The C-Suite’s Favourite Hobby: Broadcasting Operational Intelligence

Executives rarely imagine themselves as intelligence targets. This is understandable. Espionage sounds glamorous and dangerous, whereas most senior leadership work involves emails, meetings, flights, and pretending to enjoy panel discussions. Unfortunately, this is exactly why OPSEC matters in business: modern intelligence work is not glamorous either. It is mostly admin, observation, and waiting for someone important to behave exactly as they always do.

Operational Security is not about secrecy for its own sake. It is about denying adversaries easy advantages. In military terms, OPSEC stops you broadcasting where you are, what you’re doing, and what matters to you. In business terms, it stops you becoming a walking intelligence product assembled from your calendar, your LinkedIn posts, and your favourite hotel chain.

Executives sit at the intersection of decision-making, access, and influence. That combination makes them valuable. It also makes their habits visible, predictable, and exploitable. OPSEC is the discipline of noticing this before someone else does.

Predictability Is the Enemy (And Executives Are Creatures of Habit)

Executives like to think of themselves as dynamic and adaptable. In practice, senior leaders are among the most routine-driven people in any organisation. The same flights because of status. The same hotels because they know where the gym is. The same conferences because that’s where “serious people” go. The same restaurants because experimentation is exhausting.

From an intelligence perspective, this is a gift. You do not need to follow someone everywhere. You just need to observe them long enough to learn what “normal” looks like. Once you have that, you can anticipate presence, mood, priorities, and availability. Pattern-of-life analysis is not about drama; it is about reliability.

In business, predictability enables targeted approaches. If you know when an executive is tired, travelling, or operating outside their usual support bubble, you know when they are most likely to make bad decisions. If you know which environments they trust, you know where influence attempts are least likely to be questioned.

Good OPSEC does not demand chaos. It demands occasional disruption. Changing routines. Delegating appearances. Refusing to turn every movement into a ritual. The goal is not to become invisible but to become slightly harder to model. Most threats do not require you to be paranoid. They only require you to stop being boringly consistent.

Visibility Is Not the Same as Transparency (Stop Broadcasting Your Life)

Modern executive culture treats visibility as a virtue. Leaders are encouraged to be authentic, accessible, and present. Unfortunately, “present” has come to mean “documenting your location, associates, and priorities in real time for strangers”.

Social media, conference marketing, corporate comms, and personal branding all contribute to a steady leak of operational detail. Travel plans are revealed. Strategic focus areas are hinted at. Relationships are signalled. Stress and enthusiasm are telegraphed. Individually, these fragments seem harmless. Collectively, they form a remarkably accurate intelligence picture.

Executives often dismiss this concern by saying “everyone does it”. That is true. That is also why it works. OPSEC failures scale beautifully when everyone participates willingly.

The problem is not posting occasionally. It is consistency and timing. Real-time updates remove uncertainty. Predictable posting habits reinforce patterns. Over time, an observer does not need access to internal systems; they can infer what matters, when decisions are looming, and who has influence.

Operational security in this context is restraint. Not everything needs to be shared. Not every appearance needs to be publicised immediately. Delays, omissions, and selective silence are not antisocial. They are defensive.

Relationships Are the Real Attack Surface

Executives are targeted through people, not firewalls. The most effective intelligence collection in business environments happens through relationships that feel professional, flattering, and benign.

These relationships rarely begin with requests for secrets. They begin with conversations. Shared concerns. Industry insights. Introductions. Over time, trust forms. Trust reduces friction. Friction reduction is where OPSEC quietly dies.

Some of these approaches are criminal. Some are competitive. Some are linked to state interests. Most are deniable and indirect. The goal is not immediate extraction but positioning. Becoming a trusted voice. Shaping perception. Normalising access.

Executives are especially vulnerable here because relationship-building is literally their job. Saying no feels rude. Questioning motives feels paranoid. Delegating vetting feels inefficient. Unfortunately, intelligence exploitation thrives on politeness and assumed good faith.

