The Intelligence Blind Spot Inside Today’s GSOCs

Security managers face one of the most demanding corporate mandates: defend against an always-expanding threat to the universe and do so with finite resources.

The scale of the operation calls for prioritization. For many global security operations centers (GSOCs), this has meant focusing on cybersecurity incident risk. This approach, however, has opened an intelligence gap that puts businesses at risk. Today’s threat landscape stretches well beyond cyberattacks. The relative stability of the post-Cold War era has given way to a resurgence of Great Power conflicts, intensifying regional flashpoints and public protests. 

Tensions between China and Taiwan, the recent tumult in Iran, and the continuing war between Russia and Ukraine are just a few examples of current geopolitical threats. Flare-ups can emerge at any time, endangering the safety of an organization’s workforce, multinational enterprises, and Fortune 500 companies, in particular. But physical security, while always a top concern, isn’t the only issue. Supply chains, global commerce and organizational reputations are also at risk. Damage to any of those will hit the bottom line and impact shareholder value. 

Against this backdrop, GSOCs must cultivate deeper intelligence by analyzing long-term trends to anticipate change rather than react to it. The goal is to respond appropriately and rapidly to fluctuating physical security and geopolitical events. But before we consider how to improve intelligence gathering and analysis, let’s examine the roots of the intelligence gap.

Cybersecurity Focus Limits Perspective 

GSOCs typically focus on cybersecurity-related risk. It’s easy to see why: There’s a material and immediate financial impact when threat actors obtain sensitive data or shut down enterprise systems in a ransomware attack. The prospect of a headline-grabbing data breach worries corporate boardrooms and C-suite executives. Businesses risk losing money and the trust of employees, customers, and partners. 

Another factor has been the lack of an urgent, overarching geopolitical concern that could compete for corporate attention. The end of the Cold War in the early 1990s ushered in a period of relative stability. With the geopolitical situation mostly calm, businesses prioritized what they saw as a new problem set and one that they could address through technical expertise: cybersecurity events. 

As a result, geopolitical threats and physical security have dropped down the list of GSOC concerns. That reduced focus increases an organization’s vulnerability to events. Organizations that neglect long-term global risk analysis won’t be prepared when a crisis occurs. Their reactive posture virtually assures a rushed response. The Russia-Ukraine war provides a case in point: The 2022 invasion caught many businesses off guard, forcing them to improvise in real time without a pre-established plan.

To the extent that businesses look beyond cybersecurity, they tend to focus on highly localized security issues. Here, investments are designed to protect against insider threats, terrorist attacks and mass shootings. While those measures are clearly important, they don’t address the expansive nature of geopolitical risk. 

The threat environment has indeed changed. GSOCs that restrict their purview to cybersecurity and local security concerns miss the bigger picture. 

Diminished Intel Teams Increase Vulnerability 

Input from a corporate intelligence team or department might broaden a GSOC’s perspective, but those organizations have been dismantled or significantly reduced over the years. Post-Cold War attitudes also play a role here. The business community has become complacent, treating geopolitical crises as a thing of the past. That view has led many corporations to shrink their commitment to intelligence teams. 

Corporate cost-cutting measures also contribute to this trend. Geopolitical risk assessment requires a long investment horizon, and the return is perhaps less obvious compared with cyber defense. So, budgets are reprogrammed to address online attacks at the expense of a more comprehensive security regimen. 

Businesses, however, increase their risk profiles when they shrink their intelligence teams. Limited insight into geopolitical tension could endanger employees. Beyond physical safety, logistics and operations also become vulnerable. Regional risk assessments can inform logistical planning and help organizations implement measures to reroute aircraft from contested airspace or to reroute ocean-going vessels from threatened shipping lanes. 

An intelligence gap can also put budgets at risk. A disruption in the Strait of Hormuz, for example, would affect commodity prices. But companies that anticipate events that could trigger an oil price spike can adjust their budget planning accordingly. 

Reduced investment in corporate intelligence hinders organizational security across the board. Corporate teams, whether in logistics, operations management, finance, or corporate communications, don’t have the expertise to analyze geopolitical trends – their core competence lies in their respective specialties. They need support from a corporate intelligence firm. 

GSOCs Receive Poor Quality Intelligence 

Complacency, cost-cutting, and a narrow cybersecurity focus all combine to create an intelligence gap. Unfortunately, attempts to close that gap often fall far short of the objective. The corporate intelligence efforts that survived cutbacks often provide information of limited value. That’s because they rely on archaic methods and systems. 

Those approaches generally fall into two categories. In the first group, companies rely on human-driven analysis that’s slow-moving and overly broad. The information proffered isn’t tailored to a business’s specific needs. In the second group, companies employ technologies that prioritize alerting: when an event occurs, the system highlights a specific trouble spot. That approach, however, lacks contextual nuance and isn’t much different than getting a phone alert from a news organization – technology that’s been around for decades. 

