What Does Our Competition Know About Us, And How Did They Get It?

Whether it is a new product launch, a new service or a company merger, there is a whole new calculus for today's security managers

In altogether too many companies, this is a question that is asked by senior management after a well-developed, well-financed, and otherwise well-planned new product launch has fallen flat. The new product could have been a victim in yet another one of those cases where the competitor got their product out first, with all the implications that has for market share. Or, the competitor got to market just shortly afterwards with a much improved version at a lower price. Worse yet, maybe they got there with a better product at a lower price even before your product got out of the starting gate.

But, this kind of question is not just being asked about abortive product launches. It's being asked with increasing frequency across a variety of industries, in a variety of ways about many different elements of business operations. So, whether it's a new product launch, a new service, a merger or an acquisition that went awry because of premature exposure, a major contract that had seemed to be in the bag, there is a whole new calculus for today's security manager.

How did the competition find out?

Sometimes this question is being asked of a group of managers which includes the head of security; at other times, the security manager is not considered a part of the team at all. In either case, if you are the security manager, what is your response?

If you're not part of the group, perhaps your first response should be to ask "Why not?" and then set out to make yourself a larger contributor to your firm.

For those who are already part of the group -and for those who are soon to join such a group - this article is designed to help you understand emerging security challenges. Security professionals may also see an expanded role for security operations in helping their companies deal with the changing conditions of an increasingly competitive marketplace.

Our experience in helping companies protect business operations - and information about them - tells us that the answer to the question depends largely on four factors:

1. the orientation of security managers;
2. how they developed those orientations;
3. how they lead the security function
4. the kind of charter the security function has within the company - essentially, how the corporate leadership views the security function.

A Tale of Two Companies

For the sake of illustration, we'll use two companies where this question is being asked - Applejack Products and Zephyr-Tec Electronics The primary difference between these companies, for the sake of this review, is the security function. Applejack Product's security director thinks in terms of "cuff 'em and stuff 'em"; Zephyr-Tec Electronics' security philosophy is centered on direct and meaningful, proactive, business operations support.

Both companies have lost out in market presence and share because they were beaten to the punch. Senior management wants to know why and the answers seem to be in short supply. No one is really anxious to step up to the plate and give any hard answers to hard questions because in doing so, they begin to enter potentially dangerous career waters. It's in places like these that it's sometimes well to remember the strong similarity between the Chinese characters for danger and opportunity. In this case, we'll consider that the signs point to opportunity.

For this example, we'll also have both companies share similar business situations, practices and processes. They both seem to have the necessary ingredients for success in their respective business areas.

Each has a cadre of reliable suppliers with great records for on-time delivery of sub-components with low rejection rates. Both firms have worked hard to develop distribution channels that get the product to marketplace quickly and reliably to ensure the consistent supply necessary to capture and keep new customers.

They've also recruited the most dedicated and knowledgeable employees in their industry, employees who knew just how to get the best products out of every minute spent in production. Their managers were proud of the contributions of the members of their production teams and marketing and sales professionals could present new products in the best possible light to the marketplace. And, both were led by experienced executives who thoroughly understood the competitive arena and had the smarts to prevail.

For comparison, we'll refer to the security leadership in the two companies by their differing approaches to security management:

Security as a reactive crime stopper: At Applejack, the security function is seen as a necessary cost center, focused on "gates, guards, guns and dogs" kinds of issues. The possible answers to the question of how Applejack's competition beat them to the punch seem fairly clear. The security manager's perspective is framed by a professional background in law enforcement - a background shared by over 50% of today's security managers. And, when he was brought on board to oversee the security function, that was the best kind of a background for the times and conditions.

Responses:Sitting in the post mortem meeting about the product launch disaster, the security manager ventures a vague guess about "industrial espionage" or theft of a key component that allowed rapid reverse engineering. His recommendations reflect the belief that one or two primary secrets were stolen outright and that the competitor obtained them illicitly.

Based on one of the most basic articles of faith in the security manager's lexicon - that the primary threat to information security comes from the company's employees - it's clear that an investigation should be initiated. And, at the outset, everyone is a suspect.

