The Cyber5 Podcast

EP74: Evolving the Physical Security and the GSOC with Open Source Intelligence Collection and Analysis

Episode 74 | June 8, 2022

In episode 74 of The Cyber5, we are joined by Robert Gummer, the Director of the Global Security Operations Center (GSOC) for the National Football League (NFL).

First, we talk about how to expand the mission of a global security operations center (GSOC) using open source intelligence. We talk about the role of vendors in the GSOC ecosystem and how open source intelligence can be aggregated in the case management systems across all facets of a GSOC fusion center. We also talk about how to educate business stakeholders to make them a valuable intelligence consumer. We further discuss how a GSOC can model collection and analysis around successful outcomes for the business, both as a risk management function and as a business enabler.

Here are the 5 Topics We Cover in This Episode:

1) APIs are at the Forefront of Digital Transformation and Must be Protected:

A GSOC is a fusion center – the blend of physical security, cyber security, emergency preparedness, business continuity, and global investigations around any and all threats to an enterprise.

Most physical security threats have a cyber or digital nexus. Active shooters, someone flying a drone over a location, and ransomware threats that shut down business continuity all pose equal threats to the business and need to be dealt with in a collaborative environment.

2) Key for Open Source Intelligence to Solve Business Problems: Eliminating Coverage Gaps is an 18-Month Process:

There are two main categories of datasets to map: traditional open-source intelligence and non-traditional open-source intelligence. Traditional open-source intelligence datasets encompass the qualitative and quantitative collection and analysis of public, non-classified sources that deliver context, such as archives, business records, dating sites and the dark web.

Non-traditional open-source intelligence datasets include the human, signals, and imagery intelligence equivalents in OSINT – based on anything from threat actor engagement on social media to external telemetry (netflow, passive DNS, cookies) to social media photos used to pinpoint locations.

Dialing in the threat intelligence landscape and reviewing vendors to determine who has the better social media and data coverage is a lengthy process, sometimes taking 18 months to get right.

3) Aggregation of Intelligence is Still a Maturing Process for Many Physical Security Teams:

While mature physical security teams have an incident system that sends notifications for action, there still is not a single source of truth that aggregates everything together.

Finding vendors that want to integrate with other vendor platforms is still a challenge. Vendors should not look to displace other vendors; rather, they should try to integrate with systems like a Virtual Contact Center (VCC) platform.

4) Vendor Relationships are Partnerships and Real Intelligence Providers; GSOC Focuses on Educating Stakeholders to Drive Feedback and Integration with Business Requirements:

There is no turnkey solution for triaging alerts in a GSOC, and business stakeholders do not understand the GSOC and open source intelligence space. It takes months of triaging alerts and molding filters to boil the incoming information down to real threats.

Vendor relationships should be leveraged as partnerships to help triage the right alerts, give actionable intelligence, and integrate with existing enterprise systems.

Then, GSOC stakeholders can spend more of their time educating business stakeholders to become more valuable intelligence consumers, whose feedback gives the enterprise a competitive advantage with regard to risk.

5) Top 10 Use Cases for OSINT; Review of Tangible Examples:

LANDON: Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic in actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation and cyber threat intelligence. I’m your host Landon Winkelvoss, co-founder of NISOS, a managed intelligence company. In this episode, I talk with director of intelligence operations at the National Football League, Robert Gummer. Within the physical security apparatus, we talk about how to expand the mission of a global security operations center using open source intelligence.

We talk about the role of vendors in the GSOC ecosystem and how open source intelligence can be aggregated in the case management systems across all facets of a GSOC fusion center. We also talk about how to educate business stakeholders to make them a valuable intelligence consumer. We further discuss how a GSOC can model collection and analysis around successful outcomes for the business, both from a risk management function, but also a business enabler. Stay with us. Robert, welcome to the show sir, would you mind sharing a little bit of background for your listeners please?

ROBERT: Sure Landon, my name’s Rob Gummer. I’m the current GSOC director for the National Football League. I’ve been here for just over three and a half years. Prior to that, I spent eight years in the US military. I taught military intelligence for about four years before proceeding with a career with the FBI, where I served a variety of different roles, but you know, my final job, I was a senior national intelligence officer for science and technology. And for this podcast’s purposes, these opinions are my own and they don’t reflect that of my organization.