Alerts do serve a purpose: They provide geopolitical information that’s good to know. What they don’t provide is an in-depth analysis that helps decision-makers take proactive steps during a crisis. 

Other Errors in Geopolitical Risk Identification 

An event‑alert system, on its own, is an inadequate platform for effective risk management and security decision-making. But GSOCs also face other pitfalls. One issue is the use of keyword-based systems. With such a system, a user seeking news about the county of Lebanon will receive information regarding all geographic locations containing the keyword “Lebanon.” 

Keyword logic inundates security professionals with information, making it difficult to assess its relevance. GSOC personnel experience an unfavorable signal-to-noise ratio. The data deluge slows incident response. In addition, a lack of contextual understanding hinders efforts to address an unfolding situation effectively. 

GSOCs that are beginning to take on a geopolitical analysis role can also struggle with source validation. Analysts must recognize that not all sources can be graded equally, and that the reliability of their information can vary. Source validation, while second nature in military intelligence, isn’t always fully grasped in the corporate world. 

This deficiency leads to extreme reactions: corporate security analysts either trust everything or find everything suspicious. The ideal middle ground provides a stronger foundation for analysis and even considers disinformation or propaganda. Learning what narrative a government aims to advance is useful intelligence. 

Closing the Intelligence Gap Through OSINT

Contending budget items, outdated intelligence methods and imperfectly understood sources all contribute to the intelligence gap. Closing the gap requires organizations to move beyond the often-limited scope of their endeavors. Adopting open-source intelligence (OSINT) is a key step in that direction. OSINT has grown rapidly in recent years, enabling intelligence practitioners to gather information from public documents, traditional and social media, and other online sources. OSINT can make GSOCs more effective by providing a richer intelligence source than news bulletins and event alerts. Assessing social media in specific cities along a transportation route, for example, can provide security managers with insight into the safety of logistics networks. 

In addition, monitoring state media channels in other countries helps organizations assess threats beyond what U.S.-based news outlets report. Using such sources, a GSOC can, over time, build a series of key indicators and warnings that signal escalating risk. OSINT, when done properly, can help organizations analyze situations and become more proactive when a crisis occurs. 

Many companies have struggled to leverage OSINT for in-depth analysis to support decision-making. The rewards can be significant, but this approach requires knowledge – source validation, for instance, and an understanding of what OSINT is and isn’t. People may equate OSINT with little more than reading the news, but effective OSINT demands an in-depth approach. For example, a news report could indicate that an explosion happened in a particular area. OSINT will consider the report and also attempt to validate and geo-confirm the information using an image. 

From a technical standpoint, OSINT requires the ability to ingest large datasets for analysis. That’s yet another factor for GSOCs to consider as they expand their intelligence gathering. 

Developing a Reliable Response to Geopolitical Risk 

Assessing geopolitical risk and bolstering physical security starts with prioritizing threats. In miliary terminology, that’s called establishing priority intelligence requirements (PIR). A PIR identifies the threats to monitor and guides the intelligence initiative. Depending on the company, a CEO, COO, president or other business leader could set the PIR.

Planning begins once priorities are in place. Security managers determine which assets to collect, including OSINT, in the corporate context. The focus then shifts to where the organization can obtain the most information. Data ingestion and analysis follow. Information is then disseminated to the key decision-makers and stakeholders. 

How does this work in actual practice? A top-level business leader might identify the outbreak of a regional war in Asia as the No. 1 geopolitical priority. The build-up of indicators and warnings establishes the critical triggers. Once those pop off, the informing phase of the intelligence process transitions into the decision phase. The stakeholders gather, evaluate predetermined courses of action, and select the way forward. 

Two other considerations in geopolitical risk response come from opposite ends of the intelligence spectrum: AI technology and human knowledge. AI and related technologies, such as large language models, enable GSOCs to collect and analyze vast amounts of intelligence data. AI’s ability to recognize patterns provides contextual understanding that’s largely lacking in keyword-matching alerting systems.

The human aspect, meanwhile, is crucial for making judgments based on the data. Regional expertise is especially important: a GSOC with an interest in China's geopolitics needs an expert to interpret AI model outputs. 

A Recurring Pattern Meets a Continuous Process

Building a firm foundation for managing geopolitical risk and physical security will help GSOCs deal with the return of Cold War-era tensions. Organizations that equip security managers with actionable intelligence insights will have an edge in threat mitigation. Moreover, the prepared organization can proactively implement plans to keep business operations running during geopolitical crises.

The task ahead is not only to build such a capability, but to commit to its ongoing operation. The times demand a consistent, continuous process.