Building a Corporate GSOC: An Interview on Budgeting, Functional KPIs, and ROI
This month, we’re sharing our interview with Steve Greenbacker. Steve is a rare individual: he built a GSOC in the military and two GSOCs in the corporate space. This blog is meant to be a resource for CSOs, Security Managers, and EP teams considering building or expanding their GSOC. Below, “CH” is Chris Hurst, Stabilitas COO. “SG” is Steve.
Any errors or omissions are ours.
Steve’s Bio: Steve started off his career as an officer in the US Marine Corps leading security teams domestically and in Iraq, coordinating embassy security operations across the Near East and South Asia, and managing a Reconnaissance Operations Center in Helmand Province Afghanistan. After military service, Steve left the military and continued his security risk management work in the energy and pharmaceutical industries and most recently offers his expertise through a large consulting firm. He is also an adjunct professor of intelligence for a well-regarded university.
CH: Steve — can you describe the functions of those three GSOCs?
SG: While in the Marine Corps, I was the Senior Watch Officer for my unit’s Reconnaissance Operations Center, responsible for integrating intelligence collection with combat operations in Afghanistan. In the private sector, I designed an operations center to support both physical and cyber security of the electric grid for a regional utility company. Most recently, at a pharmaceutical firm, I took a traditional GSOC which was focused on monitoring cameras and answering alarms and matured it into an intelligence fusion center which was responsible for risk forecasting, incident response, and other business uses like open source patient finding and new market entry assessments.
CH: At a high level — how were they similar?
SG: As with any critical operational function, the people and the plans are paramount. If you can find the right people and give them the right direction in the form of plans and procedures, you will be successful.
This also became a growing pain at points because we needed to know what we were looking for to find people who will be successful in these roles — and then design plans that provide the right amount of guidance while still allowing the people the leeway to make creative decisions.
CH: Again, at a high level, how were they different?
SG: To be successful, each GSOC needs to be tailored to the risk profile of the organization. While I am a firm believer that Intelligence Analysis and Risk Management are domain-agnostic, each operations center needs to be aligned with how the business operates.
Those same tenants need to be applied to each situation uniquely.
Starting a GSOC — Challenges
CH: For the corporate GSOCs, what were the biggest challenges you had getting them up and running?
SG: The typical initial barrier to entry is the financial investment in the infrastructure.
You need space, technology, equipment, and manpower. Just like any security initiative, there is a fight for resources. Demonstrating a potential return on investment is important to show the fiscal reasoning behind the center when compared to other projects in groups where a financial ROI is more visible.
The requirement to show ROI doesn’t stop. Once built, that ROI needs to be demonstrated frequently after implementation for the long-term internal support of the GSOC.
SG: We have been successful in this by monetizing the loss events we have avoided or minimized and by facilitating business operations which would otherwise been prevented without our intervention such as in the aftermath of terrorist events.
Secondarily, you need to balance the need for immediate decisions and analysis with the minimal tenure of the analysts in the GSOC. Visitors to our centers are always surprised how much authority and free reign our analysts have to respond to and solve problems. These analysts by nature are not senior leaders on our teams, but have been put into positions where they are at the point of friction for major strategic issues. We need to not only prepare the young analysts for these roles, but also provide a support structure for these decisions and back them up when necessary.
CH: What was the most important argument was in favor of building your GSOC?
SG: Like most organizations, we were busy. Maybe you have an executive protection program, a travel security program, and several facilities to secure around the world. As a security leader, you can not manage all things at all times. You will likely also struggle with triaging issues and staying on top of the event horizon for upcoming risks. This is where the argument for a GSOC comes in. There is a lot of synergy in the ops center to support a wide variety of security programs. It also provides a central communication hub to keep you informed as a security leader and give you the ammunition to communicate with the organization’s executives.
CH: If I were a CEO or CFO looking to start a GSOC, how should I budget this? What are the big buckets I need to think about — and the ranges of costs?
SG: We used a phased approach. By leveraging some simple technology and re-purposing existing space we were able to get some quick wins without a lot of investment. This was kind of a test case.
But when we committed to the concept, it resulted in a significant investment. Our most recent center is focused around an integrated video wall which connects all of our analysts computer systems and online tools at their desktops with an interactive display and secondary walls in our management suite and fail over center.
The technology itself was around $800k. The space to put it in needed to be retrofitted to support the IT racks with adequate climate control, work stations for the staff, and the expenses associated with resiliency for internet connectivity, electricity, and phone systems. This was in excess of $1 million. Most important — consider the staffing. Remember, this is the core competency of our GSOCs, so it is important to invest in the people staffing the center.
