Keeping Your Secrets: Responsible Counterintelligence in Action
Engaging with individuals outside of your company is essential to product marketers and product managers. Representing your company at industry conferences, coordinating marketing webcasts, running customer or partner councils, engaging in professional networking events—the list of potential external-facing communications goes on.
Of course, not all your company knowledge is appropriate to make public. You’re privy to proprietary information that you could unintentionally expose, compromising your company’s work and eroding its competitive advantage. Are you mindful of the valuable information you give away?
Protecting your company’s information—practicing counterintelligence—presents an increasing challenge. Despite the opportunity cost, counterintelligence and data-leakage assessments remain inadequately addressed at many corporations. Further, most attention focuses on cybersecurity/digital threats, but analog/human data leakage is more widespread and harder to prevent. Most U.S. C-suite leaders (84%) identified employee negligence as their biggest information security risk, according to Shred-It’s 2018 State of the Industry: Information Security report.
Competitive-intelligence collection that targets your company can have real business consequences. To understand your role in protecting your company’s information, consider the relationship among proprietary information, competitive intelligence and counterintelligence.
Proprietary information is material deemed sensitive to your organization or company. It’s information that shouldn’t be shared externally without a solid business reason—and only then when following company, legal and regulatory requirements. Examples include:
- Product roadmaps
- Organizational structure and headcount data
- Merger and acquisition plans
- Product supply-chain logistics
- Market and customer insights
- Internal KPIs and benchmarks
Competitive intelligence is like assembling a puzzle that starts with seemingly unrelated puzzle pieces. As you slide more pieces into place, a cohesive picture emerges. More images emerge with each newly fitting piece, and you become confident that you’re on the right track.
Similarly, skilled intelligence gatherers can amass many individual data points about a company like yours. They assemble and triangulate these points until an accurate understanding of nonpublic, often proprietary aspects of the company emerge. Each data point that better fills in a bigger picture can potentially harm your company. For instance, a colleague in a public coffee shop who comments on the details of an impending company downsizing may unknowingly be overheard by a competitor who combines it with other, related data. Now your competitor can better anticipate your company’s confidential restructuring plans and related implications.
Companies that compete against yours seek a competitive edge. Building a deep enough understanding of your company can help them outperform you, preempt or neutralize your initiatives, emulate your successes and take advantage of your weaknesses. Your competitors can assemble this type of intelligence through activities such as:
- Passively monitoring public sources via your public company announcements and secondary sources (e.g., subscription databases and reports) for activity and changes
- Actively gathering and collating additional information by engaging third-party agencies, speaking with a wide range of sources (e.g., customers, partners, employees) familiar with your company and attending your company’s events (e.g., annual user conferences)
- Possibly illegally (purposefully or not) receiving materials gathered by third parties that are comfortable breaking the law
Be aware that, while your own company likely follows strict standards of business conduct, some of your competitors may not. Some may illegally gather intelligence via pretexting, misrepresenting their identities, or practicing bribery, coercion or even theft.
Counterintelligence is the practice of managing the range of intelligence-gathering activities directed at your company. And the heavy external-communication nature of your role makes counterintelligence especially important. You undermine your company’s success when you are unaware of the value of the proprietary information you possess and don’t actively manage external access to it.
You and your peers can execute sound counterintelligence by knowing the signs of potential intelligence-targeting activity, becoming aware of risky situations and knowing the protective steps to take.
Know the Signs
Common signs can indicate someone is targeting your company for competitive-intelligence collection. Use caution with inquirers conducting activities such as collecting information for a survey or undisclosed client, or fact-checking for a publication or presentation. In particular, watch for inquiries from people in roles such as:
- Market researcher or management consultant
- Recruitment specialists
- Students conducting research
- Potential job applicants
- Personal contacts (especially distant ones) who take a sudden interest in your work or company
- Prospective clients asking intrusive questions about your company
The Keys to Responsible Gatekeeping
Legal or otherwise, intelligence-gathering techniques continue to grow in sophistication and volume. In the end, the burden of proof lies on the responder (or the unaware leaker), not on the inquiring individual. Ultimately, it’s your responsibility to protect your company’s information and its competitive edge.
For example, you run a higher risk of exposing proprietary information in certain locations. Among others, be alert to places such as:
- Public transport to or from industry conferences and tradeshow venues
- Hotels, coffee shops and other public places near conferences and tradeshow venues
- Professional networking events
But you don’t carry this responsibility alone. Counterintelligence requires support at the company level: A critical protective measure should be to have regular reminders from senior management or legal to reinforce what constitutes confidential, proprietary information that should never be shared. It’s equally crucial to sensitize nonemployees (e.g., channel partners, solution providers) to the severe bottom-line consequences that leaking sensitive data can wreak.
Your company leadership also should initiate and maintain corporate expectations for awareness of signals that may constitute a potential attack—and direction about how to act on them. Figure 1 illustrates the best practices for fostering an internal culture of counterintelligence.
It also can be helpful to collaborate with a third-party partner to train cross-functional teams on counterintelligence-awareness programs, facilitate role-playing with data-elicitation techniques or stage a “red team” attack to identify areas of data leakage in your organization. Then, educate affected parties about how to prevent future leaks.
And remember: Balance is important. There’s no need to go as far as former Intel CEO Andy Grove’s famous corporate mantra, “Only the paranoid survive.” But do advocate for making all cross-functional teams aware of intelligence-targeting risks and the means to defend against them. A robust awareness and training program across the organization coupled with a report and follow-up process for flagged counterintelligence events is mission-critical to protect your company’s proprietary assets.
At its most effective, counterintelligence includes fostering a culture of mindfulness across your organization and company. It’s true that your role as a product marketer or product manager gives you unique exposure to risky intelligence situations. But it also gives you an opportunity to protect your company—and remind your colleagues to do the same. Responsible gatekeeping of your company’s proprietary information starts with you. Use your influence to ensure it doesn’t stop there.
Looking for the latest in product and data science? Get our articles, webinars and podcasts.