What does the first hour after a critical incident look like? What is going on inside of a company’s Global Security Operations Center (GSOC)?
In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & CEO Bryan Strawser and Senior Consultant Jennifer Otremba share their experiences of leading and working within a command center environment during a critical incident. Topics discussed include GSOCs (Global Security Operations Centers), crisis communications, selecting your GSOC team, the triage of information and intelligence, and many other related topics.
Bryan Strawser: We were reminiscing about some attacks and incidents that we’ve been through, and one that came to mind as we were setting up this episode is a few months back when there was the attack in London where the guy drove a vehicle down Westminster Bridge, hit and killed a number of civilians, killed a police officer at the entrance to Parliament, and then was shot and killed by armed police there in London. I was in a client’s office in Phoenix, Arizona, and I think had just gotten in and was in a meeting when the news alerts started coming. And so I walked over with the Global Security Team to their Global Security Operation Center, GSOC, and kind of spent the morning with them helping manage that initial response.
We are in there on a retainer basis to help them manage their crisis management and global security programs, which are kind of in transition just for background as to what we were up to. But it’s always interesting to hear what happens behind the scenes, kind of what’s the battle rhythm of what starts up when something happens. And this company had impact from this because their international subsidiaries managed out of London and was only a kilometer from where this happened.
Jen Otremba: Yeah. And unfortunately this sort of incident or these types of incidents are not isolated. We’ve dealt with many-
Bryan Strawser: Just this year.
Jen Otremba: Yeah.
Bryan Strawser: Or the last few years.
Jen Otremba: Yeah. Many such incidents like this. So we thought it would be great to discuss what happens after the incident occurs, what happens in a command center.
Bryan Strawser: Right.
Jen Otremba: What does the incident lead to, what do the rest of the parties do in a situation like this.
Bryan Strawser: So I think we’re gonna use this as the example, kind of the experience with our client in Phoenix. This client runs a 24/7 GSOC with a typical shift crew of between two and five, depending upon the time of day. This was morning, so they had a pretty good size crew in, including the manager over the facility plus the global security leadership was in the office because the day had just gotten started, so they were all over there as well. So you had a pretty good number of hands plus me sitting there. We’re writing color commentary from the corner.
Jen Otremba: So you got CNN up on the screen and, “Breaking news. This just happened.”
Bryan Strawser: So let’s start with the TV aspect, right? Their initial notification was this popped up on TV before they started getting incident alerts from the usual sources. Once they identified that it was in London they switched one of their TVs off of a US station and went to BBC so they could get the direct British perspective of what was happening. And then they had CNN or MSNBC up, I don’t remember which one. One of the two. And then like most GSOCs, they have some incident notifications that are flowing in, right? They’re an OSAC constituent, so they were getting the OSAC incident messaging from The State Department. Those came later. They use NC4 as incident notification and monitoring. So they had that really quickly that something had happened. Then they got additional updates.
Jen Otremba: Yeah. So we’re trying to validate, “This is really a thing.”
Bryan Strawser: Trying to validate. And then there’s first like, “What is going on?” So there’s the initial kind of, “Okay, there’s something big happening.” The immediate second question that comes to mind for an ops center is, “Okay. So do we have people nearby?” So you’re thinking about facilities and the staff that works there and then you’re also thinking about travelers.
Jen Otremba: Yep.
Bryan Strawser: In this company’s case, they had a facility within a kilometer that had a decent sized staff, which means now they’re gonna reach out to the facility and make contact with the security team there.
Jen Otremba: Yep, “Are they okay? What’s going on there?”
Bryan Strawser: Are they accounting for the team or are they kicking off the process of what they need to follow? And then they’re looking at travelers. And they also had travelers there. In fact, the CEO was there. London’s low risk, so he wasn’t with anybody. He was just there. So they were able to … So there’s a direct contact from GSOC. There’s an individual authorized to make that call to the CEO, so they’re calling up making sure that he’s aware that this is going on and that they’re okay. And then the other immediate action is like many companies they’re using an international travel safety and security provider. That provider was also making contact and then letting us know and then activating a panic alarm on the CEO’s phone so that he knew he could hit that if the situation changed from being okay. That was all in the first 15 minutes.
Jen Otremba: Yeah. And I think of the travelers specifically or even the business that may have potentially employees there. Believe it or not, not everyone has the news up 24/7 like we do. So they may not actually know what’s going on. So we may be the first one to actually educate them on the situation that’s near them.
Bryan Strawser: Mm-hmm (affirmative). Then what happens, okay, so now you’re 15, 20 minutes in, you’ve pretty much determined or you have in flight. Here’s what’s going on generally. Breaking news is always wrong, by the way.
Jen Otremba: Yep.
Bryan Strawser: But you’ve made contact with your traveler. The traveler’s okay. You’ve made contact with the business. The business thinks they’re okay, but it’s gonna take them a while to confirm, maybe an hour, to make contact with all of their employees. Depending upon now what you have in place, you might be sending some communication or posting something, internal Twitter, internal chat, or perhaps it’s just an email update that, “Hey, this happened. Here’s the impact. Here’s what we have in flight. Here’s what we’ve done.” Maybe you’re activating your crisis process. Maybe not, it depends on your protocols. In this case they didn’t, but it didn’t rise to that level trigger for-
Jen Otremba: Well, if nobody was involved, then maybe it wouldn’t be necessary.
