Over the course of the past few years, readers have asked about the things that our experience in collecting information from employees tells us. Lessons learned about how much employees talk and say far more than the should when we contact them. Lessons that we have learned that security managers can use in their in-house briefings about protecting sensitive or proprietary information.

Usually, I respond to those readers individually, but frankly, the questions are getting to be so frequently asked that I’m almost tempted to copy and forward previous responses. But, rather than doing that, I think it might be better to just approach it in one article for Security Technology and Design.

So, we’re going to talk a little about how we do Competitive Intelligence work, as a background, for the lessons that we’ve learned over the years. And frankly, we’re not really worried too much that by telling you gentle readers how we do things and what they mean, that we’ll wind up unable to talk to your employees and thus, not be able to do our jobs for our clients. I don’t say that out of boasting or anything like it.

The reason that I don’t hesitate to talk a little about our way of doing things is that a considerable number of you won’t believe what I’m about to say. Others will believe it, but haven’t developed any way of disseminating the information to their employees. And yet still others, even if they do take it to heart, the greatest majority won’t do much more with the information than put it into a file and it’ll sit there, unread by and unknown by their employees.

And you’re sitting there saying to yourself, "What a jerk this guy Nolan is! Saying these things to me. Who does he think he is? As if he thinks he can get away with getting in my face, challenging me to improve the way we do our business! I’m a security professional. I don’t need his grief." If you’ll hold on a second, I’ll explain.

As you read at the outset, lots of people have e-mailed me or called me about countering threats to their proprietary and sensitive information. I’ve told them repeatedly what I’m going to tell you here.

We’ve sent information about protecting companies from people who operate in the Competitive Intelligence business to many security managers who read ST&D. As business turns, we’ve been asked to conduct intelligence collection assignments against an even dozen of those companies where the security managers had previously asked us about steps to defeat our efforts. In every one of those cases, we’ve accepted the assignment, because that’s what we do -- but with the caveat to the client that we are uncertain about our level of success because we know that the company under consideration has a security leader who is apparently involved in information protection.

But now, we don’t bother with that caveat anymore. Why? Because when we try to penetrate the designated target company, we don’t find it any more difficult to conduct collection operations there than in any other companies. There’s no way that I can say why this is, but I’ve got a couple of guesses. First, the security manager just isn’t really interested. Or, second, the manager took the information but didn’t do anything with it. Or third, she took it and tried to disseminate it to the work force without much effect. Or last, we’re just a heckuva lot better than we think we are. I tend to one of the first three possible explanations.

Competitive Intelligence 101

We don’t break into buildings, challenge gates or guards or guns or dogs. We don’t hack into computer systems. We don’t bribe people or do anything surreptitious. We don’t do midnight skulking or lurking. We don’t do Waste Archeology, the nice way of saying dumpster diving. We don’t even do ruse interviews, such as telling someone that we’re graduate students working on a research project. Instead, we call people on the telephone, meet them at industry conferences, scientific symposia, technical meetings and trade shows. Because we follow the Code of Ethics of the Society of Competitive Intelligence Professionals, we always identify ourselves by our true name and company affiliation before we start any interview.

You’d think that that would keep people from talking to us, or at least to ask some questions that would cause them to be more reserved or suspicious or both. You’d be correct, too. But only to a limited degree. It’s part of our business to look at trends that affect the way we do things and to change them accordingly. So, we track how people respond to our overtures. What I’m about to tell you derives from our examination of thousands of interviews over the past ten years, and the results have remained consistent during that time.

Out of every one hundred people we speak with, fifty of them will respond favorably and positively to our opening statement. For example, if I were to be calling a potential source in New York, I’ll say "Hi, Fred. My name is John Nolan and I’m calling from Phoenix Consulting Group in Huntsville, Alabama. I’m working on a project and I was told that you’re the smartest man who ever wore hair concerning XY and Z. Is this a good time to talk?" Fifty of these Fred’s will say something like, "Yeah, this is as good a time as any. What can I do for you?"

