Open
yet Guarded: Protecting the Knowledge Enterprise
As knowledge management changes the
rules of competitive intelligence, offense and defense must merge in a
coordinated strategy.
By Steve Barth
-
Knowledge Management
Magazine - March 2001
Discussions
about knowledge management frequently begin with the assumption that KM is
about sharing knowledge more freely. There is a general belief in the
post-industrial, post-Cold War world that we have more to gain from exchanging
ideas and information than from locking them away in "need to know"
silos. Business can derive benefits from such openness: the increased
effectiveness of one-to-one marketing, better service and support, improved
products as the result of better customer interaction, improved supply-chain
efficiency through electronic data exchange, savings through cooperative
procurement and greater brand awareness and investor support.
At
the same time however, many KM and corporate security experts voice skepticism
about the idea that "information wants to be free." They argue that
there is a smarter, more controlled way to share knowledge with colleagues,
suppliers, customers and even competitors without giving away existing
advantages. Whether they're being stolen or simply shared, if your
intellectual assets are benefiting your competitors, you aren't managing your
knowledge effectively.
Acquiring
the information that you need to be competitive while safeguarding the
information you already have in order to stay competitive is a complicated
task. Companies must balance the advantages of openness against its inevitable
risks, maximizing the efficiency of electronic communication without making it
a magnet for intruders. Experts say that you must integrate offense and
defense into a comprehensive strategy, and furthermore suggest that it's time
to integrate intelligence and security imperatives with other knowledge
management strategies and processes.
Intelligence as knowledge
The
aspect of knowledge management relevant to this discussion is the information
gathering process traditionally known as competitive intelligence (CI). Its
purpose is to anticipate changes in the competitive environment--changes that
can be triggered by partners, investors, employees, suppliers, customers,
government regulators or critics as well as competitors.
Alan
Breakspear, president of intelligence consultancy Ibis Research in Ottawa and
a former officer in the Canadian Security Intelligence Service, segments
similar activities into what he calls a "value chain" of ascending
importance. "Information management helps us understand what has
happened," he says. "Business intelligence [his term for CI] helps
us understand what is likely to happen externally and [what] our options
[are]. Knowledge management helps us change what is likely to happen,
internally and externally, through innovation, reinventing and
repositioning."
In
short, then, CI is about anticipating and adapting to conditions external to
the company. As a larger process, KM looks inward as well as outward, backward
as well as forward. It can use CI to create strategies to enhance and protect
competitive business advantage.
Of
course, your market positioning information can be almost as valuable to a
competitor as it is to you. Thanks to increasing digitization of various kinds
of information and improved access to that material through powerful
applications and networks, your business information is more vulnerable than
ever before. You have to be prepared to protect and defend your knowledge
assets.
Everybody
is looking for "information superiority," according to James Luke,
an information warfare specialist with IBM Global Services in England. But he
worries that the pervasive nature of modern communication has resulted in a
more relaxed attitude about security in which employees abdicate
responsibility to mechanisms such as firewalls and passwords.
There's
a great deal that you can learn from others and that they can learn from you
without breaking any laws. An executive's travels might indicate a potential
new factory or new customer; job postings might reveal labor conflicts or
imminent expansion; and any draft documents in your trash may be fair game.
Moreover,
in the Knowledge Age, you may be handing over your knowledge without being
fully aware that you're doing so, through means such as sales collateral, Web
sites and analyst briefings. "CEOs give away so much information when
addressing analysts to increase their visibility and stock price. They love to
brag about their products and show off," says Herbert Clough, a former
FBI counterespionage expert and now president of Cointelsys, a security and
intelligence consultancy in Los Angeles.
Clough
warns that it's easy to give away too much when you exchange information with
people. "It's a thin line you walk when you put at risk your trade
secrets and proprietary information," he says. "You have to
recognize when you are giving away your family jewels."
You
don't have to be a defense contractor to have sensitive information to
protect. Your trade secrets are anything that would enable another company to
derive economic benefit from your hard work. The long list includes designs
and formulas, customer lists, marketing strategies, price structures, new
product information, manufacturing processes and factory locations. Not every
piece of sensitive information is considered a proprietary secret, however.
Unless a company takes definite steps to designate and protect its trade
secrets, they are not covered by the Economic Espionage Act of 1996.
In
business as in the military, secrets about operational strategies tend to be
the most valuable, according to Graham Titterington, senior analyst for
technology consultancy Ovum Ltd. in London. "If it's a new soap, the
formula is not as valuable as the marketing campaign, the pricing strategy and
where the trial marketing will be," he says.
