Redefining CyberSecurity

When Cyber Meets Physical: Building Executive and Employee Protection Programs That Actually Work | A Redefining CyberSecurity Podcast Conversation with Roland Cloutier, Principal of The Business Protection Group

Episode Summary

Most organizations treat security as a technology problem -- but when executives are threatened, employees are caught in disasters, or physical and cyber risks collide, the gaps in that thinking become dangerously clear. Roland Cloutier, Principal of The Business Protection Group and former Global Chief Security Officer at TikTok/ByteDance and ADP, joins Sean Martin to explore what it really means to build converged executive and employee protection programs that reflect the full scope of modern risk.

Episode Notes

The conversation that led to this episode started with a LinkedIn post -- and it quickly surfaced a challenge that security leaders across industries are wrestling with but rarely talk about openly: who is actually responsible for protecting the people inside an organization, not just the systems they use?

Roland Cloutier has sat in some of the most demanding security leadership seats in the world -- Global CSO at TikTok/ByteDance, a decade as Global CSO at ADP, and VP and CSO at EMC -- and he now advises CISOs and CSOs through The Business Protection Group. His lens is converged security: the deliberate integration of cyber, physical, privacy, and people-risk under a unified program and leadership model.

Roland identifies three patterns that typically bring organizations to him. First, an emergent crisis -- a threat against an executive, a workplace violence incident, a travel security failure -- that suddenly exposes the absence of a coherent protection program. Second, a cost and structure conversation where the CEO is tired of receiving two different risk pictures from two different security leaders and wants a single accountable voice. Third, a board-driven inquiry where general counsel or the CEO is being asked questions about executive resilience and duty of care that nobody inside the organization can confidently answer.

What makes this conversation particularly sharp is Roland's framing of convergence not as an org chart exercise, but as a force multiplier. A unified threat intelligence picture -- one that covers cyber, physical, executive, brand, and customer risk simultaneously -- enables cleaner prioritization, better resource allocation, and a fundamentally stronger conversation with the CEO. The alternative, which he has seen firsthand, is four separate threat management platforms reporting independently with no team working across all of them.

The episode also pushes into territory that most security programs have not yet mapped: employee protection at scale. Not bodyguards for everyone, but the organizational consciousness to monitor for geographic threats, proactively check in with distributed employees during major events, and build a duty-of-care posture that extends beyond the office walls into people's home lives and total risk environment. For high-risk employees -- those with keys to the kingdom, not just C-suite titles -- that responsibility extends further still.

For CISOs and CSOs wondering where to start, Roland offers a practical crawl-walk-run framework: start with shared services rather than full convergence, open the conversation with leadership, surface the gaps the business already knows exist, and build a financial and risk model that makes sense for your specific organization. The goal is a converged security program that treats people -- not just infrastructure -- as an asset worth protecting.

GUEST

Roland Cloutier, Principal at The Business Protection Group | On LinkedIn: https://www.linkedin.com/in/rolandcloutier/

HOST

Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/

RESOURCES

The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ADDITIONAL INFORMATION

On ITSPmagazine: https://www.itspmagazine.com/
On YouTube: https://www.youtube.com/@itspmagazine
On LinkedIn Newsletter: https://itspm.ag/future-of-cybersecurity
Sean Martin's Contact Page: https://www.seanmartin.com/

KEYWORDS

roland cloutier, the business protection group, sean martin, executive protection, employee protection, converged security, physical security, ciso, cso, duty of care, threat intelligence, workplace violence, security convergence, business resilience, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Episode Transcription


[00:00:39] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity. I'm Sean Martin, your host, where I have the pleasure of having conversations about a topic that I love. Years and years I've been working on security from protection and detection and response and looking at things from an operational perspective.

I've landed in a world where I believe security has a chance to do good things for the business, not just be a department of no and of controls, but to actually help drive business value and protect the growth and the revenue that it generates. And not an easy task if you're sitting in the CSO seat.

And my guest today sat in that seat for quite some time at some organizations you probably are familiar with -- Roland Cloutier.

How are you my friend?

[00:01:33] Roland Cloutier: Sean, I am fantastic and thanks for having me.

