During the Second World War, the concept of a 5th Column, a network of spies seeded into a country prior to an attack, was created, and that same concept could be in use by some of the companies aggressively doing acquisitions or growing rapidly in the market.
With social networking and open-source activities providing unprecedented communications channels and opportunities for cross-company relationships, perhaps my speculation about aggressive competitive data mining isn't so far off, and we should consider this risk this week.
During the years I've seen some epic failures in terms of company performance. A few months ago, I suggested that Robbie Bach's colossal failure at Microsoft was so bad it could have been funded by Apple. Initially I was just joking. Now I'm not so sure.
I looked at an old (2001) presentation on how Oracle did competitive intelligence. This presentation more than implied Oracle had people working at each of its competitor's companies, and that it regularly mined incoming employees for information on the firms they left. I do think it might be the Scariest Company in Tech. HP Todd Bradley Example I used to run a field audit organization for IBM and had responsibility for security over the marketing and competitive analysis units while I was a competitive analyst. The intellectual property losses that we discovered were almost always connected to a disgruntled executive who had either been passed over for a promotion and/or was going to work for a competitor. The most pronounced was a senior video president of sales who had evidently been feeding a competitor critical information while crippling our own sales efforts prior to taking his new job with that competitor.
With the recent HP selection of Leo Apotheker to lead HP over the aggressive marketing by SVP Todd Bradley for the same role, Bradley should now be on the short list of those likely to provide competitive information. The recipient of this information would most likely be Oracle's Mark Hurd, the recently fired HP CEO who was also Todd Bradley's mentor. Speculation is increasing that Oracle is trying to aggressively drive down the value of HP so it can position itself for a hostile takeover.
If so, Bradley would be the most likely executive (at least at his level) to be operating to help them, particularly if he was promised the top HP job as a reward for his complicity. (How he executes with the second Palm Pre might indicate just which side he is really on.) Now just because he has both motive and opportunity doesn't mean Bradley is acting against HP's interests. It's only likely, and he's likely not the only one at risk. But to ignore this exposure would be foolish; given the future of HP is at risk, extra care likely should be taken to ensure any information critical to HP's fight with Oracle that Bradley does get can be tracked back to him--and that he knows it.
Mitigating Leaks During a battle--competitive, political, or otherwise--detailed information about the other side's strategy, weaknesses, and tactics can result in huge benefits for the firm that acquires it. In security, it is our job to plug leaks--which are difficult to find--to identify the potential for them. On the short list would be executives or employees who were passed over for critical promotions, complained about abuse, were identified as surplus but still working, or who were known to be disgruntled and aggressively looking for outside work.
Employees like this should be considered a security risk. Care should be taken to control the information they have access to, specifically looking for indications that information coming into their possession isn't being passed outside the company.
Of the firms I watch, Apple is likely the most aggressive at proactively looking for information leaks. And even it has had a problem with containment of late, largely with partners with practices that haven't been as aggressively implemented or enforced. However, much of Apple's success is in fact tied to its ability to contain critical aspects of its products and to identify and eliminate internal leaks.
While it is uncomfortable to think about co-workers who may be leaking critical information about the firm, that is part of the job in security. In hard times, employees sometimes lose sight of their ethical center. Keeping an eye on those who are the most at risk would seem a wise way to avoid your own internal 5th column.
One final thought: With HP's ex-CEO Mark Hurd clearly very close to Larry Ellison, cutting HP to a level consistent with what is often done to prepare a company for sale, olus looking at how quickly (and in an unprecedented fashion) Larry hired Mark after he was fired, is it much of a stretch to wonder if Mark was conspiring with Larry to sell Oracle HP? Security problems don't always start below the CEO, and with HP you might recall its last big leak problem was in its board. With the massive fight for customers, a massive consolidation trend, and security as one of the primary defenses against an unwanted outcome, it could be time to step up and both consider and address this very real risk.
-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.