Top 3 Mistakes to Avoid When Establishing a GSOC
It’s a new year with a fresh budget, and many Corporate Security teams now have money to build out a real GSOC, a fascinating project, to be sure!
Several months ago, a member of a Global Security Council to which I belong emailed our 1000+ members a simple request to solicit key learnings when establishing a GSOC. Considerations such as GSOC-as-a-Service v. In-house; where to locate the GSOC (HQ or distributed globally); how to staff the GSOC (FTEs or contractors or both); and which group budget(s) to fund this security service were just a few of the many topics on the table. The response was a wonderful collection of real-world experience and perspective across large and mid-size organizations.
Having been in the global security risk intelligence business for many years, I thought it might be helpful to highlight the Top 3 Mistakes to Avoid When Establishing a GSOC:
1. Establishing a GSOC before aligning its mission across the lines of your business.
Only set up your GSOC after aligning its mission across the lines of business (e.g., physical security, asset protection, critical communications, HSE, supply chain). Each organizational structure will be different, but the key here is to bring all the stakeholders together to communicate and capture feedback on your GSOC project. This step is foundational to a successful and sustainable GSOC. By removing silos, your team will:
- Uncover broader use cases than you originally envisioned, which will drive business case/ROI metrics.
- Expose other groups’ current tooling and SOPs that may be useful in the GSOC and may identify necessary integrations.
- More effectively establish critical communication channels and desired deliverables (e.g., reports) with all stakeholders.
2. Don’t assume the associated cost.
Don’t assume that the associated cost of the GSOC should be absorbed by only one (your) group. Looking at many companies I work with, I see GSOC as a cost center, GSOC as a profit center, and GSOC as a hybrid cost/profit center. When 1. above is completed, the output will be a quantifiable budget roadmap with associated KPIs. Moreover, this value analysis should be ongoing and reported to the stakeholders regularly (e.g., weekly, bi-monthly, monthly).
For example, because the GSOC, using proactive risk tooling and adhering to company SOPs, alerted the organization to a flood hazard at a given company warehouse, the company was able to alert employees to work from home (Duty of Care KPI) and divert incoming product to the next nearest warehouse (supply chain KPI). Duty of Care is a compliance item, while uninterrupted product shipments are a sales/revenue item. Both are quantifiable and drive the ROI of the GSOC.
3. Don’t just hire to “fill the seats.”
Don’t haphazardly hire your GSOC team just to ‘fill the seats.’ The analysts and management team you put in place should:
- think globally and strategically; bring a critical mindset to problem-solving and be encouraged to exercise latitude while adhering to SOPs when handling a crucial event
- thrive in a dynamic environment, as threats/events often unfold rapidly and require rapid response
- see a clear career path and continued growth with your company: from analyst to senior analyst to manager, etc.
When a GSOC is adequately staffed, its value is realized immediately, and the dreaded ‘revolving door’ becomes a thing of the past. BTW, this approach is applicable whether you are staffing with internal FTEs or using security contractor services.
Here’s to a wonderful and safe year ahead!