Security managers have staffing options, and the worry with using low-cost providers or undercutting salaries is that you’ll have a continuously revolving door of new analysts. Once you’ve invested in finding the right people and giving them foundational training and experience, you don’t want to lose them. To support a 24/7 center with additional full time specialists, our budget was over $750k. Additionally, we have a budget of $150k for intelligence collection and analysis tools.
In the end, the GSOC had an initial capital expense of over $2million and annual opex budget of over $1million.
CH: Ok — so they’re not cheap. What argument won the day over the cost argument?
SG: You can’t get around answering the “So what?” We were able to demonstrate such a return on investment, even outside of our security programs, that the GSOC became a critical function for the organization. We could demonstrate impact on life safety and business operations.
We engaged stakeholders outside the security team who were more profitable because of the work we did. We provided freedom of movement for our sales colleagues. We mitigated supply chain losses and impacts from terrorism. We gave our executives the confidence to continue doing business in countries with revenue opportunities despite significant operational risk.
CH: How did you measure the success of your GSOC?
All of our programs include a set of Key Performance Indicators (KPIs). For our GSOC, we broke the KPIs into sections for Operations and Intelligence. Operational KPIs included tracking our incident response and communications.
We used the FEMA ICS framework to maintain timelines and other metrics. For example, we typically alerted for a critical incident between 50 and 120 minutes ahead of other sources and news media. We could then demonstrate why those minutes were impactful to our response. From the Intelligence perspective, we modified an existing scoring method called the Brier’s Score to assess our forecasts and analytical conclusions. Not only did this allow us to demonstrate our performance, but we also became better forecasters by analyzing our success and failures.
CH: Can you describe more detail about the functions of your GSOC?
SG: Our GSOC was really the face of our entire Global Security team. First and foremost, it was the central hub for risk management, no matter the domain. Our analysts were trained to respond to HR and infrastructure issues just as well as to terrorist and cyber security attacks. But we mostly grouped their capabilities into analysis and response.
From an analytic perspective, we trained out analysts in intelligence and an ISO 31000 risk management framework. With this foundation, they assess risk and produce intelligence products to inform decision makers both within and outside of the security team. They are responsible for New Market Entry Reports, Geo-Political forecasts, and local risk assessments for business operations in areas of turmoil. Some examples of success we’ve had in this domain are accurately predicting the business-relevant fall out of the Brexit, the ebb and flow of tensions between Israel and Palestine, and the economic feasibility of business operations in Turkey post coup attempt.
The longer range analysis perspective then feeds into the response capabilities of the center. Since we maintain situational awareness around the world, we are immediately away of impactful events near our organization’s interests. We keep metrics on this, and on average we know about events 50 minutes ahead of other commercial intelligence feeds and an hour and 20 minutes ahead of the news cycle. The impact of this is we are then able to respond to the incident and mitigate the impact to the company usually before it even hits the 24 hour news channels. Overlaid on our GSOC is an emergency operation center concept which follows the standard practices defined by FEMA’s Incident Command System. This means in a response scenario, we have groups focused on operations, logistics, planning & intelligence, and others to bring together all the capabilities of our entire team. We leverage technology to track travelers and local facilities, communicate with our colleagues, and engage security partners to provide an on-the-ground security response. One great example of this was the complex terrorist attack in France in 2015. Not only did our analysts see the many indicators of bombings, shootings, and the nightclub hostage situation, but were able to piece it together immediately as a single large incident. Because of our early awareness, we were able to communicate to travelers who were already boarded on flights about to take off to Charles de Gaulle. We advised them of the situation and assured them we would have a security plan for them upon arrival. We also engaged a local security team to meet them at the terminal and move them to a safe haven outside the city as the events continued to unfold. Had we not had these capabilities, we would have had travelers arriving into a dangerous and dynamic event without any awareness of what was going on or how to protect themselves.
CH: How did the actual running of the GSOC differ from your original plans?
SG: Our concept really evolved along the way, and I would say it looks nothing like what was originally designed years ago. From my perspective, I saw an opportunity to leverage our assets to provide situational awareness and intelligence analysis. But at the start I think I also failed to see how applicable that skillset was outside of the security domain. The real evidence of business value for our GSOC was what we did for other departments in the company. We leveraged the intelligence analysis training to help our supply chain management colleagues define routes and relationships. We helped our friends in compliance with anti-corruption/anti-bribery screening and monitoring. As we developed our analysts and studied how to teach intelligence, we discovered that an expert in the analytic process can actually outperform a domain expert when it comes to intelligence and forecasting work. There are a number of reasons for this, but the work of behavioral psychologist Daniel Kahneman and the Good Judgement Project at IARPA (the intelligence community’s version of DARPA) are two good resources we relied upon to create our framework.
