Best in Class: GSOCs and Global Risk Management
When a gas explosion left one person dead and 25 injured, and destroyed or damaged 40 homes within three communities in the North Andover, Massachusetts, area last September, Chris Nesman, CFM, was receiving “second by second” updates about the situation.
Nesman, who is Senior Manager, Facilities Technical Operations for EMD Serono, was sitting in EMD Serono’s new Security Operations Center (SOC), and he had access to information that helped the EMD Serono security team to assess any possible disruptions to the company’s facilities within close proximity to the situation, in addition to employees who lived in those communities.
“We had complete access to information as the situation unfolded, and we were able to employ our mass notification system to contact our employee base and do health checks,” Nesman says.
EMD Serono is the U.S. biopharmaceutical business of Merck KGaA, Darmstadt, Germany. The company’s one-year-old SOC is located in Billerica, Massachusetts. “As a global business with global risks, we decided that we needed to be more proactive, versus reactive, and a SOC is one of the methods to achieve that,” he says.
Nesman was part of the design and build process. Before the SOC was built, Nesman reviewed other Global Security Operations Centers (GSOCs) and command centers to help him and his team make decisions on layout and the security technology. His advice to those looking to build a SOC? “First, I recommend deciding what you want to accomplish with the SOC and establishing its scope. Is it a true GSOC, or something to only monitor local operations? And what do you want to monitor – all assets or just critical assets? I also recommend a soft start, especially with new technology platforms, and then continue to layer on top of that,” he says. “Last, I recommend integrating the security technology, instead of using standalone packages, to help you to get the most out of the system and to achieve the second by second data that an integrated system can give you.”
That’s the power of a security operations center and a GSOC. And while a GSOC is not a new concept, its value is more recognized than ever as a necessity to support business goals and operations. It can provide situational awareness, real-time crisis management and risk mitigation, in addition to advanced 24/7/365 monitoring capabilities to make decisions regarding the safety of employees and operational continuity in the event of a crisis or security situation.
A GSOC can take the form of a new facility, or it can be housed in an existing one. And one size does not fit all with a GSOC, of course. Factors such as enterprise size, security budget and risk needs analysis all come into play.
Michael Wanik, Senior Director, Corporate Security for United Therapeutics Corporation, had the opportunity to build a GSOC, as well.
“I literally had to start from scratch to analyze what real estate we owned,” Wanik says. “We started to build and purchase the technology in 2014. We carved out a space in an existing building. With the first version, I took used furniture from a company warehouse. I felt it more important to get the [security] technology than to have the look. At one point our CEO came in and said to me, ‘This is amazing but how come it looks like this?’ And I told her that I have functional money, not Feng Shui money. And I got that money after that conversation to upgrade the design and layout.”
Wanik designed the GSOC’s access control system around the Good Manufacturing Practice (GMP) system, which ensures that products are consistently produced and controlled according to quality standards. The access control is therefore a validated system. Computerized system validation (CSV) is the documented process of assuring that a computerized system does exactly what it is designed to do in a consistent and reproducible manner. It is designed to minimize the risks involved in any pharmaceutical production.
The GSOC not only monitors social media and geopolitical events and has an enterprise-wide networked intercom system and IP video surveillance, but also has an ID card provisioning system that’s tied into HR to ensure seamless employee access and non-access for all company facilities, 24/7. Additions and terminations of card access are streamlined by the integration, which removes touches while also archiving approvals and other actions.
By 2017, the GSOC began to show its true value to other business units at UTC. “We became the center of the universe for information, a clearinghouse for data that all employees could use,” Wanik explains. “I felt like someone who had just cut his lawn and was standing back to admire his work. I had that moment of pride, because we had been working so hard and building and building and building for so long. I’m a believer in continuous improvement. And in 2017 we arrived at the level where I was satisfied that the heavy lifting was done.”
“One great success story with the GSOC is with [the 2017] Mexican earthquake, where after seeing data from social media, we were able to proactively reach out to a few affected travelers and coordinate their movement from their work site to a hotel and then place them on a flight out of the area the next day, as we knew ahead of time that the airport was going to close,” Wanik adds. “We were ‘ahead of the line’ for hotel reservations and for a flight out of country. Our travelers were amazed that we were calling them to get them to safety; they weren’t calling us for help.”
He continues to make adjustments, however, based on the GMP system. “We are currently doing failover testing to ensure that if we lose our servers we still have our access control system in place.” He’s also looking to change the emergency messaging system. “I inherited an emergency messaging system that needs an upgrade because technology is changing, and I need to be able to get data input from employees through apps into the SOC that they can launch from their individual phones.”
What advice would Wanik give colleagues who are looking to build a GSOC? “Know your vision and how it fits into your culture. A GSOC provides a lot of opportunities to touch individual employees and allows business managers to see the value of security. For example, our GSOC took on the role of backup of drug temperature monitoring. While there’s an organization that monitors the stability of drugs, I inserted ourselves into the business as a backup, because what if that employee can’t make it into work and the drug fails because the temperature failed? You have to find those types of opportunities that aren’t security, but that add value to all business units.”