Effects on morale and cooperation follow a fairly predictable pattern. The orientation is principally one of finding the guilty party, making sure that whoever has responsibility for punishing the ne'er-do-well gets a chance to do so, and then getting on with the next problem in line. Of course, the recommendation for an investigation is made with the caveat that in cases like this, there is no certainty that the guilty parties will ever be fully identified.

But, perhaps the Applejack security manager is a little further thinking than that. He may also recommend increasing the number of patrol officers, lighting and fencing, and adding to the number of video cameras mounted in strategic locations. He's also thinking about how this might be a good time to request some additional money to buy video training materials and make security practices a larger part of the corporate training program. In essence, using the situation to further justify the past three years' budgets that have been regularly under funded.

Further, it may be time for some changes in security procedures across the company, like mandating - instead of just recommending - changes of combinations to security containers or passwords to computers. Trying to think strategically, he considers a more effective classification management system, in which identifiably sensitive information is more carefully handled and controlled. Maybe this situation will also help him get the support he needs to ensure that all visitors wear access badges, all the time. It might even be time for the purchase of those shredders he's been thinking about, and requiring everybody to destroy anything that appears to be sensitive mere disposal as regular trash.

While any or all of these measures may well be just what the doctor ordered, there is yet another whole dimension to the issue.

Security as a proactive business function:On the other hand, Zephyr-Tec's security function operates on a much more direct, business support level. At Zephyr-Tec the actions of the security functions are more active than reactive. It's part of the profit side of the business instead of a cost-center and security integrated into the information process.

Zephyr-Tec is the kind of firm where the security management function's responsibilities include protecting the component parts of a firm's competitive edge. Instead of looking solely at the core of the new product as a simple entity that was 'stolen' by a competitor and making recommendations on the basis of that view, he goes several steps further. He's also interested in making certain that if there are any holes to be plugged, he finds out where they are and how to plug them.

Responses:In this approach, it naturally follows that the security manager at Zephyr-Tec would first determine what defines the product's crown jewelry. Looking at it more closely, he sets out to identify all those smaller jewels that make up the core or relate directly to it. Once they're identified, compiled and viewed analytically they may well present a clear picture of the product without ever having resorted to theft of the jewelry itself.

Once the actual strategically critical elements have been identified, Zephyr-Tec's security manager meets with the head of the company's competitive intelligence (CI) unit, a department started within the past year in response to management's need for a better understanding of the competitive environment. He asks if it might be possible to use some of the people in the CI unit to help with his inquiries. He doesn't know much about the work they're doing, but he believes that they are involved with trying to get the same kinds of information about Zephyr-Tec's competitors that was critical to the new Zephyr-Tec product's success or failure.

The CI unit manager agrees to help educate some of the security department's investigators understand the legal and ethical, yet very effective, ways in which they are able to gather information about Zephyr-Tec's competition and to use it for strategic purposes. He acknowledges that although he's thought from time to time about how the competition is working against Zephyr-Tec, he's been fairly busy with his own assignments that protecting Zephyr-Tec's information has taken a back seat to collecting it from and about their competitors.

Perhaps it's time for the two departments to work together.

In fairly short order, the CI unit helps the security investigators learn some of the ways that they would collect information from the various departments in Zephyr-Tec where indicators and elements of the crown jewelry might be found. Taking what can be termed a "red-team" approach, the Zephyr-Tec security team identified a number of vulnerabilities that a competitor could have exploited and still remained well within the law.

A "researcher" (ostensibly from outside the company, but in reality an investigator from Zephyr-Tec's own security staff) conducted numerous telephone conversations with various employees in different departments ranging from the home office to the manufacturing plants. From these conversations, a very interesting picture of the new product emerged in less than two weeks. When tied together with the identification of easily exploited patterns and only moderately sophisticated open literature searches, a wealth of otherwise sensitive and proprietary information about the product and its supporting strategy emerged.

Analyzing these disparate elements from a competitor's point of view, it was quite apparent that information from the periphery produced a remarkably clear picture of Zephyr-Tec's intentions.

