Is it necessary for a global organization to have a Global Security Operation Center (GSOC)?
“How did you go bankrupt?" Two ways. Gradually, then suddenly.” - Ernest Hemingway, The Sun Also Rises
I was working with a head of risk management - Chief Risk Officer - at a global organization that does not have a GSOC. One night over dinner I questioned him 'why not' - why doesn't his organization have one? Why doesn't he spearhead the initiative? His basic response was 'why' ... "I am not convinced we need one. The organization operates without a GSOC, so why now." He also stated "the reality is we are already doing it ... here and there ... the system works fine ... let people do their thing". Something that seemed so obvious to me and so unnecessary to him left me on the defensive and him on offense. After I reflected on the discussion, I wanted to formalize and share my thoughts.
Back to the question - simple answer, yes. If you are a global organization, you need a GSOC or some version of it. If you don’t have one, you will need to communicate the severity of the situation. The purpose of the thoughts in this post are to illustrate the need for such capabilities so you can justify the business case to your leadership and board.
What is a Global Security Operation Center (GSOC) ?
There is not a standard, general, definition. Most literature leaves the purpose and specifics to the individual organization. Basically, it is a center that handles internal and external risk and security processes. It can include everything from threat intelligence, travel security, incident and crisis management support, crisis communication support, security background checks, to business continuity support ... much more. If you have a standard definition, please post comment.
Here are three (3) primary justifications for GSOC capabilities:
- Statistics
- Beta
- Alpha
Statistics - the numbers don't look good
“One winter night during one of the many German air raids on Moscow in World War II, a distinguished Soviet professor of statistics showed up in his local air-raid shelter. He had never appeared there before. “There are seven million people in Moscow,” he used to say. “Why should I expect them to hit me?” His friends were astonished to see him and asked what had happened to change his mind. “Look,” he explained, “there are seven million people in Moscow and one elephant. Last night they got the elephant.” - Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
The numbers tell the story. In today's world the sources of complexity are accelerating. These sources include events and threats. The complexity is rooted in their speed and density of their connections and interdependencies. In a web of accelerated and dynamic complexity it is difficult to see cause and effect and more challenging to see cascading effects. Hidden and residual risks, as well as the need to take greater risk to survive and thrive, trouble an already challenging environment. To put the situation into context we can look at a few basic numbers [to make the point] to find answers and endorsements for a GSOC. Here are some beautiful statistics, which I have pulled from the books Out of the Mountains by David Kilcullen and Glass Jaw by Eric Dezenhall.
Massive risk growth all around that wreaks havoc on our risk landscape. The World Economic Forum - Global Risks 2015 10th edition, provides significant evidence of the changing risk landscape. It is an environment that must be actively managed. Today and tomorrow's environment ensures our businesses operate across a spectrum of threats. These factors create an environment of instability and continuing state of persistent threats. Our public and private infrastructures are stressed. Conflict erupts quickly. Bottom line - we need a capability within organizations to help us manage and respond to this dynamic, changing, complex, and connected world we operate in.
The GSOC(s) assist organizations and their leaders with reducing uncertainty to manageable levels. It is a mechanism to 'make sense' out of risk and security trends, situations, and decisions. GSOC assists with determining normal vs. abnormal data, creating insights, and providing predictive intelligence, as well as establishing preventative measures. Visibility, detection and speed are paramount to being agile. In order to capture what Daniel Diermeier calls the decisive moment or succeed in what Gary Klein calls the golden hour, organizations need the GSOC capability. As Eric Dezenhall says in Glass Jaw, "it is a lot easier to start a fire than put one out ... even when you do get the fire out you still have a big mess."
The need for an internal intelligence capability is necessary to do business in today’s world. GSOC provides a much needed risk and security information and knowledge management capability. Information management is the science of getting accurate information to the right person at the right time, in a digestible and immediately applicable format. Knowledge management is the art being able to apply and transfer knowledge throughout the organization. Information must become knowledge. Information and knowledge management are critical to making effective decisions, developing situation awareness, creating common operating picture, and accessing information outside of the organization to aid in the intelligence process. The process assist leaders and managers from being overwhelmed with information.
Organizational Beta
“The information you have is not the information you want. The information you want is not the information you need. The information you need is not the information you can obtain. The information you can obtain costs more than you want to pay”
― Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
Beta - Beta is a measure of the volatility, or systematic risk, of a security or a portfolio in comparison to the market as a whole. Beta is used in the capital asset pricing model (CAPM), a model that calculates the expected return of an asset based on its beta and expected market returns.
I am using Beta here to illustrate the downside of risk. In addition to the growing global numbers, our business environments are embedded in a setting of complex change, which comes with opportunity as well as risk. The risk element, which our profession is dealing with, creates an environment of instability and a continuous state of persistent threats. Global organizations have something 'bad' happening every day every hour because of their global presence and business networks. Not only do global organizations face every known threat, they have 100,000s+ ways of interpreting threats because of their diversity in countries, currencies, religions, norms, languages, ethics, demographics, and experiences. We no longer operate (perhaps we never did) in an environment where we “turn on the emergency operation center.”
