Harvard Business Review — 05/12/2016 at 13:04

Leading in a World Without Secrets



Buried amid the furor of speculation about what results of the U.S. election mean for businesses is a fact that’s getting too little attention, but that CEOs and business leaders will definitely need to adjust to: it’s gotten much harder to keep your company’s secrets. Leaked communications that were presumed private at the time have apparently had a major impact on world events. It’s a trend that was already well underway in business, with hacks on companies like Ashley Madison, and leaks of emails from companies like Sony. We’ve had a tendency to think of these primarily as addressable technical failures. It should now be dawning on us that they also reflect a new reality when it comes to keeping legitimate business secrets, requiring a new mindset and strategies from those leading all kinds of enterprises, especially in knowledge-intensive industries.

The primary driver of this new reality is not technical, but economic. It’s getting cheaper and easier for people to get at your protected info, more expensive and harder to keep that info safe. And there’s little reason to expect that to change. The deployment of smart appliances (fueled by enthusiasm for the Internet of Things) and smart devices, as well as always-on social media, will continue to multiply both the ways of seeing into your company and the ways that information can escape.

And there’s an additional factor: the weakest link in our efforts to protect proprietary information is turning out to be not a technical factor but people. Successful computer hacks now more often than not involve “social engineering,” the modern equivalent of an old-fashioned con. Someone gets talked into giving up info or doing something they should not. Such ploys exploit enduring human qualities, such as the tendency to empathize with and believe other human beings, so can’t ever be completely eradicated. And this factor is likely to loom even larger in the future because many of the benefits of new technologies increase as more people join in. Each person who joins becomes a “human node” in the system, and a potential point of vulnerability. And this doesn’t even account for the cases of disgruntled insiders up to no good who might intentionally help your secrets escape.

What does the new reality mean for business? It means we are moving into an era in which every company and organization must expect that secrets will get out. You cannot afford defenses that will fully protect you. Consistent with the philosophy espoused in HBR way back in 2003 in the article The Myth of Secure Computing, business leaders will need to decide which of their information assets are so valuable that they want to invest a lot to protect them, and which they can’t afford to protect vigorously. The realistic expectation for the number of secrets that will leak every year from any company will be greater than zero.

How should leaders adjust? There are two ways to prepare for the possibility of people trying to get at your secrets. You can protect them better (which, as already stated, might get expensive). Or you can act to minimize the consequences of leakage. How can you do this?

Companies do not all depend equally on proprietary information for competitive advantage. Some inevitably do, and if you are one of these, you are most exposed. But you do have some control over this. You can systematically examine your business model to find its points of vulnerability to information leakage. And you can opt for strategies going forward that depend less on keeping information secret — that depend, perhaps, on difficult-to-imitate operational or sales capabilities, rather than trade secrets. (Toyota used to conduct plant tours all the time for execs from other auto companies curious about its famous Toyota Production System; replicating TPS elsewhere depended on hard to develop capabilities, not secret formulas.)

You cannot, however, completely insulate your company from the consequences of information leakage. This means you must have a way of containing the damage and recovering. Partly this is an operational capability — how do you quickly shut down avenues through which information is escaping? But also it is about developing a capability for reacting publicly, quickly and rapidly. What will you say to customers, shareholders, and the public about a leak? How will you compose the messages that you’ll need to deliver at such a high stakes moment? Who will be involved? Many of these details can be worked out in advance. It can’t just be left to the PR department — the necessary messaging is too likely to be entangled with technical, legal, and ethical issues to compartmentalize it to any one department. You’ll need a team-based, collaborative capability, with top executive and, probably, board involvement. The board clearly has a fiduciary responsibility here, and boards are becoming more susceptible to legal difficulties for failing to carry out such duties. In addition, tapping into a strong board’s experience and judgment could be an important part of a response to a leak — if, that is, the board has been briefed and alerted and is prepared to respond to such attacks.

It can also help to rehearse events before they happen. Practice developing the exact wording of statements, and figure out how to craft the most effective messages, before you need to do it in real time. These can be exceptionally dicey situations. Saying something that later turns out to be wrong can have legal (disclosure) implications. Saying something unnecessarily alarming can damage your company’s reputation (if you accidentally prompt speculation that exaggerates the scope of a data breech, for example). You’ll have to walk a fine line in a tense situation.

In the worst case, in our “post-fact” information economy, your leaked information might be used to generate believable falsehoods about your company’s activities or intentions. We asked some of our twenty-something students — digital natives who live with many of the technologies that have produced the new reality — what companies should be most afraid of. Their response: “A grain of truth, in a wrapper of misinformation.” The world has awakened to the power of such dangers. Business leaders must be prepared, in thought and practice, to prevent their companies from becoming a victim.

Robert D. Austin, who holds the chair in Management of Creativity and Innovation at Copenhagen Business School, is a coauthor of Harder Than I Thought: Adventures of a Twenty-First Century Leader.

Richard Nolan (rnolan@hbs.edu) is an emeritus professor of business at Harvard Business School in Boston and a professor of management and organization at the University of Washington Business School in Seattle.


Femmes dirigeantes : ce que cachent les statistiques
The Factors That Lead to a Pay Premium for Women
Advice on Running a Government Agency Like a Startup, from Someone Who’s Tried It
Non, les hauts potentiels ne sont pas tous de futurs leaders

Leave a Reply

— required *

— required *