A Case for
Business
Counterintelligence
By Bill DeGenaro
. . . the attacker might be able to
conceal part of this activity all the time,
or all of this activity part of the time, but
he cannot conceal all of this activity all of
the time . . .
This axiom is useful not only for those
who collect intelligence but also those charged
with the responsibility to protect information.
In order to understand the fundamentals of
counterintelligence, you need familiarity with
certain definitions and relationships.
Counterintelligence is an intelligence
discipline, not a security discipline. It relates to
security only in that the end game is the same.
Counterintelligence is highly dependent upon
a comprehensive understanding of your rival’s
capabilities and intentions, which requires
you to have a sound business intelligence (BI)
process in place. Our consulting experience
has taught us that an accurate assessment of
corporate attitudes towards business intelligence
helps us anticipate the odds of developing a
good counterintelligence program.
12 SCIP 2005 www.scip.org
A PREREQUISITE FOR SUCCESS
Given the interaction of positive intelligence
(intelligence on your rivals and the world around you)
and counterintelligence, a thorough understanding of
the competitive landscape is a prerequisite for success.
There are several reasons for the overall lack of business
counterintelligence programs:
1. Few world-class business intelligence programs are
installed, indicating a lack of appreciation for the value
of intelligence.
2. Correspondingly, senior managers have a low level of
awareness relating to the intelligence activity of others.
3. Corporations lack intelligence expertise.
States and commercial enterprises all strive to gain a
knowledge edge. In fact, successful organizations implement
cultures that provide a continuous organizational learning
advantage over rivals – organizations that have the ability
to learn and business intelligence programs contribute
significantly to this process. These organizations highly value
outside information.
The leaders of successful learning organizations realize
that they are engaged in knowledge warfare and that the
smarter organizations will win. Organizations with better
Competitive Intelligence Magazine
a case for business counterintelligence
learning capabilities recruit better, define markets better, and
identify new opportunities and technologies better than their
less well-informed rivals. The primary driver for innovation (a
competitive necessity) is the rate of organizational learning.
THE INTELLIGENCE INVESTMENT
Successful leaders also know that strategy formulation
is frustrated by a lack of intelligence and that uncertainty is
the plague of all decision-makers. Good intelligence is not a
luxury, it is an investment in sound decisions.
A world class business intelligence process focuses on a
broad spectrum of external issues of interest to management.
Bob Flynn, former CEO of NutriSweet, claimed that
his business intelligence group was worth $50,000,000
per year to him. Other leaders have pointed to timely
acquisitions, currency exchange coups, critical negotiations,
and country risk analysis studies worth millions of dollars
to their respective firms. Intelligence contributions also
include psychological profiles on executives of rival firms.
These profiles can provide the ability to anticipate the
competitor’s decision propensities, enabling strategic and
tactical coups.
In addition to the positive reasons to embrace business
intelligence, I contend that officers and directors have a duty
to know. Technology and alliance surprises can significantly
injure a firm’s strategy. Management has a responsibility to
both employees and investors to avoid surprises. Disasters
are potentially foreseeable: they were not created overnight
– during the initial stages events accumulate that are at odds
with norms.
Good business intelligence is not only desirable but
also essential in today’s competitive environment – even
your rivals acknowledge this. Their intelligence activity
is growing in both volume and sophistication, creating a
need for effective countermeasures. A major challenge to
business today is the protection of proprietary information.
This requires experienced intelligence personnel to assist
corporate security staff and senior management in this critical
task.
AVOIDING SURPRISE
The need for intelligence – and in particular the desire
to avoid surprise – is as old as recorded history. Every major
human undertaking has an intelligence component. Success
is usually preceded by an intelligence breakthrough, and
failures are most often predicated upon a lack of intelligence.
Beginning with Sun Tzu (the famous Chinese general) and
the Romans’ use of the Frumentarii (the grain merchants)
to John D. Rockefeller (who said “next to knowing all about
your own business, the best thing to know about is the other
fellow’s business”), historically intelligence is highly valued
both in commerce and in war.
Volume 8 • Number 5 • September-October 2005
Whether we refer to the commercial experience of Lloyd’s
knowing when a cargo ship sunk or the incredible value of
cracking the Enigma code during World War II, we have a
historical continuum of intelligence value and appreciation.
The ends do not, however, justify the means in the private
sector . . . we are speaking only of legitimate and legal activity,
not espionage committed in the attempt to steal trade secrets.
