National security isn’t led solely by government entities and the military. Private industry has significant influence on America’s national defense. Public-private sector partnerships often drive many of our national security decisions.
To dig into the importance of the private sector in defense of America, Fran Racioppi sat down with Dave Komendat, a 36-year veteran of Boeing, one of the world’s largest defense contractors and a critical component of America’s economy. Dave retired after serving as The Boeing Company’s Chief Security Officer, where he ensured the safety and security of over 170,000 employees and $77 billion in annual revenue.
Dave and Fran discussed how private companies partner with the US government, how security has evolved since 9/11, and how to build a culture of security in our companies and as a nation. They also break down the magnitude of Boeing, its impact on the aviation and defense industries, and the future of aviation security across a multitude of threats.
Dave is also the Chairman of Hostage US, a non-profit supporting the families of American hostages and those wrongfully detained, as well as hostages and detainees when they return home. They take a few minutes to unpack hostage diplomacy and how America’s adversaries are using unlawful detention as a tool to compete with American power abroad.
Watch, listen or read our entire National Security series. Follow the Jedburgh Podcast and the Green Beret Foundation on social media. Watch the full video version from Epigen Technology in Arlington, VA on YouTube as we show why America must continue to lead from the front, no matter the challenge.
The opinions presented on The Jedburgh Podcast and the Jedburgh Media Channel are the opinions of our guests and creator and host Fran Racioppi. They do not necessarily reflect the opinions of the Green Beret Foundation, and the Green Beret Foundation assumes no liability for their accuracy; nor does the Green Beret Foundation endorse any political candidate or any political party.
—
#148: America’s Grey War – Former Boeing Chief Security Officer and President of Hostage US Dave Komendat
Dave, welcome to The Jedburgh Podcast.
It’s awesome to be here. Thanks for inviting me.
We’ve been planning this for a year since I saw you in 2023 at the Hostage US reception. We talked about it, and we finally made it happen.
It has taken a Herculean effort for both of us to get to the same place, but we’re here.
I’m pumped. The world is a busy place as it always is, but it seems there’s so much going on. When we think about security, the world order, and what’s going on. Death is up domestically. Geopolitical tensions are, we could argue, at an all-time high in some areas of the world. Terrorism and targeted attacks, we’re still seeing it. We saw it in Russia not too long ago. It still is in our minds.
There is kidnapping and hostage-taking, which we’re going to talk a lot about not only later in this conversation but certainly when we talk to Jose. We have him in, and then we have the Hostage US Reception. The United States also continues to lead the world in gun violence and domestic terrorism and when we talk about insider attacks like mass shootings and all things that I bring up here in this open because they play to the important role of the chief security officer in any organization.
You spent 36 years at Boeing. We’re going to talk about your career. You held the job for a very long time as the chief security officer. I figured with all this stuff going on in the world and as we take our series where we really focused on national defense and national security from the Military perspective, how does that tie into the private sector? You’re the guy who’s got to answer that question.
We’ll give it our best shot. We’ll see how it works out in the end.
I want to start with the top-line news. This peer-to-peer challenge that America seems to be in has been brewing. We as a Military specifically spent twenty-plus years in a counter-terrorism fight, a counterinsurgency fight. In the background, you had these actors who were brewing building capability, China, North Korea, and Iran, the same actors who’ve been around for a long time, but our focus wasn’t on them. We were focused on prosecuting global terrorism and defeating an enemy, which gave us a good run.
Our government uses the elements of national power, DIME, which are Diplomacy, Information, Military, and Economic levers. When we look at how we exert our influence and our power across the globe, the private sector plays into each one of those, whether it be business, statesmanship on the diplomatic end, economic industry, and even the Military aspect because of a defense contractor like Boeing who’s providing a significant amount to defense and the economy. You spent your career assessing the drivers of risk and then informing leadership and making decisions based on risk in different areas of the world. As you look across the world, what do you see happening in this global environment, and why now?
Where we’re at is we’re in a grey war. For folks who aren’t familiar with that term, it’s really a conflict that is not kinetic. You’ve got those near peers that we talked about, China, Russia, North Korea, Iran, and others in the world that have taken advantage of the time that we spent taking care of that global threat of terrorism to build their own capabilities.
During that time, they’ve been able to create industrial capability and technological capabilities in their countries where they are able to have an impact on this country. Some of it is visible, and some of it is invisible. We know it’s going on. Director Wray spoke about this several times where the Chinese have infiltrated the infrastructure of this country and have the capability if they choose to do so to have an impact. Those impacts could be very far-reaching for the average person in this country.
I don’t think most people really understand what it would look and feel like to have a denial of service from an electrical perspective or a denial of service from a water perspective. If you think about it, when we all go through a windstorm or a power outage in our neighborhoods, in 4 or 6 hours, people are losing their minds. Think about if you were going 4 weeks or 6 weeks before the grid was restored in your particular area. What would happen? Things break down pretty quickly in that setting. Those types of capabilities with any one of those countries are a real possibility. It’s something that we need to think about. It’s something we need to plan for.
From the private sector perspective, in the US industry, some of those grey war tactics are being deployed against US companies because those US companies create capability for the US government. The US government doesn’t really build or produce anything. The private sector does it all for them. Whether it’s intelligence on platforms that are used by the Military or other capabilities, it all comes from the private sector. Those countries leverage that. They know that. They know where things are built. Those companies, both overtly and covertly, can be targeted and their capabilities can be impacted. That has a real impact on the private sector. We need to think about it.
As a chief security officer, you need to understand. Are you in one of those verticals that would likely be targeted? If so, what have you done to the extent possible with your company to plan for it from a business resiliency perspective? It’s a big-time challenge out there. There are a lot of folks that do think about it. There are a lot of folks that haven’t given it any thought, and that’s what’s scary.
Let’s dig into that definition of the role of the chief security officer a little bit more. It has certainly evolved over the years. In most organizations, what you see is a senior leadership level whereas if you look back in the past, it was an add-on. People were like, “What do they do? They do gates and guards?” First, how do you define the role of the chief security officer? Second, talk about the evolution of the role over the years.
In the most simplistic terms, because I always try to find little analogies, it’s the Ray Donovan of corporations, the fixer. If anybody has ever seen that show on HBO, that’s really what the role is. I’m being sarcastic, but I’m not. Whenever there is a major issue at a corporation and it doesn’t fit neatly into a particular basket, take the pandemic for an example, those things have a tendency to end up with the chief security officer. The question is, why does that happen? The reason it happens is the chief security officer at most corporations is a thinker. They are strategists. They are risk managers. They have the desire to look over the horizon, anticipate what could happen, and then what they would do about it if it did.
As these things occur around the world, senior leaders in the C-Suite have seen that their chief security officers have been proactive and have come to them sometimes well in advance of an incident occurring and telling them, “This is something we need to pay attention to. This is something we need to invest in. Here’s why.” Over the years, many of those predictions have come true, so the confidence and the expectations surrounding a chief security officer have grown and risen to the point that it’s a very senior position in most corporations. He reports to a senior leader and plays a significant role in that company’s risk management process.
When you talk about the classification of risk, one of the primary responsibilities of the chief security officer is to inform and provide that risk classification based on threats to senior executives for decision-making. When you look across the environment that you operate in, how do you assess risk and then provide that recommendation?
