Should global organizations have a global security operations center (GSOC)?
“How did you go bankrupt?”
“Two ways. Gradually, then suddenly.”
- Ernest Hemingway, The Sun Also Rises
I was working with a head of risk management—the chief risk officer—at a global organization that does not have a GSOC. One night over dinner, I asked him why his organization didn’t have one, and suggested he spearhead the initiative. His response? “I’m not convinced we need one. The organization has always operated without a GSOC, so why start now?” He also said, “The reality is, we’re already doing it here and there. The system works fine. Let people do their thing.” Something that seemed so obvious to me and so unnecessary to him left me on the defensive and him on offense.
The reality is, if you’re a global organization, you need a GSOC—or some version of it. If you don’t have one, you will need to communicate the severity of the situation and get one. Allow me to illustrate the need for such capabilities so you can justify the business case to your leadership and board…
What is a Global Security Operations Center (GSOC)?
There is no standard, general definition. Most literature leaves the purpose and specifics to the individual organization. But basically, it’s a center that handles internal and external risk and security processes. It can include everything from threat intelligence, cyber security, travel security, incident and crisis management support, crisis communication support, and security background checks to business continuity support—and much more.
Here are three primary justifications for GSOC capabilities:
Statistics: The Numbers Don’t Look Good
One winter night during one of the many German air raids on Moscow in World War II, a distinguished Soviet professor of statistics showed up in his local air-raid shelter. He had never appeared there before. “There are seven million people in Moscow,” he used to say. “Why should I expect them to hit me?” His friends were astonished to see him and asked what had happened to change his mind. “Look,” he explained, “there are seven million people in Moscow and one elephant. Last night they got the elephant.”
- Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
The numbers tell the story. In today’s world the sources of complexity are accelerating. These sources include events and threats. The complexity is rooted in the speed and density of their connections and interdependencies. In a web of accelerated and dynamic complexity, it’s difficult to see cause and effect, and more challenging to see cascading effects. Hidden and residual risks, as well as the need to take greater risk to survive and thrive, trouble an already challenging environment. To put the situation into context, we can look at a few basic numbers to find answers and endorsements (i.e., to make a point) for a GSOC. Here are some beautiful statistics pulled from the books Out of the Mountains, by David Kilcullen, and Glass Jaw, by Eric Dezenhall.
Population Growth by year:
1250: 420 million people
1750: 790 million
1800: 1 billion people
1900: 1.6 billion
1950: 2.5 billion
2000: 6 billion
2010: 6.8 billion
… and projected for 2100: 10 billion people
Urbanization by year:
... and projected for 2050: 70%
5 exabytes of content were created between the birth of the world and 2003; today, 5 exabytes of content are created daily
Facebook users share nearly 2.5 million pieces of content
Twitter users tweet nearly 300,000 times
Instagram users post nearly 220,000 new photos
YouTube users upload 72 hours of new video content
Apple users download nearly 50,000 apps
Email users send over 200 million messages
Amazon generates over $80,000 in online sales
Travel [via Boeing]:
1.1b people on 18m flights
1,260 million flight hours since 1959
686 million departures since 1959
2010: 1t (2m per minute in 2012)
2015: 4m per minute (20 petabytes of information per day in 2014)
1980–2013: 12,102 outbreaks of 215 human infectious diseases, comprising more than 44 million cases occurring in 219 nations
The data points to massive risk growth all around that wreaks havoc on our risk landscape. The World Economic Forum’s Global Risks 2015, 10th Edition, provides significant evidence of the changing risk landscape. It’s an environment that must be actively managed. Today’s and tomorrow’s environment ensures our businesses operate across a spectrum of threats. These factors create an environment of instability and a continuing state of persistent threats. Our public and private infrastructures are stressed. Conflict erupts quickly. Bottom line: We need capability within organizations to help us manage and respond to this dynamic, changing, complex, and connected world we operate in.
The GSOC(s) assists organizations and their leaders with reducing uncertainty to manageable levels. It’s a mechanism to ‘make sense’ out of risk and security trends, situations, and decisions. A GSOC assists with determining normal vs. abnormal data, creating insights, and providing predictive intelligence, as well as establishing preventative measures. Visibility, detection and speed are paramount to being agile. In order to capture what Daniel Diermeier calls the decisive moment or succeed in what Gary Klein calls “the golden hour”, organizations need GSOC capability. As Eric Dezenhall says in Glass Jaw, “It is a lot easier to start a fire than put one out… even when you do get the fire out you still have a big mess.”
An internal intelligence capability is necessary to do business in today’s world. A GSOC provides a much-needed risk and security information and knowledge management capability. Information management is the science of getting accurate information to the right person at the right time, in a digestible and immediately applicable format. Knowledge management is the art of being able to apply and transfer knowledge throughout the organization. Information must become knowledge. Information and knowledge management are critical to making effective decisions, developing situation awareness, creating common operating procedures, and accessing information outside of the organization to aid in the intelligence process. The process keeps leaders and managers from being overwhelmed with information.
The information you have is not the information you want. The information you want is not the information you need. The information you need is not the information you can obtain. The information you can obtain costs more than you want to pay.
- Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
Beta is a measure of the volatility, or systematic risk, of a security or a portfolio in comparison to the market as a whole. Beta is used in the capital asset pricing model (CAPM), a model that calculates the expected return of an asset based on its beta and expected market returns.
