Conspiracies and the Competency Crisis: The Kirk Assassination with Toby Houchens

On July 13, 2024, a lone gunman climbed an unsecured roof with a long rifle. He managed to fire several shots at then-presidential candidate Donald Trump, grazing his ear, and killing Corey Comperatore, a member of the audience. Soon after, on September 15, 2024, a lone gunman approached Donald Trump on his golf course, only 64 days later, and was caught by pure luck, as a passing Secret Service agent spotted a rifle barrel protruding from a fence. Less than a year after this incident, on September 10, 2025, a lone gunman gained access to an unsecured roof with a long rifle and fired a single shot at Christian political activist, Charlie Kirk, killing him.

Following the July assassination attempt, Republicans in Congress began to focus on DEI as the cause of the decline in Secret Service competency. While there is a real case that DEI eroded the Secret Service’s competence, it cannot account for the successful assassination of Kirk, as his security team did not practice DEI. DEI does not explain the glaring, obvious mistakes in the security plans before and during the events. Leaving roofs unsecured near controversial figures seems like a simple enough thing for anyone to avoid, so why wasn’t it—twice? To understand what has been going wrong in the security industry within the subdomain of “Executive Protection” (EP), I contacted Dr. Toby Houchens. Toby is the CEO and Founder of Omega Wolf Solutions and Alpha Recon. He served for over a decade in the U.S. Army Special Forces as a Green Beret across the Middle East, Africa, and other environments, and continues to support Special Operations to this day. He helped create the initial guidelines for Enterprise Security Risk Management (ESRM). He presented them for the first time at the ASIS International Global Security Exchange in 2019. ASIS is a standards-setting, education, and professional development body for security leaders—not a law-enforcement or government agency. Toby’s team released an initial study on how effective risk assessment could improve interagency communication and operations and potentially help prevent assassinations like this from occurring, which you can read here.

In this conversation, we discuss the Kirk and Trump assassinations, the problems in the security industry, and how a failure to take accountability has encouraged conspiratorial thinking. To this date, despite the large amounts of media coverage, few people understand that the same institutional problems were behind each assassination attempt, institutional problems that better training, risk assessment, and interagency collaboration could overcome.

What’s Gone Wrong in Executive Protection

Thanks for speaking with me, Toby. You argued in your white paper on the assassination of Kirk that it was preventable. Could you provide an overview of your argument for why?

Yes. So, you’re looking at a couple of key factors that are probably the most revealing; there’s probably more, but the two you have to focus on are risk assessment and the lack of interagency coordination.

The main job of a close protection team or executive protection team is to keep your principal alive. Principal is an industry term for who you’re supposed to protect. When you don’t do that, it’s an absolute failure. The things that make that preventable are a comprehensive risk assessment; some people call it a site survey, some people call it an advance. In the executive protection (EP) world, there are all sorts of names for it. But the core concept is that you have to understand the risk environment in order to put together a proper, effective security program. In the Brian Harpole interview with Shawn Ryan, he says, “We did an advance, we were there, we were making arrangements a month ahead of time.” Anybody can put together a site visit or do a quick recon and say, “Oh yes, I did my site survey.” It could take five minutes or five days, depending on the depth of the risk assessment. The purpose of a risk assessment is to identify vulnerabilities and the things you need to protect against, manage, mitigate, or remove.

Throughout this conversation, Toby references an interview that Brian Harpole, Charlie Kirk’s head of security, did with Shawn Ryan. I have embedded key clips into this interview when referenced by Toby. This is the best publicly available source for understanding what went wrong on the UVU campus to date.

However, it’s very clear through the interview, and simply using common sense, that vulnerabilities were missed, and if they weren’t missed, they were completely ignored. It’s one of the two, right? Risk assessments are not just looking for high ground right, there’s a lot that goes into a risk assessment, if you do it properly, I mean you’re looking at all of the factors and the conditions on the ground, the human factors, the physical factors, the area, the emergency first responder, the interagency, the quantitative trends online and threats, and a proper risk asssement will truly shape your security strategy

In this case, it’s clear that there was a kind of risk assessment done. However, it seems to have been an impromptu or brief understanding of some of the general risks to Charlie Kirk, and no exhaustive risk assessment was done that included all the factors that needed to be covered. I stand by that assessment.

