About UsContact UsOther ResourcesLibraryCareersDynCorp International
Course Catalog Search: <-Simple  
 

Now That You Know How They're Getting It, What Do You Do Next?

Appeals to employee loyalty are no longer sufficient to encourage active participation in a proactive countermeasures program, but the concept of self-enlightenment is not lost

Our previous article, "What Does Our Competition Know About Us, And How Did They Get It?" addressed the kinds of information collected and used for competitive advantage. We described two companies with contrasting styles of security management: security as a reactive crime-stopper and security as a proactive business function.

The focus of this series has been on the legal, yet highly effective, competitive intelligence efforts which are highly resistant to the kinds of security which a reactive and crime-oriented approach takes. The approach which has been shown to be most effective in dealing with this kind of practice is security as a proactive, business function.

In our experience, there are three principal elements to a successful program to deal with the collection efforts of competitive intelligence professionals: senior leadership buy-in, active employee involvement, and on-going, anticipatory (proactive) measures. For those of you who have been around the world once, been to a county fair and to a goat-roping, they may not seem especially profound. But, in practice, they each have some additional points which are worth discussion.

Senior Leadership Buy-In

Naturally, the end goal for any successful security manager is access to - and credibility with - the occupants of Mahogany Row. Unfortunately, all too many security directors have several layers between themselves and the senior leaders. The politics and processes of cutting through the layers could be the subject of an entire book and that's not our purpose. Instead, we'd like to deal with your preparation and presentation when you get those fifteen seconds of fame that Woody Allen allocates to every person on the planet.

One of the better models for educating - and then interesting - senior management in such concerns is the approach taken by Lynn Mattice, Corporate Security Director at Whirlpool Corporation. Lynn set the stage by having already prepared himself by reading the same things that the leadership read: very little Sports Illustrated, lots of Harvard Business Review, Sloan Management Review, CFO, et cetera.

That gave him several things:

  1. a common vocabulary on topics of current interest to senior managers;
  2. the ability to understand trends that impact the company as a whole and the security function either directly or indirectly;
  3. the opportunity to be in front of the power curve instead of behind it when those impacts are about to be felt; and perhaps most of all,
  4. the confidence of, and credibility with, his senior leadership to act on what he describes as a major issue.


As a case in point, Mattice had educated himself well in the areas of trade secrets and intellectual capital. So, unlike the fictional Applejack Products' security manager in our last article, Mattice took the initiative to introduce the issue to his leadership long before the leadership brought the matter to him.

And, the manner of presentation itself was well-chosen. It wasn't one of those down-in-the-weeds, highly detail-oriented briefings that highlights how hard the security department had been working. In keeping with the original intent of a briefing, his was a thoughtful, business-based approach that got the senior management's immediate attention:

"As you know, there are new ways of valuing a company. One of them is by valuing its intellectual capital. Typically, intellectual capital is valued at anywhere between three and four times book value. A key factor in understanding this process is that intellectual capital is the raw material from which financial results are made; intellectual property is the direct output. There's a whole new set of problems for our intellectual property and I'd like to suggest some solutions."

With the executive sitting up and with his eyes wide-open and not glazed over, the battle was already more than half over. He went on to present a program which would allow the company to protect its intellectual capital in a rapidly changing world.

Employee Involvement

The greatest factor impacting employee involvement in security programs is their level of understanding - their educated understanding - of the environment. In study after study, it's the relevance of the topical matter to the everyday business life of the employee that determines whether or not s/he absorbs the training and performs subsequently in the ways the company would hope they'd perform.

Whether provided in-house or using outside expertise, employees can begin to appreciate how they are the objects of the competitive intelligence collector's affection. Once they understand the basic principle exploited by CI professionals (that people give away great amounts of valuable information simply because they don't realize its value), they can become valuable security and countermeasures assets.

Appeals to employee loyalty are no longer sufficient motivation to encourage active participation in a proactive countermeasures program. But, the concept of "enlightened self-interest" is not lost on employees. If an employee begins to understand that his or her continued employment depends on how competitive the company is, they reconsider how much of that seemingly innocuous information that they are willing to divulge to a caller in the future. And, if your presentation to them is effective enough, you may be able to get them to the next level - active participation.

Active employee participation can begin with such simple acts as reporting to the security department those calls, faxes and other forms of requests for information. This can take several forms and yield a variety of results.

For example, consider a case drawn from a company which is a leader in the highly competitive electronics industry. In this company, about half of the 10,000 employees in one location were provided with an hour or so briefing about how competitive intelligence collectors operate, the kinds of success they enjoy, the kinds of information they are able to collect and the impact on both the collecting and target companies. Once they had an appreciation of this real-world issue, they were then asked to simply do three things:

  1. First, get the name, company and telephone number of the caller.
  2. Second, ask them precisely what kinds of information they are after and when they need to have a response.
  3. Third, after promising to get back to them, report the contact to a specific individual in the security department who would take it from there.