[00:01:36] Sean Martin: It's a pleasure to have you on. I forget when we chatted last, but it was a good conversation and I'm happy we have a chance to connect today. We're going to be looking at executive and employee protection programs and what that means from a security leadership perspective and a business perspective, and some of the things you're seeing and hearing in that world and perhaps how organizations and security leaders need to think about that stuff.

So excited to have that chat. Maybe a few words about the things you've done in the past that led you to where you are now, where you're up to at the moment.

[00:02:12] Roland Cloutier: Sure. Well, 30 years go by really, really quick, Sean. I think what's interesting is that I actually started out on the other side. I came from the Air Force in their security police and anti-terrorist division. And that migrated into civilian law enforcement, federal law enforcement.

And then I got a lot of cases that happened to have security risk and privacy issues associated with cyber and data and all that cool stuff. So I actually went back to school to learn about cyber and the next thing I know, I fell in love with cyber and a second career -- 20 years later, Chief Security Officer for EMC, for ADP for a decade, TikTok/ByteDance for the last few years, before coming into an advisory role supporting other Chief Security Officers and CISOs in their roles. I get to do a lot of stuff and one of my passion areas, of course, is being a converged security leader -- wrote a book on it and it has been part of me helping other organizations for the past several years.

[00:03:20] Sean Martin: It's a good natural way to establish a relationship with people and then get an understanding of what's going on -- big picture driven by real stories, reality. So what are some of the things you're seeing? What are organizations struggling with that maybe not every organization realizes they should be struggling with, or may not realize they are struggling with and can't put their finger on what it is?

[00:03:50] Roland Cloutier: So typically there are really three flavors of this. Two are from the CISO side and one is typically from general counsel when I'm working with customers in this area. The first is an emergent issue that happens with a business -- someone threatens an executive, the CEO, a workplace violence issue. It could be a travel security issue with a lack of operational expertise in place. And they turn to the CISO and say, you do this stuff for a living, why don't you help us and make sure we're doing this right? And so it becomes a sense of urgency to figure out what an organization should be doing at what level.

The second flavor is when it comes in a non-urgent way, but a CEO or the executive leadership team turns to a security executive on either side and says, yeah, we'd like to streamline. We have costings we'd like to do, and I'm tired of two different security leaders coming to me with two different sets of risk metrics and priorities. I want one throat to choke or one back to pat -- depends how you look at it -- and figure it out.

And the third one is not much different. It comes from normally non-security practitioners on either side. It comes from a CEO or general counsel that says, I'm being asked questions from the board about our ability to protect our executives, resiliency in threats to the business, their security. And I don't think we have a good handle on it. I would like an external view that has done this before for large companies to help us figure out how to do that. And that has been, over the last call it three years or so, the majority of the cases that have come to me.

[00:06:03] Sean Martin: Executive and high-level employee protection programs -- it's kind of a fairly new concept in the grand scheme of things. Security's not new, but it's relatively new compared to a lot of other things.

And I'm wondering -- do organizations recognize this risk? Or are they waiting to hear that their counterpart or the next business next door had an issue? Or some news element finally makes the mark that catches their attention? What's the awareness of this, I guess is the question?

[00:06:51] Roland Cloutier: I think it's become more and more recognized since the attacks on some business executives in the United States a couple years ago, and ongoing cases around threats to people of high net worth. I think it becomes a consistent message. And quite frankly, the level of violence perpetrated as well as attacks through technology -- on identity and whaling and all the other things that we've seen around CEO-type issues -- it just kind of all accumulates at the same time.

I think convergence -- and I'm slightly biased -- is super important when you think about our responsibilities as business protection executives. Our jobs around ensuring the continuing operations and capability and the leadership in the go-to-market of a business or an agency or whatever we do. Some of that is cyber, some of that is resiliency, and some of that is resiliency and availability of the people involved in doing it. So it all mixes together.

And I think from my standpoint, from my purview, is that we often think it's a cost lever. Often businesses will push in this direction and say, I don't need a CSO and a CISO and a director of corporate security and this and that. But I think a lot of people immediately go to cost, and there are obviously cost multiples that make sense. It is the leveraging of the expertise on both sides as a force multiplier.

I'll give you a couple of examples. Most people, especially in what we do, understand that physical security and facilities defense and public safety now has a lot of technology embedded. Whether it's gates and guards -- technical security, whatever you want to call it -- or it's the management of certain intellectual property defense or our phones, there's an aspect of technology involved in physical security. And our DevSecOps and engineering teams have been doing this stuff for a long time.