For example, the fact that that there was no confirmation of any high ground, there was no understanding who covered it and what the what line of sight threats there were, specifically I mean even in the interview, Harpole talks about the areas directly behind Charlie Kirk, the raised area with rocks, but they don't really talk about nearby buildings at all. Even when he’s asking for coordination with campus police, they’re not really talking about the nearby buildings; they’re talking about the one directly behind Charlie.

You know there was no comprehensive risk assessment because that would have caught that there were rocks above him before, rather than the day of.

For example, let’s take the high ground because that’s the most obvious issue, right? That what everybody’s pointing to, and even non-security people are looking at that, right, thinking, “How did that get left out?” There’s so many ways you could have had cameras monitoring nearby vulnerable buildings, to make sure nobody’s getting on them at a minimum you could have—they had twelve personnel—instead of having everybody on the plaza you could have had people on the periphery making sure that there wasn’t any anybody trying to sneak in or get some kind of a vantage point from a distance. There was the opportunity for drones, and though Harpole says he could not have drones, it’s clear that if you go to the campus website, you can have drones. The video team was using small drones. And again, a risk assessment would have informed them of the legality, because you would know what your options are.

That said, I want to emphasize that the “high ground issue” was not the only issue. There were multiple other areas missed in the risk assessment. Constraints and limitations of security operations are part of a risk assessment

I don’t believe a formal risk assessment was done. I think if there were, they would have shown it by now. I don’t think there’s anything proprietary or anything secret that’s in a risk vulnerability assessment that can’t be shared. In his interview with Shawn Ryan, Brian Harpole talks about an app where people are putting in observations, that is not a formal risk vulnerability assessment, and that’s where standards need to be in place.

And the second factor, besides the lack of a comprehensive risk assessment, is the lack of interagency coordination?

One of the things that a threat vulnerability assessment would do is provide a baseline document of your findings that you can share to brief your team and the interagency. This is supposed to be a collaborative effort; this shouldn’t be siloed in groups. I helped to write the guidelines for enterprise security risk management, and one of the principles of security risk management is that you need to break down silos. You can’t have different departments or different organizations working in a vacuum because you get blind spots, vulnerabilities, places that are not covered; it’s the classic three outfielders going for a fly ball, right? It drops at their feet, and they stare at each other, unsure what to do.

One thing we see in the Shawn Ryan interview is a lack of interagency coordination. Again, I can’t say for certain, like what didn’t happen, as far as ahead of the event but, I’ve gleaned up to this point, and from the animosity between the interagency after the event, it appears that there wasn’t satisfactory, clear communication.

There’s this tendency for security teams to kind of wing it, you know, they show up, they do their site survey, if they know who’s on the ground, they might shake a couple of hands when they get there, and then they rely on SOPs (Standard Operating Procedures) and TTP tactics (Tactics, Techniques, and Procedures) and they think that’s going to be enough to save the day.

You can’t just cram it into the last minute or when your team shows up. That’s not the time to be having your first or second conversation with the other elements on the ground. You got your local law enforcement, your campus law enforcement, whatever federal entities are involved at the time, plus your team, Turning Points team, that’s a lot of moving parts, and if you did do the coordination properly, you know and briefed teams on these vulnerabilities, maybe they can help if you have low resources, right?

Harpole said that at one point, one of the campus police officers arrived in an area behind Charlie Kirk, and Harpole was surprised. You should know where everybody is.

He seemed surprised by that. That’s how you know it wasn’t coordinated. It might not be all the security teams’ fault; I don’t know to what extent it’s anyone’s fault. Still, it’s clear that interagency coordination wasn’t happening; you know that there wasn’t a good enough interagency coordination effort.

Is it a standard operating procedure, as Brian Harpole says in the interview, to be “only responsible for the first 30 meters” around a principal and pass off security 30 meters out?