LANDON: I can’t thank you enough for joining the show and I know you’re very passionate about open source intelligence and its evolution, evolving use with the GSOC. So, and that’s the Global Security Operations Center, mostly within the physical security space, with the enterprise and that’s what we’re gonna be talking about today. So provide a baseline. What is the GSOC? What is its role? How has it evolved?

ROBERT: I had the unique opportunity to create the GSOC for the National Football League along with its intelligence operations program. So what does that look like for us? The Global Security Operations Center is more or less like a fusion center. It’s the marriage between physical security, cybersecurity, and really all threats, all hazards. So everything comes into the GSOC. It’s, I guess, a 911 center for employee safety, but we also do a lot of investigative support. We provide direct operational support to every league event and game, both domestic and internationally. We manage the travel risk program for the league. We manage the due diligence program for the league.

We also manage the emergency communication side and the business continuity piece. The GSOC serves a very unique function because unlike many of the other sports leagues, we actually provide direct support to all of our teams and stadiums as well and that’s both on and off season. How has it evolved? Like I said, in the beginning, we started it from nothing. So year one was a very fascinating journey because we were bringing together an entirely new team of intelligence analysts, cybersecurity specialists, and a host of other kind of specialties and building a center, like an actual physical center, which here is 3,600 square feet in NFL Films. And then making a capability that the league has never seen before.

So the first year was really figuring out where we fit in that space, how we supported the mission, what that mission really was. And then year two was the pandemic, which definitely evolved I think the understanding inside the league of what a GSOC was. It certainly evolved the use case and actually proved the use case, to even those who might have doubted what that was. And we stood in places that I think traditionally GSOCs really weren’t. We had a vital role in public health support. So that couldn’t have been receiving the information on positive COVID tests. We also were tracking all of the COVID restrictions across the United States and the globe, mainly because we were the one sports league that actually had a complete season during 2020.

And that was a very precarious situation. And if you remember back to 2020, every state, every city, every local ordinance at times had their own kind of guidance and restrictions. And you’re thinking if you’re deploying staff to help support a game or event, they had to be fully aware of what’s going on. And we were still trying to do things like Hard Knocks and other stuff that the general public kind of expects for the league and that was a very dynamic situation. During the 2020 election, we served as more or less the contingency plan for the entirety of the league. We were out monitoring the security situation for any of our stadiums. We had 12 that were highlighted as polling stations, but there was a very volatile and controversial election.

And there was a lot of threat chatter out there that we had to be aware of and make sure our constituents, our partners were tracking as well. I’ll say lastly, the thing that we really hang our hat on is the growth in partnerships. So very much like the intel community, for every GSOC that’s out there, there’s an equal and opposite GSOC. There’s varying degrees in what that looks like. We have our counterparts in the sports world, but the league crosses multiple business verticals. And you think about all of the sponsor partners that the league has, when we have signature events, those guys are operating inside of our ecosystem. And that could be the movement of executives, that could be activations that they have going on.

So we actually work across the aisle with them and do real time information sharing both during the events, but also on game day we have a very close relationship with fusion center and local law enforcement partners of varying degrees and that’s from the local to the federal level. So we really fill that void as a true fusion center for the league and that’s expanded the awareness of the league and its partnerships. And I think we’re only going to evolve as the league continues to push, to do more things internationally, which means you need more threat information and understanding of what’s going on in those respective environments.

LANDON: Talk through the blend of the physical and the cyber. ’Cause you said a lot of things that were very pertinent right there. When I think of physical security programs, I think of protecting executives, protecting assets, ESG around environmental safety, environmental safety issues. Global investigations, couple other tenets I’m probably missing, but that’s generally the feel of physical security programs. Cyber security programs usually around the confidentiality, integrity, availability of data systems, networks, vulnerability management programs.

