Reactive Vs Proactive | GSOC
Are you running a Security Operations Center (SOC) or Global Security Operations Center (GSOC)? Are you being proactive with your security approach or simply reactive?
Many organizations have GSOC/SOCs that are reactive, as these are easier to set up and were historically cost efficient with limited technological resources. You could throw some cameras up to monitor parking lots and entry doors. Maybe you have your access control dashboard up on a screen to deactivate lost badges or handle terminations that HR remembers to report to you, and your fire or burglary alarms most likely get called in to the desk operator, who notifies the key holder from some dusty binder sitting on a shelf behind them. I can’t be the only one who had this setup to start with, right?
When I first took over GSOC, I was expecting a little more proactive capability. More analytics being used, KPIs being measured, and maybe some threat monitoring. I wasn’t managing a regional SOC with a few employees, I was managing our GSOC with over 900 locations globally, ~10,000 CCTV cameras, global access control, burglary alarms, fire alarms, travel risk, and emergency response.
What I did have was a pretty large GSOC room with a wall of TVs and almost all the TVs monitoring the cafeteria that was 20 feet away. None of my operators had access to the badge access system, primarily Hirsch Velocity. They did have a screen that would scroll the Velocity event viewer with no filter. Imagine ~3000 readers being scanned throughout the day and the scans coming in across the screen with additional alarms but no ability to stop, filter, or even see what is going on more than a constant blur. There was a lot of room for improvement to say the least.
So, let's take a look at what a reactive GSOC and a proactive GSOC look like.
Reactive
A reactive GSOC primarily responds after incidents occur. Their focus is on monitoring, alerting, and incident response, often with limited predictive or preventive capabilities.
Key Characteristics:
Incident-driven: Responds when alarms, alerts, or tickets are generated.
Limited context: Often lacks integration between systems (e.g., access control, video, IT logs).
Manual workflows: Heavy reliance on operator judgment and manual triage.
Short-term focus: Priority is to restore normal operations quickly.
Example activity: An operator receives an alert from a motion detector and checks camera feeds to verify a break-in.
Pros:
Simple to set up and operate.
Adequate for smaller organizations or limited risk profiles.
Cons:
Misses early indicators of threats.
High false positive/negative rates.
Reactive culture — “fighting fires” instead of preventing them.
Proactive
A proactive GSOC focuses on anticipating, detecting, and preventing incidents before they escalate. It uses intelligence, analytics, and automation to predict risks and guide decisions.
Key Characteristics:
Data-driven & predictive: Uses analytics, AI, and threat intelligence feeds to detect anomalies and forecast risks.
Integrated systems: Correlates physical security (video, access) with cyber data and external sources.
Automation & orchestration: Playbooks automate standard responses to known threats.
Continuous improvement: Regularly assesses vulnerabilities and refines processes.
Example activity: Detects a pattern of failed badge entries before access control data and CCTV identify a potential insider threat.
Pros:
Reduces incidents and response time.
Builds resilience through prevention.
Enables strategic decision-making and resource prioritization.
Cons:
Requires higher investment (technology + skilled analysts).
Needs mature processes and leadership buy-in.
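The proactive example activity above (spotting a pattern of failed badge entries) can be sketched as a filter over the access control event stream, instead of an unfiltered scroll on a wall screen. This is an added example, not part of the original post or any vendor's code; the CSV layout, reader names, badge IDs, threshold and window are constructed assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events (time, reader, badge, result). The column layout
# is an assumption for this example, not an export format of any real product.
SAMPLE_EVENTS = """\
2024-03-04T22:01:10,LOBBY-01,B1001,GRANTED
2024-03-04T22:03:02,SERVER-RM-2,B2044,DENIED
2024-03-04T22:03:40,SERVER-RM-2,B2044,DENIED
2024-03-04T22:05:15,LAB-EAST,B1001,DENIED
2024-03-04T22:06:55,RECORDS-1,B2044,DENIED
2024-03-04T22:07:30,RECORDS-1,B2044,DENIED
2024-03-04T22:40:00,LAB-EAST,B1001,DENIED
2024-03-04T23:30:00,SERVER-RM-2,B2044,DENIED
"""

def find_denied_bursts(text, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per burst of `threshold` or more denied reads by the
    same badge inside `window`. Events must arrive in time order."""
    recent = defaultdict(deque)   # badge -> (time, reader) of recent denials
    open_alert = {}               # badge -> alert that is still being extended
    alerts = []
    for ts, reader, badge, result in csv.reader(StringIO(text)):
        if result != "DENIED":
            continue              # routine granted reads are filtered out
        now = datetime.fromisoformat(ts)
        q = recent[badge]
        q.append((now, reader))
        while now - q[0][0] > window:
            q.popleft()           # forget denials older than the window
        if len(q) < threshold:
            open_alert.pop(badge, None)   # burst ended; a new one alerts again
            continue
        if badge not in open_alert:       # first time this burst hits threshold
            open_alert[badge] = {"badge": badge, "first": q[0][0],
                                 "count": len(q) - 1,
                                 "readers": {r for _, r in q}}
            alerts.append(open_alert[badge])
        alert = open_alert[badge]
        alert["count"] += 1
        alert["last"] = now
        alert["readers"].add(reader)
    return alerts
```

Each alert carries the badge, the readers involved and the time span, which is what an operator needs to pull the matching camera footage.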
So which format is best for you and your organization? Well, that all depends on what you are looking for and how big of an organization you have. You may not need a proactive GSOC if you are a small organization with few employees. However, if you are a global enterprise with thousands of employees across dozens of locations, and depending on the risk or security measures your facility needs, you may want to look at having a proactive GSOC.
So, how do you make the move from Reactive to Proactive in your GSOC? This is a great question that I’m sure many of you are asking. Many organizations I have seen started off years ago with simple regional SOCs or even minimal GSOC operations. Eventually, they have grown into larger setups taking on more and more responsibility. The advancement in security technology has also helped. This is exactly what I walked into – a GSOC that was essentially set up as a SOC for one large location. Initially, there were about a dozen CCTV servers with a handful of access control panels. It subsequently took on the responsibility for all security monitoring for a global Fortune 50 company.
What We Need to Look At Moving From Reactive to Proactive
Integrating systems (video, access control, IT security, weather feeds, etc.).
Enterprise systems: are you running enterprise systems across your organization, or does each location have its own VMS and access control?
If you have multiple locations, I would recommend detailing your security systems during your site security assessments.
Implementing analytics & AI for threat correlation.
Check your current security systems. Do your cameras have technology you’re not taking advantage of?
Does your access control have alarms that you’re not taking advantage of?
Automating standard responses through SOAR (Security Orchestration, Automation, and Response) tools.
Developing threat intelligence programs (internal and external sources).
Training analysts to interpret data and identify early risk indicators.
Operator Training
This is one of the more difficult feats from both an educational and cultural perspective. You need to properly train your staff to use the new equipment but also break away from the “This is how we have always done it” mentality.
I also have found it difficult to teach your local regionally based GSOC operators to wrap their heads around global operations. Make sure to tailor your training to your business needs. If you need to understand the cultural differences in the regional areas where you work, make sure your training addresses those areas.
You’re also going to need to set KPIs for your GSOC team to make sure you are performing well.
I certainly do not use all of these, but there are a few that have been great for us.
Camera uptime- we keep a percentage of how many cameras are up and our timeline for addressing them once they go down.
Camera coverage ratio- this is a KPI we monitor but is actually within our Asset Protection group and not directly in with the GSOC. We conduct yearly Site Security Assessments and grade each location on camera coverage for critical areas and then the overall camera coverage. This goes into an overall report for each site.
Training Completion- this has been a critical KPI that I use internally as we have adjusted from reactive to proactive. Since I have been making a lot of changes within the team, I want to make sure that they are getting the appropriate training and we aren’t moving too fast.
Error Rate- this is aligning with our training completion above. If we begin seeing an increase in errors, we may be moving too fast.
Overall Incidents – we utilize a single tracker that inputs all preventative incidents, external threats, and incident hotspots. We utilize this data to find out how our global security team is moving, e.g., are we doing more executive protection, installing more cameras, having more insider threat issues, etc.
Investigations- investigations are collected and reported out if it is a theft, insider risk, or safety investigation.
Audits- percentage of audits conducted on access control, camera access, Active Directory groups, etc.
Your KPIs will be set by your team and will most likely change as you make the move from reactive to proactive. As we first began making the shift, our initial KPIs were more focused on the initial move and to better determine the direction we wanted to go. As we have become more established in our transition, we have solidified our KPIs to be more long term focused and align with the rest of global security.
The last topic I will discuss is the relationship between your GSOC and your technology team. I hope that your technology team, your access control and CCTV installation team, and the GSOC all report up through the same team. I was fortunate in the fact that soon after I took over the GSOC, I was also able to take over the technology team. Being able to have both of these teams together greatly increased the synergy between them. Not only that, but being able to have the GSOC working directly with the technology team sped up the training process with the GSOC.
There is also a huge benefit here that I did not initially expect to reap. How many of you have a high turnover in your GSOC? It may not be that surprising when the GSOC operators do not see promotional opportunities. How many of you also have difficulty finding quality technologists? Finding someone who knows your VMS, access control, and alarm systems is nearly impossible. However, if your GSOC operators are working with the technology team, you are able to teach the GSOC operators the skills they are drawn to. What I have found is that my high achieving operators have eagerly taken on learning the security systems to help out the tech team. This has greatly helped out not only the technology team but also the investigators who need access reports pulled or camera footage located and saved. I have even promoted several of the GSOC operators since making these changes.