Many countries consider economic security synonymous
with national security, and the political realities of
maintaining adequate employment levels are sufficient
to involve the state. In these cases the country’s flagship
enterprises enjoy significant government support which,
frequently involves government intelligence cooperation. This
support may take the form of education and training such as
Ecole de Guerre Economique (the French school of economic
warfare) or running actual intelligence operations to support
commercial interests. Government involvement of this kind
demonstrates the importance attached to intelligence.
DEFENSIVE INTELLIGENCE
Without a professional positive business intelligence
process, an effective counterintelligence program is not
possible. You must be able to assess the capabilities and
intentions of a competitor before you can implement
counterintelligence. While protection activities are referred to
as defensive intelligence, in fact counterintelligence requires a
very offensive character.
Counterintelligence, while used as a broad term for all
information protection tasks, is focused only on the rival’s
activities. George Jelens, director of operations security,
National Security Agency, argues that there are three major
activities that are included in the overall title of defensive
intelligence:
1. Security countermeasures are the traditional physical
security activities of the firm and include gates, guards,
access control, storage etc. All are very necessary but not
sufficient.
2. Operational Security (OPSEC) deals not with the
secret but evidence of a secret. The signals are emitted
in the normal conduct of business. You might want to
think of it as the opposite of indications and warnings
intelligence. Warnings intelligence requires the
establishing of indicators as the basis for collection tasks
. . . OPSEC attempts to deny the adversary the ability to
read indications created by your firm.
3. Counterintelligence is all about the discovery and
neutralization of adversarial intelligence activities.
Sidebar 1 contains additional descriptions of defensive
intelligence by Jelen.
SCIP 2005 www.scip.org 13
a case for business counterintelligence
SIDEBAR 1: DEFENSIVE INTELLIGENCE
Defensive Intelligence consists of:
•
•
•
security countermeasures: defending against
adversarial attempts
operational security: denying to the adversary
the evidence of planning and execution of sensitive
activities
counterintelligence: uncovering adversarial
intelligence activities
Counterintelligence: aimed at reducing the threat
Security Countermeasures/Operations Security:
aimed at reducing vulnerability
Ultimate Objective
•
•
to deny an adversary certain information that is
considered advantageous
this requires the clearest possible understanding of
the adversary’s capabilities and intentions generally
referred to as a threat (George Jelens)
OPERATIONS SECURITY
Operations Security (OPSEC) is a perfect tool for
business but it must be positioned, explained, and sold
effectively. The simplicity of the five-step OPSEC outline
has great appeal to busy executives. It is challenging to
implement but the concept is easy to grasp (see Sidebar 2).
Some executives seem to intuitively know that their focus on
physical security is inadequate for today’s threats but have no
idea of what needs to be done or who should be responsible.
Identifying critical information
The first step (identifying critical information) usually
brings these issues into focus. Understanding what deserves
to be protected is a very strategic consideration. This
most important step should involve people well beyond
the security circle. The involvement of functions such
as research and development, strategic planning, human
resources, intellectual property law, security, and business
intelligence provide a necessary multidisciplinary approach
to answering the question. These contributing functions can
also form a multidisciplinary watch committee as part of the
organizational implementation plan.
This step will also often expose the woeful lack of
positive intelligence in most business organizations. You need
to identify critical information not only from an internal
view but also from a competitor’s perspective. The process
may even raise serious concerns about strategy but will
undoubtedly contribute to the rich analysis of what makes
14 SCIP 2005 www.scip.org
the firm competitive. Almost assuredly the firm will become
aware of any lack of strategic consensus associated with
evaluating competitiveness and will require some strategic
acumen from the consulting team.
Analyzing the threat
The second step (analyzing the threat) identifies the
need for better business intelligence and the project work
to get past this step. Decision-makers may not immediately
understand their competitor’s business intelligence capability
but will react when they learn that the competitor is well
ahead of them, having invested in a sophisticated intelligence
capability. Understand both the competitor’s intelligence
capabilities and targets as well as their ethics associated with
intelligence gathering.
Analyzing vulnerabilities
Step three (analyzing vulnerabilities) requires a Red Team
test. More firms are showing an interest in learning just what
leaks they have. This is especially true if the company has
been stung or is convinced through reading about other cases
that the threat is real.
During this analysis, it is important to determine what
kind of competitor they wish the Red Team to emulate. The
team should include experienced intelligence people able
to emulate the most aggressive competitors. The project
should be closely held but involve security, legal, and senior
management. Guidelines for situations (such as an employee
being offered money for information) should be worked
out in advance. A little preliminary work can go a long way
towards insuring a successful project.
