Knowledge management: Portal for corporate espionage? Part 1—Defining the problem
By Jason B. Lee and Aaron D. Rosenbaum
At a certain level, knowledge management is indistinguishable from corporate espionage: It identifies critical information, key players, productive relationships, strategic goals, operating principles and the mechanisms that help them interact. KM may be viewed as the positive spying an enterprise conducts against itself. It can identify who is connected and who is not, what the company values and what it does not, who has information, who contributes and who doesn't. This is all valuable stuff for a company—and its enemies.
KM involves the sharing of information, but that creates a conundrum for companies that want to promote it: how to reconcile open communication and ready access with the imperative to protect trade secrets?
KM makes organizations more connected, more agile, more effective. But a company's client data, marketing plans, R&D, proprietary processes, custom software and intangible knowledge give it its competitive edge. Indeed, they make the enterprise possible. If KM provides a roadmap to the family jewels and, indeed, adds to corporate wealth by concentrating know-how in a critical mass, how can companies be knowledge-enabled yet knowledge-secure?
The threat of corporate espionage is serious: Two years ago, Procter and Gamble (pg.com) settled with European rival Unilever (unilever.com) over accusations of blatant pilfering. In July 2003, the U.S. Air Force (usaf.com) stripped Boeing (boeing.com) of $1 billion worth of contracts and barred subsidiaries that generated a fifth of Boeing's revenue because two Boeing employees were found to be in possession of 25,000 documents belonging to Lockheed Martin (lockheedmartin.com).
Nor are efforts in that direction trivial or hit-or-miss: Many companies support multimillion-dollar intelligence programs and covert research directed at their business competitors. Attacks can be single events, or ambitious campaigns sustained over time. The line between legal and illegal intelligence gathering is hazy. Case studies and lawsuits are imperfect guides, because companies that have lost information are loath to admit they were victimized. And because a number of organizations within a company may monitor competitors, corporate governance is unlikely to catch--or stop--every effort that crosses the line.
Competitive intelligence is valuable to spies not only because it reveals the enemy's operating principles, but also because it reveals what the enemy knows about its competitors and what it does not know. Every KM system is also an anti-KM system, showing gaps in knowledge and understanding to those who wish to look for them. Who better to have this outside perspective than one's competitors? By looking at taxonomies, for instance, or decision structures, a competitor can gain an advantage--indeed, a lasting advantage--because what has been revealed is not simply information, but vision, and awareness, and judgment.
The old "Pogo" aphorism, "We have met the enemy and he is us," certainly applies to KM. The constant evolution of knowledge management systems is a strength, but it also means that it's not always easy to determine what is being shared and what should be protected. Similarly, the ability to interrogate a company's knowledgebase in new ways means that a corporate spy can plumb a KM system for information that its own operators have not requested.
An imperative of KM, sharing knowledge across geographic and departmental boundaries, creates further opportunities for spies. Crosscutting KM operates on the enterprise level, meaning that the standard defenses may not be as defined or as strong when the query comes from within the company. By definition, high-level KM tries to bring different systems together, creating meeting grounds and common query and access formats. But the participating systems are never equally secure or similarly prioritized; a corporate spy who can penetrate an enterprise KM system can gain a view of the whole Serengeti, as it were, picking out the weakest antelope in the herd.
As an iterative process, a KM system becomes more valuable as it matures. Categorizations and taxonomies do not exist in a vacuum. As they become more refined and tested by real-world experience, they become more useful to the company--and its adversaries. Software that associates information is fine-tuned by users to reflect their particular priorities. Thus, a good KM system reveals the operating principles of a company, and even more, of the organizations within it that rely on KM the most.
Many of the standard KM processes have specific value for corporate spies:
Customer relationship management systems
CRM systems identify customers, marketing strategies, sales approaches, past support, and hundreds of insights and experiences that have created business and promise to generate future business. As a KM system, CRM adds further value by identifying classes of customers and a web of particular characteristics that drive sales efforts and refine service on a local, national or even global basis. CRM also provides critical information about the correlation between service and sales.
Sales force support systems
Sales force support systems allow access to enterprise content, both for salespeople and customers. Driven by a torrent of information and a proximity to the actual cash flow of the business, sales force support systems evolve quickly, reach deeply into the enterprise and touch on a host of business activities. A notoriously mobile work force, salespeople can use a knowledge-enabled support system to enhance their attractiveness to potential employers—often their current competitors.
In a cutthroat environment, salespeople may give customers anything from a casual look to regular access to their systems, as part of a well-intentioned desire to cement relationships. Increasingly, data are shared with key customers to expedite long-term planning, ordering and customizing product lines. The larger question here is who has access to support material, targeted market data, contact lists and other critical information needed by sellers.
