From Reaction to Resilience: Evolving Incident Management with Michael Civitano

0:00

Manish:

Michael Civitano is an accomplished security leader with expertise in revitalizing underperforming intelligence, physical security, and GSOC programs, transforming them into world-class operations. Currently serving as the Senior Security Manager of Intelligence and GSOC at ServiceNow, Michael oversees innovative intelligence solutions and ensures operational safety for over 28,000 employees worldwide. He provides strategic briefings on geopolitical risk and foreign threats to senior executives, also having earned the CFO award in 2023 for exceptional leadership during a global employee evacuation. With a career spanning military service, law enforcement, and corporate security roles at Twilio and Allied Universal, Michael specializes in maximizing resources, fostering team trust, and aligning technologies with business objectives. Please join me in welcoming Michael to the Connected Intelligence Podcast. Michael, welcome. Good to have you.

Michael: 

Thank you for having me on, Manish. Appreciate it.

Manish:

You’ve been a great friend of the business. Michael, thank you. And maybe let’s tell our audience a little bit more about your career journey and what brought you into the corporate world and private sector and ultimately into the GSOC. Yeah, love to hear your story.

1:44

Michael:

So, I really was doing nothing with my life up until about 2011. And that’s when, you know, one of my classmates in college, which I did not do well in, handed me a pamphlet and said, hey, have you ever thought about joining the Army? And so, gave it some thought. You know, my family had history in serving in the U.S. military. And so, I kind of made the plunge in. Served from 2011 to 2014, Army infantry. Really enjoyed what I did and really kind of gave me the baseline for how leadership should be, and really learning those leadership skills on how to treat people, how to manage teams, your team meets before you do mentality, and so that really kind of set the tone for me just on leadership. And then from that point, I did a brief stint with the Waco PD, and that was, again, another eye-opening experience and just kind of showing how to interact with the public, how we’re interacting with people on a daily basis. And so really after that, I went back to college, moved back home. And that’s when I really started getting into the corporate security. I was looking for a job to work while going to college, and I really started enjoying what I was doing. And then just getting exposed to some of these technologies at the time, where we’re just leveraging, you know, the early automation, very early stages of automation. And then from there, it just kind of took off. I applied for a role at Universal, had a major leadership role there, global security, overseeing multiple offices for a large tech company. And then, again, just seeing and being exposed to all that tech got me to take my next step with Twilio, where I was the physical security manager, as well as overseeing the GSOC and elevating that team. And then after my time there, I came to ServiceNow and physical security manager, oversaw the GSOC, was promoted into the intelligence manager role, and then from there, the GSOC came back under my purview, and here we are today.

Manish:

Very proud of your career trajectory. And for those of you who are listening or watching, certainly check out Michael’s posts on LinkedIn. They’re really insightful and it’s really an incredible journey. Michael, we know your boss really well. He’s been on this podcast before. I imagine you’ve had a lot of experience trying to demonstrate or finding ways to demonstrate value through metrics and reporting. How has that evolved and what have you learned along the way and what techniques do you use today?

4:06

Michael:

Yeah, I think one of the biggest things is we just got to keep it simple. You know, there’s a lot of times we try and think, how can we reinvent the wheel or reinvent the process that might be good? We just need to tweak it. So for me, it’s just speed, resolution and recurrence. And, you know, with ServiceNow, the biggest piece was when I took over the GSOC mainly was to just cut down our detection times. Coming in before we shifted to our new vendor, it was just the time to detect incidents, let the business know about these incidents so they can prepare and do what they need to do from the business continuity perspective. It was poor. It was very, very poor and it put the business in a really precarious position. And I think the biggest thing for me was just emphasizing to the executive leadership, to the senior leadership, that we’re not just simply reacting, we’re forecasting, we’re looking at these events, we’re looking at these incidents. What’s the likelihood of this happening? Is it going to be a yearly occurrence? Is this a one-off? And just being able to use that mentality to avoid undue exposure to the enterprise and be able to be a team player to the business because there’s multiple other business units that are going to be leveraging what we’re doing in the GSOC to ensure that their teams have contingency plans ready to go as well.

5:21

Manish:

Many of our listeners do run global operations just as you do. They have the few but mighty, the small but proud teams. I can imagine, and maybe unpack for our audience the, complexities of 28,000 employees, all of these regional locations, It’s gotta be different in terms of the intake process and flow and regulations and maybe just help shed some light and educate our audience on some of the complexities that you’re dealing with and how you’ve overcome those.

