W Power 2024

Tackling Opposing Incentives: How Open is Too Open?

The evidence from rotman-TELUS research studies reveals that the issues that surround the protection of proprietary information are not well understood

Published: Feb 27, 2012 06:52:21 AM IST
Updated: Feb 27, 2012 07:41:49 AM IST
Tackling Opposing Incentives: How Open is Too Open?
Walid Hejazi is an associate professor of International Business at the Rotman School of Management

In today’s economy, most business leaders recognize how important it is for companies to be open and transparent -- or at least, to appear to be.  Unfortunately, such openness can expose a company to significant risks via information loss, and as a result, every organization must carefully consider the trade-offs as it goes about setting its own particular level of openness.  

My main areas of research are global competitiveness and information security. Although at first glance these topics might seem unrelated, in fact they are not: in an increasingly information-based economy, intellectual property and knowledge are the very foundations of organizational value, and by extension, of a country’s global competitiveness;  and knowledge cannot survive as a source of competitive advantage without an ability to protect it.

Over the past several years, I have worked on the annual Rotman TELUS Information Security Study (the fourth in this series was released in November). In that time we have surveyed over 2,000 organizations and held over 20 roundtables with executives across the country. Essentially, our studies consider strategies to protect corporate information, where vulnerabilities exist and how they can be addressed. While the focus of these studies is IT related, I believe our work has much broader implications.

Whenever I lecture on strategies to protect an organization’s information, I begin my presentation with the following statement and question:   

Picture this scenario: an organization’s information is breached (i.e. stolen), costing the organization millions of dollars; and yet the organization never knows that it happened, and never detects that it has lost millions. How can this be?

Before we look at how such a thing could occur, let’s take a step back and talk a bit about competitive advantage in today’s economy.

Firms that emerge as industry leaders in our knowledge- and information-based economy are those that are able to innovate in some way and deploy new strategies to gain and maintain an edge on their competitors. The sources for many of these competitive advantages are transparent and obvious to other firms: patents, leadership and managerial styles. In situations where these sources are not easily replicable, they can serve as sources of long-term competitive advantage. Over time, however, competitors often manage to emulate and surpass the source of competitive advantage, thus forcing further innovation. This dynamic process of competition and innovation is ongoing and is the source of much of our prosperity. Firms invest in the development of new technologies and strategies with the promise that comes from profits which will flow to them until the technology is obsolete.

However, many sources of competitive advantage are not transparent to competitors.  These include intellectual property, sources of current and future innovations, client and customer names, and contacts in domestic and foreign companies and governments.  Developing and maintaining a competitive advantage is not just about possessing information and knowledge, but possessing information and knowledge that is not available to competitors. Once such information is leaked to competitors, imitation becomes more likely, and the benefits that flowed from that source of competitive advantage are lost. One of the key challenges in such an environment, therefore, is to minimize the leakage of information and knowledge so as to maximize returns.

It is almost impossible for companies to protect information forever: in producing goods and services and selling them in the marketplace, competitors learn about proprietary information, and notwithstanding patent protection, often copy or develop new products or technologies to enhance their market position. Corporate information can be leaked through legitimate or illegitimate channels.  Let’s start by taking a look at two common forms of ‘legitimate leaks’.

Leaks Stemming from Financial Market pressures. The most obvious leaks derive from financial market pressures and financial analysts developing performance expectations for corporations. As a matter of course, corporations make announcements of upcoming product launches, new technology initiatives, and so on, and these public pronouncements are often reinforced by speeches given by executives, discussions over dinner and drinks with journalists, politicians, financial analysts and countless others.

Information Available on the Internet. There is also, of course, the corporate Web site and other information that is widely available on the Web regarding most large corporations. These aspects of openness are necessary, given our financial markets, and the marketing benefits associated with building excitement around new product launches and the innovativeness of the corporation. Yet I have spoken to several executives who were shocked, after the fact, to realize how much corporate information was made available prior to the launch of new products.  There is a fine balance around how much information to release: enough to convince the markets that the company is doing it right, but not so much to give away too much information that can compromise the success of the launch and subsequent flows of profits.