Assessing risk and applying countermeasures
The final two steps (assessing risk and applying
countermeasures) further determines how you implement
operations security. Management will be anxious to discuss
countermeasures after completing the first three steps. At
this point in the process, it is key to convince management
that OPSEC is an essential tool and won’t consume the total
organization. It can be implemented incrementally and will
contribute value by providing immediate awareness.
RECOGNIZING THE NEED
At the conclusion of a presentation I recently delivered
to a group of executives, a participant asked, “Why do you
use so many government terms and examples?” I responded
by reciting the Willie Horton story. During an interview, the
infamous bank robber was asked by the reporter “why do you
rob banks?” Willie responded by saying “because that’s where
the money is.”
The business of intelligence has been the purview of
governments and a necessary part of statecraft for centuries
– that’s where the knowledge resides. Intelligence and
Competitive Intelligence Magazine
a case for business counterintelligence
counterintelligence is not taught in American universities and
there is no creative research work going on that would benefit
US business. The fact that business executives often don’t
know what they need or even that they have a problem is a
major contributor to the situation.
More executives seem to be motivated to avoid than
there are gain oriented leaders. Executives today are very
concerned with the downside of their activities. The litigation
level of our society has much to do with their concerns.
Potential embarrassment, negative public relations, and
assaults by an incredible array of special interest groups take
up a disproportionate amount of executive time. Because of
all these pressures, running the business often takes a back
seat to managing the emergencies, which seem to be created
daily. Add to this dizzying array of threats the potential
to lose a grip on what makes the firm competitive – its
knowledge edge.
Unfortunately, many senior managers somehow have
intelligence and counterintelligence confused with espionage.
They are convinced that collecting information and
developing insight into competitors’ plans represents theft or
at least something unethical and untoward. But management
has a duty to not only protect its proprietary information but
also to fully understand the competitive landscape in order to
chart a successful course.
PROTECTING THE FIRM
In spite of the need to be well informed, to avoid
surprise, and to manage uncertainty, as a group senior
management has shown minimal interest in formalized
business intelligence. While every management fad seems
to rate an instant vice president, the vice presidents of
business intelligence can be counted on one hand. I doubt
that most CEOs know the names of the people toiling to
generate accurate, timely intelligence – intelligence that
could avert strategic surprise or reduce uncertainty. A lack of
access to decision-makers guarantees that well meaning BI
professionals will waste company assets answering questions
that were not asked.
Exacerbating this situation are law departments headed
by general counsels who in the interest of protecting the firm
advise management not to engage in business intelligence
activities for fear of running afoul of laws such as the US
Economic Espionage Act of 1996. Seldom are they guided by
a good understanding of trade secret law and over reaction is
almost always the outcome. A further irony is firms that do
not value intelligence also do not understand why their rivals
value it and therefore almost never have even the most basic
counterintelligence programs in place.
Firms create a knowledge edge by out-learning their
adversaries. The organization learns via a spectrum of
activities including the use of consultants, new employees,
attendance at seminars and technical conferences, and
Volume 8 • Number 5 • September-October 2005
SIDEBAR 2: OPERATIONS SECURITY
IMPLEMENTATION OUTLINE
1.
2.
3.
4.
5.
Identify critical information
Analyze threat
Analyze vulnerabilities
Assess risk
Apply appropriate countermeasures
implementing a world-class business intelligence process.
Additionally, increased instances of economic espionage has
created even greater peril for the unsuspecting executive who
must communicate with many constituencies, form foreign
joint ventures, and file an incredible amount of information
to meet regulatory obligations.
BECOMING PART OF THE SOLUTION
Disenchanted employees, a lessening of corporate
loyalty due to restructuring, and the frequent use of contract
employees creates a very challenging environment for our
avoid oriented executive. She has more downsided proprietary
information loss scenarios to consider than most humans can
manage. If BI professionals are to be part of the solution, we
must avoid being so caught up in our discipline as to mistake
it for an end rather than a means.
Executives and their firms can take advantage of our
expertise without burdening the company with yet another
major program. If busy executives are allowed to believe
that we must command their total attention to accomplish
anything, the proposal is doomed.
Professionals who don’t understand the executive’s
environment attempt to sell their program through name
changing (OPSEC won’t sell), which misses the point. There
is nothing wrong with the term OPSEC – it simply must
be explained. Far more threatening is the idea that the firm
must invest in another major corporate program and further
distract employees from their primary functions.