Michael:

Yeah, absolutely. You know, with having multiple regions and working with multiple stakeholders in different regions, there’s a lot of nuance, and we need to make sure we’re understanding that, being respectful of that. And again, one of the big tools that we’ve started leveraging and investing in heavily here at ServiceNow is just the usage of AI, not simply as just a cure-all, but as an assistive tool to make us, again, smarter faster and just better resolution times and so you know when we leverage ingesting the signals that come through, risk events that are coming through, we understand after having previous discussions, with HR in those regions, with the WPS of the office managers, with the regional security managers, what do you want to see?  What is the impact to your region and what can we filter out so that way we’re not creating undue noise but leveling up and bubbling up what really is impactful to their regions and I think that’s something that usually gets lost in translation is that there’s a catch-all it’s what’s impactful here is going to be impactful everywhere else, and I think we need to be able to cut through that mentality and realize we have multiple customers, is not just one big customer, we have multiple people that were supporting and business units that were supporting and so that was one thing that when we build out the GSOC and just the way we’re leveraging AI with security platforms, etc., we just want to be really pragmatic about how we were reporting, the ways we were reporting. And it’s really since then, just kind of having those sit down discussions, being able to have those, that tough dialogue to figure out, okay, let’s dial this back. It’s really paid dividends for the team, you know, because again, we’re just leveraging our regional subject matter experts, the RSMs in those regions to tell us what really, you know, kind of gets the ears perked up. And I think that creates a better symbiotic relationship, and it’s not just simply a mandate coming from the GSOC, you’re going to action on this it’s more so hey this is what you want to see this is what we’re providing to you.

07:54

Manish:

AI, an interesting, an interesting inflection point in our history. Obviously, ServiceNow has been very progressive. You guys have been very progressive. Maybe break some of that down for this audience. There are buzzwords out there, everything from gen AI to agentic. How have you guys leveraged it and maybe even unpack a little bit of those workflows to help you scale?

Michael :

Yeah, absolutely. So, you know, we’re working with a few vendors just, again, on the use of AI, not only just external platforms, but also in-house. You know, we want to leverage our own product in a smart way. And I think one of the big pieces is understanding how are we going to use this AI, not simply just spread across the board this is going to be what are the actual targeted uses for that and so you know you hear agentic AI a lot and that’s something that I think for me and the GSOC and intel team is the most exciting to see is because they can act as literal agents providing that initial triage going through that intake, filtering out the noise, getting to what really matters. That way, the analyst, the human in the loop, is able to grab that intelligence, review it quicker, faster, and make those executive level decisions that senior leadership is waiting on. I think when we look at AI, it’s not going to be the cure-all, but more so an assistive tool in a way that we’re able to elevate even further our analysts to let them do that critical work we hired them for and keep them away from the busy work that AI can leverage and assist us with. I think that’s going to be a big piece along with predictive analysis. Again, a lot of people try and predict world events. Some are very easy and some are very hard, they just happen. But again, leveraging AI, there’s multiple vendors out there that I’ve seen where they’re starting to leverage this thinking, this AI, where I don’t want to say it’s going to predict the future because no one can predict the future, but it leverages mathematical equations, likelihoods, pulling from history. That way it gives you just maybe a slightly clearer picture than it did before about, is there going to be turmoil in this region? Is workplace violence going to happen at this office sooner because of events that have occurred and ingesting our data? I think that is going to be really how AI is going to help enterprises mitigate workplace violence, but also forecast what’s happening in their regions, and be able to really move around BCM teams and security teams to address as needed.

10:28

Manish:

I agree with you. I think AI is going to promote and provide that step function change. But what advice would you have for GSOC teams, especially those that are a bit more cautious about AI? Maybe their legal teams internally are not quite ready for them to adopt. So put AI aside for a moment. What else could GSOC teams do? If you just think about incident management, if you think about the complexities of running their operations to help them be far more efficient, far more effective.

Michael:

Yeah, I think it just goes back to the people, process, and technology. You can remove AI out of it. Like you said, let’s just put AI to the side. You have to look at the people. Oftentimes, I see teams attempting to put repurposed guards into GSOC seats. While it’s well-meaning and they’re really trying their hardest, you’re not leveraging that people talent and being able to upscale, so that way, we’re making an impact with those teams. And I think people is the biggest process because if they’re not able to understand those nuances, it doesn’t matter what processes and what technology you have in place. If the lowest person operating on the team can’t understand it in a simple way, the chain’s already broken. And so I think really investing in personnel is going to be the key piece, but then also the processes. I’ve seen when I first came here and then other businesses I was at as well, a lot of times these processes and SOPs, eight to ten pages long, and in a fast-paced world, it’s almost like law enforcement. You have to be able to understand the law when you can use discretion when you can’t and the granularities to it. You can’t go off eight to 10 page SOPs. You need to keep that narrowed to one or two pages where someone can quickly understand that and then action upon it and it becomes that muscle memory. And I think a lot of GSOC teams and security teams drown in SOPs. And when something happens, they realize there was a process, but it was so long and so convoluted that it really just, it mitigated the entire reason that SOP was made. Then it comes down to technology. Obviously, if we’re not using AI technology, what helps the business today? What can we take off the shelf and leverage today that will help mitigate threats, help us at least get ahead or be more proactive in detecting these threats? Obviously, with Ontic, we leverage that with the intelligence coming through, etc. But there’s also just open source. People forget that there’s a lot of open source intelligence, Instagram, Twitter, where people will post things. I think that’s the key is, teams that are on a budget, you don’t have to break the bank. You can leverage one platform and then utilize those other free sources and still be a potent team that’s able to make impact for the enterprise. Without AI, there’s still absolute impact and it just goes down to those three core pillars.