Within two weeks of the start of this education program, there were over 600 reports of unusual or remarkable telephonic inquiries. Obviously, there was no way of determining just how many of these calls went unreported. But the response was valuable on several levels:

  1. First, that there were so many calls reported was one indication that the education program itself was working.
  2. Second, an analysis of the calls revealed that all of those reported calls came from five callers from one particular company.
  3. Third, a more detailed analysis - in conjunction with the target company's own competitive analysis group - showed the specific areas of interest to the competitor which is helpful in several respects itself.
    • It helped to identify gaps in the competitor's information.
    • It provided some insights into where the competitor was probably going. In this instance, it is not unlike a country, threatened by a bellicose neighbor, that learns about the intelligence collection efforts against defenses in a particular border region. The more they learn about the kinds of questions that the other country is trying to answer, the more they can anticipate where an attack may be focussed.
    • It demonstrated the extent of interest by the competition and the nature of its collection activities, in itself an area of significant interest to senior management.
  4. Fourth, with the telephone numbers as a reference point, the operators fielding the calls could then compare the caller identification readout with the names previously used, and be alert to changes in the tactics (e.g., use of various names, etc). Further, they could also help to identify the recipients of calls from those numbers - contacts which might not have been reported.
  5. Fifth, and perhaps most active of all, this program could have the additional advantage of engaging the employees in a countermeasures program - a program which itself sought to make the competitor think things were different inside the company than were actually the case. Of course, this becomes a much more complex process in the actual event than might be suggested in the description.


Referring back to the first in this series (Is Somebody Dulling Your Competitive Edge, Security Technology & Design, August 1995), you can see how this one part of the countermeasures process can be integrated with, and complement, an in-house competitive intelligence organization's activities. Indeed, in one instance at a client company - one of 6 companies in a corporate structure - the security manager who took the lead in this integration at his company created the model for the corporation. In his case, four years later he now has responsibility for the intelligence and countermeasures programs at the corporate level. His former peers at the other 5 companies in the corporate structure now report to him. From a practical point of view, security managers can also have "an enlightened self-interest."

Proactive Measures
This final section will provide a few sample countermeasures which will retard the progress of competitive intelligence activities directed against your firm. Using the results of the proactive security management efforts of the fictional Zephyr-Tec(1) from last month's article as the basis for the countermeasures, perhaps a different model for protecting information in your organization will emerge.

Recall that Zephyr-Tec found out that their competitor was able to deduce the advanced manufacturing processes, probable launch dates, penetration strategy and the part that a new product would play in achieving the company's strategic objectives. They had been able to do this through a combination of sources: internal and external, "open source" and human.

Since over 50% of the respondents to a survey of Competitive Intelligence professionals revealed that they maintained a consistent watch over the classified advertising of target companies, it was not surprising that Zephyr-Tec's competitor could learn much from their review.

Recognizing the value that this coverage had for the competitor, Zephyr-Tec's integrated team approach provided for a technical review of all classified advertising before it was sent to the media. They were careful to ensure that the position descriptions were vague enough to prevent a competitor from deducing the actual numbers of people, types of projects engaged in previously and special skill sets which suggested any future initiatives.

The downside from personnel's perspective was that they would be inundated with resumes - indeed they already got more than what they wanted - that didn't meet the specific criteria the managers were looking for in prospective employees. With a new senior management commitment to protecting itself, the company approved a joint security-personnel request for optical scanners which would permit much more rapid review of in-coming resumes - one which had been previously rejected on purely personnel hiring grounds.

Instead of advertising all at once, for many positions in the same advertisement, place the advertising at staggered intervals. Naturally, the downside to this was that the managers who would employ these people needed to get their requests in before the last moment as well. Sharing an appreciation of the fate of a previous product launch was attributable to the competitor's use of the advertising, helped to encourage the product managers to get the requests in to personnel on a much more timely basis. A tangent benefit was the number of markers the security manager was accumulating for his future dealings with the Human Resources Director. Personnel people can never owe you enough.

When the legitimate point was made that such a process was going to cost more than it had in the past, the cost-savings were then compared to the anticipated value of the market share. Since it was already fairly clear that the classified advertising had helped the competitor get out the door first, which translated directly into lost market share with a distinct dollar value, the cost-benefit analysis closed the issue.

Zephyr-Tec's president had also made some remarks at a Chamber of Commerce that were, in hindsight, very illuminating for the competition. Since the president was one of the principal recipients of the findings report, it almost seemed touch and go from a career perspective for the security manager to point to this matter in the briefing. Fortunately, the president was magnanimous enough to accept his responsibility and some suggestions made by the security manager. Again, the Law of Unintended Consequences surfaced when he went on to relate that he had never felt quite at ease dealing with people in a variety of social settings where the activities of the company came up. He felt that he had probably given away as much - if not more - in other settings besides the Chamber of Commerce. He opined that others in the company might have the same experience and asked for some recommendations about dealing with that matter.