OVERCOMING CHALLENGES
Because offensive and defensive intelligence are so
intertwined, as professionals we have a large education
challenge to overcome.
Let’s begin with the first challenge – management’s
lack of appreciation for business intelligence. Who would
not want to be warned of an impending technological
breakthrough that will transform your industry overnight?
What about a blind-siding alliance? Are warnings of this
nature deemed not of any significant value, or is a lack of
interest based upon a lack of knowledge that these things are
knowable?
SCIP 2005 www.scip.org 15
a case for business counterintelligence
What manager would not like to reduce decision risk or
least enjoy greater confidence? How many executives have a
psychological profile of their rival? How many know who is
at the helm of that opposing division? I must conclude that
the lack of interest must be based upon ignorance of what
business intelligence can contribute. Intelligence is actionable
information. By definition it should cause a management
action: accelerate something, adjust investment, stop
something, or re-deploy resources.
The second reason for executive hesitation in regards
to BI is the fear of doing something wrong, resulting in
litigation or embarrassment. This is a reasonable concern.
There have been a few situations where someone operated
in an overzealous manner and caused a problem. Strong
legal and ethical guidelines and good training are the best
preventatives, and they have historically provided reasonable
control and adequate protection. There are only a few cases
where someone practicing professional business intelligence
operations placed a firm in serious legal jeopardy.
The question that puts these issues into a more complete
perspective is “what is the cost of not providing adequate
warning?” Or, what is the cost of sub-optimal decisions?
What is the cost of miss-assessing your competitor’s motives
. . . intentions and capability? What is the cost of a new
technology platform compromised by espionage?
Doesn’t management have a duty to know? How can
boards and senior management answer the question “when
should you have known?” When will we see the first actions
brought by investors and white collar workers charging
strategic malfeasance? Then management will have failed the
due diligence test. It should have known because the business
intelligence processes are well understood and available.
There is a professional organization dedicated to enhancing
the competitive intelligence profession named SCIP, with
members around the world. No management can legitimately
claim ignorance of intelligence services and availability.
Positive offensive intelligence is a requirement for an
effective counterintelligence program. Warning intelligence
is part of both offense and defense. OPSEC is the flip-side of
warning and is absolutely necessary for protecting corporate
learning. Conclusion: you better be prepared professionally to
handle it all.
There are indeed two countervailing forces. If we gather
information in an improper way, utilizing poorly trained
individuals, we run the risk of a trade secret misappropriation
case. But if we don’t engage in rigorous, professional
intelligence production, we invite a response of a different
kind. Mistakes made in the intelligence gathering side don’t
threaten the survival of the firm, but a lack of intelligence
may. When you couple a lack of counterintelligence mind set
with little or no positive intelligence, we engage in a serious
game of “Double Jeopardy.”
William (Bill) DeGenaro has more than 30 years of strategic
planning, intelligence, and business management experience.
He was director of Business Research and analysis for the 3M
Company and also director of Innovations Resources. Bill
holds a management degree from the University of Illinois at
Chicago and advanced studies at the Joint Military Intelligence
College in Washington, DC, Harvard University, Columbia
University, and University of Minnesota. He is an active member
of professional organizations including Operations Security
Professionals Society, Security Affairs Support Association,
Strategic Leadership Forum, National Military Intelligence
Officers Association and the Association of Former Intelligence
Officers. Bill served on the SCIP board of directors and is a
Fellow of the Society. He can be reached at [email protected].
Competitive Intelligence Institute
October 24-26, 2005
Renaissance Washington Hotel, Washington, D.C.
Analysis
Competitors & New Entrants
Industry Actions
Leadership
Building a Successful CI Team
Effective CI Leadership
The SCIP Competitive Intelligence Institute program provides an integrated
approach to fundamental CI principles and the latest thinking in specific CI
disciplines. The interactive learning environment allows you to manage
your professional development in the areas that have the greatest impact
on your career objectives. For more information and registration, visit
www.scip.org.
16 SCIP 2005 www.scip.org
Collection
Primary Source Information
Secondary Source Information
Don’t miss this great opportunity to:
·
Learn the best tools for analyzing competitor and industry actions
·
Study different and ethical approaches for competitive information
retrieval
·
Develop insights to leadership challenges relevant to CI teams.
·
Expand your skills and outsmart the competition!
Competitive Intelligence Magazine