There are different schools and approaches, and strategies. In some schools, they teach the concentric circles approach, and I think that’s an unfortunately outdated approach, as we’re seeing. Yes, you could have zones of coverage to make it simple for your team and have areas of responsibility, that’s great, but you can’t think like a robot, you’ve got to have a more of a dynamic risk management approach. Having areas of responsibility is important, but this goes back to the point I just made: if you have a proper interagency approach, you can have some of those areas covered by externals. If you really feel like with the twelve people have, you need them right around the X, and you can’t afford anybody to be roving or to be covering high ground or to have binos or to be monitoring cameras, or you can’t afford for them to do any of that stuff (which I don’t agree with, I don’t think that the main vulnerability was the crowd rushing Charlie Kirk, and so I don’t think that they needed to have every single person that close, or they could have at least been multitasking), you could have the campus police be part of the solution.

Again, they didn’t know what campus police were doing because they were surprised by the fact that they were in one of their areas of responsibility behind Kirk, and you know, and there were just a lot of other things, you know? There seemed to be a lot of people involved with the team and in the area right around Charlie Kirk, including camera people, including cars that were staged there, and people milling around. I mean, it just didn’t strike me as a really super controlled environment. It’s not hard to see that there’s a direct line of sight from a nearby building. I think everybody admitted that and recognized that. Why not have one of the security members focus on external threats or ingress routes, or areas that would potentially pose a threat? In the military, this is just day one stuff, you’ve got to control the high ground, and if you’re the security, you know protecting him, nobody cares about your area of responsibility. You can’t sit there and say, “Oh, this is my area of responsibility, and nothing happened from my area of responsibility, so that’s good.” He died. He died because there was no coverage, there was no area of responsibility that covered the vulnerability that ultimately took his life, and that’s a failure of the security team. You can say that it’s the campus police’s fault because they didn’t cover it, or because a text message should have been enough. But in a security operation, there’s no reason why, with that many people, with over a dozen security people, we couldn’t cover, at least with some kind of visual, all of the surrounding area of the campus.

The training that you only focus on your area, I get it, you have to focus on the minute details, look at the crowd, and know the risks immediately around the principal, absolutely, there are reasons why that training exists and why people have come to areas of responsibility. But if you’re not thinking outside of those circles and you’re not thinking about the risk and you’re not thinking about what possible or most likely courses of action or those vulnerabilities that are most likely to happen, and where are the blind spots, or where the areas are that you’re not sure are being covered… As a security team lead, that’s what you should be thinking about. You should be thinking about that. It’s not just standing right next to the principal. You need to be thinking about where the risk is going to come from dynamically.

Why do you think people are so hesitant to blame security for obvious security failures?

Unfortunately, there’s a little bit of protectionism in the industry. Some of the training programs and schools that are out there are most likely inadequate, and they’re probably not teaching a dynamic risk management-based approach (though we are developing an EP training pipeline that maximizes dynamic risk-based approaches). I’ve seen security teams actually admit, even if they were on the ground, the same outcome would have happened in this case. That’s telling. That’s an institutional problem. The assassination should not have happened if you had the right security team. This should be impossible with all the tools we have.

That this happened in the same way as the attempted assassination of Trump, like, you would think that we would learn, right? But the problem is the mindset of “Oh well, it just happened, and we did everything we could, and sometimes those things are going to happen,” well, we can’t have that mentality. That’s number one.

Second, there’s this kind of culture, I want to say good old boy, or you know there’s this hidden code to kind of cover up things or to not highlight failures because we don’t want to pinpoint other people we want to try to help or we don’t want to ruin someone’s career or they want to support the “security industry” because when things like this happen it gives the whole security industry a black eye. So what’s weird is that instead of just pointing to what happened and what could have been done better, they protect the institution’s failure.

