How to Begin
This true story took place in early 2001, which is important only to give a context of the threat environment of the time. In this case the competitor was the primary threat of concern.
I was the manager for the company sensitive information protection program including support for the product development organization. One day a staff member contacted me and said it was urgent that I come meet with John.
In the meeting, John shared the high level for initiating development on the next generation commercial airplane, leveraging the strongest minds across the corporation. John was under orders from his boss, the organization leader Alan, that the program must be absolutely secret. The consequence of a leak would be that John, the program leader, would be fired. I was asked if we would take responsibility for the information protection program. He needed to start implementing the security plan in one week.
I returned to my office, arranging a meeting with my boss and the Chief Security Officer. They supported my recommendation that we accept the assignment. The goal of the security plan was preventing disclosure, which was most likely to occur by program insiders. A particular scenario was the threat associated with social engineering by the competitor, since they clearly engaged in business intelligence, and were widely rumored to engage in espionage.
The security plan was modeled as much as possible on the approach to protecting government classified information, particularly for personnel security (limited need-to-know list, screening and approving access, non-disclosure agreements) and physical security (access-controlled areas, storage containers, alarms). However, given the timeframe and technology of the time, stand-alone computing was not entirely feasible. Many of the deliverables were in the form of Microsoft Office products; the personal computers could be limited to the program areas, with closely restricted access to file shares. The balance of the computing was compute-intensive numerical analysis. While this data was the foundation of the program’s success, on its own it appeared no different than other analysis and could be disassociated from the program.
With the security plan completed and approved by my management, I was ready to meet with the program leaders. I did not expect them all to read the plan, so I prepared for a conversation about how the security program needed to operate. This was a presentation of 6 Vufoils for the overhead projector (remember this is before conference room projectors became common). John introduced me, and I said a few introductory words when he interrupted me. His remarks covered my first slide, and the same happened for all 6 slides. So, I had the remarkable luck to have a leader who intuitively understood most of what needed to happen, and that cemented support by the leadership team.
Except, I had one more thing to say: “John, who is owner of your information assets, and decides how much protection is enough?” “Well, I am.” To which his leadership team unanimously dissented; they reminded John that he was mostly not available for day-to-day management. He relented and appointed his deputy program manager, Pete, as the owner. Pete reviewed and approved the security plan. Whenever there was a program team meeting, Pete was the one who led any discussion of security, which demonstrated to the team the leaders’ commitment and support of the plan. We never had any complaints about why the security plan required what it did.
I’ll skip the operational details, not because they lack interest, but because they don’t contribute to the lesson.
During all this time, John and Bill were talking with customers. Their goal was to elicit requirements and assess interest. I can only imagine how they did this without showing their hand too soon, which would have potentially compromised the competitive advantage. At one point Alan apparently judged the time was right, and publicly disclosed the program.
The existence of the program was no longer a secret. The leaders decided to continue the security plan, which actually became more difficult. It is pretty easy to explain to people that they mustn’t share anything about the program. It is much harder to get leaders to establish a sensitive information protection guide that identifies the categories of information to protect and relates the category to the protections required (consider government classification guides that relate categories of information to Confidential, Secret, and Top Secret protections).