How CI has changed
Intelligence
professionals were managing their knowledge long before KM was in vogue.
Whether the goal is military, political or commercial advantage, intelligence
is a discipline that relies on and drives development of knowledge management
techniques and technologies. Both CI and IT have evolved as a result of this
symbiosis.
"The
essence of CI has changed," says Patrick Bryant, president of the Society
of Competitive Intelligence Professionals and a clinical professor in the
medical school at the University of Missouri, Kansas City. "It has become
more a part of the company, more widespread and accepted. IT has given it more
tools."
Intensifying
domestic and international competition has increased the role that
intelligence can play. No longer is it a mysterious art practiced only by
corporate librarians and retired spies whispering in the ears of executives.
Now every employee can and should contribute to it, just as every employee can
and should also benefit from it. This democratization can be facilitated by
increasingly robust corporate information structures, such as portals.
Increasingly,
valuable facts are disclosed in digital form. Many of these items are
published on the Internet explicitly or can be gleaned implicitly by mining
and analyzing the content of aggregated documents and data. Knowledge and
information management technologies for storage, retrieval, categorization and
presentation of information can expedite all phases of the CI process,
particularly when it comes to distilling intelligence from disparate scraps of
information.
The
biggest change in the landscape of competitive intelligence is obviously the
Internet. "It is easier to gather information about your competition with
the Internet. There is more out there and it's increasingly better
organized," says Ernest Brod, managing director of Kroll International, a
risk mitigation company based in New York City. "If you were doing
nothing before and now are using only the Internet, you are doing a lot better
than you were."
However,
Brod and other CI professionals warn against over-reliance on Web-based
information. Online information can be static, focusing mostly on the past,
and can be filtered by whoever posts it. It could also be intentionally
misleading.
At
the same time, Brod warns of the dangers of online access when your company is
being scrutinized. "The original Internet philosophy of openness got
companies into trouble," he says. "A lot of them found their
confidential information finding its way out through this open approach."
He advises companies that still retain such a naive view of the Internet to
reexamine their assumptions.
Requisite disclosure
All
organizations publish data that often reveals more than the company originally
intended, both by what is there and what is not. "Organizations need to
appreciate that information is transmitted by every action they
undertake," says IBM's Luke. "Information on a Web site, recruitment
adverts for specific skills and even the working hours of staff all represent
information transmissions." Such open source material can offer valuable
competitive intelligence--or it can be manipulated to create distraction and
disinformation.
At
the same time, the law requires all companies to disclose information that
many would rather keep private, such as the ingredients in food and drugs, the
origins of manufactured goods, the names of executives and the details of new
products submitted for patent. In the old days, notes Luke, nuggets like these
were safer because they were kept in scattered locations on paper. Now most of
this information is available in electronic format and can be acquired without
having to scour warehouses full of documents or microfiche.
Patent
data is perhaps the most potent example. During the Cold War, the Soviet
Union's intelligence agency, the KGB, created software to monitor patent
registration and identify areas of technology development. Now corporations
can do the same, legally gleaning the secrets of their competitors while
spending less on research. "The electronic age means that even the
smallest company can acquire such a capability," Luke says.
Intelligence vs. espionage
Competitive
intelligence, as knowledge, supports corporate decision-making by targeting,
collecting, analyzing and disseminating critical, forward-looking, actionable
information about threats and opportunities. However, CI as a process draws a
line between two methods of obtaining intelligence. One is legal and ethical;
the other is theft of trade secrets. Virtually every company needs to practice
CI. And every company must be ready to defend itself against both CI and
industrial espionage in real space or cyberspace.
Traditional
approaches, such as eavesdropping on conversations or steaming open envelopes,
were labor-intensive and risky and often produced spotty results. Electronic
spying has now eclipsed older methods, and Ovum's Titterington says that too
many companies underestimate the extent of the risks these changes pose.
"There is a new category of external attack that was physically
impossible before everybody was connected," he explains. "[Spies]
have the ability to attack the main communications system used by everybody in
the company every hour of the day. They can get all the internal and external
communications on a continuous basis."
In
matters of defense, awareness comes first. Many executives fail to understand
how easy it is for innocuous public disclosures to be mined, compiled and
analyzed. Business leaders who are savvy about securing their information
systems may be clueless about how much competitive information they give away
on their Web sites, while briefing analysts, at the coffee urn at conferences
or chatting on their cellular phones in airport lounges.