And I’d say, third, there’s a lack of accountability these days in general. I just think people don’t accept responsibility for failure, and with my background, that was never even a possibility. You could not avoid taking responsibility for your actions. In this whole 2 1/2 hour interview, it was completely about him blaming circumstances or other people for the failure; not at any point in that whole interview did he take responsibility at all. A leader accepts responsibility, especially when they’re responsible for the safety of their principal, and they say “I failed,” and maybe there are mitigating circumstances why I failed and why my team failed, but it was a failure, and I did all of these things to prevent it from being a failure, but ultimately, I was not successful.

That’s the message that should have been put out there. That’s what helps an industry get better.

With the failed Trump assassination, a lot of people [in the security industry] who were pointing out the failures were almost chastised and seen as negative Nancys and seen as counterproductive. But I think there’s enough of this happening that even non-security and non-industry people are looking at it and seeing abject failures by almost any measure. I don’t know how this isn’t a failure of the security team. However, there are still holdouts: people in the security industry who are practicing security, training EP teams, and running close protection teams, yet still lack accountability or will see this as a failure.

I think it is a pervasive problem. When you choose to get into executive protection and or close protection, you know that there’s no margin for failure. That’s just the way it is. You’re accepting that when you get in there, any number of things could happen. Sometimes things happen, and it’s completely not the fault of the security team, It’s just extenuating circumstances that happened, but there’s always something to learn, there’s always something that could have been better, there’s always something that could have reduced the probability of a successful attack, and that’s the way you have to think about it: what can I do to reduce the probability to the maximum amount and the first thing is just being accountable and being objective about it and going back and trying to improve whether it’s as an industry as a team or as a person.

We could all see the similarities between the Kirk shooting and the July attempt on Trump’s life. I’m interested in any parallels you see between the roof shooters and the failure of interagency communication in both cases.

If you go back to the Trump report, you’ll see it was largely similar issues. Returning to the risk vulnerability assessment, the presence of an uncontrolled building nearby that provides a perfect line of sight to the principal is a threat. If it’s covered in the risk assessment but not in practice, it’s either ignored or goes uncovered due to poor interagency coordination. I don’t understand how it happens in this day and age, with all the technology we have, there’s doctrine, there’s standards for this stuff. People have this idea of the Secret Service that is not entirely true to life, as internally, training and experience vary wildly. Some come from the military, and some are ex-police; some may have inadequate or concentric circles training.

In security, unfortunately, there’s no quality control, and when you’re a private security firm dealing with the government, it’s completely ambiguous. In many cases, like the Trump assassination, it’s unclear who is the ultimate shot-caller; you can ask 100 people, and you’ll get 100 responses.

There should be collaboration, and that’s not happening. It’s just these siloed organizations with their siloed training and their siloed understanding and their siloed risk assessments trying to protect a principal, and you see what happens when you do that. If some gaps and assumptions are made that ultimately are false, the risk goes way up. They’re completely preventable. In this day and age, you should not, with the technology we have, with drones, something like this should be impossible. It should literally be impossible.

That’s why it’s important to understand this is a systemic problem with the industry.

After the Trump assassination attempt, a large number of people on the right decided to look at DEI as the fundamental cause of the decline in the competency of the Secret Service. However, DEI is obviously not the problem with the Kirk team, so the competency crisis must run a little bit deeper.

One of the first things I’ll say before I get into the failures of private security is that silos still exist. Everybody thinks that they’re in charge, but when something bad happens, they don’t want to be in charge. Everybody wants status, and they think their training in skills is somehow superior, yet they don’t want to take responsibility. There are no standards, only silos, and a culture of competition and ego.

In the private sector, there are some groups that are trying to establish standards. ASIS has recently released a standard, and another is being worked on that is ANSI (American National Standards Institute) certified. The reason that these standards are starting to emerge is because you’re seeing this quality control problem with security teams. So what makes somebody qualified to be an EP professional? What is the minimum criteria? That is a big unanswered question because you’ve got EP teams that come from all walks of life. You’ve got people coming from law enforcement, so former cops like Brian Harpole. He was a cop for 12 years. It didn’t seem that he had any SWAT training. Is somebody being a cop for twelve years and doing some undercover operations, is that enough? I don’t know if that’s the kind of training that’s necessary. Was it exhaustive? What other things were they training on? It is arguable if that is the right kind of experience.