There are a number of ways you can do it. One of the ways that I used to do it was to look at the things out there that would be most impactful to our people, our property, and our information. Once we understood what that threat landscape looked like, that was our inherent risk. What steps could we take to mitigate that risk that would become our residual risk? What were we willing to do and invest in? Once we made those investments and made those decisions, what risk level were we willing to tolerate?
You’ve got those things that are high risk and low frequency. You have those things that are low risk and high frequency in your portfolio, and then you have everything in between. It’s a balancing act. You can’t go into a CEO or the executive leadership team of a company every day and the sky is falling. You lose your credibility.
You’ve got to go in with a strategy and the way you communicate risk. You’ve got to make sure that they know exactly what they need to know when they need to know it at the level of detail that gives them the opportunity to weigh in and say, “I agree with what you’re doing. I agree with the investment. I’m going to give you more money because I think it is a risk. I agree with that position and I want to help you.”
For me, it was a learned skill. When I first started out, I didn’t have what I would consider all those skills. You learn them over time. Most of my peers would say the same thing. You come in with a thought process and a mindset. The way you assess and look at risk, the way you communicate it, and the way you influence are learned skills. Every corporation has a different culture. You have to understand and learn your culture and what’s going to be effective. When you go someplace else with a completely different culture and a completely different mindset, you have to relearn those skills all over again.
When I was a young chief security officer, I learned some of those lessons the hard way, as we all do. I would have a tendency to fight every battle. Every time someone doesn’t agree with me, I try to pin them down and say, “This is why it has to happen. You have to do it like this,” without understanding sometimes the broader picture or the broader context.
Someone who we both know very well, Ron Iden from Disney, once told me, “You have to be willing to assume risk and have an incident sometimes if people don’t agree with you after you’ve beat them up about it. You can’t go to the mat on every issue.” Talk for a second about how you accept that when someone tells you, “We get it. We’re not going to do that though.”
It goes against what you would think would be logical. You’re like, “We’ve got to mitigate everything.” That’s impossible. You can’t. There are only so many people. There are only so many dollars. You have to make the best risk decisions that you can. The best way to do that is to be transparent about what is likely.
You’re like, “What’s the likelihood that it’s going to occur? What’s the impact if it does? How will we react? What would our people say in the company if this were to occur? What will the public say? What will the government say?” All those have to be factored into that decision. Some of them are risks that you look at and you go, “We could survive that. Is it damaging? Yeah. Is it a super big deal? No.” There are other things where you say, “That’s unacceptable.” You can’t accept that risk, so you do everything you can to try to mitigate it.
Different leaders have different risk tolerances. What I tried to do all the time was my pitch, if you were my CEO, would be, “I’m going to tell you what the risk is. I’m going to tell you why I think it’s a risk. I’m going to give you the information on it. You’re the risk owner and you get to decide. I’m going to give you 3 or 4 options on what we could do, and I’ll give you a recommendation. At the end of the day, you’re the risk owner. You need to tell me what you’re comfortable doing,” and then we’ll go do it.
It was always helpful to make sure that they understood that this wasn’t just my decision. This was a collaborative decision we were going to make. Whether it was the CEO of the company, the CEO of a particular business unit, or the boss of my division, it didn’t matter. Each one of those people owned some risk in some of these decisions we were going to make. It is reminding them that they played a part in it and that it wasn’t all me. I might be the execution branch of risk mitigation but they’re the risk owner. We’ve got to decide, “What are we going to do and not do?”
That is one of the most important aspects of general leadership. Why do we have a hierarchy in leadership? A lot of times, people will think, “You have a hierarchy in leadership because somebody has been there longer or someone has to be in charge.” It’s not about being in charge. Part of being in charge is your level of assumption of risk.
As you elevate up a hierarchy in an organization, what you’re being asked to do is to make a decision based on higher and increasing levels of risk. That’s why you have hierarchies in organizations. For me, that was one of the most important lessons that I learned and had to come to grips with. I’m not necessarily the one who’s always going to have to answer this if it goes wrong. I’ve provided that input but it wasn’t my decision to make. I have to be comfortable with that.
Any chief security officer goes through that growth and realization where there are certain things and certain decisions that you make as a chief security officer that you own. They’re your decisions. You don’t need to ask anybody else. You’re the subject matter expert in a particular area. The expectation is you’re going to make that decision.
There are other ones that have a much broader impact. They have an impact on the company’s reputation. They have an impact on the company bottom line. Those are decisions that you can’t make in a vacuum. You have to seek out the counsel and the approval of other leaders in the organization because, quite frankly, they are the ones that are going to be impacted. You don’t want to surprise them with a decision. If God forbid you have a major incident and they’re unaware of a position that you took and why you took that, that has an impact on them. That’s never a good day for chief security officers. You don’t want to surprise people.
I want to ask about the public-private partnership. One of the roles that we have as chief security officers is to embrace the private and the public sector relationship. I always took it a little bit for granted because I came from the public sector. Working with organizations like the FBI was inherent in what we did. I worked very closely with them through multiple deployments and training. I would forget that this is not common in most organizations. You don’t get to walk into an FBI field office and have a conversation about security, but you do depending on what company you lead their security operations for.
Many companies like Boeing, and for me when I was at Snapchat, you have information, risks, and threats that are at the national security level. You have to create those relationships and build those. There are organizations that we call DSAC and OSAC. Those are the Domestic Security Advisory Council and the Overseas Security Advisory Council. You’ve been very active in your career in both of those organizations. Can you talk for a minute about those organizations, why they are important, and why we as chief security officers have to go out and forge those relationships?
Yeah. Both of them play really critical roles when you talk about public-private partnerships. Let’s start with DSAC. The reason for that is because we’re going to have the DSAC annual meeting. DSAC is comprised of the FBI and Homeland Security and around 749 US corporations. The whole goal there is to help protect the economic infrastructure of the United States. To do that, you’ve got to form this trusted partnership.
The only way to protect those assets within the private sector is through information sharing. You’ve got to build a trusted relationship. That has always been the hardest part. The FBI and DHS do critical national security work. They’re out there every day protecting the citizens of this country. Yet, they have information that’s really important.
On the other side, you’ve got the private sector, which owns 80% of the security infrastructure in this country. You’ve got very qualified senior security leaders, many of which have come from all the different branches of the federal government. There has to be a forum and a way for those two groups to get together, Left of Boom, and make sure that information is being shared effectively.
The DSAC program started out in 2005 and has steadily grown to where it’s at. Is it perfect? Not yet. There’s always that push and pull on the private sector that would like to have information quicker. Sometimes, we’re able to get it. Both DHS and the FBI are trying to find ways to be more communicative with the private sector, and they’ve come a long way. The meeting that we’re going to have is a great example of that. A lot of information will be shared.
OSAC, the Overseas Security Advisory Council, has been around for a long time, 40 years. That was set up to help protect American interests and American citizens around the globe. It has got thousands of companies and individuals that are members of it. It’s the same premise. It’s about sharing the best information through the State Department with the private sector, NGOs, faith-based organizations, and educational institutions to keep all of those people who are involved in those entities outside the United States as safe and secure as possible. It works really well.
Those two examples are the largest organizations by far, but there are a lot of grassroots, local community-type city-based organizations that do the same thing that bring the FBI and companies within that special agent in charge of their area of responsibility together. They have many DSAC meetings all the time. They’re like, “What’s going on with local crime? What’s happening here? What’s happening there?” The private sector is able to share what’s happening within their own companies. What are the trends that they’re seeing?
