Home/Work/Social-Footprint Risk Scoring
Worked Example · Social risk × Governance

What your CISO can’t see in your executives’ public footprint.

A walkthrough of how the same multi-source scoring pattern applies to a problem most organizations don’t actively measure — the cyber-risk exposure inside their leadership team’s public social presence — with governance built into the pipeline, not bolted on afterward.

A LinkedIn bio is biographical. A tagged conference photo is geographical. A 2017 breach record is credential history. A press release is professional context.

Apart, each one is unremarkable. Combined, they’re a spearphishing kit — and almost every breach playbook starts the same way.

Public doesn’t mean unimportant.

When the subject is a person, governance isn’t a feature — it’s structural. Consent, retention, redaction, and audit either ship in the pipeline, or you don’t get to ship.

The output isn’t a number. It’s a number plus a trail that explains every signal, every retention decision, every source.

The inputs

Eight signals, none of them secret.

Every one of these signals is publicly accessible. The work isn’t access — it’s combining them honestly, weighting them against a stated risk model, and doing it inside a pipeline that treats “the subject is a real person” as a hard constraint, not a footnote.

Different signals carry different risk — a known credential exposure is not the same as a public conference talk. The risk posture shown on each source tile is configured by policy, not inferred by a model.

The architecture

Governance isn’t a stage. It’s four of them.

Three of the eight stages are the scoring work. The other four are governance — consent posture, PII redaction, retention tagging, and the audit log that records every read and write. They’re first-class stages, not wrappers, not middleware, not someone else’s problem.

That choice is the entire point. When the subject is a person, the audit trail is the product as much as the score is. A board, a regulator, or the subject themselves can ask why and get a defensible answer at every layer.

The output

Defensible to a board. Defensible to the subject.

The output is a score, a band, and the top contributing signals — but that object is never returned alone. Every read carries an audit reference: which sources, which retention class, what was redacted, when it last refreshed.

If anyone — the board, legal, the executive themselves — asks “why MEDIUM?” the answer is in the same call. That’s the bar. Anything less and the pipeline shouldn’t exist.

Key design choices

Four decisions that make scoring people defensible.

None of these are about accuracy. They’re about whether the output can be reviewed, questioned, and changed — by the board, by counsel, or by the subject — without rewriting the system.

01

Consent-aware

Every source carries a consent posture — what was authorized, by whom, for how long. A source out of posture is dropped, not silently used.

02

Retention-tagged

Every signal lands with a retention class and a TTL. When the clock runs out, the data leaves the pipeline — including the derived score that depended on it.

03

Source-traceable

The score never travels without its sources, its weights, and the audit reference. Anyone authorized to see the score is authorized to see why.

04

Subject-disclosable

The executive being scored can ask for, and receive, the same view the security team sees. If the system can’t produce that, the system isn’t finished.
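The governance stages described above (consent posture, retention TTL, redaction, audit on every read) and the four design choices, shown together in one small scoring pipeline. This is an added illustration, not code from the page or from any deployed system; the source names, weights, retention classes, TTLs and the audit reference scheme are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class Signal:
    source: str            # public source the signal came from
    weight: float          # source's risk posture, configured by policy, not inferred
    strength: float        # 0..1, how strongly the signal is present for this subject
    consented: bool        # consent posture: is this use authorized for this subject
    retention_class: str   # retention class assigned when the signal lands
    ttl: timedelta         # time-to-live that goes with the retention class
    collected_at: datetime
    redacted: tuple = ()   # PII fields stripped before the signal was stored

def score_subject(signals, now, audit_log):  # every read appends an audit record
    used, dropped = [], []
    for s in signals:
        if not s.consented:                      # out of consent posture: dropped, never used silently
            dropped.append((s.source, "consent"))
        elif now >= s.collected_at + s.ttl:      # TTL elapsed: the signal has left the pipeline
            dropped.append((s.source, "retention_expired"))
        else:
            used.append(s)
    # Assumption of this example: normalise over the weight of admissible sources only.
    total_w = sum(s.weight for s in used) or 1.0
    score = round(100 * sum(s.weight * s.strength for s in used) / total_w)
    band = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"
    top = sorted(((s.source, round(100 * s.weight * s.strength / total_w)) for s in used),
                 key=lambda kv: -kv[1])[:3]
    audit = {
        "ref": f"audit-{len(audit_log) + 1:04d}",  # placeholder reference scheme
        "read_at": now.isoformat(),
        "sources": [(s.source, s.weight, s.retention_class) for s in used],
        "dropped": dropped,
        "redacted": sorted({f for s in used for f in s.redacted}),
    }
    audit_log.append(audit)
    return {"score": score, "band": band, "top_signals": top, "audit_ref": audit["ref"]}

def demo():  # constructed signals for one hypothetical executive; values are illustrative
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    ago = lambda days: now - timedelta(days=days)
    signals = [
        Signal("breach_record", 0.40, 0.7, True, "credential", timedelta(days=365), ago(30), ("password_hash",)),
        Signal("conference_photo", 0.15, 0.6, True, "geo", timedelta(days=30), ago(45)),       # expired
        Signal("linkedin_bio", 0.10, 0.8, True, "biographical", timedelta(days=180), ago(10)),
        Signal("press_release", 0.10, 0.5, False, "professional", timedelta(days=180), ago(2)),  # no consent
        Signal("geotagged_post", 0.25, 0.2, True, "geo", timedelta(days=30), ago(5), ("home_address",)),
    ]
    log = []
    return score_subject(signals, now, log), log
```

The same call that returns "MEDIUM" also returns the audit reference, and the log entry behind it lists which sources were dropped and why, so the "why MEDIUM?" question is answerable from the read itself.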

The pattern travels

The architecture isn’t about executives.

The subject changes, the signals change, the policy changes. The pattern — multi-source, governance-first, transparent reasoning, full audit trail — doesn’t.

Vendor & supplier exec exposure

Same scoring, applied to your critical third parties — whose own people are a path into your environment if compromised.

M&A target screening

Pre-deal diligence on the leadership team being acquired — reputational risk, prior breaches, public stance, exposure trajectory.

Board & trustee protection

Independent directors have public profiles by design. The system tells you whose profile is becoming a credible attack surface, and why.

Insider-threat triangulation

Combined with HR and access-control signals, public-footprint changes are a leading indicator some security teams already watch — informally.

What’s honest about this

A methodology, not a deployed engagement.

This piece describes a methodology and a system architecture, not a customer engagement. OSINT scoring and executive protection programs already exist — what we’re documenting is the design discipline of building one where governance is a first-class stage rather than a compliance review at the end.

A real deployment for any organization would involve a counsel-led consent and retention workshop, source selection against policy and budget, weighting calibrated with the security team and counsel together, and an audit-trail integration with whatever incident-management or governance platform is already in use. Those steps are part of the engagement, not skipped over.

The reason this writeup exists at all is the same reason the property piece does — the thinking is portable. The data sources change. The governance constraints change. The architecture, and the discipline of treating audit as a feature rather than a deliverable, doesn’t.

Got a problem shaped like this?

Risk scoring people, done defensibly.

If you’re scoring executives, vendors, board members, or third parties — or you should be, and it’s currently scattered across security, legal, and HR — a short conversation is enough to know whether this approach fits.
