Establishing a Global Security Operations Center (GSOC) may seem like a daunting task, given the utter complexity of pulling together so many disparate lines of intelligence, security systems, travel tracking and more. But then enterprise security leaders face the bigger challenge: funding it over the long-term.

The key on both counts, says Brad Minnis, Senior Director of Corporate Safety & Security for Juniper Networks, is staying focused on your mission. Juniper has both a corporate GSOC in its Sunnyvale, California, headquarters and a regional SOC in Bangalore, India, to coordinate worldwide monitoring and incident response.

“Every company is different, so the priorities for the GSOC will be different based on the industry you’re in, the assets you have, what culture you’re in,” he says. When it comes to technology, services and cost-effectiveness, “it starts with is a focus on what your priorities and objectives are for your particular organization. In a lot of GSOC environments, people try to do too much, so you end up overloading the GSOC with meaningless information.”

From that mission, Minnis and his department create and revise three-year strategic plans annually for the GSOC, looking at what needs to happen as an organization to keep up with physical security, health and safety needs. When a purchasing decision or operational change comes up, it can always be weighed against that three-year plan to determine if it’s a worthwhile investment for the mission of the GSOC.

“The whole idea behind the GSOC is we want to keep our assets out of harm’s way,” says Steven Ibison, Chief Security Officer for Noble Energy. “We want to maintain constant awareness of all our assets. We want to be able to identify and communicate the threats that we see coming into the GSOC, and we want to mitigate that risk by keeping people out of harm’s way.”

Noble Energy is a natural energy exploration company, with operations in Israel, Cypress, Egypt, Mexico City, West Africa, the Gulf of Mexico, Colorado and West Texas. The GSOC is located in the Houston hub, but a smaller SOC is located in Tel Aviv. When Ibison came onboard as Noble’s first CSO in 2013, it quickly became obvious to him that there was no way to centralize communications, so if something were occurring in the Eastern Mediterranean, it was unlikely that executives in Houston would know about it, at least not quickly. By utilizing a GSOC that manages emergency communication, threat monitoring, enterprise access control, security video and more, Ibison’s team can keep leadership and stakeholders informed of developing incidents with hour-by-hour updates to better inform their decision-making.

For example, in a 2014 conflict along the Gaza Strip, missiles were being shot into Israel. Through the GSOC, Ibison and his team kept key leaders informed and aware of any new developments. “We are the largest producer of natural gas in Israel,” Ibison says. “It’s very important to our company that this continues, and we need to keep our business leaders here in Houston aware so they can make those important decisions.”

For Oracle Corporation, the construction of its three GSOCs – one for the Americas; one for Europe, Africa and the Middle East; one for Japan and Asia – involved closing around 20 regional operations centers to unify threat analysis across entire regions, not just countries, giving Oracle a “true global picture,” according to Michael Maloof, Oracle Vice President of Physical Security.

“As the world begins to experience some of these unfortunate events, whether it’s terrorism or acts of war, we’re able to view how those situations impact not just a single site or a single city but an entire region for Oracle,” he says. “And where that really comes into play is for our travelers – they may be traveling through a region or visiting a new city, and the Oracle GSOC helps manage our travelers, mitigate any potential issues, and if an unfortunate incident occurs, we can reach out to employees and travelers in a particular region and verify their welfare and check on their status. Not only that, but provide them next steps. Do we want them to leave the country, is it safer to stay in their hotel, etc… Having GSOCs in those areas helps by giving our employees a single number to call for any issue they might have.”

 

Simplify, Simplify, Simplify

If the world were run by engineers and technicians, there would be sensors and alerts on every piece of machinery, and the sheer noise would prove unmanageable for even the most robust GSOC, says Minnis. When it comes to selecting the technology and services provided by your GSOC, “Simplicity is key.”

He adds: “We try to standardize how we present information to operators so it’s easy to interact with the technologies we may have in the GSOC, and there’s a limit to the number of technologies you have to learn to operate… There’s a tendency to put in technology that monitors everything, but the operator is presented with a lot of stuff that’s actually meaningless. Of all the information that’s displayed in a GSOC to an operator, in my opinion, 60-70 percent is not valuable. How do you minimize the amount of information that’s not useful and focus on what’s most important and actionable?”