So giving them yet another discipline -- from the SOC or the CSIRT or the threat intel platform or an operational control platform to physical security device control management, PSIM integration -- it makes sense. You have a set of engineers that can provide a set of services in the existing infrastructure and architecture that they know, lead, and manage. And so you get a better quality product faster to a global initiative.

Secondly, you get a better threat picture. Because there can be a threat to the business, but often you can have a threat to people and the implications of that. Are people trying to steal data through an individual? Are they trying to get through their homes into corporate devices or just get information to hold someone hostage, or blackmail them? I've seen companies have up to four different threat management platforms -- including cyber, executive, brand, and customer -- and they all report differently. There's no single threat view and no team working all the threats.

If I go in with a clear picture about the totality of risks associated with security to the organization and sit down and step through them and their implications with the CEO or an executive security counselor, it's a much better conversation than the head of risk, the head of cyber, and the head of physical security coming at different times to talk to different groups without a standardized way to prioritize, manage, and address those threats.

[00:11:10] Sean Martin: For me, the natural course would be that the executive leadership team would have a question or set of questions that are not siloed like the teams are. They have the business view -- tell me as a leadership team, are we at a point where executives know how to ask that question cross-silo? What do some of those conversations sound like?

[00:11:54] Roland Cloutier: I think they're getting better. I think they know what they don't know, and they're asking people to get the answers. For other people, it is just another G&A function that they have to have -- there's a reality to that in many cases.

But most organizations have an informed board, especially public organizations or those around critical infrastructure, or those that have critical jurisdictional oversight from different regulators. And those organizations are starting to hear questions from their board about the resiliency of their people. Threats to executives, threats to the company.

When YouTube had the shooting several years ago, they did a great job in sharing what went well, what went wrong, and what they would do differently with other folks in the industry. So you saw other social media companies, competitors actually listening and learning and doing certain things. You see this industry by industry, many times. Unfortunately, some of it pops up when there's a negative impact event. We saw that a couple years ago with the shooting in New York. And so that industry took a clear and different view and learned.

But to answer your question, yeah, I think people are asking the right questions. One of them is: what's the right level of security for the threat to the business and the type of people that we have working for us? The second one is: how do we care for our employees when they're working on our behalf around the globe? Think about how many people this week happened to be working somewhere in the Middle East for their organization and found themselves in a tough situation. Do we have the ability to provide the capability to remove our people as necessary, protect them, facilitate transport, get medical evacuation if they need it?

And people are seeing this as part of duty of care. And the last component I would say people are learning well is: do we have the right organizational structure? Are we set up to succeed? Most informed CEOs and general counsels I talk to don't have the knee-jerk reaction. They're taking a step back and saying, how do we measure the risk, apply a lens that's appropriate for our organization and that we can carry forward, continue to do that view, and make those right decisions. And I think that's a great approach.

[00:14:35] Sean Martin: I remember it was around the time of the pandemic and there was a lot of unrest. I was speaking with a security leader at one of the large banks here in the US and she was describing this need to not just protect the banking systems, but to protect the banking people.

She wanted to ensure that her employees at the bank were safe online, but also at home -- because they were all working from home and perhaps in areas where there was unrest as well. And so they took this total view of how do we protect our employees digitally and from a cyber perspective, but also from a physical and even a health perspective when you tie the COVID stuff into that.

It doesn't seem like a lot of organizations have that view, right? There's the system, the person gets rights to access that system, and that's the stuff we're going to protect. And unless you're an executive, then maybe you get some additional coverage -- if you're traveling into a risky place, we might monitor your stuff online to make sure you're not being targeted for ransomware, extortion, whatever.

But where do we sit in terms of softening things from the pure tech perspective to really understanding and caring about our people?

[00:16:21] Roland Cloutier: I believe that the best-in-class companies that do this well do it with a risk lens but a broader discussion on employee protection -- not just executive protection. That doesn't mean have a bodyguard for every employee. What I'm talking about is having the consciousness and capability to understand the environments that the people work in and where they live, and having programs that provide a level of continuity and capability that ensures that their employees are safe -- the best that the company can provide.