That two-way street is pretty powerful. Post 9/11, it has made a big difference in security both within the private sector and helping the public sector really understand and leverage the capabilities that these companies have. You know from the work you did. There are some pretty sophisticated intelligence operations within these companies with some highly skilled people. There are some great tools that are out there that rival in many cases what our own government can put on the table. When you pair those up together in an effective way, it’s a pretty powerful tool.
Let’s talk about your career. You spent 36 years at Boeing.
One small correction. Boeing slash McDonnell Douglas. I started out at McDonnell Douglas.
Who was acquired by Boeing. What’d you start out as?
I started out as an intern. I was in school and finishing up in typical athlete fashion. I was an athlete in college.
What’d you play?
I played football. I missed my internship my junior year, so in a panic, I tried to find an internship. I was a Criminal Justice major. I got connected with Douglas Aircraft in Long Beach. I started out as an intern. I did an internship with them for about six months, got brought on as a summer hire, and then was hired full-time. I came in as what was called an entry-level industrial security rep. I was responsible at the time for when you got your initial security clearance, I would give you your security briefing. I would tell you all the things you could and couldn’t do, document control, audits, and all those types of things. It was a very entry-level cut-your-teeth type of role.
From there, you worked your way up.
I did, but I had a lot of help. I had people in my corner all throughout my career who, for some reason, saw some potential in me. They gave me some different and unique opportunities, which at the time I never understood why. I didn’t necessarily like what I was being asked to do, but every one of those opportunities and every different role I took in the security organization helped me.
What it helped me do throughout my career is be empathetic with people doing jobs that don’t get a lot of fanfare in the security organization, like the security officer, the firefighter, the lock and key person, and the person in the badge room. For all of those jobs, which are really critical in the day-to-day infrastructure of a corporate security organization, most people don’t think about it too much.
When I was ultimately promoted to Vice President and Chief Security Officer of the Boeing company, one of the things that I told myself, and I remained true to it my entire career, was to never forget what it was like to do some of those other jobs. I didn’t start out as a vice president. I started out as an intern. Understanding what it took to do many of the jobs that were in the security structure at the Boeing company made me a better leader because I knew what it took. I knew that a lot of those jobs were hard. When it would come time for budget or reductions in force, I felt like I made better decisions because I knew what it would take to keep those organizations viable and what those people needed to do their jobs.
I was very lucky. I had a director early in my career at McDonnell Douglas who put us through an in-house rotational program where we would spend a couple of months in different functions within our security organization. I really got to learn what it took on the ground floor to get a lot of things done in the organization, and I always kept that with me. That was one of the best gifts somebody ever gave me from a leadership perspective. It was that opportunity. I tried to carry that throughout my career. I felt it was an important learning tool that I never wanted to allow myself to forget.
Values are really important to organizations, especially when we’re talking about the development of a culture and how leaders build a culture in an organization. Special Operations SOCOM uses what we call the SOF truth, Special Operations Forces truths. There are five of them. You hit on number five. Number five is that most SOF require non-SOF support. What do we mean? It’s great to be the cool guy. It’s great to be the pilot or the guy wearing the green beret or the Navy SEAL trident, but at the end of the day, you don’t get anything done without the backend support. That’s the lock person, the maintainers of aircraft and equipment, the communications folks, and the weapons folks. Nothing happens without those people.
It’s ingrained in great organizations to always be thinking, “This is a team effort. There’s not an I here.” Maybe that’s your job. Your job might be the one who’s out there at the tip of the spear where the rubber meets the road, but you didn’t get there by yourself. You can’t achieve your mission without everybody else.
I agree with you 100%. It’s important that when you’re a leader in an organization like that that you reinforce that point all the time. We’re one team. It takes everybody to make the team successful. You can’t have one part of the team not performing well and expect everybody else to perform well. It’s also important to take time to recognize people, dig deep into the organization, and call people out.
One of the opportunities I had when I was there was that I would do a regular webcast. It was usually once a month or once a quarter. We would talk about what was happening in the organization, the good, the bad, and the ugly. I would always leave about half an hour at the end for people to be able to call in with questions or email us questions. Everything was on the table. No matter what we were going through, if I was allowed to talk about it, if I hadn’t had to sign an NDA, I would talk about it.
One of the things about leadership that was important to me, and I learned this from a number of leaders that I had the privilege of working under, was leadership, to me, isn’t that hard. It’s about treating people with respect, being honest with people, being transparent, and being humble. In a lot of these conversations, we talked about some really unpleasant things. We’re very transparent about when we’re going to have to go through layoffs. I would tell people, “Here’s the target I was given. Here’s what I did to try to achieve that target without impacting anybody’s job. Here are the number of jobs, unfortunately, I have to impact.” It didn’t make the message necessarily any easier, but people believed that what they were hearing was the truth.
I remember when I was a young security rep. I was in my mid-twenties. I had been with McDonnell Douglas for 3 or 4 years. They were going through a difficult time and I ended up on the layoff list. I remember at that time people walking by my tiny cubicle and putting their hands over their faces. Nobody would really talk to me because they all knew I was on this list. I felt like a mushroom. I didn’t know what was going on. I’ve got a wife and a kid. I’m trying to figure out, “Am I going to have a job?”
Ultimately, I didn’t get laid off, but I remember that feeling. I remember that throughout my entire career. When I got put in those positions where I was the one who had to deliver that news, I wanted to be as transparent with people as quickly as I could be so that they knew what was going on and they felt like they had some control.
When I was in that situation, I didn’t feel like I had any control because I didn’t know what was going on. I promised myself I would never do that to people. I would make sure they knew what I knew when I knew it so they could make their own decision. Did they want to stay, ride it out, and take a chance or did they want to look for a different opportunity? A long answer to your short question, but it comes down to being respectful, honest, transparent, and empathetic with people. If you can do that, you probably can be a pretty decent leader.
It could also be in the people business at the end of the day. Regardless of what we do, we’ve got to take care of people. I hear you really talking about communication strategies too. When I work with organizations, I talk about the three components of communication where you have the sender, the message, and the receiver. Too often, we as leaders will default to the first part of that, the sender.
How do we feel when we send a message when in reality, the most important part of any communication is the receiver? What feeling, what result, and what action do we want to exhibit out of the receiver of this message? When we start thinking in terms of that and put our own personal feelings and pride aside, then we can effectively communicate with people. It doesn’t matter how we feel. What matters is whether the person we’re speaking to is doing what we need them to do and feeling the way that we need them to feel. If they’re not, then we haven’t effectively communicated with them.
I agree with you 100%. What I did and what I always recommend to other leaders is you’ve got to find those truth-tellers in your organization when you deliver some type of message and you’re spot on like, “I thought it went great.” These are people who are not impressed by the org chart. They’re going to tell you what you need to hear, not what you want to hear.
I had several of those people that I grew up with in the company that I knew always had my back but would always be brutally honest with me. There were times when I thought a message had been well-delivered and I was informed pretty quickly afterward, “You missed the mark.” There were other times when I thought it was not that great and I got really positive feedback. It’s important to have people on your team who are willing to come and tell you that afterward and trust that you’re not going to shoot the messenger.
It’s easy to get caught up in your own Kool-Aid. You need those people around you who are going to come back and say, “That was spot on. We’ve got good feedback on it,” or, “You missed the mark, and here’s why. Here’s the impression that people got,” or, “It went okay. Good job.” It’s having folks like that and being willing to take that input and not get defensive about it. That’s the other thing because you can ask people for input afterward, and then if you defend yourself, you lose all that credibility. Nobody is going to give you any input.