At
the other end of the spectrum, it's essential to understand how far some
competitors and foreign governments will go to steal your secrets--even if you
aren't aware of them as competitors. As economic security replaces military
security in a global economy, government agencies supporting national
industries--and retired spies working for private clients-use all the tricks
of the Cold War and all of the tools of information technology. They even bug
the first-class seats on certain airline flights and staff their own business
hotels.
Cloaking public information
These
realities need not lead to despair. Although you cannot protect all sensitive
information, there are ways to give the competition less to work with. John
McGonagle, managing partner of the Helicon Group, a competitive intelligence
consultancy in Blandon, Pa., suggests a process he calls "cloaking"
to implement countermeasures to protect your company. "Cloaked
competitors don't operate by stealth or clandestine methods," he
explains. "Instead, they take some fundamental steps to control the flow
of information into the public domain, without trying to stop the flow or
taint it with false information."
McGonagle
lists three keys to becoming an effective cloaked competitor: determine the
activities of greatest interest to your competitors and focus on protecting
them; understand the channels through which your competitors collect raw data
on your firm and control what goes into them; and discern what techniques your
competitor uses to analyze the data and then deprive it of a few key pieces of
data that are necessary to complete the analysis. He also offers some examples
of how to do this:
•
Blur numbers. Instead of giving the exact specs for your warehouse, say it's
"more than 100,000 square feet." If you're expanding, say you'll be
using "three times as many trucks" as you do now.
•
Be vague. Instead of telling people the specific names of software that you
use, say, "It's state of the art" (if it is) or "We use
computers that are just right for our needs."
•
Don't over-file. The Securities and Exchange Commission realizes that some
company information is sensitive. Be wary what you include after such
forward-looking words as "expect," "plan" or
"intend." Volunteer only the minimum required for government
paperwork.
•
Code randomly. Product numbers in catalogs can reveal to your competitor the
age of the equipment you use or how long you have used it. Keep those numbers
under wraps.
McGonagle
also suggests that you can turn the wealth of information disclosed on your
Web site to defensive advantage, by playing against the over-reliance on Web
surfing mentioned by Kroll's Brod. "The Internet makes collecting
historical and near-current data easier than ever," he says.
"However, it tends to convert competitive intelligence into reporting
about competitors, substituting volume and currency for analysis and
thoroughness. Its growth continues to perpetuate the myth that everything is
on the Net. If key data is not on the Internet, inherent laziness and time
constraints tend to keep many CI researchers from seeking it." Merely
looking online is no substitute for doing the harder work of talking to live
sources.
Don't go too far
If
poor security can compromise a company's competitive position, so can too much
security. Over-reliance on technological solutions can disconnect knowledge
workers from their constituents as well as from their tasks. Companies
sometimes tighten the security of their information systems to the point where
employees can't conduct effective online research or communicate with
customers, partners, suppliers or even colleagues.
The
doubt and paranoia that these stifling policies imply can paralyze an
organization in a number of ways. When this happens, your competitors are
already gaining advantage without gaining intelligence. For example:
•
If people don't trust each other, they won't share.
•
If people don't trust information, they will waste time and effort validating
it.
•
If valuable information exists, it can be obscured by worthless material.
•
If policies and procedures interfere with getting the job done, they will be
ignored or subverted.
"You
can't be heavy-handed," Titterington says. "It's no good having a
system that's 100 percent secure if, at the end of the day, you can't do
business efficiently. Protecting assets and enabling employees is a difficult
compromise to get right, but it's worth the effort."
Real
security can be guaranteed only through behavioral changes in an organization.
Anything less is easy to compromise. For example, an onerous password regime
may drive people to write them on sticky notes or tape them up in plain sight.
Luke urges employees and executives alike to learn how valuable their
knowledge is to competitors, how prevalent the dangers are and how easy they
make it by speaking on mobile phones or working on documents in public, such
as while traveling.
The
best technological solutions are ultimately incomplete and fallible without
human behaviors and networks of personal trust. Experienced KM professionals
know that loyalty cannot be coerced. And without loyalty and trust, any
company's intellectual capital will always be at risk. "Effective
security, like effective knowledge management, should be natural and based on
the support and commitment of educated staff," says Luke.
If
knowledge assets are worth collecting and sharing, it is because they have
value. If they have value, those assets must also be considered worth
protecting.
http://www.destinationcrm.com/km/dcrm_km_article.asp?id=774
|