And the second part of that is, when there is a higher level of threat against an executive, a threat against a key employee, or a key employee who would be targeted because they have the keys to the kingdom, or they are the only people that understand a very sensitive part of the business -- the business takes a special view of that and understands that the employee's ecosystem is not within the four walls of the building or the office that they operate in, but rather it is part of their home life. What we call their total life -- how they operate, the risks on their family and their home and other things.

And they take an approach with higher risk issues -- whether they be episodic or permanent because of an individual's role -- that they offer a reasonable level of due care and assistance to ensure that they have the necessary help that the company has put them in because of the position that they hold.

Now getting back to the employee area, I'll give you some pragmatic views. Maybe an organization has a capability that's watching for major events in large populous areas where their employees live. Maybe they have a branch in New York, a branch in Nashville, a branch in Atlanta, a branch in the Bay Area, whatever it may be, and their threat intel group or employee protection teams monitor for significant events. And so not just when do they have a fire in the building -- when there is something in a geographical region that impacts a significant employee population, they send out "are you okay?" Maybe it's everyone, and they have great automation in play that says, hey, I know you live within two miles and you're a work-from-home employee -- are you okay? -- and have assistance and operations available to help those out, whether through third parties or through their own internal managed service.

I've worked in the past for a large multinational that specialized in human capital management and technology that focused on making sure their people were up and able to help and support their customers. They had a massive capability initiative to be able to roll out in a FEMA mode when something major happened -- a hurricane or a massive disaster -- to go into those areas, set up capabilities to get their people out of harm's way, get them to a location where they and their families were safe, and get operations back up and running. And it wasn't just about the business getting up and running -- it was making sure their people and their families were safe and they were able to do their jobs in a safe location. The two helped each other. The employees were really appreciative of that, and so were the clients.

[00:20:16] Sean Martin: Absolutely. We have a few minutes left here, and I want to bring this back to the security leaders who listen to this -- and perhaps even some of the practitioners who may see things in logs that didn't trigger anything from a tech security perspective, but now hearing this conversation, perhaps there's an employee human perspective we should be looking at as well.

Some thoughts and comments for CISOs and CSOs that may be thinking about this area and may not know how to approach it with their executive leadership team. And are there ways to tap into the board perhaps to make some change here as well?

[00:21:06] Roland Cloutier: Let me start at the easiest level. Maybe it's not a segmentation in a converged program -- maybe it's a shared program. Maybe we become service providers to each other. There's a CISO on one side and a director of corporate security or a CSO on the other side, and the CISO provides engineering and threat intel platform services. Maybe there's an opportunity for the CSO and CISO to marry up risk and threat services from a prioritization standpoint together as they go in and look at these things. Maybe there are opportunities for the organization to leverage executives going across each side so they have more rounded teams. I see really great leaders and executives coming from cross programs.

Number two is: start thinking about what your business needs, where they feel gaps -- they're going to tell you. Have an open conversation with your leadership. Have an open conversation with your CEO or whoever. And ask: are you getting everything you want? Do you think that security, risk and privacy, and physical security can be providing more? And if so, what?

And then do a planning session -- sit back and say, if I'm going to jump into this, what are the things the business is asking for? How does it help our go-to-market, our customers, our employees, and our shareholders? And then do a crawl-walk-run view. Get someone who's done it before and sit back and say, what are the things I can do with existing people and existing programs? What are short-term things that we can do as an organization to plan for a next step to create the level of service capability that they want? And then start talking about the importance of convergence, and how to have a standard management umbrella -- risk view, service delivery, and financial model -- that makes sense for your business.

I think that's the best way to start.

[00:23:34] Sean Martin: This was spurred by a post that you made on LinkedIn, and I love following what you put up there. So I'll link to that article/post in the show notes. Hope everybody connects with you and follows along with all the other stuff that you put out there. It's good to see it. And thanks for giving back to the community.

[00:23:57] Roland Cloutier: Hey Sean, thanks for having me. I'm glad it caught your eye and happy to always have these chats with you. So thanks so much for having the podcast.

[00:24:04] Sean Martin: Likewise. I appreciate you taking the time and thanks everybody for listening and watching this episode of Redefining Cybersecurity. Hopefully it opened your mind a little bit more like it did for me, and gets you to think a bit and perhaps take some actions to change how we approach security in your organization.

Thanks again, Roland. Thanks everybody. Stay tuned for more.