As an information assurance professional, I am aware of the competitive intelligence field. It is loosely described as the practice of defining, gathering, analyzing, and distributing intelligence about products, customers, and competitors to support an organization’s strategic decisions. Most of my exposure to the field has been in conducting forensics investigations where less ethical forms of competitive intelligence (e.g., social engineering, fake interviews to bleed project data, Wi-Fi sniffing at local coffee shops, etc.) were being used. But a call I received today opened my eyes to the broader, more ethical world of competitive intelligence and the impact that it will/should have on your Information Security Management System (ISMS).
The call was with a potential client in the “packaging industry” who was looking to develop a certifiable ISO 27001 Information Security Management System to manage information security risk. At first blush, the risk associated with developing and manufacturing “boxes” did not appear to match the formality and rigor of the security posture they were aspiring to. Typically, clients pursuing ISO 27001 are interested in protecting high-risk data (credit card data, personally identifiable information, patient health information) that is heavily regulated (PCI-DSS/HIPAA).
The “education” the prospect conferred on me during the call helped me to better understand an “evolving” risk related to competitive intelligence — one that many of our clients likely need to be more aware of. Consider that:
- Many large corporate organizations have a dedicated Competitive Intelligence department (a Monster/Google search is enlightening).
- There are colleges offering degrees in Competitive Intelligence.
- The line between competitive intelligence and corporate espionage is a fine and ill-defined one.
- Estimates as to the market size vary widely, and go as high as $30 billion.
Our potential customer indicated that some of his clients in the Consumer Products area are encouraging providers to be ISO 27001 certified as a means of reducing the likelihood of competitive intelligence agencies gaining early knowledge/insight about new product development and the approach to marketing these new products. They estimated the value of a breach of this information for new products to be “in the millions.”
So what does this mean for the rest of us? I’m thinking that we need to do a better job of understanding the business risk associated with competitive intelligence and ensure that we have the requisite controls in place to mitigate that risk to an acceptable level. We will update our ISO 27005-centric Risk Assessment Methodology to explicitly raise it as a risk to consider.
A good starting point to learn about competitive intelligence is Strategic and Competitive Intelligence Professionals (SCIP), formerly the Society of Competitive Intelligence Professionals.