In addition to facing every threat, global organizations are increasingly burden with what Daniel Diermeier calls Private Politics. In these situations, companies are expected to fill many of the obligations that in the past were tasked to governments or social organizations. It is necessary for organizations to work with government and NGOs to ensure appropriate business practices and employee support exists.
And there are constant organizational changes (e.g., acquisitions, mergers, partnerships, business models, leadership regimes). Organizations continue to transform with efficiency initiatives, technology implementations, value propositions, calibration of culture (e.g., better, faster, cheaper) etc. to stay competitive. GSOC helps break down silos of excellences, ensure shared data, and provide transparency.
Our supply chains and business partners span the world. As organizations look for ways to innovate, increase efficiency and effectiveness, and reduce cost, they turn to business partners. More and more of an organization's risk lies outside of their direct control. In my interview with Yossi Sheffi, he speaks to two of his favorite crisis management case studies that illustrate supply chain GSOC capabilities. The more risk outside, the more need for GSOC.
Brand and reputation are the lynchpin for success in a tumultuous setting. Managing messaging and media are important for our reputation. The news cycle as changed dramatical with changes in technology. Today messaging and action cannot be separate activities. We need to speak before we know what is happening. Being on stage (media) can be frightening for most executives. Everyone is watching and judging. The public is looking for a singular cause, linear sequence of events. Everyone wants to know the story - who is the victim, villain, and hero. We need to actively shape perception.
GSOC can assist with creating and reenforcing a culture of risk, resiliency, and security. Dedicated to risk and security, it pursues concerns we typically don't evaluate such as concentrated risk, residual risk, hidden risk, and compounding risk. Global organizations inherently have the best intelligence capability if they can learn to harness, cultivate and harvest it. With 1,000s or 10,000s or 100,000s+ employees and business partners there isn’t a threat pulse that can’t be monitored. Using specialized threat intelligence business partners and alliances / coalitions, organizations use their GSOC (i.e., shared service) to be able to optimally manage and respond to threats to protect its people, products, profits, and the planet. The GSOC should guide the organization's thinking on risks, as well as generate information about threats to influence decision makers. The ability to have predictive intelligence and anticipate threats can prevent and reduce impact to our organizations. The GSOCs ability to detect and internalize threats is a necessary trait to proactive responses. But also the center and exploit business opportunities as well as turn incidents and crises into opportunities.
Organization Alpha
“The prospect of getting rich is highly motivating, and few people get rich without taking a gamble.” - Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
Alpha - Alpha is used in finance to represent two things: 1. A measure of performance on a risk-adjusted basis. Alpha, often considered the active return on an investment, gauges the performance of an investment against a market index used as a benchmark, since they are often considered to represent the market’s movement as a whole. The excess returns of a fund relative to the return of a benchmark index is the fund's alpha. Alpha is most often used for mutual funds and other similar investment types. It is often represented as a single number (like 3 or -5), but this refers to a percentage measuring how the portfolio or fund performed compared to the benchmark index (i.e. 3% better or 5% worse). Alpha is often used with beta, which measures volatility or risk, and is also often referred to as “excess return” or “abnormal rate of return.” 2. The abnormal rate of return on a security or portfolio in excess of what would be predicted by an equilibrium model like the capital asset pricing model (CAPM).
I am using Alpha here to illustrate the upside of risk.The upside of risk is just as important as managing the downside. Participating in strategy decisions, which are at the root of most reputation crises, perfroming proper due diligence, designing new product, developing business development, etc. all have a risk element to them. There is a saying that "70% percent of the cost and risk inherit in a product is built in the design." The GSOC can assist leaders with facilitating and maintaining scenario planning, research, pre-mortem as well as post-mortem analysis, red teaming, branches and sequels, planning and plans, as well tracking, monitoring, and reporting.
Two examples of companies integrating crisis and business are Walmart and Home Depot. Both organizations use weather patterns and crises to reallocate products to affected locations, which increases sales and customer service.
Industry intelligence is another GSOC alpha. An organizational failure is a competitor's victory. In this situation, the GSOC has their eyes an ears on what is happening to the competition with a goal to capitalize on any risk and security inadequacies. Many times crisis is the only catalyst for change, whether the crisis is internal or external to the organization. It can be difficult to make necessary organizational changes without a crisis because we (humans) prefer predictability and status quo. We are more likely to make errors of commissions rather than commission. Once a structure or process is in place it is difficult to change it as it affects people who own it and belong to it.
A crisis is an opportunity to earn and cultivate a tremendous amount of brand equity that can be leveraged for decades. Actively, searching and preparing for crises from a competitive advantage increases an organization's alpha.
Summary
In summary, global organizations need a clearing house for risk and security processes, activities, and communication. GSOC is not just a defensive capability, it is a competitive advantage.
Enjoy - Sean