SOC manager observes operations
Safety and Security Aug 17, 2023

The Modern GSOC: Security in an Evolving Landscape

Coordinating disaster response is hard enough even when things go right. To tackle diverse security threats at scale, you need a robust security operations center suited to your global organization.

Threat Intelligence Guide
See how AlertMedia can help you protect your people and business from nearby risk, anywhere in the world.
Cover of AlertMedia Global Threat Intelligence Guide

When a hurricane is headed straight down your path, security and safety operations can get complex quickly—especially when you’ve got people and sites all over the region. Thales Group, a multinational corporation with 50+ locations in North America alone, learned this first-hand.

Their emergency communication platform failed during a severe East Coast storm. As a result, they couldn’t get messages to the right people or confirm whether employees were safe when it counted most.

Coordinating disaster response is hard enough even when things go right. But it’s just one facet of the threat landscape companies face. On top of that, you’ve got cybercrime, physical security needs, and random emergencies.

To tackle these varied security threats at scale, you need experts working 24/7 to collect, analyze, and act on intelligence. A global security operations center (GSOC) fills this need, serving as a command center for large companies. But what sets a GSOC apart from other security facilities, and why is it uniquely suited for large-scale security coordination?

Find out how a GSOC differs from a security operations center, why it’s important, and how to maximize its impact and value.

“It’s understanding what your business does day-to-day and how does security fit into that? Once you understand that, it will help you start to put the pieces of the puzzle together—to build the foundation, knowing what your security operations center needs to look like.” —Grant Hayes, COO of RBO Technology

Global Security Operations Center vs. Security Operations Center

A security operations center (SOC) is critical to organizational resilience. And for many small or midsize companies with one or a few locations, a SOC can meet your security needs. But for larger companies, organization-wide security requires more than a single SOC’s capabilities (and spreading the responsibility across multiple independent SOCs creates inefficiencies).

That’s where a GSOC comes in. Much like SOCs, they’re a command center for all security, but the key differentiator between them and regular SOCs is in the name: global. They also serve a few unique purposes:

  • Oversee and coordinate local and regional SOCs, network operations centers (NOCs), and operational teams
  • Centralize specialized functions like fraud prevention and intelligence analysis
  • Liaise with law enforcement and external intelligence sources
  • Audit organizational security measures for interdepartmental gaps and malicious actor

Who needs a GSOC?

According to Grant Hayes, COO of RBO Technology, only some organizations have the need for a 24/7 GSOC, but certain types of businesses critically depend on them. Grant gave us some indicators that an organization may need a GSOC:

  • 24/7 working hours (or close to it)
  • Frequent travel requirements
  • Operations in dangerous industries
  • Operations in locations with frequent threats

How to formulate your security posture

2024 Threat Outlook Report
Get expert insights on the critical events that shaped 2024 to better protect and prepare your business in the year ahead.

GSOCs may look different depending on your security needs, but they all serve the same core purpose: protecting your people, property, and business operations from all possible security risks. Formulate your GSOC based on your company’s specific makeup of teams, sites, physical assets, threats, and available resources. For example, threats and security needs will differ greatly between an e-commerce company and a restaurant chain.

Thales Group is a good example of how a GSOC’s structure reflects operations. Their business spans several industries, from electrical system projects with large onsite labor forces to IT services. So, to protect their people, property, and clients, their GSOC is designed to:

  • Continuously monitor intelligence data to assess organizational risks
  • Respond to cybersecurity risks quickly and effectively
  • Advise on-site SOCs on physical security controls
“As a security team, we have a line of sight into something that maybe the business doesn’t. And because we have that line of sight in to traffic or weather or intel or whatever, by sharing that information with them, that might help them take a hard right turn instead of taking a left turn.” —Grant Hayes, COO of RBO Technology

What are virtual security operations centers?

A virtual security operations center (VSOC) is the online equivalent of a GSOC. VSOCs are frequently outsourced solutions but can also be in-house platforms. VSOC systems integrate with your company’s security systems to detect and analyze threats remotely. Your team monitors output through a web interface with real-time access to the same information as with in-house GSOC.

VSOCs are beneficial in a few scenarios:

  • For remote or hybrid workforces that need a flexible, decentralized solution
  • Off-the-shelf VSOC solutions can be cheaper than investing in the infrastructure and training to build a GSOC from scratch

But they also have limitations:

  • Systems integrations can be challenging and prevent making changes on the fly
  • Third-party systems could become unavailable in disaster situations
  • Tuning a VSOC to your company’s needs takes time and resources, which you could spend on a custom solution instead
See how AlertMedia can help protect your people & business from nearby threats

Benefits of a GSOC

Thanks to their unique capabilities, global security operations centers help organizations achieve many of the same goals other special teams can, only faster and more effectively.

A GSOC helps your company:

  • Improve threat intelligence: Threat intelligence is most valuable when fully tuned to your organization’s composition and needs. GSOC security teams have the experience and expertise to maximize usage, delivering more effective risk monitoring.
  • Streamline communication: Centralizing your threat detection simplifies incident management, especially when GSOCs can communicate with SOCs and employees via a two-way communication platform.
  • Maximize resource allocation: Assigning specialized functions to your GSOC frees other teams to focus on their core strengths. Local SOCs can work on their facility’s security while the GSOC handles fraud detection and intelligence analysis.
  • Prevent security gaps: A lack of clarity between physical and network security means things often slip through the cracks. A GSOC’s 360-degree view of security catches and mitigates these gaps.
  • Facilitate incident response: During a large-scale emergency, security officers on the ground will have their hands full. GSOC analysts can delegate responsibilities and coordinate with law enforcement while your front-line team focuses on immediate issues.