The other fifty Freds are a little less willing. These second category people respond with something on the order of "What’s Phoenix Consulting Group and what’s this about?" Do we reply with some sort of fictional explanation? No. There’s no need to do that. We respond that we’re a research firm and that we’re engaged in a project on behalf of a client. Inevitably, our respondent asks another question at this point, such as "Well, who is you client?"

Our researchers are trained to answer that we have confidentiality agreements in place with all of our clients, which extends even to the identity of the client. You’d think that at this point in such a conversation, anybody with above a room temperature IQ would say "Hey, if you’re not going to tell me who your client is, this conversation is over." Click. And you’d be right. Except that this only happens to about fifteen of those remaining fifty people. The other thirty five say things like, "Oh yeah. We’ve gotta put up with all that confidentiality nonsense at our place too. What can I do for you?"

Think about this for a nanosecond. This means that 85% of your fellow Americans, 85% of your employees, agree to cooperate in the discussion and reveal information that is valuable to you and your firm. When we get slammed by one of those fifteen others, we take comfort in the fact that there are still a whole bunch of sources out there just waiting to talk to us -- without knowing or really caring who we are or for whom we’re working.

Elicitation Techniques 101

Then, once we get the person agreeing to speak with us, we begin to abandon our direct questioning approach and turn to the intelligence officer’s stock-in-trade: elicitation. Getting the information we need without asking for it. Techniques that we train Federal intelligence officers and undercover officers in several times a year. Techniques that we train Competitive Intelligence professionals in dozens of time a year -- although of course there are some techniques that we teach the Feds that we don’t teach business people.

Techniques that range from a seemingly common exchange of information, certain kinds of provocative statements, disbelief, feigned naivete, criticism, encouraging members of our society of snivellers and whiners to cry on our shoulders, and many more. Techniques that recognize a variety of human factors: a desire for recognition; tendencies towards one-upmanship (or one-downsmanship, as in "Yeah, well let me tell you how bad my place is compared to yours); natural tendencies to correct others when somebody makes a mistake -- on purpose -- in the interest of getting a knowledgeable person to provide the real, and accurate, information; and ten or fifteen others.

Factors and techniques that are used in a rigourous and organized process of obtaining information in a systematic and highly effective way. Knowing which ones to use with which source, or trying out others, discarding the ones that work and noting for future use on the source card, those techniques that worked well with each individual. Knowing when to end the conversation before the target becomes concerned with the course of the conversation. Knowing that corresponding, confirming and additional information will be forthcoming from one of the many other sources that you’ll be calling during the project. Knowing that it will all add up at some point to the information you. Knowing that it’s extremely rare -- and sometimes less than desirable -- to get everything you need from one individual source.

Countermeasures 101

As you can tell from the sub-course numbering, we’re still at the most fundamental level. The level where it’s up to you to do some thinking. Just understand that the foundation for any countermeasure is awareness of what the issue is in the first place. Perhaps this simple little discussion will cause you to think a bit about how well prepared your employees are to deal with calls or contacts from outside such as those I’ve described. Perhaps this will stimulate you to ask about specific kinds of countermeasures that are useful for a security manager to provide the employee population in an additional effort to safeguard your proprietary information.

If you’re thinking along those lines, you’ve actually got a couple of options. You can wait for a future column to speak about some of the more common and effective countermeasures that we teach to people who are serious about protecting their proprietary or sensitive information. Or, you can send me an e-mail if you’d like a handful of useful and practical approaches that you may find useful in training up your employees to keep things to themselves.

Or, you can file this article away with everything else, do nothing, and embark on the exciting career of a librarian.

About the author: John A. Nolan, III CPP, OCP is Chairman and Managing Director of Phoenix Consulting Group, which provides competitive intelligence, counterintelligence and professional development/training programs across a variety of industries. He is also a co-founder of The Centre for Operational Business Intelligence in Sarasota, FL where corporate intelligence practitioners from around the country and the world learn the tools and techniques necessary to prevail in the marketplace. His newest book, “CONFIDENTIAL”:Uncover Your Competitor's Top Secrets Legally and Quickly - And Protect Your Own was released by HarperCollins Business Books in June 1999. He is frequently featured in national and international media such as Forbes, George, Times of London and CNN, to name just a few. He can be reached at jnolan@intellpros.com, or at 1.800.440.1724.