CH: What were the biggest challenges you saw?
SG: We had to find the right people. We needed team members who were critical thinkers with a global curiosity but we also couldn’t afford analysts with 20 years of experience with government intelligence.
Additionally, there were some cross generational and cross cultural issues integrating the GSOC into the larger security team. You can imagine the animosity between a millennial analyst who expects to come off the night shift after 4 months and an experienced security leader who spent 14 years working nights as a police officer. They just come from two very different perspectives. You can imagine my surprise that I only learned I was a millennial later in life and here I am caught in the middle trying to balance these two sides.
CH: How did you overcome them?
SG: First, recruitment and retention became a central focus for us. We partnered with universities and designed co-op programs to bring talented students into our ecosystem and test them for a good fit with the team. We also discussed at length the characteristics we wanted in an analyst outside the obvious skillset. Teamwork, humbleness, and work ethic were important to us. Even if you were the smartest kid in the room, you still needed to fit into the team.
Also, we made an effort to change the culture of the team. Instead of forcing others to join the existing culture, we embraced the perspectives of those new team members and adjusted the groups culture to be more inclusive. Now we would have an evolving culture that every colleague could buy into because they had input on it.
Finally, we created a clear career progression from a new analyst all the way up to our Chief Security Officer. So when we told that analyst he wasn’t coming off nights yet, we could at least show him a plan which helped him gain experience, become a peer leader, then a senior analyst, GSOC manager, and on up through the organization. This showed we weren’t just sucking the value out of our analysts without regard for their own development.
CH: Any insights on building a team with contractors?
SG: This is something we learned hard lessons with. It is hard to mentor and retain contractors. Not only are there co-employment issues with directly guiding performance and career development, but contractors have inherently less reason to stay with an organization when compared to employees who have bonus and equity structures. Compounding all that, the model we were operating under including partnering with a security guard firm, who was stretching to support this capability for us. We ended up doing a lot of our own recruitment and training, and it was difficult to get the kind of intelligence professionals we were looking for to apply to a security guard firm. If I was starting this project from scratch again, I would partner early on with a firm which specializes on intelligence, despite any other existing relationship.
On the topic of contract management, there was also a key takeaway with regards to how we framed the contract. A typical agreement with these types of vendors is a fixed price model which negotiates the bill rate for the positions being provided. Included in this bill rate are contributions for employee pay, overhead, uniforms, equipment and others as well as profit. We found that when comparing quotes from different vendors, there was no incentive to retain good employees and outfit them to be successful. The scenario this inevitably causes is at then end of a contract period, the incumbent now has employees who received pay increases the last three years, and may or may not have received proper support which was financed through the bill rate. This makes them less competitive than new entrants who can hire at a lower initial rate, and use the extra in the bill rate to introduce new infrastructure. To solve this problem, we instituted a cost-plus model which has a negotiated mark up rate on billable hours, and every other expense for training, equipment, etc is a pass through expense at cost. This creates a level playing field because now the vendors are competing on the mark up, without muddying the water with other considerations.
CH: We do a lot of outreach with vets. What do you wish you would have known as a veteran entering the corporate space?
SG: This is a topic I care a whole lot about and I struggle to be successful with. I always look to hire veterans because I know their experience and its relevant to what I do in the private sector. But time and again, I find this difficult either because the vets I interview are sorely unprepared to translate what they did in the service to layman’s terms for the rest of the interview panels or they have unrealistic expectations about leadership roles and compensation. As a former military leader, I care a lot about taking care of the troops, even now as a civilian. And the military has a challenge in preparing service members on the way out. A great example was a young Marine corporal who I went through a class for veterans with. We were learning about resume writing and interviews, all the typical stuff. We were talking about plans, and he shared his concerns about the private sector along the lines of “Nobody is looking to hire a machine gunner.” The problem is, he’s not just a machine gunner. He’s a small unit leader who has to balance the needs of his boss with the considerations of his team. He’s also a professional equipment maintainer with all the PMCS he had to take care of for his weapons system. He also understand training and tactics and human resources issues. But he just wasn’t in the position to see that about himself. So if I could get myself in front of all the veterans leaving the service for the private sector, I would tell them all to go find a mentor who has already made that transition who can help prepare them for the business world and translate their stories into terms understood by civilians. I was lucky enough to find those people, and I also make myself available to mentor those coming out behind me to do the same.
Thanks Steve. Great insight!
Chris can be reached at firstname.lastname@example.org. Steve can be reached on Linkedin at https://www.linkedin.com/in/sgreenbacker/