own supplier ecosystem that it would apply to any other high-risk supplier relationship, especially the flow down.
METRICS AND MEASUREMENT
How do you measure executive protection program effectiveness?
Metrics is where EP programs most commonly fail. The traditional EP measure is “nothing happened” — which is neither a metric nor a proof of effectiveness.
A measurable EP program tracks:
Input metrics: Budget (USA teams, don’t forget IRS reporting requirements) per protected principal. Training hours per EP agent per year. Percentage of high-risk travel environments where advance work was completed.
Process metrics: Time from threat identification to protective action. Percentage of principal travel itineraries that received a threat brief. Supplier compliance rate against EP supply chain security requirements.
Outcome metrics: Number of identified threats against protected principals. Number of those threats that triggered a protective response. Trend over time — which requires a multi-year baseline.
Program health metrics: Agent licensing, training, certification currency and renewal status. Date of last residential security assessment per protected principal. Succession readiness — who runs the program tomorrow if the EP Leader is unavailable?
The goal is to walk into a board meeting and answer “how do you know your EP program is working?” with data — not stories.
In my book on Converged Security Metrics, we have a chapter on this specific area. If you are this level of maturity and you see this FAQ, email me and I will email you that chapter for free.
What certifications matter for EP professionals?
…..whether internal or supplier based.
The credential landscape has expanded significantly — not all of it uniformly credible. What matters:
IFPO CPO (Certified Protection Officer): Broadly recognized baseline for protection professionals. Demonstrates foundational knowledge across physical security and protection disciplines.
ASIS CPP (Certified Protection Professional): Broad converged security credential. Demonstrates program management competence, not EP-specific skills.
Active assailant response / ALERRT / H.E.A.T.: Scenario-based tactical training. Should be a baseline for anyone on a personal security detail.
Tactical Emergency Casualty Care (TECC) or Tactical Combat Casualty Care (TCCC): Trauma first aid. A non-negotiable standard for any protection professional. Non-negotiable.
Texas Level IV Personal Protection Officer (or equivalent in your jurisdiction): State-issued protection officer licensure. Know what your operating jurisdiction requires — unlicensed EP work in regulated states is a liability problem, not just a compliance one.
What matters less without practical verification: examination-only certifications with no field component, from organizations with no enforcement mechanism for ongoing competency.
BUILDING FROM SCRATCH
How do you build an EP PMO from nothing?
In sequence:
1. Threat assessment. Who are you protecting, from what, and based on what intelligence? If you cannot answer this question, you are building a program around a threat you have not defined. “Solution Looking for a Problem” (Thanks MM)
2. Population decision. Which executives and/or key personnel, require protection, at what level, and under what circumstances? Document the criteria. Protect against the temptation to let the org chart drive this — the highest-compensated executive is not necessarily the highest-risk one.
3. Policy framework. Travel (not just on airplanes) security policy. Residential security standards. Device security requirements for protected principals. Advance work protocols. Incident response and escalation procedures.
4. Supplier selection. Ground transportation. Advance teams. International security partners. Apply supply chain security standards to all of them before you need them in an operational scenario.
5. Technology baseline. Threat intelligence platform. Principal device management. Residential security systems. In-country communication protocols. Panic alarms.
6. Metrics baseline. Establish what you are measuring from Day 1 — so you can demonstrate program improvement over time.
7. Integration. Connect the EP PMO to physical security, cybersecurity, and supply chain security. Brief the CISO. Brief the CSO. Brief the GC. Brief the Risk/Insurance Executive. Make sure the EP program is not an isolated function.
The most common mistake is building Steps 4 and 5 before Steps 1 and 2. Technology and suppliers should serve a defined threat model — not precede it.
What is the biggest thing most EP programs get wrong?
Scope. They protect the wrong things, in the wrong ways, for the wrong reasons.
Wrong population scope: Protecting only the CEO. Most threat models extend to the COO, CFO, CIO, General Counsel, and board members — all of whom make decisions that generate adversarial interest, and most of whom have significantly lower protection posture than the CEO.
Wrong threat scope: Preparing for physical threats while ignoring information threats. The most likely threat against a senior executive in most corporate environments is an information operation — not a person with a weapon.
Wrong location scope: Protecting during travel while not at residence. Most violence against executives occurs at predictable, low-variability locations — typically near the home. Air travel vs. local travel. Business vs. Vacation.
Wrong population scope for the family: Protecting the principal and not their immediate family. A threat actor who cannot directly reach the executive will often approach through family members.
Wrong scope on the supply chain: Building a protection program that does not apply security standards to its own supplier ecosystem — and leaving the principal’s schedule, location, and movement patterns in the hands of suppliers who have not been assessed.
Written by Jim McConnell — 36+ years of converged security practice, including executive protection program design and operations, Texas Level IV Personal Protection Officer, and teaching executive protection curriculum internationally. See also: Converged Security FAQ, Converged M&A Security FAQ.