The other issue is that these are closed systems due to ego and protectionism. You could see that throughout the whole interview, he was talking about how it’s a very strict recruiting process and how you had to be invited in, and you had to go through some vetting process that was largely more about the trust factors than actual competency.

Didn’t he say they all got matching tattoos at one point?

Yeah, [laughs] it’s like a club. This is a pervasive problem in the security industry. There is no consistent standard; there are organizations of varied sizes, and sometimes new people can be shunned in organizations, or if your training differs, they may reject it as a threat. This perpetuates incompetence.

In the security industry, at large, egos prevail in closed systems, buddy groups, and networks. It comes down to a lack of quality control… There is no quality control. Anybody can get a license, so the licensing system does not select for quality control. They are not standards for dynamic risk management or knowing how to operate in a firefight.

Most people don’t have a well-rounded education on all the topics that go into security, and if you’ve got a whole team of people that are good at being big bodies and blocking and controlling access, that’s all you can do. You need a dynamic team with different skill sets and to look at things a little bit more holistically. The concentric circle training is rather simple; thinking in terms of areas of responsibility can become limiting, and yet, because you have to speak with that language and you have to be part of it, it continues to propagate it, and then nothing new can break in.

Even after failure, clearly, nothing has broken in. They aren’t admitting their methods were bad.

The main purpose of the Brian Harpole interview with Shawn Ryan was to protect people’s careers so that they could continue to operate.

That was the main thrust and motivation for the interview, not like, “Hey, let’s dissect this and figure out what went wrong.” Whether there was incompetence or not, there’s this idea of “I’m protecting my team,” “it’s the optics that are important to me.” There’s a lot of bravado, there’s a lot of chest bumping, and whether you’re a cop, whether you’re a Secret Service, whether you’re FBI, or military or different special forces, there’s this sense that outside expertise is a threat, rather than a sense that people may have experiences you can learn from.

Do you think the security industry’s refusal to take responsibility for failure contributes to conspiratorial thinking?

I do and this is the reason why: I’ve talked to a lot of people about this but when the failure is so obvious to people that are not in security, then they look at this, and they can just say “Okay, that was a failure, and yet you’ve got this supposed level of training and capability on site,” it really starts to make people wonder how could it be this this bad? How could it possibly be this bad?

People think rationally whether an assassination like this was allowed, because there are gaps that are egregious and obvious to everybody and seem purposeful. It comes down to this question: it’s either rampant incompetence or there was something else involved. You can almost forgive the people that are coming up with these conspiracy theories because they’re just looking at this, trying to figure out how it’s possible to have incompetence of this magnitude.

I do know that this was an abject failure and that this was preventable. I’m not the only industry leader that thinks that. In addition, the excuses after excuses and optics management also contribute to conspiratorial thinking since there are things that come out and then they have to get re-explained or changed after.

I would also argue that the lack of immediate communication and explanation of reality contributes to conspiracy theories. People will fill in gaps on their own if officials withhold information.

Thank you, Toby. That’s all for today.

Conspiracy and Professionalism

In both the successful assassination of Charlie Kirk and the failed assassination of Donald Trump, the same things led to failures. Multiple issues, including a lack of interagency communication, a poorly executed risk assessment, and an outdated concentric circles approach, precluded a competent operation. A culture of ego, insecurity, and undefined industry standards amplified siloed threat perceptions and led to obvious threats going uncovered.