It’s like, “Tell me how I did, but only tell me if I did a good job.”
Exactly. It’s a hard thing to do. Nobody likes to sit there and be told, “That wasn’t very good.” At least the longer I was in a leadership role, the more I valued when people told me, “That wasn’t very good.”
Inevitably, too, there are fewer people who are willing to tell you when you’re wrong the higher up you go.
I don’t disagree with that, but you can create a culture where people are willing to do that. If they can see that they can give that feedback or others have given that type of feedback and they still get raises, they still have a job, and you still talk to them, then they’re like, “I’ll take a shot. I’ll tell them something.” That’s really important.
There’s an aspect there too that I talk about of autonomy. People want to know that their input is valued. The organization doesn’t necessarily need to be run the way they want to. It doesn’t mean we throw out all of our policies and standards because someone doesn’t agree, but people want to feel like they have input. People want to feel like they have a voice. When they do their job, there’s some level of them being able to do it in a way that they think works. One of the best ways to show that people have autonomy in an organization is when you’re receptive to feedback.
I agree 100%.
I had a chance to sit down with Rich Davis at GSX. We talked about an organization like United with Steve Bernard. I’ll give him a shout-out because I talked to him in preparation for this. He was at Sony. These organizations are massive. Boeing is one of the largest global aerospace manufacturers. When we think of airplanes, we think about Boeing, but they also make helicopters, rockets, satellites, missiles, and everything in between that runs those things.
They’re the largest exporter in the US. They have over 150,000 employees. They had $77 billion in revenue in 2022. Yet, as we’ve seen time and time again, the airline industry writ large and the defense industry, specifically a company like Boeing, is a critical piece of the American economy and American infrastructure to the point it’s in that too big to fail box in a lot of ways. Talk about the magnitude of an organization like that. When you come in and your job is to manage security in a global company of that scale, how do you prioritize? How do you manage that? How do you build a team that can do that?
In all honesty, I don’t think I realized during my tenure the size, scale, and scope because I grew up in it. I was a 36-year employee. You’re living in that reality every single day. You get used to it. You get used to the size. You get used to the grandeur. You get used to the immenseness of the corporation and all the different things that we do from services to products to information.
It never felt overwhelming until I left. You sit back and start reflecting on your career, some of the things that the organization did, some of the people, some of the really cool things that you can talk about, and some of them that you can’t talk about, and then it sets in. It’s like, “There aren’t too many jobs in the United States, even in the world, where you have that kind of capability in your organization.” It had a $260 million-a-year budget, over 2,000 employees, and another 1,000 contractors with global reach, but it never felt that big. It felt like a team. It felt like a family. It felt that way because we had, and still do, some incredible talent within that organization.
I had some incredible leaders that I worked for that gave me the autonomy to go run my business. We ran security like a business. We tried to demystify what we did. One of the biggest mistakes that chief security officers can make sometimes is they don’t play well with their peers. Their peers know, “That’s the security guy or gal. I think I know what they do.” One of the biggest mistakes that chief security officers make is that they’re not effective communicators. They don’t tell their story effectively. They don’t talk about the value proposition that they bring to the company. They don’t have metrics that support their budgets.
When you can sit in a business meeting and your charts look the same as the lady or gentleman running a P&L, your briefings sound like it’s like any other business, and you happen to run security, that’s a pretty powerful tool. I was lucky. I was raised in that culture. That was all I knew. When you step away and look back, that’s when you go, “That was cool. That was a big job.” When you’re in the heat of the moment, it doesn’t feel that way.
People forget in security that you’re there to enhance the business, help the business function, and, in a lot of ways, make sure the business can function when faced with risk or threats. When events happen, the resiliency piece kicks in. A lot of that falls to the security department. Often, what you’ll see is security organizations and companies that operate as an impediment. They don’t ingrain themselves in the culture at the most foundational level. When you look at building a security culture, how do you get a company to embrace security as a foundational component of their culture?
You have to be a business enabler. You touched on it a little bit. You can’t be viewed as an impediment. You can’t be seen solely as a cost center. I went through a lot of different leaders during my career. I outlasted a lot of folks. The first thing I would tell them is, “My job is to say yes, and here’s how. My how might be different than your how, but I’m going to find a way.”
You’re going to give me an ask, and on very rare occasions would I come back with a hard no. I would come back with a, “We can do this, and here’s how it can look. You can do it this way or this way. Which way would you like to do it?” That’s how we would start that discussion. We would find that middle ground that worked for you and that worked for me from a risk perspective, from the perspective of keeping people safe, our products safe, and our information safe.
It’s really important that people view you as a business partner. It goes back to that last question. If you want to walk around and be the corporate cop, can you do that? Yeah. Do people listen to you? Yeah, when they have to. I always looked at it where I wanted people to view this organization as a necessity. I didn’t want to be viewed as a necessary evil. I wanted to be viewed as a necessity.
I’m like, “We’ve got to have security at the table. We’re going to make this decision. We’re going to build something here. We’re going to launch a product there. We’re going to send people to this location. Is security in the room? We’re not going to make this decision without them there.” That was the goal, to always have a seat at the table. The only way you can do that is by creating those partnerships where people feel like you’ve got their best interest at heart too.
I can’t talk about Boeing without bringing up some of the recent events that have happened in the aviation industry, specifically those that have happened in the aviation division of the company. 43% of airplanes flying in the sky are Boeing-made airplanes. Flying is the safest it has ever been. I told you before we started that I wasn’t going to ask you about maintenance, equipment, wheels, and doors because it doesn’t matter for this conversation.
What matters is the interrelatedness of safety and security. In a lot of organizations, they may fall under the same chain of command. Sometimes, the chief security may also own safety depending on the scale of the organization. How do you work and build a positive relationship with a safety department when you’re running security in a manufacturing space like you’re in?
It’s super critical because there are so many similarities between the functions in certain situations. At Boeing, I had the country’s largest private fire department. We had EMTs responding every single day throughout the country to incidents that were occurring inside our facilities. Those could be a workplace injury where somebody injures themself on a tool. It could have been a hazmat spill. It could have been a small fire or whatever the case would be.
Our partners from safety would always be there also. They would probably be the next on the scene other than us. In many cases, they would be responsible for conducting the investigation and making sure that whatever occurred was not repeated again. We would assist them in making sure that they got all the information and details that they needed to do that well.
I looked at that relationship as a real necessity. We didn’t want to surprise each other. If something had happened, we wanted to make sure they were aware and vice versa. We knew for Boeing to be successful, our organizations needed to work together effectively. We were in the same vertical but they had a senior leader also for the corporation.
It’s really important to forge that bond at the top so the teams below see, “There’s no gap in between these two organizations.” All of our teams understand the expectations. If you see somebody from safety or on the other side, if the safety people see somebody from security and fire, that’s your partner. The expectation is you’re going to collaborate, whatever the issue is.
I always put a lot of time into training security officers in safety-related tasks because safety by and large often doesn’t have personnel spread throughout a campus or a facility, but security does. When we talk about workplace injuries or workplace events, it’s most often the security personnel who’s the immediate first responder to those things. They’re the ones who are calling EMS. They’re calling the fire department. They’re calling the police or local law enforcement.