Bryan Strawser: Right. But if they had, then they would have brought together what they call their senior crisis management team, which is all kind of support staff and then a lot of the C-Suite together, and you would have had, again, this multi-disciplinary crisis team that would have talked about, first what has happened. Second, the impact of that. And then third is what do we need to do to support travelers in business, anticipated other problems.
Jen Otremba: Right. And that group’s gonna come from different perspectives. So you may have a travel department that could talk about different things. You may have HR human factor at the table, right, to talk about that. You might have facilities in the area that may be addressed for whatever reason. And then, of course, your communications folks. So external communications and internal communications, right?
Bryan Strawser: Exactly. And then you also have the … You will have started your accountability of employees, and that can be as simple as a phone tree. But if you’re talking about a headquarters location that has thousands of people, then you really want to have this set up so that you have a mass notification tool that can do data capture and it can call you SMS, email and say, “Hey, Jennifer. There’s been an incident at the Westminster Bridge with fatalities. The following roads or transportation stations are closed. Are you okay? Do you need assistance?”
Jen Otremba: Yeah, “Type Y for yes, N for no,” things like that.
Bryan Strawser: Exactly. Yeah. Or in some cases there’s an app on your phone that lets you do the same thing. But knowing that your people are okay is a really big deal and probably the most important thing that you can do.
Jen Otremba: Yeah. Once your people are okay, then the concern may be, “Well, this person’s okay, but their family is not or their daughter was involved.”
Bryan Strawser: Yeah. You can start to branch out-
Jen Otremba: Yes.
Bryan Strawser: … In terms of support.
Jen Otremba: And then also from there you’ve got key partners that may not be direct employees of the business, but they’re very key partners and very close partners to the business. So you may want to be looking out for them as well.
Bryan Strawser: Another challenge to look at when these things happen is to look at where your travelers are staying and where your team lives and do we need to make those decisions about, “Do they stay or do they go? Do they need to relocate? Do they need to be farther out?” We talked about this in a previous episode when we talked about Egypt, and we had to move people to a hotel and then we had evacuated expatriates and then we had done some things. In that situation, the same applies here, “Do we need to get them farther out? What was the incident? And what’s really the risk of them being there?”
And, of course, if you’re moving them out of the country then you run into the issue of, “Well, what passport do they hold? What’s their nationality? What passports and visas do they have? And what can you do in terms of moving them somewhere?”
Jen Otremba: And because there’s so many factors with moving people, that’s where that multidisciplinary team can really come together and discuss, “Okay, what is the best situation for this individual or this family of individuals?”
Bryan Strawser: Mm-hmm (affirmative).
Jen Otremba: Because it’s gonna be different every time.
Bryan Strawser: Mm-hmm (affirmative). And, of course, as you’re talking through this situation, you also have to be watching the current, the situation as it is right now evolve and decide, “What are you learning from that? What do you need to communicate? How does that impact the decisions you’re making? Are there specific things that are happening that are triggers that indicate you need to escalate your response or deescalate your response?” And you’ve gotta be managing all those balls in the air while you’re trying to talk through the items that we just outlined.
Jen Otremba: Right. You can’t be making decisions in a silo, so as an incident lead in the past what I have done is definitely delegate certain tasks to different people, right? So, “You’re gonna continue watching this. You’re gonna let me know if X, Y, and Z happens. Until then, continue watching. You’re going to be working on communication. You’re going to be working on this. You’re gonna be talking to the execs,” that type of thing.
Bryan Strawser: Mm-hmm (affirmative). We encourage folks to really think about … As you think about situational awareness, so really think about where your locations are and what are your news sources available that give you accurate information about those locations. We’ve always been an advocate of, “Okay, if it happens here, then these are the TV stations that I want to tune in to. Here are the news sites I’m going to pull up. Here are the Twitter feeds I’m going to watch, monitor for that specific location that’s gonna give me accurate information.” And I mean, here we’re talking governments or vetted sources, not Jane on the street who saw something happen that might not be a valid source.
Jen Otremba: Right. And also cross checking different sources. So if they’re all saying the same thing, that’s gonna say something different, then. This one’s saying this and this one’s saying this. Having trained individuals that know ahead of time which ones to tune into definitely helps.
Bryan Strawser: Mm-hmm (affirmative). Mm-hmm (affirmative). And, of course, you have your government sources, OSAC from The State Department, DSAC from the FBI, InfraGard from the FBI and others that will be making announcements. If there is an international incident, The State Department will have some guidance out within a fairly reasonable amount of time, but you’re going to want to react before that information comes out.
Jen Otremba: All of this is happening within the first, what do you say, hour? Two hours? Three hours?
Bryan Strawser: Well, first 24 hours.
Jen Otremba: 24 hours?
Bryan Strawser: Right. And keep in mind, some of these situations are … The London situation was essentially done in over three to four hours from start to finish in knowing the story, didn’t take long. But there are situations that unfold over a much longer period of time. Think about the-
Jen Otremba: Boston bombing for instance.
Bryan Strawser: The Boston bombing took a week. But I was thinking of the terrorist attack on the hotels in Mumbai, India back in 2011. I mean, that was a 36 to 48 hour situation that didn’t stop. So you have to be prepared for the long haul to kind of manage through this initial response and see that continue, and then you gotta start thinking about the shifts and how you relieve people and how you make sure people are getting rested to deal with what’s next. It’s a lot of complexity.
Jen Otremba: Yeah. And then while you’re managing this particular situation you have to remember that other things are happening in the world besides just this situation. You have to remember to continue monitoring everywhere else, too. That’s sort of, I guess, the rundown of what an incident could look like in a corporate command center or a GSOC or command center of some kind.