The earlier hurricane scenario is a great example of how impactful a GSOC can be and how functions complement each other. Despite having good data on the storm, Thales group needed a better way to share actionable intelligence throughout the company. A GSOC can build a comprehensive solution to improve your company’s resilience by taking a holistic view of security and safety.

Global Security Operations Center Best Practices

GSOCs are uniquely positioned in any company’s security ecosystem as each has specific strengths and needs. Despite those differences, here are five ways to maximize any GSOC’s impact.

Foster communication and collaboration

Most companies use GSOCs for specialized functions like identity protection, 24/7 incident response, and real-time intelligence. But its more general role as a command center—i.e., the glue holding your security ops together—is just as critical. For your GSOC to run like a well-oiled machine, operators need to master organization-wide collaboration and open communication—they have to be able to reach anyone at any time. For example:

  • Interdepartmental: The GSOC’s responsibilities include everything from IT to operations to sales to HR. By sharing resources and information seamlessly, you can prevent security gaps and keep the whole company working toward common goals.
  • Top-down: Your GSOC oversees local and regional SOCs but needs their input to perform thorough analyses. Foster open and frequent communication with SOCs, using on-the-ground reports in the decision-making process.

It’s easy for a GSOC to feel like the secret police, working from the shadows of a command center, but Grant Hayes stresses how important it is to build a different kind of culture. Establish protocols so your workers understand the GSOC, how it relates to them, and when they can expect notifications. This kind of transparency can generate more open communication and trust, ultimately promoting a proactive safety culture.

Grant shared a story about an oil & gas company in the South Central U.S. that faced an F4 tornado with a high risk of harm to their people and damage to their property. But with the coordinating power of their GSOC, they were able to track the storm’s path using technology and on-the-ground reports from their employees, gathering crucial information that helped them keep everyone out of harm’s way.

Define responsibilities

As humans, we always want to avoid redundant effort. But leaving gaps because everyone “thought someone else was doing it” is even worse. To prevent both problems, your GSOC needs to define responsibilities throughout the organization. What will your NOC handle, and what falls to the GSOC? Make a detailed list for both physical and information security management.

Let’s return to our example of the company with multiple locations in the path of an oncoming hurricane. You don’t need six different onsite SOC managers following the details of the forecast. It’s inefficient and could lead to conflicting decisions. Instead, the GSOC can take charge, developing actionable intelligence for company-wide use. From there, each local SOC can coordinate specific plans for its location.

Implement organizational standards

Actionable intelligence begins with accurate information. Unfortunately, inconsistent data is a common sticking point for large organizations. Departments and locations have unique terminology for facilities and equipment, usually with good reason. But when information reaches a GSOC without the original context, the inconsistencies will lead to delays and flawed decisions.

Take, for example, a server room. Your company’s locations might call it a server room, data center, IT closet, or other names. But an IT closet could also be a storage space for spare cables, printers, and assorted parts. Now imagine your GSOC is fielding an alarm for the IT closet at your Miami office. How critical is this alert? Is someone breaking into your data center and gaining access to sensitive equipment? Or are some power strips and a broken scanner at risk? Creating and enforcing standards avoids these issues and facilitates rapid, effective decision-making.

Insights From The Forrester Wave™ for Critical Event Management, Q4 2023
Find out how AlertMedia stacks up against other platforms with critical event management, threat intelligence, and mass communication.

Deploy technology

A GSOC processes mountains of information. The amount of open source intelligence alone is massive. Then you have keycard event logs, CCTV recordings, internal communication, and other security data. Add it all up and no human can keep up, let alone extract actionable insights.

If intelligence analysts have one claim to fame, it’s knowing how to use technology to work smarter and faster. And predictive risk monitoring is at the heart of a GSOC’s operations. But to do it successfully, you need to:

  • Develop inputs such as location data, employee segmentation, and access controls
  • Configure and tune alert and alarm priorities
  • Implement escalation procedures to get the right sets of eyes on information in real-time
  • Filter meaningless noise to prevent information fatigue

Adopt a proactive approach to security enhancements

Security professionals know that dealing with ongoing threats and incidents is a full-time job, but the key to keeping your company secure lies not in reaction but in anticipation. In preparing for what’s coming next so when a hurricane, tornado, or other crisis strikes, you feel prepared, not overwhelmed.

With access to organization-wide data and predictive modeling tools, GSOCs can take on a variety of proactive security projects:

  • Perform regular audits to test if security policies are working as intended—for example, are keycards for old employees still active?
  • Collaborate with the NOC on penetration testing, especially for emerging threats like zero-day exploits
  • Analyze organization-wide incident reports to spot hidden trends and holes in your security
  • Spearhead initiatives to keep the company compliant with security regulations

Maximizing Security Solutions in a Fast-Paced World

Every day, your company faces threats across the digital and physical realms. Your job as a security leader is to enable an effective and rapid response to nearly any risk imaginable. No one tool or solution can guarantee your success, but a GSOC is a solid foundation for a robust security posture.

Centralizing special skills and tools allows every security analyst and GSOC operator to excel at their role and collaborate on organization-wide security. With a coordinated team and thorough planning, you can meet every day knowing you’ve built a strong security culture.

Threat Intelligence Guide

Please complete the form below to receive this resource.

Like What You're Reading?
Subscribe to Our Newsletter
Subscribe to The Signal by AlertMedia to get updated when we publish new content and receive actionable insights on what’s working right now in emergency preparedness.

Cookies are required to play this video.

Click the blue shield icon on the bottom left of your screen to edit your cookie preferences.

Cookie Notice