A key thing I’ve seen, I’m sure to welcome your thoughts on this is, and when we talk about the blend of the physical and cyber is really against those reputational threats, ’cause those can be a lot of different things that of course can come over a lot of different means, mostly from a cyber context. There’s a lot of thought leadership going into that blend of physical and cyber. What do you mean by that?

ROBERT: When we look at threats these days, there’s very few physical threats that exist out there that don’t have some kind of cyber component, cyber nexus, and really on either side, a physical direct physical threat or a cyber threat can shut down your operations. An active shooter could go in and shut down a facility just as much as a ransomware attack can literally prevent you from doing operations, period, or shut down key infrastructure around you, for one of like our signature events. So when we look at it, we kind of look at it as the two halves of the whole. And so when we work across the teams, there’s our cyber teams are looking at, threats to the infrastructure.

They’re looking at threats to the infrastructure for our clubs and stadiums, but at the same time we are looking for those physical threats and those online threats to those same locations. If you’re looking at it from a game day so to speak, a person being able to hack into a stadium is just as disruptive as someone trying to attack it from a physical standpoint. Someone’s shutting off the lights, taking over the billboards, think about the mass panic that stuff like that can cause, and you could do it just the same as the things that traditionally we would think about. Like an active shooter, a drone issue, stuff like that. And really, if you don’t look at the threats from both sides these days you’re gonna be blind.

And unfortunately or fortunately, the world’s going more towards a digital space. And our interactions and activations and anything we’re trying to do is getting more and more digitized. So that means you have a bigger threat factor in that space and really, both of those threats impact your organization equally. So the marriage that we have here is very cool, just because there’s capabilities that are unique to each side, but when something’s happened, those capabilities all come together, they really add, I guess, an additional layer of resiliency to our operations.

LANDON: Let’s talk through social media and all source intelligence collection analysis. I almost think, coming from our backgrounds, human intelligence, signals intelligence, imagery intelligence, you can make parallels of all three of those in the open source context, right. Engaging with threat actors, that sounds like human. Passive DNS, external telemetry has overtones of signals intelligence. I know it’s not, but I mean, it’s still data, right? But geo intelligence, looking at a social media picture, honing in on a point. That’s very much like a geo intelligence perspective. How has that dynamic grown with the GSOC? And I’m kind of curious how you could think about coverage gaps, right? Because a lot of vendors with a lot of different coverage, I mean there’s, covering social media platforms is very different than covering off platforms like the Gabs and the, those types of mediums, Telegrams. Kind of talk through like how you guys think about that.

ROBERT: I’ll attack this in a couple of different ways. First I will say in this sphere, like all-source intelligence is always all-source intelligence. You’re always looking for injects of information, however you get it, whether it’s your liaison, your partnerships, and open source being the platform that it is. I used to manage a lot of the FBI’s analytic tools and one of the capabilities that we had was open source intelligence. However, I will say even during that time period there was still, I don’t wanna say an aversion to it, but it was an aversion to it because most IC agencies operate on higher classifications, right. And the infrastructure wasn’t truly there to help support the social media side and was really seen as kind of like, oh, like some folks are out there.

And when I first came over here there was a recognition that, that’s where the majority of our people are at and we had to have that capability day one. So it was actually the first thing that we instituted, was having that open source monitoring capability just as a base layer. Since then, we’ve definitely evolved into, I guess the point that you were asking on the vendors. The vendors are absolutely critical with that. And I think inside the security space, there’s a better understanding now than I think even a couple years ago on how nuanced the space is. Yeah you can get alerts of all kinds of things that are going on, but it really one has to be tied to where your stuff is actually at, your assets.

But two, it’s really gonna be tied to true information needs. There is a bunch of information you can receive, but is it relevant? Is it stuff that you actually care about or even can action or want to action or keep your decision makers informed of? And that’s a tough balance. How do we get around that? We really, we have monthly meetings with our open source vendors and we talk through everything that we’re seeing and we’ll make adjustments and tweaks on the fly. There’s no such thing as a ready-made solution. I know that oftentimes in this space you hear AI-driven and actionable insights and yada, yada, yada. All that work really has to be done at the operator level.

