OPSEC and New Product Development
by Daniel W. Phillips, OCP, PSP
A key and sometimes-overlooked factor in the successful development and launch of a new product or technology is protecting it from prying eyes in the concept and development phase. Whether developing a new concept or modifying an existing product, the intellectual property developed or used in the process is a valuable and sometimes fragile and time-sensitive asset. Once a product has been submitted for a patent it may have already been duplicated and the “element of surprise” lost. Implementing the principles of Operations Security (OPSEC for short); identifying your CI, knowing your competitor’s intent to collect against you, identifying your vulnerabilities, assessing the risks to your CI and implementing countermeasures to reduce or eliminate those vulnerabilities, is important to the success of your new and existing product development.
Intellectual property (IP), trade secrets, and proprietary information represent your company’s Critical Information (CI), which must always be protected. Your CI is what your competitors need to gain advantage over you or at least neutralize your market position. Therefore, the basis of secrecy must start in the concept phase (at the drawing board) through market introduction and beyond. OPSEC, like company pride and loyalty, must be practiced and engrained in the corporate mindset from the CEO to the maintenance and janitorial personnel.
Because secrecy may not always be at the forefront of people’s minds, there are sometimes incidents where new ideas and products are compromised long before they enter the market. Unfortunately, this can result in losses of untold thousands and sometimes millions of dollars for the initial developer, and it seems the risk is greater where market competition is fierce. CI may be lost, disclosed or compromised in any number of ways. The CI may be compromised by an insider or discovered by a competitor through some inadvertent act of an unwitting employee, such as tossing away old concept plans in the trash or recycling containers. While intellectual property rights/laws, copyrights, patents and non-disclosure/non-compete agreements provide a basis for legal protection. These safeguards don’t often stop or even dissuade unethical, dishonest, or disgruntled employees. Case in point, a DuPont employee fired in 2006, emailed trade secrets on DuPont Kevlar® to his new employer Kolon Industries, Inc. a DuPont competitor and more recently in the Edward Snowden case which exposed government secrets. Neither do they deter black-marketers or “pirates” in those foreign countries where those laws are non-binding or non-existent. Counterfeiting products is a large business worldwide. One report in The Economic Times estimates the total worth of counterfeit and pirated products is likely to be $1.22-$1.77 trillion by 2015.
While physical security like locks, safes, sensors and alarms serve to deter and detect unauthorized persons, there are still many avenues in which the CI related to new products can find its way into your competitor’s hands. Losses may result from lax security procedures, cyber theft and even industrial espionage. Even if your CI is well protected physically, procedurally and legally, there are often subtle indicators that when analyzed can be compiled to form a clear picture of your plans, intent and/or capabilities. (Indicators are those things that point toward your CI.) They may be hints and rumors among competitors, information obtained from public sources like permit applications for testing, and request for proposals and orders for specialized parts, tools, chemical additives, etc. Increases in traffic at facilities, new construction or building modifications, changes in shift work, unusual fluctuations or changes in observed procedures or production schedules, a deliveries, increasing (or decreasing) activities all can point to something changing within your company or organization. Even something as simple as a sudden increase in production workforce and new job announcements and hiring can provide indicators. (It is not uncommon for competitive intelligence groups to send in “new applicants” for job interviews to obtain information about a company’s activities.)
The important thing to consider is that these indicators lead to the observer to the perception of something new. This, in turn, may raise the interest of those following your company activities and may prompt them into further scrutiny of your company. While one or two seemingly innocuous events or indicators may not reveal much. With enough pieces of the puzzle, (data aggregation) a trained observer may be able to glean sufficient details of your plans which may in turn lead them to your CI. It is easy to see why it is not enough to lock your ideas away physically, but remove or limit those indicators which might disclose your intent or plans or lead directly to your CI. With a relatively small effort in self-analysis, it is possible to identify those gaps in procedures and design and implement actions (Countermeasures) to minimize exposure of your CI, and reduce or eliminate indicators.
These OPSEC practices, combined with standard security protocols, legal protection, and a little due diligence is critical to ensure your CI is protected from prying eyes. These actions are an absolute necessity to ensure initial and continued success of your programs. As a cost factor of doing business, these extra steps may not provide a tangible return. In fact, these actions when implemented properly will be transparent. The true benefit to OPSEC comes from the peace of mind knowing that all possible efforts are made to protect your business, its product line and market share, and future revenue derived from new products.
Dan Phillips is government Operations Security program manager and past president of the OPSEC Professionals Society.