13:52

Manish:

There are many security leaders that I’ve spoken with, and I’m sure you have over the years, that continue to refer to GSOC as monitoring centers or, you know, they have this bias that it’s just triage and maybe even analysts with limited skill sets. Let’s bust that myth today, maybe up-level it. How should security leaders really be thinking about GSOCs in the totality of what they manage from incident all the way through risk management?

Michael:

Absolutely. Yeah. It’s a really great thing that you mentioned there. You know, when I first came on GSOC, it was still just, yeah, we have it, it’s the CCTV, the old, you know, the badging and dispatching guards, someone held open a door, etc. And I think you know, since 2023, I would say 2022 onward, you know, there was a lot of events in the world where there’s workplace violence, there’s geopolitical unrest, and a lot of times, teams would go, you know, there would be stakeholders from travel, stakeholders from the office management teams, real estate, reaching out, what is this impact? And you would have regional security managers scrambling to find the answers because the GSOCs weren’t really monitoring those as closely, it was more so reactive, what’s happening right here on site in our office. And I think since a lot of these events have occurred and just really the reenergizing of GSOCs, that’s kind of changed perspective. GSOCs have become the nexus for the enterprise, and when I say that, what I mean by that is oftentimes, you know, for example, with our GSOC team, they work closely with our travel risk team. Whenever things are popping up, even though our travel risk team may already see that, they’re reaching out to them, building that connective tissue. So that way they understand, hey, I can leverage the GSOC if I have questions about geopolitical happening or what’s occurring in a region. We don’t have much information. They become that critical point for the business where they can go to them. IT comes directly to us. We have that great relationship. Investigations with HR, great relationship. And so really it goes beyond just the guns, guards, and gates, as I’m sure we’ve all heard, and the monitoring of CCTV. It really, again, comes back to the personnel that build those relationships, like I’ve mentioned before, the people, having that upscale talent that can build those relationships, become that trusted point of contact, no matter who’s on shift. And that, I think, for me, is where we have seen the GSOC change. And I think a lot of businesses that have begun investing in their GSOCs have seen that change is where they’re quarterbacking connecting teams that normally would never meet, but they need to, being that connector. And so they don’t have to be the problem solver, but simply connecting those teams. I think prior to that, there was, I would say a lot of lag time between, you know, maybe HR and investigations reaching out and that pipeline and smoothing that out and making that a lot more seamless integration. So, you know, GSOCs are becoming the nexus point. I think really we’re gonna get to the point if you don’t have a GSOC, you’re in pretty dire straits.

16:55

Manish:

So maybe a two-part follow-up. One, how have you seen the hiring profile change as a result of that, if you think of those people? And then square the circle for me and our listeners on this trend towards outsourcing versus insourcing GSOC teams. You’ve written about it before, but I think your perspective would be valuable.

Michael: 

Yeah, absolutely. I think, you know, when we redid our GSOC, one of the critical pieces was we want the talent, we want that, that talent that understands those critical asks, they have that critical thinking, they understand, if we were to say, where’s Jakarta, they can point to one on a map, and they quickly understand, yes, I know what’s going on in this region, for the most part, and I can tell you where it is on a map. And so, you know, when looking at the talent, I think we have to move away from just simply someone that checks the boxes. But going beyond that, what is their understanding of not only geopolitics, but security, white glove service, just that human interaction, I think, is something that often gets lost and isn’t really delved into. And granted, it’s a very fast paced industry, we need to get people in seats, we need to have these operations up and running. But if you’re able to take that time and really dig in and see and ensure that the personnel that are coming into those seats are exactly what the business needs. Again, in the tech industry, white glove is a huge thing. And if they don’t understand those nuances and they can’t embed into that culture, that right there is gonna be a disconnect. No matter how much training, how good they may be, if they don’t understand those nuances of the culture within the business, it’s gonna be a pretty rocky road from there on out. And so, to your other question where you mentioned just internally hiring versus externally hiring. I’m all for building vendor relationships. There’s a lot of vendors out there and there’s a lot of talent out there that I could say they would be a great internal hire. But listen, I’m very much in depth and in tune with GSOCs and with hiring personnel, but I’d rather go to the specialists that understand this. Hey, you’re looking for GSOC talent, you’re looking for a myriad of requirements for your role, guess what, we know exactly the talent you’re looking for and we have that talent pipeline I think building those relationships with the vendors and pushing them to understand your requirements is a key piece because again what I think is great, is probably different from what they think is great. And they might actually have a better great than mine. And so I think, again, just being able to look internally and say, hey, I’m going to leverage a vendor relationship and be able to trust them to provide top level talent that will support our enterprise, build into the culture, build that connective tissue and just become again, trusted points of contact within the business. And I think that often gets overlooked is just how they build those human relationships beyond simply just putting a heartbeat in a seat.