You really have to know what you’re looking for, what you’re trying to achieve. And you have to understand your threat picture. It took us about a year and a half to get really dialed in into what it is, the real information we care about and what’s kind of white noise. But you have to constantly fine tune that. I would say once a year, we’ll have a more deliberate meeting with those vendors and really talk about some of the issues that we see on the horizon. Like for instance, the midterm elections, or the volatility that we’re seeing in the geopolitical space.

Or even things that we’re seeing globally, particularly since we’re expanding globally, having more insight on the Russia-Ukraine situation, or even any potential emerging threats. I will tell you a lot of these offshoots of like the Parlers and these kind of sites are a challenge just because, unfortunately they seem to be repositories of threatening information at times, and they’re getting more and more nascent and spread out. But it’s absolutely critical because as the unfortunate incidents that happened over this weekend show, the information is out there and you have to be able to identify it because it could be the difference between life and death.

LANDON: You’ve said a lot of interesting things there really around actionability and decision makers. Before we kind of dive into those aspects, let’s talk through the aggregation of such, right. With our cybersecurity brethren, there are threat intelligence platforms, right, that aggregate, let’s call it what it is, they’re indicator platforms, where it gives you a common picture. What does that look like on the physical security side? Are sophisticated teams still logging into 20 panels or is there a case management system that integrates everything? Is there room for automation? Is there automation that’s happening? Talk through what a central platform is looking like and does the physical security landscape still have a ways to go from that regard?

ROBERT: I think as an overarching banner, the physical security space definitely has some growth opportunities because everyone’s still trying to figure it out. And I think 2020 and 2021 challenged physical security departments in ways that they probably wouldn’t have even thought of years prior. So like we have an incident management system and it is a repository. We have platforms that are directly integrated to it. Like our emergency notification platform directly ports into our incident management system.

Our cyber folks, they instantly port incidents into that platform as well. But when it comes to, kind of like the social media or open source monitoring, we have a VCC platform that we utilize and it’s been a build to start growing and moving data into that so we can have a true combined operations picture. The issue is, you’re still kind of in a space where some vendors will work for each other, others will not. So, it’s hard at times to find a foundational platform where you can do, which I like to do is like a Mr. Potato Head model, where you’re trying to find the best of breed, to bring things on, and if it’s no longer effective, you can remove it. So it’s a constant thing because you’re constantly battling like, what is it that you do need to know?

What can I automate and what actually needs to have eyes on? I will say, for our open source platforms that we have, sometimes we can automate it directly into that VCC platform, it’s effective. But if there’s a particular thing that we’re trying to dial into, it might not be the best way to go about business. Perfect example, over this last year, we’ve had more threats to like officiating crews or whatnot. So we can monitor some of the issues that come like on a game day across the United States and kind of look at them even post game day through our VCC platform and see some of the content that’s out there. However, that’s maybe not the most effective if there is a particular official that’s actually being, that’s maybe at the most risk of receiving threatening content.

And then we would have to open up an additional panel and really look closely at the content that that individual would be receiving and that’s maybe not the best use of the VCC platform. So right now analysts or operators still have to bounce between multiple things. There’s always the talk of like being able to consolidate that, automate things like news and whatnot, but it’s, there’s just so much information now. And I think as the years go on, there’s more information, there’s more platforms, there’s more injects. And I think the challenge that we’re about to run up against is the over saturation of information and really understanding what can be actioned and what’s not.

My job as an analyst has always been to digest and sanitize and go through a variety of information and like, we get trained specifically to be able to pluck out relevant data. That’s not everyone’s background and that is not everyone’s training. And it’s certainly not everyone’s training inside the GSOC space. I truly wonder for those who started their GSOCs with the gates, guards and guns who try to morph into an intel fusion center or what we’re trying to do here at the league, how successful they are if they don’t have folks who are properly trained to go out for information. Because it’s not like there’s no information, there is a ton on open source, but there’s so many platforms as you kind of mentioned in the last question there, there’s so many different things that folks have to look at and be aware of.