I am using “beta” here to illustrate the downside of risk. In addition to the growing global numbers, our business environments are embedded in a setting of complex change, which comes with opportunity as well as risk. The risk element, which our profession deals with, creates an environment of instability and a continuous state of persistent threats. Global organizations have something “bad” happening every hour of every day because of their global presence and business networks. Not only do global organizations face every known threat, they have 100,000s+ ways of interpreting threats because of their diversity in countries, currencies, religions, norms, languages, ethics, demographics, and experiences. We no longer operate (and perhaps we never did) in an environment where we “turn on the emergency operation center.”
In addition to facing every threat, global organizations are increasingly burdened with what Daniel Diermeier calls Private Politics. In these situations, companies are expected to fill many of the obligations that in the past were tasked to governments or social organizations. It’s necessary for organizations to work with governments and NGOs to ensure appropriate business practices and employee support exist.
There are also constant organizational changes (e.g., acquisitions, mergers, partnerships, business models, leadership regimes). Organizations continue to transform with efficiency initiatives, technology implementations, value propositions, calibration of culture (e.g., better, faster, cheaper), etc. to stay competitive. A GSOC helps break down silos of excellence, ensure shared data, and provide transparency.
As organizations look for ways to innovate, increase efficiency and effectiveness, and reduce cost, they turn to business partners and supply chains that span the world. More and more of an organization’s risk lies outside of their direct control. In my interview with Yossi Sheffi, he speaks to two of his favorite crisis management case studies that illustrate supply chain GSOC capabilities. The more risk outside, the more need for a GSOC.
Brand and reputation are the lynchpin for success in a tumultuous setting. Managing messaging and media is important for our reputation, and messaging and action cannot be separate activities. The news cycle has changed dramatically with changes in technology. We need to speak before we know what is happening. Being on stage (i.e., in the media) can be frightening for most executives. Everyone is watching… and judging. The public is looking for a singular cause, a linear sequence of events. Everyone wants to know the story—who is the victim, the villain, and the hero. We need to actively shape perception.
A GSOC can assist with creating and reinforcing a culture of risk, resiliency, and security. Dedicated to risk and security, it pursues concerns we typically don’t evaluate such as concentrated risk, residual risk, hidden risk, and compounding risk. Global organizations inherently have the best intelligence capability if they can learn to harness, cultivate and harvest it. With 1,000s or 10,000s or 100,000s+ employees and business partners, there isn’t a threat pulse that can’t be monitored. Using specialized threat intelligence business partners and alliances / coalitions, organizations use their GSOC (i.e., shared service) to be able to optimally manage and respond to threats to protect their people, products, profits, and the planet. The GSOC should guide the organization’s thinking on risks, as well as generate information about threats to influence decision makers. The ability to have predictive intelligence and anticipate threats can prevent and reduce impact to our organizations. The GSOC’s ability to detect and internalize threats is a necessary trait for proactive responses; but the center can also exploit business opportunities, as well as turn incidents and crises into opportunities.
The prospect of getting rich is highly motivating, and few people get rich without taking a gamble.
- Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
Alpha is used in finance to represent two things: 1, a measure of performance on a risk-adjusted basis. Alpha, often considered the active return on an investment, gauges the performance of an investment against a market index used as a benchmark, since they are often considered to represent the market’s movement as a whole. The excess returns of a fund relative to the return of a benchmark index is the fund’s alpha. Alpha is most often used for mutual funds and other similar investment types. It is often represented as a single number (like 3 or -5), but this refers to a percentage measuring how the portfolio or fund performed compared to the benchmark index (i.e. 3% better or 5% worse). Alpha is often used with beta, which measures volatility or risk, and is also often referred to as “excess return” or “abnormal rate of return.” 2, the abnormal rate of return on a security or portfolio in excess of what would be predicted by an equilibrium model like the capital asset pricing model (CAPM).
I am using “alpha” here to illustrate the upside of risk. The upside of risk is just as important as managing the downside. Participating in strategy decisions, which are at the root of most reputation crises, performing proper due diligence, designing new products, developing business development, etc. all have a risk element to them. There is a saying that “70 percent of the cost and risk inherent in a product is built in the design.” The GSOC can assist leaders with facilitating and maintaining scenario planning, research, pre-mortem as well as post-mortem analysis, red teaming, branches and sequels, planning and plans, as well as tracking, monitoring, and reporting.
Two examples of companies integrating crisis and business are Walmart and Home Depot. Both organizations use weather patterns and crises to reallocate products to affected locations, which increases sales and customer service.
Industry intelligence is another GSOC alpha. One organization’s failure is a competitor’s victory. In this situation, the GSOC has its eyes and ears on what’s happening to the competition with a goal to capitalize on any risk and security inadequacies. Many times crisis is the only catalyst for change, whether the crisis is internal or external to the organization. It can be difficult to make necessary organizational changes without a crisis because we (humans) prefer predictability and the status quo. We are more likely to make errors of omission (i.e., ‘do nothing’) than errors of commission (i.e., action). Once a structure or process is in place, it’s difficult to change it as it affects people who own it and belong to it.
A crisis is an opportunity to earn and cultivate a tremendous amount of brand equity that can be leveraged for decades. Actively searching and preparing for crises from a competitive advantage increases an organization’s alpha.
Global organizations need a clearinghouse for risk and security processes, activities, and communication. A GSOC is not just a defensive capability, it’s a competitive advantage.