The first response was to provide the company's senior leadership with a course specifically designed to counter the techniques used by good elicitors and interviewers.Once they had learned how information was actually collected using such techniques, they began to include their subordinates in such programs - engineers who were approached at conferences and technical symposia, sales and marketing people approached at trade shows, et cetera.

The second response was to form a program where the employees returning from conferences, symposia and meetings were routinely and regularly debriefed concerning their contacts with others. This not only became a part of the process of understanding the interests and objectives of the other companies in Zephyr-Tec, it also allowed a better understanding of the methods and capabilities of the people who were collecting against Zephyr-Tec. Later, when Zephyr-Tec's own competitive intelligence program was expanded to include "on-sites" (where employees were debriefed on daily activities during the course of a conference), representatives of the security debriefing team were also on-hand to identify who was asking what. This assisted considerably in helping to warn and prepare other employees at the same conference to deal with such identified collectors. Further, since the information was being provided on a daily basis to the security debriefers, it was always fresh and more accurate than if there had been a passage of days or weeks.

The Zephyr-Tec security management team's finding that part of the information about their manufacturing processes had come from the competitor's access to documents filed with the local emergency management office served as the basis for a review of all of the company's public reporting - at local, state and Federal levels. The amount of intelligence that could be gleaned from the information that was in the public domain as in response to regulatory filings was almost unbelievable. In order to deal with this point, Zephyr-Tec's approach to public reporting became very stingy.

One of the first things that Zephyr-Tec did to reduce the possibility that significant information could fall into the hands of the competition was to review the reporting requirements. Finding that in almost all cases the company's employees were over-reporting: that is, wanting to avoid bureaucratic hassles with whatever level of government, they were providing more information than they had to and giving far more insights into the operations of the company than was prudent. The company began an active campaign to under-report in response to government filings. In those rare instances in the past three years of under-reporting where the recipient agency asked for more information, there was none of the unpleasantness that had been expected previously.

An additional element was the use of very large, bold warning notices on the front of nearly every public document filed with any agency. It warned that the document contained information which was deemed to be of a proprietary, sensitive nature; that it was intended solely for government use; and that dissemination of the information in any form outside the government should be coordinated with Zephyr-Tec's legal counsel. While of course this warning had little force in law, it nonetheless had a positive effect, understandable to one who understands basic bureaucracy. The first response of the typical bureaucrat in such a situation is to avoid pain by just not responding to someone's request for the information. The second probable bureaucratic response is to indeed contact the legal counsel and be content when the counsel says "We'll review the potential for problems and get back to you," which also keeps the information in limbo for a while longer. The next level of response comes when the legal counsel responds and asks that only certain parts be released and others not. This has done several things: delayed what was probably a time-sensitive intelligence collection activity; reduced the amount of information of value to the collector; and it has identified who the interested competitor is and the nature of the competitor's interest in the company.

Lastly, Zephyr-Tec's security estimate had revealed that the professional journal articles by a member of the engineering department and by a member of the marketing research department had also provided great insights into the product. As a result, Zephyr-Tec introduced a policy of pre-publication review of all articles written by employees. The pre-publication committee, comprised of security, competitive intelligence, senior management and technical staff, had the final say on whether or not an employee could submit such an article (or paper at a professional conference). Since virtually all employees had signed non-disclosure and confidentiality agreements, this method actually contributed to ensuring that there would be no question about "unwitting" violations of the agreements. At an absolute minimum, the pre-publication committee consistently declines to authorize publication until after the "time-cocoon" in which the information must remain protected had expired. This could either be with the launch of a product or with any number of other events.

At bottom, the opportunities afforded the security manager who understands the nature of today's business environment - and the challenges that it presents - are considerable. From a basic understanding comes a framework for appropriate response which has the potential for considerable, strategic contributions to be made by a security function which is all too often viewed as an overhead expense - and not as a contributor to the business.

Back to Archives

About the author: John A. Nolan, III CPP, OCP is Chairman and Managing Director of Phoenix Consulting Group, which provides competitive intelligence, counterintelligence and professional development/training programs across a variety of industries. He is also a co-founder of The Centre for Operational Business Intelligence in Sarasota, FL where corporate intelligence practitioners from around the country and the world learn the tools and techniques necessary to prevail in the marketplace. His newest book, “CONFIDENTIAL”:Uncover Your Competitor's Top Secrets Legally and Quickly - And Protect Your Own was released by HarperCollins Business Books in June 1999. He is frequently featured in national and international media such as Forbes, George, Times of London and CNN, to name just a few. He can be reached at jnolan@intellpros.com, or at 1.800.440.1724

 

 




 

 

 

 

 

 
©2009 DynCorp International, all rights reserved.
Home Home