I’m now like a part-time weatherman sometimes, and even in that there’s a thousand different data feeds and which one’s the best, which one’s the one I can actually put my hand on, my hat on and say, “Hey, I know there’s gonna be tornadic activity at this,” or it could be completely wrong. And I will tell you, it’s become a more precarious game and I think in security space because our roles are expanding so rapidly, we have more at stake when it comes to credibility than I think many other industries. Because our ability to get it right is the difference between life and death.

LANDON: I was at a panel last week and a chief information security officer, said no more dashboards, simple as that. Would you agree or disagree from your context where you sit, on the physical security side?

ROBERT: I guess it depends. So I have seen an over-emphasis on, like BI tools and whatnot, that try to drive insights on things that at the end of the day, aren’t really tied to true decisions. It’s like, oh I know everything that’s happening inside a facility for instance, everything. From someone taking out the trash to someone who, is budging the gate, but are you getting what you really need? What are you actually asking for? And I think there’s a dissonance right now where everyone wants to know all the things and they want their security operation center to be all the things, but they still don’t have true information needs. Like I hearken back to the military actually, when we had like priority intelligence requirements.

Those are driven by, you know, the commander’s intent and his guidance. These are things I need to know to be effective. I think there’s still an unwillingness or maybe just a lack of understanding inside of security space, that your operations centers need that kind of like information. Because yeah, you could see 10,000 dashboards and it’s probably all the things you might have asked for before, but is it really helping you with your decisions or is it just flashy stuff that looks really good when someone walks into an op center? I would say a lot of that is just flashy stuff.

LANDON: So you mentioned a key thing earlier, you said it takes, took 18 months to get it right. And what you’re really talking about is going from trends and noise to actionable information, right. That filter of like, okay, and you just mentioned, threatening officials, right. You can put in the keyword searches and literally get back 40,000 alerts and then to cull that down into something that’s okay, this is what we gotta watch for. If you’re talking to a new GSOC, would you tell them it’s gonna take 18 months to get this right, is that fair?

ROBERT: I would absolutely tell them that. And that’s tough, that’s tough for folks to hear, because I know from my own experience there’s a lot of pressures you somehow the moment you open your doors, you somehow know all the things instantly and like your tools and platforms, you’re gonna pull every single thing that you’re looking for. And we had, trust me there was multiple times in the first year and a half we’re like, well, how come your tools didn’t catch this? How come tools didn’t catch that? And we were looking for those very things, but our filters weren’t tight. So the things that we were looking for, they were there, we were getting them, but they’re buried underneath, a volume like 30,000 different other things that are coming through and not necessarily relevant information.

And unfortunately, the stuff you want can easily be drowned out in all that noise. And there’s just a lack of understanding from those who are outside of that space, how hard that is. That is not just, you set a bunch of guys down in a, in some nice chairs, give someone some monitors or some computers and some software and boom, presto, you magically know all the things. It takes a lot of work, it takes time to really grind that down and it takes feedback. It takes true feedback and I really treat our vendor relationships, like a partnership.

We are in this together, help us get to where we need to be. That helps your value when it comes to your tool or platform, but you have to have that back and forth exchange. There’s no just turnkey, and though it gets promoted as such, oftentimes this industry, there’s such things, a turnkey solution, that I just sit back and it’s pushing me all the things, because if that’s the case, you don’t need a GSOC, you don’t need operators. If there’s some kind of software that is going to give you all the answers, that’s just not the business we’re in.

LANDON: When I think I hear 18 months, I mean, brings back kind of almost, brings back to like public sector days, of like federal procurement cycles. That is a long time, right there’s gotta be a better way. Do you almost feel kind of looking at the stakeholders, right. So like, this is all about kind of the action, actionability, for lack of better words around educating business stakeholders and making them a valuable intelligence consumer. Do you see it almost that your job is almost to focus and make them a valuable intelligence consumer, and that’s the majority of your job. And then everything from your own analysts to vendors and partnerships, they’re almost their own intelligence feeds that are giving you the answers, that make sense. And then you’re ultimately focused on pushing those answers, to answering the business problem. Am I thinking about like that correct when you think about stakeholders?