I always wanted to assess and understand in each of my facilities what the response time is. I don’t need to train a security officer to be an EMT or a doctor, but I need to know that when I pick up the phone, it’s 7 minutes, 5 minutes, or 15 minutes before I’m going to have a first responder here. I need to make sure that I’ve trained my security personnel to bridge that gap.
It’s the same for something like an active shooter. When we brought in armed security personnel at critical times, it was always, “We’re not going to handle the entire incident.” Since we would test it, bring law enforcement in, and run those tests, I know I need four minutes. Can I have enough protection and security apparatus in place to get me to four minutes? I always thought that was important.
I agree. You go back to how you create trust and senior leadership in the company. One of the things is being able to tell your story effectively and have the metrics to back it up. Within our company, when I was there, we could put an EMT next to someone going through a cardiac event within three minutes. That was from the time an employee picked up the phone and called the emergency number of our GSOC in Mesa, Arizona. That GSOC to dispatch the appropriate fire response at that site and that firefighter response team and/or security officer to be next to that employee is within three minutes.
Why is that important? We would have a number of those at Boeing over the course of the year because we have a tenured workforce there. The average age is mid to late 40s. In some facilities, it’s older than that. Having an EMT next to somebody going through a cardiac event within three minutes gives them a 70% survival rate whereas if we had to rely on the local municipalities who have a 6 to 9-minute response rate and then have to try to find them in our facility because they’re not familiar with them, that drops down to less than 40%.
The impact that that has on employee morale when that team who is watching their coworker in distress sees those EMTs roll in and start to work on that person using an AED potentially or doing CPR on them and that person leaving the facility alive and coming back to work 2 or 3 weeks later from a positiveness is immense. Those are the kinds of things that help you tell your story.
I used to be asked, “Why do we spend so much money on a fire department every year?” There are a million reasons why. I can talk about the contractual language in Air Force contracts and how we have to have standbys and all that. The one that won all the time is, “We’re going to have X amount of heart attacks this year and we’re going to save Y amount of people. That’s the value of it.” I never had to have that argument with senior leadership. People got it right away.
You could talk to our CEO, several of them, and they could repeat that metric. That’s when I knew I won. It was when that little metric resonated enough with them that they would remember it. With all the things they had to do every single day and all the different organizations in the company, they would remember that we would have a firefighter next to you within three minutes on average.
I was saving it for later, but I’m going to bring it into the conversation. Duty of care. How do you define duty of care?
You have a responsibility to take care of your people wherever they are, whether they’re in your factory in Renton, Washington, Charleston, South Carolina, Philadelphia, Shanghai, China, or in some forward operating base embedded with a Special Forces team supporting an activity in a hazardous country.
You have a responsibility to make sure that when an employee comes into work, they leave the workplace in at least as good a condition as they walked in. Whether that workplace is 10 minutes from their home or 3 plane trips and 10 time zones away, you have the same responsibility. We took that very seriously. That was one of the things that was really important to me when we would put people in harm’s way. Since we do support special operations teams out in the field in countries all over the world, I made it a point to go visit those teams and see the actual conditions that they were living in. Who was protecting them? Was it US forces? That’s a good thing.
Sometimes, it’s not.
Many times, it’s better than third-country guardian angels where you walk in and you’re like, “I’m not so sure I’m comfortable with what I’m seeing right now.” Yet, you might have 10 to 20 people that are relying on that team, whoever it is, to take care of them and make sure that they’re going to come home.
I never bought into getting a report. I always wanted to see it for myself because I felt like if there was ever an incident in one of these countries, and there was, I wanted to be able to look directly into that business unit leader’s eyes and say, “I’ve been there. This is what it looks like,” or, “This is what we need to do differently. They need to do X. We’re not doing that, and by not doing that, we have people at risk.” It’s important. Duty of care is a major responsibility not only for the chief security officer but for every leader in a company.
We saw a shift in the definition of duty of care a little bit after COVID because we’ve changed a bit of the way that the workforce engages with the office environment. In our episode from GSX ‘23, I had a chance to have this conversation with Kelly Johnstone, someone you know very well at International SOS. We talked about where duty of care ends. If you have employees who are working at home, they’re not coming to the office, and they’re on Zoom calls all day, where does it end? Does it extend to somebody’s home when their workplace is their home?
I would argue it does because we’ve given employees the opportunity to work virtually, but they’re still our employees. You know what the norm is. If you see somebody that for the last few years was always on time and always got a spiffy shirt on or blouse on, and all of a sudden, they’re always late, they’re never on camera, and when they are on camera, they don’t look squared away, that should give people cause to pause. There should be a reach-out to find out, “What’s going on?”
When you have people physically come into the workplace, you have an opportunity to assess them. You’re sitting next to them for 6 to 8 hours. You have a chance to sit down and talk with them. You get a sense of what’s going on. Maybe there’s something going on at home. Maybe there’s an issue with a coworker. You get a chance to see that.
You have to be a little bit more intuitive from a duty of care perspective when you’ve got a lot of people still working virtually. The signs may not be as clear. They might be more subtle. It’s incumbent on all of us to take a look at those signs and go, “Something’s not right, so we’re going to dig a little deeper. We’re going to have him or her come in,” or, “I’m going to meet him for lunch one day. We’re going to sit down and talk because I want to make sure everything’s okay.”
As you’re talking about that, I’m thinking about insider threat. As we define insider threat or we think about insider threat, the metric that is always talked about is the fact that it’s the other employees who are often the first ones to identify that somebody has an issue for a lot of the reasons you mentioned.
Security is also involved a lot of times because you may have people who used to come in at the same time or are badging at the same time every day and then they’re not. Maybe they’re trying to get into areas where they don’t normally try to get into or they don’t have access to. There are people within the organization who can start to identify when something doesn’t look right.
For an organization like Boeing and anything that works in critical infrastructure, these large defense contractors, insider threat is a huge issue for many of the reasons you mentioned when we started. Countries like the Chinese have infiltrated a lot of our organizations. How do you look at and classify the insider threat risk that exists? When you think about programmatically developing something that allows you to understand what’s happening inside your walls, how do you do that? What do you think about that?
We were blessed because we had some senior leadership back in 2013 who was very open to having an insider threat program. We had a CIO at the time who was proactive and understood that we were no different than any other company and that we had these types of risks and activities going on within our fence line. They were supportive of putting together a program that ultimately was led by our organization, the security organization, but heavily supported by the IT organization. We had many different segments of the company that had representatives on the team that would help us.
We made some very significant investments in tools and capabilities to make sure that the technology that we were creating in the company both for commercial and defense use was not going to end up in other parts of the world where it shouldn’t be. We were blessed to have an exceptional program, and they still have an exceptional program there.
I can’t go into the sausage-making data, but what I will tell you is it has world-class capabilities. The results are that lots of information has been prevented from leaving the company and lots of information has been prevented from ending up in some of those nation states that we talked about early on in their hands because of the investment the company made.
The whole goal when we started the program was to not have a program anymore. It was to create an understanding and a culture within the company where people understood that the information that was being created and worked on within the company was the company’s. In many cases, it was critical to protect the warfighter and that that information, leaving the company and going to an unauthorized and unapproved source, could have a critical impact on someone or a product.
The worst thing you can do is deliver a product that’s already been compromised to the warfighter. He or she is depending on that platform, that system, that sensor, or that communications tool to protect themselves or to execute a mission. If it’s already been compromised by the time it hits the field, people’s lives are at risk. Being able to tell that story internally resonates with people.