Information is also leaked through illegitimate channels, including the following.  

Employee Leaks. Perhaps the most obvious channel would be an employee selling information, and this can happen for a myriad of reasons. Evidence shows that this happens more often when employees are let go, and hence such leaks tend to spike in recessions. However, it can also happen when employees feel they are being taken for granted or neglected. Understanding this particular risk and managing it is therefore critical -- especially in knowledge-intensive industries.

Job Interviews. Another source of leaks is recruiting activities. Picture this: a company identifies an employee from a rival company that it is interested in hiring, and invites that employee for a job interview. The employee is treated very well during the process: a business class ticket, a five star hotel, and an over-the-top dinner with key executives.  During the interview process, the employee is made to feel both valued and more important than she rightfully deserves, and as a result, she feels obligated to divulge more information than she should.  For the costs associated with this interview, the recruiting company has potentially gained significant and valuable ‘insider’ knowledge.  More often than not, the employee never speaks of this job interview unless it leads to a job offer; and of course, if the company seeking to recruit has gained significant knowledge, it would not want this kind of employee joining the company, for obvious reasons.

Employees with Foreign Postings. A third channel of illegitimate information leakage involves naïve employees getting a foreign posting. Not long after arriving abroad, these individuals might develop relationships with locals that are agents of foreign governments. These locals often gain access to the employee’s apartment, computer and hence corporate information. A recent presentation at Rotman by a former Canadian Security Intelligence Service agent revealed the extent of this issue and the significant financial losses being absorbed by Canadian companies.

IT Security Breaches. Perhaps the most important channel by which valuable corporate information is lost occurs is through an IT security breach, which can be done without human contact and from great distances by hacking into an organization’s information system. The critical importance of IT security must be motivated by the fact that much of the information that underlies a corporation’s competitive advantage is housed on its information system.  Unfortunately, the cost that is often least understood is the implications for a company’s strategic information.  When information systems are compromised, the extent of the breach is often uncertain: it is difficult to determine whether the information was intentionally targeted, or whether a hacker managed to obtain that information but really doesn’t know what to do with it, nor has any desire to try to use it.  IT security professionals often focus on the tangible costs associated with a breach, such as:

•    How much did we have to spend to fix the problem?
•    How much did we have to spend to deploy a new patch to prevent the breach from happening again?
•    What were the costs associated with notifying customers or clients whose information was breached?
•    What were the costs associated with hiring a public relations company to manage the fallout if the breach was public?
•    What was the impact on the company’s business as the Web site is shut down for maintenance?

These costs are easily quantified and tend to be the focus of business executives in making decisions on IT security strategy.  However, if sensitive information associated with a company’s source of competitiveness is breached, it is virtually impossible to know whether this was done deliberately and hence whether the information will be used by someone outside the organization, and these unknown costs can be debilitating.

In closing
The evidence-to-date from the Rotman-TELUS studies reveals that the issues that surround the protection of an organization’s proprietary information are not well understood.  When we asked survey participants, “Which group within your organization most often disregard security policies?”, executives were ranked number 1. This is a critical issue, given that executives have access to the firm’s most important information.  

There are obvious benefits to being open, divulging information to the markets, sending executives out to spread the word, and so on. But at the same time, there are significant risks of too much information being made public, legitimately and illegitimately. Before leaders decide how open their organization will be, the benefits must be carefully measured against the risks.

Walid Hejazi (PhD ‘94) is an associate professor of International Business at the Rotman School of Management.  The latest Rotman Telus Rotman faculty research is ranked in the Top 20 worldwide by the Financial Times.

[This article has been reprinted, with permission, from Rotman Management, the magazine of the University of Toronto's Rotman School of Management]

Post Your Comment
Required
Required, will not be published
All comments are moderated
  • Prof Samir Joshi

    Excellent work and its the order of the day. Today information driven comminication has been rising at an astronomical rate, in view of this we believe that it is solely a company who has to decide which information is to be disseminated.

    on Mar 10, 2012