ROBERT: No actually, I really enjoy how you broke that down because I’ll be honest, I didn’t honestly think about it like that. A lot of the work inside that relationship between the GSOC, the vendors, the partners, that’s all in the background. A lot of those business lines, aren’t gonna understand that maybe not even appreciate it, but in a lot of ways, they don’t have to, right. They have their own things that they’re focusing on, for you as a GSOC, you just have to be that translator. Like okay, we know all this stuff that’s going on in the background, but a lot of these folks are not gonna sit around to hear like this deep threat brief. It’s not, that’s not gonna happen. Unless they have some direct equities and they wanna do something. So like, if you look at the international expansion that we’re about to embark on, right.

We’re about to go to places that we likely have never had a league presence there before. Normally, they’re not gonna be paying attention to what’s going on the news. They’re not even, they’re gonna think it’s just like going on vacation, like anywhere, right. And it’s until they hear something that’s going on, it’s like, oh wow wait a minute, are my guys gonna be safe. Now you have a reason that like reach in and really have that buy-in, because now you have an opportunity to really address a direct need that they have and that’s gonna be a consistent need. But what you can’t do is like go into the deep well, that we might have done in the intel community, whereas like the world’s going to end and the terrorists are everywhere, blah, blah, blah.

No, you really have to boil it down to direct things like, hey, when you’re going to the airport, keep an eye out for stuff like this. Hey, like there’s some recent issues with local crime, here’s what that means for you. Reach back out to us if you identify X, Y, and Z, and on other business lines, we have a lot of activations. So they wanna use a lot of influencers and celebrities and what have you, not everyone they wanna use, has a good background that’s gonna look well on a reputational side. You know from the GSOC side that they want to do this activation, you’re not gonna stop that from happening.

However, if you’re able to take the information that you find that something that might not be favorable and say, “Hey just FYI, this person has X, Y and Z going on the background, they’re kind of controversial right now. That might not be the best look for what you guys are trying to achieve.” You’re still gonna achieve your goal. Which from our perspectives, is the inform and influence. It’s the same that you’re doing government and you’re not necessarily breaking down every aspect of the risk that they’re gonna get. But they understand if I do this, it could look back on me and the business, and that’s not good for anyone. And so you really just have to make them the consumers on things that matter most to them.

And then, you create that pipeline that’s always there. And lo and behold I will tell you, we’ve done that across every business line which is pretty unique, I think for our GSOC, but what that’s done, that relationship has grown to them now asking for other things from us, that they traditionally would’ve never asked. They’re like oh, we know you guys are very good at looking across the globe and stuff like that. We’re trying to do this, can you guys like give us the insight to what’s going on? And you make them come to you now and they’re coming to you regularly because you’re providing them good content.

LANDON: So if they’re coming to you, I have to assume they’re coming to you, they’re not coming to you for risk management. Is that fair to say, like, do you see yourself almost, are they still coming to you for risk management or are they really now coming to you because now you can be a true business enabler to actually facilitate their business goals with the business unit.

ROBERT: I would say it’s a combination of both. Some have like some, like look for partnership deals, foreign countries. So they will come to us from a risk management side and say, “Hey are these folks on global watch lists? Is there anything I need to be concerned about?” But we also have like our digital media folks, they come to us because we’re business enablers. We vet the influencers, the celebrities and stuff that they wanna work with. They wanna make sure that anything they’re putting out there is pinning the demographics, the way that they design it to that it’s been well received. So they really see coming through us as a way to ensure that they’ve checked all the right boxes and whatever it is that they’re gonna put out is gonna go over well.

So we’ve somehow blended those two worlds and we’ve got to a place where, we’ve convinced them to think about security, without really convincing them to think about security. Like they, we’re not pounding into their heads all the time like oh, is this secure, is this secure? Did you check this, did you check that? We’ve just shown the value in having us in that loop and as a result it’s really kind of made us like the easy place to go to, that’s safe. It’s not like, oh security is all over here and stand off and not only come to them, if something’s gone terribly wrong. We’re actually now seen as more of the, the interlocutor between whatever it is they are trying to do and that success.