OPSEC does not require executives to distrust everyone. It requires awareness that not all interest is neutral and not all expertise is altruistic. Asking “why me?” and “why now?” should be a habit, not an accusation. Influence almost always precedes information loss, and by the time that becomes obvious, the damage is already done.

Devices, Travel, and the Myth of the Exception

If you wanted to compromise an organisation efficiently, you would target its executives. Their devices are high-value, their behaviour is permissive, and their tolerance for inconvenience is low. This is not a moral failing; it is a structural one.

Executives are often granted exceptions. Different phones. Broader access. Fewer restrictions. Faster approvals. These exceptions exist to enable productivity. They also create asymmetry. An attacker who compromises an executive endpoint does not just gain data; they gain context, authority, and reach.

Travel amplifies this risk. Airports, hotels, and conferences are environments where security assumptions degrade. Networks are shared. Conversations blur. People overshare. Executives are tired, distracted, and outside their normal controls. This is not when people make their best security decisions.

OPSEC here is about discipline rather than deprivation. Purpose-built devices. Clear boundaries on what is discussed where. Reduced reliance on convenience networks. Acknowledging that some environments are simply hostile, even if they serve decent wine.

The idea that risk only exists in “dangerous” countries is comforting and wrong. Some of the most sophisticated intelligence activity happens in places executives feel safest. Familiarity breeds complacency, and complacency is exploitable.

OPSEC Is a Governance Issue, Not a Technical One

The final uncomfortable truth is that executive OPSEC failures are rarely technical. They are cultural. They happen because no one feels empowered to challenge senior behaviour, and because security is treated as an operational detail rather than a leadership responsibility.

Boards often focus on cyber risk in abstract terms. Systems. Controls. Compliance. Meanwhile, the most valuable attack surface, executive behaviour, goes largely unaddressed. This is not because it is unimportant, but because it is awkward.

OPSEC requires setting expectations for leaders. Not just policies for staff, but standards for those at the top. It requires admitting that seniority does not confer immunity from manipulation, and that experience does not negate cognitive bias.

The goal of executive OPSEC is not to instil fear or to reduce effectiveness. It is to increase the cost of targeting. To introduce uncertainty. To remove unnecessary signals. Most adversaries are pragmatic. When exploitation becomes difficult, they look elsewhere.

Executives do not need to become invisible. They need to stop being effortless.

Closing Thought

Operational security is not about secrecy, paranoia, or pretending the world is more dangerous than it is. It is about acknowledging reality without dramatics. Influence exists. Intelligence collection is mundane. And senior leaders are, by design, attractive targets.

If OPSEC feels excessive, that probably means it is working. Comfort is rarely a good security metric.

References:

Khan, N., Sharples, S. & Houghton, R.J. (2025). Reflective interventions for cybersecurity: insights from a sociotechnical framework application and assessment. Cogn Tech Work. Available at: https://doi.org/10.1007/s10111-025-00833-6 (Accesed: 14 January 2026).

Safa, N.S., Maple, C., Watson, T., Von Solms, R. (2018). Motivation and opportunity based model to reduce information security insider threats in organisations. Journal of Information Security and Applications, 40, 247-257. Available at: https://doi.org/10.1016/j.jisa.2017.11.001 (Accessed: 14 January 2026).

Khan, N., Houghton, R., and Sharples, S. (2022). Understanding factors that influence unintentional insider threat: a framework to counteract unintentional risks. Cognition, Technology and Work, 24, 393-421. Available at: https://doi.org/10.1007/s10111-021-00690-z (Accessed: 14 January 2026).

Tabahriti, S., Macaskill, A., and Holden, M. (2025). MI5 warns UK lawmakers Chinese spies posing as headhunters. Reuters, 18 November. Available at: https://www.reuters.com/world/uk/uk-security-service-warns-lawmakers-chinese-spy-risk-2025-11-18/ (Accessed: 14 January 2026).

Sabbagh, D. (2025). China’s power play: MI5 warns of relentless espionage attempts in Britain. The Guardian, 19 November. Available at: https://www.theguardian.com/world/2025/nov/19/china-mi5-espionage-britain (Accessed: 14 January 2026).