19:49

Manish:

Very helpful. Look, we all have those moments in our career. You had one a couple of years ago, which resulted in that CFO award, that global employee evacuation. Maybe reflect on that moment. What did you learn and what are some lessons that you can share with our audience?

Michael:

Yeah, absolutely. It was something that really caught us, I would say, off guard, but I don’t think anyone was expecting it globally. It really just started out with a simple, hey, we have someone in this area. They might need help. Can you reach out to them? Upon reaching out to them, the employee was quite frightened. They didn’t know how to handle the situation. They didn’t know where to go through. And so I think one of the biggest pieces for me that I learned was you have to be pliable and you have to be fluid when building a plan. And the event that was occurring was very fluid. It was not static and it was consistently changing all over the region. And we really, I was tasked with building a plan to ensure to get person from point A to point B safely. And then when they were at point B, we realized we had to move them again to another hotel because the original point B wasn’t as safe as we thought it was. Again, the situation changed. And so we have to, you know, I understood that planning on the fly is a critical, critical skill to have and to be able to understand that plans are not going to go perfectly. You need to be able to pivot quickly and understand and look at the threat environment. And so that was one of the big pieces, again, when we were building this out is just building the relationships with our travel team, figuring out, hey, can we get this person a flight out? When’s the next flight? What does that look like? And again, building and leveraging those trusted relationships where they saw I needed that support and they provided it. And if I didn’t have that relationship, it might have been again, a completely different experience, where they wouldn’t go as out of their way. And so again, that, that was something that I learned quickly was just leveraging the team around you and those relationships to help the employee for the betterment of the employee to get them out of that situation. And so I think, again, just circling back to it was a really pragmatic way to get them out: be fluid, be pliable, and then, you know, a couple of long days, a very long week, tracking and making sure. And I think it’s also the human element too, is just, it was one employee touching base with that employee. Are you okay? Is everything going okay? Is there anything we can do and provide you on that end? So I think that really just opened my eyes on a grand scale of just how impactful, uh, building an operation on the fly can be.

22:25

Manish:

important lessons. Final question for you, Michael. We have one at the very, very end, but I personally think silos are the enemy, and I know you agree. Silos tend to be cultural. They tend to be organizational, process, tools, technology, data. They’re everywhere. How have you overcome or addressed silos in your career and certainly in the context of the GSOC?

Michael:

Yeah, I think the way to frame it is, you know, incidents aren’t just security problems, they’re enterprise risks. And, you know, from that perspective, you know, HR, legal, IT, facilities, office, having them lean in and not be opposed to that support. And, you know, at ServiceNow, what we do with our security team is we built a lot of cross-functional playbooks so that way roles were defined before an incident. No one is scrambling to figure out what to do. We built these playbooks so that way everyone could see the same picture in real-time. Everyone was on the same sheet of music when something was occurring. I think that transparency and pre-alignment to when these incidents occur, however they may occur, I think that just really elevated our response and just becoming a more trusted voice within the space is really what we were able to leverage these relationships a lot further than previously.

23:51

Manish:

All right. Our final question, it’s tradition here. What does Connected Intelligence mean to you?

Michael:

Yeah, that’s a good one. I was thinking about that all week and I think, you know, again, just going back to the previous question, Connected Intelligence is where multiple teams that normally wouldn’t be connected to that intelligence are able to be connected to that intelligence. Ensuring that the entire business sees the entire picture, and not just our team, we’re sharing out what we have, we’re keeping that connection with those other teams. So that way, they’re able to see what we’re tracking. And then they can escalate that maybe to other stakeholders that are not privy to that, or we didn’t know that they would be interested in that. And that just provides almost multiple layers of connection, friend of a friend, so to speak, where they can go back and say, hey, where did you get that from? And that connection will bring them back to the intelligence team, to the GSOC team, to the security team. And I think that is really how you can measure impact. The impact security has had in a business is when you have teams that normally you would never know about reaching out to you, asking for support, asking for further information. And I think that’s something that we’ve done here that has been really, really impactful.

Manish:

Love that. Our guest today, Michael Civitano. Michael, thank you for joining us.

Michael:

Thank you for having me, Manish .

Manish:

Appreciate it.