LANDON: So they’re almost seeing you as an easy button to get to the easy button, this is the way it has been with our customers. Like when we have maturing customers that need to figure out and understand the process of what they do with the information we give them. There’s some time where they’ve got to get those processes set up, oftentimes that needs to be interfaced with legal. That has to be interfaced with human resources, engineering, across the business. As you were developing, I have to assume you guys went through the same transformation in that 18 months, right?

What are successful outcomes and how do you measure success? Kind of walk through that because at the end of the day, it’s about outcomes that need to be purchased and kind of worked through. And it’s different for every organization, depending on what the business looks like. At a high level, how did you guys measure successful outcomes as you were working through that process?

ROBERT: I would tell you one of the frustrations and challenges year one, is that we really didn’t know how to measure that. You know, we were still new. We didn’t fully understand what a lot of these units were doing and what they’re trying to achieve. And when we would send stuff out and respond to a request, a lot of times we didn’t get good feedback or any feedback at all. Strangely the pandemic helped us because, you have like, we’re in New Jersey. A lot of these business lines are either in New York and LA. So kind of the distance, culturally, the different offices, and made it very hard for us to tie that together. What changed was the fact that now everyone was at home and we actually took a, I would say trade craft, but something from the and that’s the brown bag.

The old school brown bag, we called it lunch and learn. And what we tried to do as you know, what we did, we actually booked 30 minutes of time with every business line unit and they usually have like monthly meetings on the side. And so we just kind of hopped in and what we did, we spent the first 10, 12 minutes kept it really tight, just explain what the GSOC did. And then we listened to them to learn more about what they were doing. And then like the last segment of that meeting was really looking for opportunities for us to like work together. So we started learning about things like fan of the year or all these other engagements and things that they were doing both domestically and internationally that, they, a lot of these units work on autopilot.

They know their cadence, we had no idea. And I would say in some ways a security department at large should really fully understand the full scope of all these different lines of business that were happening, that actually had risk. So the next step from that was, really leaning in on those initiatives, delivering on them and doing a very basic thing, after action reviews. After action reviews go a long way to really, show that buy-in and that we cared about the results, and we really wanted to help more. And we found that that was incredibly successful. We then expanded it to take, like we saw different business units doing similar things. So we saw opportunities to bring all those guys together.

It was like, hey, just so you guys know, we are fresh to the game, but we’ve been noticing that you guys all work together and you guys all do the same thing, you’re using the same people. Why don’t we all talk about how to better like help this workflow? And we did that. And then we did a yearly, like roll up. I was like, hey, how has our services been? Are there things that we’re providing you that’s been helpful? Has the way we write things up or present things to you, is that of value, or is there other ways that we can convey the information, that’s more beneficial to you? And I will say one of the things that we’ve done, is we’ve kind of taken over the process of doing that because all these business units, these work, these go, and they’re just doing things.

And these units are very effective, they know what they’re trying to do, they know what they wanna do, and that’s just it. But a lot of it’s still . So we have actually kind of taken the role of being that interlocutor between them and championing those conversations, looking for ways to make things more effective and efficient for everyone involved. And that’s, I would say increased our value and increased the relationships that we have amongst those guys.

LANDON: Who’d ever thought security brings people together.

ROBERT: But you gotta be very clever in this space. I mean you really do because, I think before the GSOC, a lot of our employees really looked at it as, either a punitive place, or a place you need to get your badge. Like I need to get access to a door, so I guess I need to go see security. I lost my computer, I need to see computer security. As opposed to it being that business enabler, that friendly face that you come to when you need assistance on a project and I think we’ve achieved that.

LANDON: How have you achieved that? I mean, I know if we’ve been talking obviously about it, a lot here, but I mean at the core, is it relationships? Is it you know, that you need to have an MBA? Do you need to have crash course in having the business educate you what they do? Is it all the above? I mean, cause what you’re talking about is really just, not only just being great in security, but frankly understanding business and profit and loss, how those two things come together. Cause I know that’s little nascent days in security, to be able to do that.

