Building a Global Security Operations Center vs. Outsourcing

Monday Jun. 06, 2016

Building a Global Security Operations Center vs. Outsourcing

Building a Global Security Operations Center (GSOC), versus outsourcing the activity to a third-party provider, can create substantial controversy around the conference room table. The best way to offset this is to frame the discussion by documenting key points. This provides the data necessary to move the process forward. Lets look at four major areas in defining the scope and aiding decision-making.

1. Assessing Internal Expertise

First, does the entity have the expertise and experience to effectively develop and manage the effort? Staffing considerations should include how the organization is currently positioned to recruit, select, train, and retain a sufficient level of staffing not only to support 24/7 operations; but also to have the capability to surge response to effectively address high-impact events. The selected approach should be based on locations, coverage needs, staff competencies and required availability. Internal or outsourced, effective management will require integration into the enterprises plans, policies, procedural guidance and processes in order to develop the protocols necessary to coordinate, monitor and support operations.

2. Establishing Requirements

Centralizing incident response efforts can initially create challenges in managing disruptions. Determining the budget, scope and functional requirements your GSOC will need is essential to address these challenges. Establishing design criteria reveals components and system performance needs versus wants. If outsourcing, this provides the information needed to create the SOW in an RFP. When building your own, this aids in site selection and identifies the infrastructure specifications essential to support continuous operations. Whether you select an internal, outsourced, or hybrid approach; without a clear requirements document, the collective effort is tantamount to engaging in a never ending game of whack-a-mole.

3. Identifying the GSOC Lifecycle

Once your requirements have been identified and design specifications established, one of the most overlooked aspects in the decision-making process is understanding what is known as the Total Cost of Ownership (TCO) of the GSOCs equipment lifecycle. The decision focus tends to gravitate to equipment procurement and installation costs. However, in addition to supporting infrastructure maintenance (e.g. UPS's and generators), system components will need replaced at certain frequencies, parts may go out of production, or technical support no longer provided. Also unidentified or underestimated is the costs for ongoing training, drills, exercises, audits, and oversight to ensure regulatory, contractual, or other stakeholder expectations are met. These characteristics determine the TCO aspect of the GSOC decision.

4. Developing Supporting Documentation

Lastly, and most importantly, is compiling these into a document with the courses of action available that is easily absorbed by the entitys decision-maker(s). Review and ensure key elements have been identified, characterized, and analyzed to support executive decision-making. Where cost is the primary concern; providing a comparative analysis of internal, external, and hybrid approaches with high-level pros and cons can be a valuable aid. Additional content to consider includes: current day-to-day operations and limitations; real events and reasonable scenarios demonstrating the impact and consequences of moving forward with and without a GSOC; and key performance indicators to measure ROI.

In closing, it is recommended the entity select a qualified disinterested third party (e.g. no relation to manufacturers or integrators) to assist in reviewing design specifications, installation drawings, operational procedures, or provide independent audits/ reviews. This ensures the efforts usability, suitability and operational reliability. It also ensures alignment with established design standards and industry practices.

Michael Payne is an ASIS International, Certified Protection Professional (CPP) and DRI International, Certified Business Continuity Planner (CBCP) leading iJET’s Organizational Resilience Department within the Global Operations Division. In this position, he is responsible for organizational planning/ readiness, security operations, strategy, assessments, evaluations, resiliency systems design and emergency assistance.
 
Michael has a distinguished career managing the operations, crisis/emergency response, protective strategies, physical security implementation, physical and cyber security integration, procedural development, andpersonnel situational awareness and safety for several critical infrastructure and key resource entities. During iJET critical response operations, he assumes the role of Global Operations Incident Manager, leading crisis surge management efforts for significant events such as major natural disasters, political situations, and terrorism.

Comments

Leave a comment

Your email address will not be published.
Required fields are marked.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
11 + 4 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.