Wanik is quick to give credit to the UTC leadership for the opportunity to create the GSOC. “I came to United Therapeutics and I had a blank slate. All of the stars were aligned so I’m very lucky.”
In the summer of 2017, approximately 3.4 billion people watched the FIFA World Cup in 12 Russian cities. Among the spectators were 1,000-plus Visa high-profile executives, clients and guests. A worldwide partner of FIFA since 2007, Visa is the Official Payment Services Partner of FIFA activities around the world.
Also keeping a close eye on the event were Visa’s Don Hill, Head of Global Security and Safety; Corey Vitello, Senior Director, Global Security and Safety; and Mary Hackman, Global Security Operations Center and Protective Intelligence Manager, via the company’s GSOC in Ashburn, Virginia. “We relied heavily on the GSOC for 24-hour incident monitoring and response support as well as intelligence analysis on a daily basis,” Hackman says. “We also tracked personal safety issues such as thefts, health concerns and weather events. There was a wide variety of issues, from health to terrorism, from crime to weather, that we tracked that might have had the potential to affect the Visa staff or guests.”
Visa’s state-of-the-art GSOC includes an extensive video surveillance system and social media monitoring, in addition to monitoring of major television news networks. What makes its GSOC unique is a proprietary technology dubbed the Security Risk Management System (SRMS). SRMS sits behind Visa’s firewall and lets the GSOC team grab data feeds from various important sources throughout the company and then overlay any intelligence received through vendor data feeds to provide a clear threat picture. “We created our own system so that we could have several sources of data,” Vitello explains. “When an incident happens anywhere in the world, it alerts us on our map. With one click of a mouse on an alert icon, a report is generated within seconds that tells us what happened, who to contact, which travelers are on ground, which travelers are en route and even which travelers will be there within the next two weeks and who could be affected. The technology alerts us to any expats or telecommuters that are in the area of an incident, be it a terrorist attack or natural disaster. We’re pulling data feeds direct from our trusted security intelligence providers, corporate services, HR, corporate real estate; from our corporate events group and from our travel provider. So, we are a one stop shop for all things that are important to Visa, and we know what our risk exposure is at any moment. And, we’re quite proud of that.”
Hackman adds, “I haven’t seen anything [from a vendor] that does what our system does. So I encourage others not to feel limited by what’s out there [with technology], but keep trying to work to find your own solutions.”
Closer to home last year, the Visa GSOC team was involved when Hurricanes Florence and Michael hit the East Coast, in addition to the wildfires in California, particularly with telecommuters. “But essentially it’s involved any area where we have assets on the ground,” Hill says. He adds, “Another example is the PyeongChang Olympics. It was just all-consuming to Visa, because again as a sponsor, we invited a lot of VIPs and Senior Clients. Once we got there, we were monitoring the norovirus and other health issues and the extreme cold. It all went well, but major issues can take place when you have 300-400 staff on the ground that aren’t used to extreme cold weather. While we had a world-class team of operatives on ground, the GSOC supported Visa’s programs remotely on all issues from an intelligence or medical or security perspective.”
When asked to name a specific incident that the Visa GSOC has mitigated, Vitello notes: “It’s very difficult for anyone to say that their GSOC mitigated something. Our GSOC has been there to respond effectively and efficiently and been able to reach out and account for employees, anything from the Westminster Bridge attack in London to things taking place while we were in Russia for the World Cup [in 2017]. Whenever something happens, they [the GSOC team] are the first responders. They see it, they have protocols in place and they are able to get information to the people that can make judgment calls really quickly with as much information as possible. And within 30-45 minutes the message is sent up to our executive team. That all goes a long way to enhancing our security brand within our own organization. So, I can’t say that having a GSOC has stopped a terrorist attack or a plane from going down, but certainly it’s been in place to help us account for the safety of our assets, provide assurance that we have our employees’ backs anywhere in the world, and to get out the word to Visa executives and employees soon after an incident occurs.”
Hill’s advice for anyone looking to build a GSOC is to first meet with groups that have established GSOCs. “I’ve yet to meet a GSOC manager that won’t give you everything as far as advice and benchmarking,” he says. “They want to share. They want everyone to have a wonderful GSOC. They’re willing to share data, on technology, what works and what doesn’t work and lessons learned.”
“You need to know your risk exposure and exactly what you’re trying to do with the GSOC,” Vitello adds. “You don’t have to be a Fortune 200 or Fortune 300 company to establish a GSOC. We all have a duty of care to protect our employees, wherever they are in the world. But, it doesn’t take building your own proprietary system and spending a ton of money on beautiful screens and tons of resources. And only do what’s absolutely necessary at first. Take baby steps. Grow and learn over time. Because if you spend a lot of money on a gorgeous GSOC and then you make a mistake, or fail in some way – even if in perception only – an executive is going to wonder what you’re spending money on. Also, have the right talent pool in place, focus on customer service and know exactly what problem you are trying to solve by having a GSOC.”
[Editor’s note: As of this writing, Corey Vitello has joined the security team at Stripe, a San Francisco-based payments technology company.]