Unstructured data and multiple platform queries
KM systems enable their users to tap into file and document management systems; dynamic and static databases; e-mail systems, e-mails and attachments; intranets, Web pages and HTML documents; online information sources; and much more. All of those provide critical and often untapped information, which is precisely the business rationale for companies that produce software to mine that information. For an industrial spy, they certainly provide hard data, but also insights into trends, plans, discussions and the corporate factions behind them. The ability to query across platforms and data sources can spotlight intellectual property that has not yet been patented or trademarked or that cannot be protected because it is an experience-based trade secret.
Unstructured data can be a gold mine for what might be called "defensive information," evidence of wrongdoing that would be useful in a lawsuit, or regulatory lapses of which the targeted company may not even be aware. Search solutions that tap into unstructured data reach into multiple repositories, which underscores security concerns and creates opportunities for spies who know how to use search mechanisms against them.
Spies are no less interested in the correlations that can be had from diverse documents than the companies that created those documents. A really good mining system captures intermediate versions as well as final documents. For both spies and corporate users, that can illuminate thought processes, minority ideas and changing priorities that don't show up in the final version. A more noble example of this principle is the Chinese miners during the California Gold Rush who, barred by racism from registering claims, panned through the tailings left by other miners and extracted value from what others had discarded.
Searches can be viewed as a population, amenable to a kind of demographic analysis. By examining search patterns in a KM system, a spy can discover which searches are most frequent, emanate from which offices, link with which information, and are reiterated and refined in what ways. With a little patience and luck, a search analysis will reveal precisely the issues that keep people awake at night. A search is a vector; its path reveals what is pursued and who is pursuing it.
Information distribution is a way for spies to use a KM system as a roadmap, revealing who gets what information and when. Collaboration is designed not just to get people to work together but to construct a work process that collects and channels knowledge like an irrigation system. The flow itself reveals where information begins in an enterprise—who is the wellspring of ideas and may be worth recruiting—and who slows the process: the backwater, a weak point a competitor can target.
Information distribution also touches on CRM: If experience with a particular product encourages a manufacturer to provide specific, technical support information to its best customers, a competitor who can tap into that seemingly restricted support site can gain a critical edge in identifying weaknesses its sales force can exploit. And how much more can it benefit if it can identify which customers are encountering which specific problems?
Pooling plans and information
KM systems allow companies to view the same business issue through varying lenses, focusing on different levels, different problems and different connections. That is critical to market development, because it enables a company to make sense of survey research, detect emerging trends and desires, and constantly focus its research and development. A spy who can penetrate pooled marketing information, for instance, can learn which products will be introduced and when, whether they will be rolled out in stages or as part of a new line, which upgrades are planned, whether there will be special rebates and which market segments will be targeted. That is marketing gold.
Collaborative learning involves more than just virtual classrooms. It is convection for the corporation, disseminating knowledge from a point of origin throughout the enterprise. Collaborative learning is notably democratic, emphasizing participation, contribution and knowledge sharing. For a company--and for a spy--this is much to be valued. Virtual classrooms allow a spy to play student and connect with the target's creative leaders. Resource directories and skill maps provide a guide to who knows what, and in a well-developed KM system, where their expertise has been applied. (For human resources types, those directories are a handy way to cherry-pick talent from the opposing team.) Process re-engineering, modeling and simulation, and smart systems provide a window onto how lessons learned are being applied.
Each of the new mechanisms for collaboration within the enterprise—Web-based environments, peer-to-peer communication, instant messaging—constitutes a point of access to critical information. Project-based collaboration tools, which by their very nature use those linkages, represent a double challenge: The user group shifts from project to project, creating new opportunities for spies while generating new security challenges for managers.
The nature of knowledge management changes with the nature of the platform that is managing it. In this circumstance, "platform" refers not only to a technology, but to the way that technology is manifested. As Howard Rheingold shows in his seminal book, "Smart Mobs: The Next Social Revolution," instant messaging allows communities to form spontaneously and work for a specific need. As with blogs and standard IM and every new wrinkle in Internet usage, it is only a matter of time until that approach is incorporated into business KM. Younger employees who've grown up with it will demand it and will validate the business case for it.
Similarly, as processing is pushed downward, applications are being incorporated into PDAs, instant messaging platforms and peer-to-peer arrangements that are conducted over WiFi (wireless fidelity) in offices, homes and even hotel lobbies and coffee shops. That imposes new responsibilities in determining not only what information is shared, but what processes are shared. Within the enterprise, we are evolving toward new generations of collaboration platforms that can accommodate both informal and formal collaboration, meeting the bottom-up needs of communities and teams, and the top-down requirements of management. As all these platforms evolve, new security weaknesses inevitably will be created.
Jason B. Lee (jasonblee.com) is a certified financial management analyst and managing director at Lee, Pirelli & Co., a specialty investment banking firm focusing on enterprise software and biotechnology. Aaron D. Rosenbaum is president of CreativeKM (creativekm.com), a consulting company specializing in custom KM applications and security solutions.