It’s essential to review the systems in operation at any given time regularly, he says. As technologies and systems develop, they may start overlapping with other programs in use, and then enterprise security leaders can consolidate. Say, if the next generation of your enterprise access control technology gains functionality for visitor management and employee access requests, do you need disparate systems for the latter two functions? “What we look to do is reduce or consolidate the overall number of deployed solutions to make the most of our investment and also reduce maintenance cost on tools that are redundant,” Minnis says.

To stay informed on security technology’s evolution, Minnis has a “tech guru” on his staff who attends ISC West, ASIS and technology provider events and learns where technology is headed over a three-year period, which helps to drive and inform the department’s strategic planning. Having a dedicated technology expert also helps when coordinating security technology installations and maintenance with IT, Minnis adds.

When it comes to adding new technologies, “there’s a significant amount of time that we’re evaluating the product, talk to people using it, visit other locations where it’s in use, determine how it may add value to our operation… there’s a relatively rigorous evaluation project before we make a significant investment for a global deployment.”

“Technology can change overnight,” says Ibison. “There’s always something better out there. We are constantly looking at new technology, pricing new technology. You can always go out and buy the new shiny thing, but that’s not always what you need. We’re always staying focused on what the mission of the GSOC is, staying within that box, and looking at the technology that will get us there – it’s not always the most expensive technology, but it’s what can get us there.”

Ibison utilizes Everbridge’s Critical Event Management platform and Visual Command Center to overlay multiple intel streams and feeds into one common operating picture for GSOC analysts. “We’re not a big company, and I can’t hire five or six guys to sit down there 24/7, so one or two people needed to be able to monitor all that at all times, so they can tell me that if there’s someone traveling from Egypt to Paris tomorrow that there’s nothing going on in either place that would hinder those plans or that traveler,” he says. “Most people are visual; with this system, analysts can go down and put up pictures on the screen of where everyone is, globally, where aircraft with our personnel are, weather patterns, protests or airline strikes… overlapped on these maps to give us a quick, down and dirty assessment of what’s going on.”

“We’ve gone away from CCTV walls of different sites, and we’ve gone to a picture of the world – in terms of where are our travelers, where are our employees, what are the threats for an area, what’s the crime profile – and getting real-time analytics… that’s where we’re focusing our GSOC operations,” says Maloof. “Let’s say that a terrorism incident occurred in XYZ city and we have 13 employees there. Our tools prioritize that as something we need to act upon immediately. At the same time, the press of one button will tell us all the employees and travelers we have in that city, and you click another button and our employee notification system begins to activate and verify the welfare of every employee noted. In the past that was a very intensive process that involved constantly looking at newsfeeds and where that is in relation to sites, where we have travelers, etc. As this technology expands and improves, we would anticipate a manpower reduction as a result.”

 

A New Kind of GSOC Operator

While technology is altering the number of operators needed to maintain situational awareness and response in a GSOC, it’s also changing the type of operator that enterprises need.

“What we are looking for in a GSOC operator has changed,” says Maloof. “Customer service is paramount. When somebody calls security, they’re typically having a bad day at work, and we want to eliminate that potential problem for them and resolve it as quickly as possible. But also having somebody with a wider worldview of what’s occurring… An excellent security officer is not necessarily an excellent GSOC operator. We’re looking for a new skillset more closely aligned to a threat analyst position. In our Colorado center, we want someone who knows the United States very well, is familiar with Latin America, is familiar with how travel occurs – you should know that Dallas, Houston, Atlanta are major airline hubs… We’re looking at folks that understand geopolitical issues, understand customer service, understand how the world operates: Are you familiar with various news sites? Are you aware of events occurring in the world? We’ve seen that change in recent years, and it puts the pressure back on our contract provider to find the appropriate level of staff. We’re finding there are folks from the military – we’re a huge proponent of military hire (we have program in place with Warriors in Transition), and that’s a great resource for us.”

Adds Minnis: “Regardless of the technology that you use, you’ve got to take into consideration the personnel you use to operate those systems. A lot of companies spend millions of dollars on technology and then put a minimum wage security officer behind the desk to try and manage it. It’s critically important that you align the capabilities and skill levels of people you have in place in your GSOC to effectively manage your systems.”

