INSSA Insights

Cyber and Physical Security Convergence for NGOs with Jack McKenna


Listen Later

In conflict zones and hostile environments, the gap between cyber and physical security is not an inconvenience. It is a vulnerability that gets people hurt. Jack McKenna has watched organizations spend money on tools, hire service providers, and still miss the threat because nobody in the building had built a relationship across the aisle.

NGO security management and humanitarian aid security have never demanded more from practitioners. The organizations doing the most critical work in international development safety are operating with siloed teams, undertrained staff, and a false sense of protection from tools that were never designed to catch the threats they actually face. Duty of care is not just a policy commitment. Understanding how to close that gap is no longer optional.

Jack McKenna is President and CEO of Prescient, a tech-enabled digital intelligence, investigation, and risk advisory firm at the intersection of cybersecurity, corporate security, and intelligence. Amaury Cooper, a former Prescient client and NGO security practitioner, leads this conversation from the field perspective, pressing Jack on what organizations can actually do with limited resources in complex environments.

Key Takeaways

Set up basic social media alerting for your organization name even without a dedicated security team, because unsophisticated monitoring is still better than none.

Threat signals online are rarely explicit. Watch for negative sentiment building over time, coded imagery, emoji and GIF usage, and slang terms rather than waiting for a direct statement.

NGO security management requires someone with a named responsibility for physical security. If it is not in anyone's job description, it will not get done when it matters.

In hostile environments, assume surveillance and work your security posture backward from that assumption. VPNs and Signal help but do not make you safe if a hostile intelligence service is targeting you.

Converged tabletop exercises covering both physical and cyber scenarios are one of the most practical tools any humanitarian aid security team can implement right now.

Jack McKenna said, "Assume that you're basically broadcasting where you are," on operating in environments with hostile surveillance infrastructure.

Jack McKenna said, "The relationship is the biggest word," on what physical security practitioners must build with their IT and cyber counterparts before a crisis hits.

Timestamps

00:00 Introduction
01:42 How to assess whether your organization is being threatened
02:48 Setting up basic social media monitoring for NGOs
03:42 Risk assessments and point-in-time chatter reviews
04:07 Cultural nuance, emojis, GIFs, and online threat signals
05:07 AI limitations in detecting coded threats and imagery
06:14 Why bad actors know they are being monitored
06:52 Closed forums and indirect threat communication
07:53 Should cyber and physical security be converged
08:51 Identifying who is responsible for physical security
09:37 Avoiding duplicative security spending
10:10 The fusion cell model and overlapping risk spheres
11:18 How physical security practitioners can learn cyber basics
11:58 Why marketing and comms monitoring is insufficient for security
12:50 Using AI tools to self-educate on cybersecurity
13:36 Stop saying you are not a technical person
14:15 What NGOs in austere environments can do proactively
14:59 Data ownership and backup access in low-connectivity environments
15:45 How personal social media activity creates professional risk
16:23 What security focal points on the ground should watch for
17:12 Treating all unwanted communications as suspicious
17:43 Converged tabletop exercises for physical and cyber scenarios
18:11 Including IT in crisis management and device lockdown protocols
19:02 How tabletops unearth duty of care gaps
19:55 The USB drive scenario and why the NGO sector is uniquely at risk
20:17 Burner phones, wiped devices, and travel to hostile environments
21:10 VPNs, Signal, and their real limitations
21:35 Mobile device management and limiting compromise blast radius
22:32 Which environments carry the highest surveillance risk
23:14 Assuming surveillance regardless of geography
24:00 Location data, marketing IDs, and what hostile states can access
24:38 Operating in extremely hostile environments
25:01 Does a VPN slow things down
25:28 Pearls of wisdom for security focal points in the field
25:58 Build relationships with IT before you need them
27:11 Closing and acknowledgment of the Robert McPherson Fellowship

Connect with Jack McKenna

LinkedIn: https://www.linkedin.com/in/jack-mckenna-3a301345/
Website: https://www.prescient.com/
...more
View all episodesView all episodes
Download on the App Store

INSSA InsightsBy INSSA