You’ve got different types of insiders. You’ve got the people that are disgruntled and are intentionally going to do things. You’ve got the careless insider who isn’t very tech-savvy, does something foolish, and ends up exposing something. You then have somebody who has been socially engineered. They have no ill intent at all. They’re maybe a little bit too trusting and they get socially engineered.
You’ve got to figure out what you have when you identify a person of interest. What is their real intent? Was it a mistake? Are they intentionally trying to take this information? Over time, if you do this long enough, and we’ve been doing it for a long time, you get pretty good at identifying what’s going on. You get pretty good at identifying who made a mistake, who’s a real problem, and when it is time to pick up the phone and call the FBI.
I want to ask about 9/11. All four planes that were involved in the 9/11 attacks were Boeing airplanes. 9/11, we all know, changed the nature of the world in every respect but certainly advanced aviation security decades in one instant immediately. Can you talk for a few minutes about specifically 9/11 and being a part of the company on 9/11, and then the immediate changes that you saw in how we build airplanes?
Yeah. It was even more impactful to the Boeing Company because we had three employees on the plane that went into the Pentagon and they were killed. We knew early on that day in addition to everything else that was going on that we had lost at least three employees. We have people traveling all the time, so we weren’t sure that we didn’t have other people on some of those other flights.
9/11 was a seminal moment not only for our company but for many companies around the world. When you looked at aviation in particular, it was very clear that things had to be done differently going forward. It starts from when you pull up to the curb at the airport to the time you sit down in the airplane. Every one of those concentric circles of security had to be looked at, assessed, changed, and improved because it didn’t work the first time around. Could another 9/11-type incident on an aircraft occur that’s passenger-led? Maybe, but unlikely, because we’ve already seen that people will make a stand.
There are a couple of things that were enhanced. The security of the cockpit door was an area that was worked on. Significant improvements were made to that and to the security of the infrastructure of the aircraft. What I mean by that is those airplanes are flying networks. The amount of information that is moving around that airplane in flight and the amount of information that’s being transmitted to the ground and being received from the ground back and forth, that digital risk had to be addressed also because there was a potential risk and threat associated with that. There have been millions of hours and dollars spent on ensuring that that part of the aircraft is also safe.
As a company, and not just with Boeing but with Airbus and all the airframe manufacturers, that was such an impactful moment to have something that was built and developed to move people around the world, to be able to go see friends and family, to go on vacations and do something really special, and make a meaningful, connecting event getting on a commercial flight and going somewhere. To have them turned into an article of war in the most horrific way possible was unbelievable.
From a company perspective, there was always the question of whether it was coincidental or intentional that it was all Boeing aircraft used that day. I have my own personal opinion. I find that it would be highly coincidental that it was. My personal belief is it was intentional. It was a message. Boeing is an iconic US company. In a day of trying to attack many iconic things in this country, we were not a small part, but someone made an intentional decision, I believe. That’s my personal opinion. It has never been backed up. If it has been backed up, I’ve never seen the information that says it has. I would find it unusual that it was by chance that it happened to only Boeing aircraft.
You brought up the flying network. Modern planes and avionics, these things fly themselves.
Everything. Think of your Tesla.
Everything is networked. There’s an incredible amount of data coming off this. We saw a lot of correlation as we had the incident with the Francis Scott Key Bridge and the cargo ship, Dali, in Baltimore. They talked about how the network infrastructure on a cargo ship is almost nothing. We expect when you have a transportation incident, “Pull the black box. It’s going to tell you everything that was going on.” They don’t have one. It’s not like an airplane. I’m going to give you a conspiracy theory here to frame this up.
Do I have to answer it?
You don’t have to answer it.
Can I take the fifth if I don’t like the question?
You can, but then you can parlay it back into the broader cybersecurity question.
I’ll give it my best shot.
MH370 disappeared over Southeast Asia in 2014. A Boeing 777, the airplane, has not been found. There are a lot of theories. Terrorism, pilot error, or some sort of mechanical issue. One of the theories, and I would argue, for me, the scariest one that I’ve heard in certain circles, is that it was the target of a cyber attack and that it was taken control of. It was taken somewhere or was flown into the ocean.
I don’t need you to answer the question of what you think about what happened to it, but it brings up this question, this very real thought of the cybersecurity of the aviation industry writ large. We understand, especially up here in the Northeast, which is the most active outside of probably Western Europe. We have the most active aviation industry with routes in the world. What if somebody were to take control of the aviation infrastructure network and down several hundred airplanes all at once across the US?
If that happened, that would be a really bad day for a lot of people. I’m going to be careful how I answer this question for a whole bunch of reasons. It would be highly unlikely because there has been a lot of effort and energy for years put into making sure that that could never happen both on an individual aircraft and systematically. All of the airframe manufacturers have aviation security groups. That is their job, whether it’s physically hardening the cockpit or looking at that onboard network and how that information flows on the network, what are the access points within the aircraft, how to protect that network, and how information is encrypted and decrypted as it leaves the aircraft, hits ground stations, and comes back up.
For all of those things, there are a lot of smart people who look at that every single day to make sure that that doesn’t happen. I would argue the aviation industry is not the only industry that would be potentially impacted by that. When you look at a cruise ship, a cruise ship is another huge, large floating data center. That’s what it is. You look at the size and scale of some of these ships.
The Icon of the Seas is ridiculous.
I’m not going to mention any names, but I’ve had this conversation with a CISO on one of the prominent cruise lines. We’ve had this dialogue about the uniqueness of the products that we build and use because of how much capability there is. I’ll end it with this. It’s highly unlikely. I have my own theory on what happened with 370, and it’s not yours. Yours is okay, but I don’t believe that people should be worried that that is a possibility. There has been an immense amount of effort put into making sure that that’s not a possibility.
You’ve been in the industry for a long time. Guys like me got shotgunned into the industry out of previous careers in the Military and people coming from all sorts of federal law enforcement stuff.
That previous career that you had, you know a lot of what’s going on too, so let’s not sell that short.
It was a good time being there. I’ve enjoyed being in the private security industry. We’ve looked up to you. The guys like me have looked up to you. We’ve looked up to Rich Davis and Steve Bernard. That’s a lot of the reasons why they’ve been on the show. The best part is I get to go find those mentors and those folks who I’ve been able to have conversations like this with that I thought were impactful to share with a broader audience. What do you look for in the next generation of security leadership? There is so much that is evolving so rapidly. You get to say you’re “retired” although I will tell you that you’re probably busier than you were when you were not really retired. What do you look for in the next generation?
I wrote something on LinkedIn. The next generation of security leaders is going to be fantastic. I’m lucky because I have a son who’s in the security industry. I’ve watched his career since he’s gotten out of school and what he’s been able to do very quickly, working an internship at Microsoft. He worked for a company called AECOM. He worked for Apple. He works in a law firm. He started out working in a business resiliency field and now he’s a cyber architect. He is self-taught. He is CISSP certified. He took the test. He had no formal cyber training.
Young people have such agile minds. They’re agile thinkers. We will go back to the very first question you asked me about, “The world is in this poly and permacrisis mode. What’s going to happen next?” There are a lot of people that are more my tenure that are linear thinkers in the security industry and they have a hard time adapting to the frequency and the pace of change that occurs.