The Business Assurance Center (BAC) at Amazon functions, essentially, as the GSOC for Amazon Corporate Security (ACS). The BAC is an integrated part of Amazon’s Global Threat Management (GTM) team whose promise is to preserve life, protect assets and promote community, says Scott Jones, Head of Global Threat Management for Amazon. Contract GSOC analysts and in-house security personnel manage a high volume of alarms, field calls about security issues and provide customer service to internal clients.

“As security technology advances to help mitigate nuisance alarms, it unlocks analyst time and allows more focus on customer service. Internal customers will rarely interact with the GSOC for security-related issues, but will often reach out for support for simple things like help with finding lost keys or getting access to a parking garage. These seemingly small interactions are incredibly important and serve as the first opportunity for the BAC to earn trust with its partners,” says Nathan Nguyen, GSOC Manager.

Early on in the life of the BAC, Jones decided to take a different route when hiring. He looked for potential hires with backgrounds in hospitality and journalism, in addition to traditional security personnel. “A diversity of skills, opinion and thought processes allows us to have a stronger product in the end,” he says.

 

Marketing the GSOC

There’s no question that a GSOC is an expensive investment, but cutting costs isn’t necessarily the best way to make it worthwhile to the enterprise. Technology can reduce the number of operators needed around the clock, and some services have tangible ROI, but getting buy-in hinges on communicating those benefits effectively, and continuously looking for new opportunities to provide value.

“Thinking of it as a budgetary black hole shows a lack of creativity in marketing your security operations center,” says Jones. “Make your GSOC bigger than security – it’s not just an alarm shop; you have more capabilities, so market those as an employee benefit. Look beyond the term ‘security’ even, because most GSOCs are doing more.”

In marketing the BAC, Jones and Nguyen took cues from previous experiences within entertainment (Jones) and technical (Nguyen) industries. They take a multi-modal approach to communications and marketing by leveraging myriad internal resources to support education and socialization benefits and services. Creative approaches include the use of infographics for analytics, videos and stakeholder tours of the BAC. Their goal is to not only explain security to employees through the lens of the BAC but to make the center as real to people as possible.

“Whatever operations center you have will tell its own story,” Jones says. “Try to break the mold and learn from how other industries market their services. Seek opportunities to tell your story more creatively. And while we cannot be prophets of our own story, we can evangelize through other departments and customer impressions. Whatever you do, obsess over your own customers – not the competition!”

Marketing the GSOC doesn’t need to be complicated. At Noble Energy, Ibison gives GSOC tours to the Board of Directors, executives and other stakeholders. “A lot of times folks within your own organization don’t realize all the big things and little things that a GSOC brings to the table. We want to let folks know,” he says.

Oracle also offers GSOC tours, and Maloof has a dedicated education and awareness manager for the security department who helps to discuss the GSOC and its services at Oracle events or team meetings. “We ask attendees at these sessions to think about their lines of business, and if there’s anything the GSOC could do to help support them. And that has been very well received from the executive level down to individual teams. We have taken on additional roles and responsibilities as a value-add to Oracle, such as our facilities emergency updates, traveler protection… in essence, we are constantly saying that security is a resource to any line of business out there, and between lines of business and security, we put our heads together and ask what else we can take on that would be well-aligned with our GSOC at the same time providing support and relief to some other lines of business.”

To calculate ROI, Maloof looks at the intangible benefits such as the peace of mind from having a proactive traveler protection program, as well as the tangible, financial benefits. Each Oracle GSOC has a contract systems and technology expert on staff 24/7 with 100-percent ROI. These experts mitigate and manage alarms that appear to be troublesome or a potential malfunction, often performing a repair from the GSOC through reprogramming or modifying the schedule for a particular alarm, to reduce service call demand. If an on-site technician is needed after all, they can call the GSOC technology expert to get a full briefing of the situation, and both sides will work together to test the technology after the repair, reducing the need for repeated calls to the site.

“The value of a GSOC is overwhelming to an organization, and it is a requirement for any larger security organization,” Maloof says. “I fully understand that not everyone has the capital infrastructure to build their own, and there are various ways of outsourcing that, but the old methodology of a GSOC – someone to answer the phone for security questions and mitigating alarms – there’s so much more that a GSOC can do, and that’s where we’ve found the real value: supporting the safety and security of our employees globally, from the number of different initiatives, both forward looking and reacting when an incident does occur. That for us is the true value of a GSOC.”