And none of this is talked about, almost ever, because it points the finger at the people who actually fail to do their jobs. So, instead of looking at a growing competency crisis in a largely unregulated, life-or-death industry, the public—under the influence of the very people responsible for failure—are led to conspiracy theories:

I spoke to an unnamed source affiliated with UVU who shared that they covered the site of the shooting because it was soaked in blood at the very center of their university. I would also add that it would obviously become a site of either pilgrimage or, just as likely, vicious acts of cruelty, such as pissing, that would forever be a sore wound at the center of the university and American life. It is beyond irresponsible that Brian Harpole and Shawn Ryan engage in conspiratorial thinking, but I understand why they do: to shift blame from the security team to faceless actors. Though the University should have taken pre-planning more seriously, though part of the blame may rest with TPUSA and Dan Flood, the TPUSA head of security, who previously worked with Brian Harpole and hired him, in the final analysis, the dispute over responsibility misses the larger point: multiple elements of good security practice, from shared risk assessments to unified command, were missing. And the same is true of the security planning ahead of the Butler Rally. Bad training, bad culture, and a lack of professionalism led to this assassination, and now, that same lack of professionalism—in this case, a lack of dignity, which normally leads one to resign—is feeding conspiracies, which will forever chase the Kirk family.

Though conspiracies abound, just like the Trump assassination attempts, the reality is much simpler. And in my view, much more chilling: lone gunmen took advantage of uncovered and obvious gaps in security perimeters, which were poorly managed, defined, and communicated, because security teams were not doing their job.

I reached out to UVU while preparing this article and received this statement:

This Should be Impossible

Ahead of July 13, there was no shared risk assessment. Ahead of September 10, there was no shared risk assessment. On July 13, no one person was ultimately responsible for security. On September 10, no one person was ultimately responsible for security. These are facts that few know, but are matters of public record. From these simple facts, one can infer the whys and hows of the assasinations. And yet there are ten thousand hours of whodunit content and not one major media report on the obvious similarities between the shootings, and obvious reasons why the assassins were so successful: security teams failed in obvious ways. Their failures were attributable to sheer incompetence stemming from identifiable bad practices: no shared risk assessment, no unified command, and the use of a concentric circles approach that amplifies these issues. Lethally outdated practice dominates an unregulated profession. We have this fantasy that security professionals are John Wick, well-armed with drones, radios, and perfect accuracy. They are not. They are more often cops or ex-cops, getting tattoos with their buddies, or maybe even overweight models who can’t pass a physical fitness test. It is tempting to think the lack of competency is a Democrat problem, but it’s not: it’s industry-wide. The competency crisis is affecting executive protection and is not solely attributable to DEI. What unites Brian Harpole’s Integrity Security Solutions and the Secret Service’s unusual recruitment practices is that both exhibited narcissistic tendencies, emphasizing inward-looking cultures over performance. It is not an exaggeration to say that Harpole’s team may have spent more time getting tattoos together than preparing for the UVU event, or, in turn, that the Secret Service spent more time on DEI than on preparing for the Butler rally. Can what Christopher Lasch termed a “culture of narcissism” coexist with a culture of professionalism?

Professions seem to have reoriented themselves from “jobs” that one does to “social clubs” that one participates in. The security industry may be especially affected, as it is dominated by ego and small teams. Just as the left has undermined merit through diversity quotas, the right has undermined merit through a culture of status-based networking. This is distinct from the masculine codes of honor that once dominated professions—Harpole’s refusal to resign would have no place in that world. Harpole’s hiring methods selected for trust and closeness, a natural result of a politically polarized culture, which nonetheless encouraged groupthink and a failure to engage in dynamic planning. This is the same problem with diversity statements, only in the other direction. The fear of infiltration by hostile actors fostered an insular mindset that ultimately rendered Harpole’s team, literally, shortsighted. Security teams operating as clubs create siloes, limit what expertise they can access, and perpetuate a certain brand of thought. Imagine Harpole’s team, its tattoos, its literally small bubble—and extrapolate those dynamics to a whole industry. For example, the Board of Executive Protection (BEPP) is almost exclusively composed of Secret Service personnel and thus emphasizes its methods. ASIS EP is almost all corporate EP backgrounds. Others, such as the International Protective Services Board (IPSB), are law-enforcement focused and employ outdated techniques. Their tactics are their identity, more than a trade.

Fortunately, reforming the security industry is possible. Congress, DHS, or the FBI, in collaboration with industry partners, could establish new standards for EP; doing so would benefit our democracy. Successful assasinations are politically and socially destabilizing. Violence is like fire. The more it consumes, the hungrier it gets.