During the time that I spend with young people in the security field, I look at their mental agility and their ability to multitask and not be freaked out when I say, “Yesterday, I told you I needed you to work on this. I know this morning I asked you to work on that other thing but now, I need you to do this.” For some people that are more my tenure, that is a source of huge frustration for them. Their mind explodes. They can’t do it. For many of the people I see that are more my son’s age, 30-ish, it’s no problem. They’re still doing that with their AirPods on, listening to a podcast, and doing whatever they’re doing.
Their minds have been trained since the day they were born to be able to multitask effectively. That bodes well for security leaders. You’ve got all these young people who can take all this information, process it, categorize it, risk evaluate it, and make decisions on where they’re going to spend their time and energy. I don’t worry about it at all. I’m excited about it.
When I go to some of these forums and I see some of these newer faces and talk to some of these people, they’re so bright and they’ve got great ideas. Can somebody like me offer some advice, some experience, and some situational awareness of things that have occurred? Yeah, but I think the field is well-positioned going forward. It’s such an interesting field.
The one thing that we don’t do well in this field, and this is one of the things that we’re working on through The Security Foundation, is most young people have no idea that corporate security is a great career path. We don’t spend enough time at the high school level. We don’t spend enough time in technical schools to let young people know, especially young people who have diverse backgrounds, that you don’t have to be a cop.
You can be in this corporate security field. These are six-figure jobs, and they’re long-tenured jobs. You can do so many different things with them. That’s one of the things that we’re working on. How do we go out and communicate effectively, “Here’s a great career path. When you’re 17 or 18, still in high school trying to figure out, ‘What do I want to be when I grow up?’ this is an option for you. It’s a great field”?
I agree with you. My daughter is a freshman in high school. We got an email a couple of months ago from the school to the parents. It said, “We have a senior internship program. If you have a company and you’re interested in participating in the senior internship program, sign up.” I immediately, to my daughter’s dismay, signed up.
I signed up twice. One is for the show because journalism is important. We want to build that at the young level. The other is for my security company, FRsix, which I don’t talk a tremendous amount about especially on the show because we do mostly critical infrastructure projects for government work. I said, “I need an intern,” for a lot of the reasons you said. We’ve got to show people that this is such an important industry, and it’s only becoming more important. We got to train them young.
I got to tell you. These interns that we’ve had over the last few years before I retired, we’d try to go and bring anywhere from 8 to 10 in. We would put them in our cyber program. We’d go to historically Black colleges and universities, be intentional about recruiting young people there in their freshman and sophomore year, try to hold onto them for 2 or 3 cycles of internship, and then hire them. We’d give them projects to do outside of their wheelhouse stuff.
At the end of their internship, we would create triads. Three of them would put on a presentation of something that they worked on. I was constantly blown away by the presence that these young people would bring, by their thought process, and by what they were able to get done in a relatively short period of time. If you can tell, I’m super pumped about what’s out there. We need more of them. That’s the problem. We need to let more people know, “Come join this profession. We need you. We need your thoughts. We need your energy. We need your talents.” We have to do better. We’re not good at telling our story.
You’re the President of Hostage US. I had the honor. Several years ago, I sat at an event at Sony headquarters. I had first met Steve Bernard and he said, “Come down to this event.” It was that night. I’d been introduced to him that morning. He said, “Come down to this event.” I said, “What’s the event?” He said, “Hostage US.” I was like, “I’ve never heard of it, but I want to meet you. I’ll come down to Sony.” I drove down. I rode a motorcycle so it was only 10 minutes, but it could have been 1 hour going from Santa Monica. I showed up, and then up stands this author. He starts talking about his time as a hostage in Somalia.
As he’s speaking, I’m listening to him and I’m like, “I know that story.” It had been about three years or so since I had left Africa. I realized about five minutes into his story that I had been briefed on this guy every day for six months because one of my jobs in East Africa revolved around understanding the environment and then developing capabilities for search and rescue. Michael Scott Moore was on a ship. They would talk about him in the intelligence briefings.
I thought I was looking at a ghost. He was home and told his story about 977 days when he was held captive. Immediately, I’d beelined to him when the thing ended and introduced myself. I said, “We talked about you every day. I want you to know we were looking for you. You weren’t alone out there. It may have felt like that, but we were looking for you.” He hadn’t been home that long. He said I was the first person he met who’d ever worked on his case. We developed a great relationship from that point on and stayed in contact. When I started this show, he was one of the first people I reached out to. He was episode nine. We talked about it.
I then got involved with the organization and started going to the annual reception. I became friends with Liz and developed a relationship with her, telling the story about what the organization is and what they are doing. We then subsequently had Jess Buchanan in 2023. She and Liz came on together. We talked about the organization, what it does, and what its focus is, and then we told Jess’ story. It’s similar yet very different from Michael’s. Hers ends with a hostage rescue by SEAL Team Six. Michael was released thankfully not for the $25 million they initially wanted but a much lower number many years later.
We’re going to talk to Jose Pereira. He has a different story. He was a political prisoner. Every one of these cases is so different. About 200 Americans are taken hostage or kidnapped as political prisoners every single year. We have some that we’ve talked about in the last couple of years, Brittney Griner, the Wall Street Journal reporter who continues to be held by the Russians. This is real. It’s happening every day all over the world. Talk about Hostage US. Why is Hostage US important? In your role as the president, why do you continue to advocate for this organization?
It’s important because of the impact it has on not only the hostage or the detainee’s life but also their families. You mentioned the number. It’s roughly 200-ish a year. For most people, they’ll never know anyone or anyone’s family who was a detainee or a hostage, but for those people who are impacted by it, their lives have changed forever. They will never be the same. Whether they were in captivity for 3 days or 3 years, their life has been fundamentally changed. Their family’s life has been fundamentally changed. I came into the organization through a really unique circumstance that I was completely unprepared for. If you give me a minute, I’ll give you 30 seconds.
Yeah, please.
I received a call a number of years ago from a colleague who was based in the UK. He told me about a hostage family that was based in Seattle and that one of their loved ones had been held by Al-Qaeda. The negotiations were not going well. The family was running low on money and needed some help. They needed some assistance to continue the negotiations.
Long story short, I got in the car that night after hearing the story. I didn’t know anything about this young man. I grabbed my wife and told her, “We’re going to go operational tonight. You’re going to see what we do.” We ended up going into the U District in Washington State and delivered some money to this family to help them get another cell phone. They had run out of cell phone dollars.
We delivered the phone and had the opportunity to meet for probably less than five minutes with the captive’s younger brother and his mom. His mom was probably 5 or 6 years younger than my wife. She’s quite young, but she looked twenty years older than my wife. His younger brother looked shell-shocked. I gave him the money and my business card and said, “If you need more, call me. I’ll come back tomorrow, the next day, or however many days in a row you need something.” That was on a Thursday night.
I woke up on a Saturday morning and had a full-page email from a lady that you also probably know, Rachel Briggs. Rachel was the original Executive Director for Hostage US at the time. She was the Executive Director for Hostage International. She shared with me early that morning, and I’m not going to give the individual’s name because his family is still dealing with this, that during a rescue attempt, he and another captive were killed during the rescue attempt. The SEALs went in. A dog tipped off that they were on their way. During the firefight, both the hostages were shot. As the US person was being transported out on the helicopter, he was still alive, so he knew that people had come to get him.
That one did not have a happy ending. Unfortunately, a number of them don’t. That five minutes that we spent with his family, both my wife and I, was life-altering because I’d never seen that kind of pain and despair on anybody’s face before in my entire life. Several months later, they decided they were going to open a chapter of Hostage International called Hostage US and I was asked to join the board, which I did. A year and a half later, I was asked to take over as the president, which I did.