ROBERT: Yeah a lot of this is relationship. Like I said, with the lunch and learn, we had to get them to know us and not just as a service, but as people. So like one of the things I was intentional about during the lunch and learn was that not like, oh these are just all the services, blah, blah, blah. First thing we did was intro to team. And we talked about the team’s background and whatnot and like put a face to the names that they’re gonna be seeing on like emails and whatnot. The other thing was really just the relationships. One of the things that we’re leaning on very much here at GSOC is quick turnarounds, but not just like giving someone something, but really being intentional about how that’s being conveyed, the excellence and what we’re providing that product.

And you just, they start expecting that if you send them something, if we could do a quick turnaround, we will, if we can’t, we’ll be honest and say, we can’t do that, here’s what we can do though. And that has grown kind of that reputation because now they’re starting to see like, oh okay. And then that word of mouth starts spreading and they’re like, “Hey, oh, I hear you’re working on this, you probably should talk to those GSOC guys over there about it.” The other half of that equation is really allowing them to educate us. So once we started hearing about like the different initiatives where we saw our ability to plug in, we would just reach out and say, “Hey, sounds really cool that you guys do, do you mind spending 15 minutes to kind of walk through, like, what you guys are trying to do.”

And they’re super happy because they’re excited about doing it, right. So they’re super happy to share. And because you know as intel folks, we love information, it was a natural kind of marriage like, oh, that’s really cool, well, how about we help you guys with X, Y, and Z. And then once we complete that full like cycle of whatever support we’re providing, they will then open it up and say, ah, you know what, we’re trying to do a couple other things later this year, can I pull you guys in? Yeah absolutely. And every single step that we’ve taken has kind of opened up more of the aperture and more of understanding of how the business works. And the more that we’re able to deliver with that wider aperture, the bigger our reputation has grown.

We just finished our inter security conference and I’ll tell you, every team and stadium security director literally came up to our staff and thanked us, for everything that we’re doing. And only on intel side, we have a staff of seven, it’s a magnificent seven. And they were surprised that that’s all we had, because we make it seem so effortless to be covering all these different things. And it requests even from their level is a wide range of different things. Sometimes it’s support to EP for ownership. Other times it’s, the teams wanna do some kind of Madden activation, and they wanna make sure the folks that they’re leveraging for that, don’t have something that’s problematic in their backgrounds.

And it’s just really being that like GSOC itself has to be a brand. I think sometimes it gets lost you know as that, oh, you’re the security operational center you just do security operational stuff. No, you are a service, you are a brand. And if you’re not branding that service and what it stands for, and if it stands for excellence and it stands for quality product, if it stands for this, that is what’s gonna bring folks not only to your door, but it’s gonna keep ’em coming to your door, but it’s just like any other store, right. If you go to a store and it’s some hot mess, you might go there one time because it’s the closest thing next to you, but you’re probably gonna avoid it, if possible in the future.

I mean, that’s just human nature, right? So if your stuff is locked in, you see yourself as that service and that partner, it will open every door that you could possibly ask for. Like now we have, I think an embarrassment of riches when it comes to our relationships and not necessarily an embarrassment of resources to help support those asks. But we have such good will that we’re able now to, manage expectations and manage the time in a way that doesn’t bury us as more things are happening in the world. Folks wanna do more things now that things have opened up. And the GSOC has that reputation now of just being that good, that anything that comes our way, we find a way to get it done.

LANDON: You’re almost your own entrepreneur.

ROBERT: It is a business, you are running a business, whether you realize it or not. And every single decision that you make, any capability that you bring on, any service that you say you’re going to be able to generate, has to be repeatable and sustainable, just like any business.

LANDON: You wanna do business with people you know and trust are gonna make you successful. And that can be a vendor, a customer relationship. That’s a B2C relationship. That’s even within business units, security working with business units, like what you’re talking about, it really spans again would you agree?

ROBERT: Yes, 100%.

LANDON: Robert, you know, you’re a world-class practitioner and leader in this space. I can’t thank you enough for your time. Congratulations on all this success and thank you for joining the show. For the latest subject matter expertise around managed intelligence, please visit us at nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence.

A special thank you to all Nisos teammates who engage with our clients to conduct some of the world’s most challenging security problems on the digital plane and conduct high state security investigations. Without the value the team provides day in, day out this podcast would not be possible. Thank you for listening.