As a few examples of how open sources could be exploited, researchers were able to:

1. deduce the probable production dates for a new product from a review of newspaper classified advertising for new employees;
2. gain an understanding of the techniques that would be used in the production from a review of the same advertising;
3. gain an appreciation of the strategic part the new product would play in the direction of the company, and how it related with other product lines, derived from a review of the remarks that Zephyr-Tec's president made to the local Chamber of Commerce;
4. obtain the layout of the manufacturing line for the new product from documents filed with the local emergency management office;
5. gain an understanding of some advanced manufacturing techniques to be employed in making the new product, derived from an article in a technical journal written by a member of the engineering staff; and,
6. gain a clear picture of the penetration strategy to be employed by Zephyr-Tec, complete with a statistical treatment of how the pricing and distribution decisions were made, deriving from an article in a professional journal written by a member of the market research staff.

Once these elements were developed, they served as "pointing and tracking data" that showed the investigator which direction to take in his telephone calls to staff members of Zephyr-Tec and others. By the time she'd completed her inquiries, the investigator had developed a real appreciation of a basic principle of competitive intelligence collection. This is the principle that people give away a terrific amount of valuable information simply because they don't realize the value of it.

As a few examples of the way in which human sources could be exploited, the researchers were able to:

1. identify the sub-assemblies associated with the new product, the sub-contractors who made them, and data associated with delivery schedules, quality and reliability of the various sub-contractors, pricing and volumes issues, and weak points in the relationship;
2. estimate annual production rates, based on a data obtained from the company that would be producing the packaging materials for the new product (which also gave insights into the design characteristics of the product);
3. confirme the production rates, launch dates and customers from based on conversation with the transportation company which had historically been engaged to move goods from Zephyr-Tec's manufacturing facility to the distribution centers;
4. identify various patterns concerning market tests conducted by Zephyr-Tec; and which, upon follow-on conversations with participants in those test marketing activities;
5. reveale that others - probably representatives of the competition - had interviewed the test market participants to collect the same kind of data that was collected by Zephyr-Tec and used for product development decisions.

Results

In the case of Applejack Products, the results can be expected to follow a fairly predictable path. Depending on the amount of pain being felt by the company's leadership, security will be enhanced to a certain extent, based largely on how much credibility the Security Manager enjoys.

There will be the inevitable complaints that security restrictions are keeping people from being able to do their jobs, and some talented people will decide that the security atmosphere is too oppressive and they'll move on to other positions in other firms. Still others will consider some measures to be infringements of their civil liberties, and with litigation emerging as our Nation's favorite non-contact sport, there are sure to be some additional costs. Perhaps the new security measures will even provide some additional elements of protection for the firm's information and processes.

Nonetheless, there will always be the unanswerable question from senior management to the Security Manager: "Can you guarantee that after all your recommendations are acted upon, that there will be no repeats?" Or, maybe there'll be an easier one: "Will we be able to demonstrate to the stockholders that we have reduced the chances of compromises like this in the future?"

Over at Zephyr-Tec, meanwhile, there is some significant business process re-engineering going on. Like all re-engineering efforts, the changes occur across functional and departmental boundaries and measurably contribute to the effectiveness of the organization as a whole. In next month's article, Now That You Know How They're Getting It, What Do You Do Next?we'll deal with the next steps in the process of protecting a company's most important information.

And, just to prove the Law of Unintended Consequences does not always mean something negative, consider Zephyr-Tec undertaking legal proceedings against the competitor who had beaten them to market and who had garnered the greatest share. As most security professionals know, the independent development of trade secrets information (i.e., not developed as a result of a breach of a confidential relationship) precludes a trade secrets misappropriation claim. With a quite probable alternative explanation to trade secret theft, perhaps the company can spend its money on developing new products and not legal fees.

 

About the author: John A. Nolan, III CPP, OCP is Chairman and Managing Director of Phoenix Consulting Group, which provides competitive intelligence, counterintelligence and professional development/training programs across a variety of industries. He is also a co-founder of The Centre for Operational Business Intelligence in Sarasota, FL where corporate intelligence practitioners from around the country and the world learn the tools and techniques necessary to prevail in the marketplace. His newest book, “CONFIDENTIAL”:Uncover Your Competitor's Top Secrets Legally and Quickly - And Protect Your Own was released by HarperCollins Business Books in June 1999. He is frequently featured in national and international media such as Forbes, George, Times of London and CNN, to name just a few. He can be reached at jnolan@intellpros.com, or at 1.800.440.1724.