I find it one of the most meaningful things I do. We are blessed with some amazing family support volunteers who work with these individual families. We are blessed with pro bono partners that provide medical help, legal help, and financial help, things that people can’t even imagine not only for the family but for the detainee or the hostage when they return.
What’s been really interesting in the last few four years is we’ve seen the paradigm shift. When I first took over, for about 75% of the families that we were helping, their loved one was taken hostage, and 25% were wrongful detainees. It has completely flipped. It’s about 90/10 where it’s wrongful detainees versus hostages. The reason for that is these governments use it as a political ploy. It’s a bargaining chip to be impactful with the US government. It goes back to what we talked about in the very beginning. It’s a way to try to leverage policy and sentiment in this country.
There are phases to this. There’s initial detention, capture, or whatever the circumstance is, and then there’s the negotiation piece. Hostage US really focuses on the families during that time. They’re not involved in the negotiations. At the back end, assuming they come home, the difficulty that these folks have was beyond anything I could have comprehended. I heard that from Jess. I heard that from Michael. It could be simple things like you have no money and you have no credit cards. Jess talks about things like your credit report and student loans. There’s no mechanism by which to go into a system and fix your credit report.
Think about it. You’ve been gone for two years. You haven’t filed your federal tax return. Your credit’s ravaged. When you fill out your tax, you call the IRS and say, “I was a captive for two years. There’s no box to check under your form to do that.” Since you talked to Jess, I’m sure she made this comment. She said the hardest part is surviving survival.
You had everything taken away from you, every bit of dignity and every horrible thing that could happen to you. All your decisions are made for you. In an instant, it all comes back. With the quickness in which we can get people back to their home country and in and out of the hospital, three days later, you’re back in your home and your little community. Everybody is so happy to see you and you’re not ready for that. You are not ready and may not be ready for that for a long time.
Most of the returning hostages and their family members will talk about the real challenges when they return and try to figure out how to get on with their lives. The little things that you or I find either trivial or easy to do become monumental tasks emotionally and in some cases physically for people because they have no patience. They struggle to come back. Most of them ultimately do, but they come back at different times. For some people, it happens relatively quickly. Other people have been back for years and they still struggle.
One of the great parts too is you’re building a community. In my work with transitioning veterans, we talk a lot about the community. You lose a community when you transition out. Can we create a community on the outside of people who’ve gone through the same experiences? Things like the Annual Reception bring everyone together and give folks who’ve experienced these things other people that they can talk to.
It’s like a club you don’t want to be part of.
You need to.
If you have to be in the club, it’s nice to know that there are other people that you can talk to. That’s one of the great things about what Hostage US is able to do. It is being able to connect with people who are willing to have that conversation, share their experience, and be able to tell someone, “What you’re feeling right now, or what you’re going through is normal. It’s okay. I went through the same thing. Give yourself some grace. If you’re having a hard time connecting with your family or you’re having a hard time reconnecting with your friends and they are irritating you, that’s okay. That’s normal.”
It’s nice to be able to have people who have lived that experience that can let you know that you’re all right. They’re like, “Take a deep breath. You’re all right. It takes time. You’ll get through it. What you feel right now is a normal feeling.” It’s unfortunate that we have to have an organization like this, but I’m glad we do. I’m thankful for the volunteers that we have, the sponsors that we have, and the pro bono partners that we have, because they make such a difference in these people’s lives.
This is the last question. It’s a test question. Elite organizations and elite performers, those who operate at a high level, always talk about habits. These are certain sets of skills that exist that they routinely do. When we think about the Jedburghs of World War II, they had to be able to shoot, move, and communicate. Those are three common terms, especially if you come out of the military or law enforcement, but to me, those are foundational habits. If they could do those three things effectively without having to think about it, then their attention could be focused on more complex tasks that came their way on any given day. What are the three things that you do every day to set the conditions for success in your world?
For me, number one is I need to take care of myself physically. It’s important every day before I start my workday that I do something physical because that has a positive impact on the rest of my day. Whether it’s treadmill, Peloton, bike, or weightlifting, I have to do that. If I don’t do that, then I don’t necessarily feel like I’ve done what I’m supposed to do for that day. If I can get that out of the way first and get that physical element, it helps me clear my mind. It helps me reset and gets me ready for whatever I’ve got going on that day.
The next thing is being able to take a breath during the day, take a pause, look around, and be thankful for what you have. I’ve been incredibly blessed in my life with my family situation, where I live, what I get to do, and the people I work with. There are times when I never want to allow myself to take that for granted because it could be gone in an instant. Being able to stop a couple of times during the day, look out the window, and look at the view I have or get in the car and go to Costco with my wife because I can, which for years I couldn’t do, and I can carry the waters in for her and stuff like that, that’s important to me.
The other thing that’s really important is I like to reach out to people unsolicited, call them, and be like, “What’s up? I haven’t talked to you in a long time. What’s going on with your family? How’s the job? What’s happening here? What’s happening there?” That’s important to maintain grounding relationships. Many times, we all build these relationships and they’re purpose-based. We’re like, “I have to talk to this person because I work with them,” or, “I have to do this because of that.” Some of that’s true with me too, but there are people who have been really impactful in my life, whether they’ve been a mentor, a coworker, a long-time friend, or somebody I know might be having a hard time.
It is reaching out and asking them, “How are you doing?” It doesn’t have to be a long conversation. It could be 3 minutes or 15 minutes. It’s impactful to me in a positive way. I hope it’s impactful to them too. For me, it is not nearly as high-tech and high-speed as what you shared, but at this stage in my career and my life, those are the things that are important to me. Those are what keep me grounded and keep me going.
Those are great. Physical care, take a pause and be thankful for what you have, and reach out to people. I saw something and it said that if you only call people when you need something, you don’t have a relationship with them.
We all know people who are like that. You see that number pop up and you’re like, “Ugh,” because you know. I’m sure a lot of people in the security community feel that way about me because I ask people for money all the time for different things that we’re doing. A relationship has to be based on more than just, “I need some help.” That can be part of it, but if the only time I’m hearing from you is when you need help, then that’s probably not the best situation. It doesn’t mean I’m not going to help, but I’d like to hear from you more often.
I’ll call you more often.
That’s cool.
You’ve been around the industry for a long time. I told you that there are a lot of folks in the industry that look up to you. You’ve mentored, whether you knew it or not, a lot of us. We’ve learned a tremendous amount from watching you work. We are at an exciting time in the world. There are challenges, but any generation faces their challenges. A lot of those challenges are known and some of those challenges are unknown.
It’s incumbent upon us as security leaders to think about all of those things out there that may or may not happen, what we are going to do, how we are going to set the standard, and how we are going to create the example or the model by which we’re going to respond better more than react to certain things. If we do have to react to them, do we have a foundation that’s been built?
Watching programs and learning from programs that you’ve built at Boeing, your career, and the work you’re doing at Hostage US and through your consulting business continues to motivate a lot of us. It certainly does for me. I appreciate you so much for taking the time to come down here. I know you had a long flight. You came in late but you made it down here. We were late too, so that’s fine.
It has been a real honor to join you on this. It has taken some time, but it was time well spent. I really enjoyed it. Thank you for the opportunity.
We’ll be in touch more often.
Thank you.