Upfront: Securing Knowledge Assets

Back to Contents of Issue: August 2004


How safe is your knowledge?

by By Kevin C. Desouza and Yukika Awazu

Most organizations are naive in their attempts to secure their most valuable resource: knowledge. It is an accepted fact that knowledge resources (assets and processes) are the most salient competitive weapons an organization possesses. Lose this knowledge (or misuse it) and you will find yourself out of business.

While awareness of knowledge management is budding, in our experience, the security dimension has received the least bit of exposure and debate. Why secure knowledge resources? We think there are three pivotal reasons.

First, today, there are very few factors that can differentiate competitive offerings of products and services. Consider the case of purchasing a computer. Today, we have numerous computer vendors from which to choose; most are price conscious and offer competitive offerings. Hence, what makes one individual pick an IBM and one a Dell?

All things being equal, we would argue that it is the belief in the perceived superiority of the organization's knowledge and innovative capabilities in the computer industry that makes the difference. Hence, if an organization was to lose this, their basis for existence would be lost and they would collapse.

Knowledge possessed by an organization helps in generating innovations, making changes to product and service offerings and outwitting competitors. An organization's knowledge resources must be rare in the marketplace, otherwise they will have limited value.

Consider the recent debate of the strategic value of information technology. As argued by Nicholas Carr (Does IT Matter?), information technology, in its generic sense, does not provide competitive advantages for an organization. The reason is simple--it is available to all in the marketplace and hence lacks a differentiating ability.

However, if an organization possess proprietary technology and can use it effectively, then you have a differentiating weapon. An organization's knowledge resources must be proprietary to the organization.

In order to keep it proprietary, we must secure it for unauthorized use, tampering, acts of vandalism and even possible sabotage. Competitive intelligence activities are on the rise and will continue to rise exponentially. Competitors are spending a great deal of resources trying to understand an organization's next moves, and competitors are fierce in their efforts to make their opponent's proprietary technology common knowledge in the marketplace. If they are successful in doing so, they will be able to extinguish the abnormal profits earned by the organization.

Take the case of Coca Cola. The formula to make Coke is one of the most closely guarded trade secrets in the business world. Just imagine what would happen if this knowledge was to be made public? Coca Cola would lose the differentiating capability that helps them earn abnormal profits in comparison to its competitors.

In addition, with the current rise in alliances between organizations, the need for security of knowledge takes on increased prominence. Organizations have accepted the fact that they must hone in on their core competencies, and forge alliances for securing their non-core needs.

Alliances call for sharing and relying on a business partner's knowledge. An organization must not only make sure that its internal controls and security protocols are apt, but must also ensure security measures in place by business partners. As the old adage goes, you are only as good as your weakest link. An organization must know with certainty how its knowledge will be used by its business partner, where will it be stored and who will have access to it. Regardless of where the knowledge leak occurs--whether it be within the organization or at the business partner's location--the ramifications from the leak could be disastrous.


Recently, we have seen an increased number of IT outsourcing agreements, especially those of an offshore nature. Technology sourcing agreements call for providing business partners with access to their critical resources--the knowledge of your business, the data and information on your constituents, and process methodologies.

These are prime opportunities for an organization to suffer serious knowledge breaches--unless they are sincere and holistic in their security protocols and implementation.

Third, the sophistication, ubiquity and pervasive nature of technology can be a factor that compromises the knowledge security of an organization. Most use multiple devices for knowledge communications and sharing, and these can range from the office phone and email to use of personal digital assistants, laptop computers, personal computers and so on. This is complicated by the fact that we work and communicate in multiple environments; hence we use these devices in multiple settings.

For instance, we could use our laptop computer at our office to take advantage of the office communication network. Then over lunch we could go to the neighborhood cafe and use an open wireless connection. Then at home we can have a personal communication network that taps into a local Internet Service Provider. The use of heterogeneous devices over heterogeneous environments makes the act of securing knowledge exponentially difficult, because an organization has a larger space of devices, gadgets, environments and systems to monitor and protect.

With the increase in hacking, spamming, spyware, worms, viruses and other nuisances that intercept, harm, sabotage and destroy electronic networks, knowledge communications over electronic networks are increasingly at risk. However, it is not only communication over electronic networks is that at risk.

Even if we are apt and capable of securing communication mediums, we must still be concerned with the devices on which the data and information reside. For example, if an executive loses his laptop on which strategic knowledge documents of an organization are stored, it could be used by unscrupulous individuals to their advantage with ease.

Taken in aggregate, securing knowledge is important and a strategic imperative for organizations. However, securing knowledge is not any easy feat to accomplish. Organizations are still grappling with information security issues. Securing knowledge is more difficult, tedious and cumbersome than securing information.

Information, for all intents and purposes, is a product for particulars, financial records, et cetera. Due to its nature as a product, securing it calls for ensuring that information is tagged, stored in a secured location, accessed by authorized personnel and transmitted over secure communication lines to designated recipients. These activities are no different than what would be required to secure any kind of raw material or product.

But knowledge is more than a product. Knowledge is fluid, dynamic, and more mobile than information. Unlike information, knowledge is not easy to capture. Knowledge resides in the minds of the employees, is embedded in work processes and is captured in product and service offerings.

Moreover, unlike information, knowledge is in a continuous state of flux. Knowledge changes its state as it is exchanged between individuals and entities; knowledge is represented in actions. For instance, knowledge about customer behavior is the insights one receives from the analysis of customer purchasing behavior (information), and also based on the context, experiences and know-how applied to that information. If two individuals are presented with the same customer information, they will each draw different insights. If the two engage in a dialogue, their knowledge about customer behavior will change further. Due to its evolving nature, knowledge is difficult to pin down and capture.


So how do you get started on securing your organizational knowledge? We offer steps to get you started.

First, conduct an organizational knowledge audit. You must identify and value before you can begin to secure. The knowledge audit must be systematic and holistic. Key issues in conducting a knowledge audit include: the identification of knowledge assets; the identification of knowledge assets creators, owners, hoarders, distributors and users; the valuing of knowledge assets; assessing threats to these knowledge assets and the personnel interaction with the assets and assessing the implications of knowledge assets to the competencies and competitive advantages of the organization.

Once knowledge assets are identified, we must understand the governing dynamics of how they are used. This will call for conducting a thorough analysis of the various organizational actors than interact with the given knowledge asset. Valuation of knowledge assets is a difficult yet salient task. While all organizational knowledge is valuable, we must ask: Is the knowledge asset in question rare? Is it nonsubstitutable? Can our competitors imitate and duplicate the knowledge asset? Answering these questions will help us understand the true value of our knowledge assets.

For instance, if a knowledge asset that we posses is easily imitable by our competitors then we must either increase the difficulty for imitating it, thus deterring our competitors from expelling the cost to do so, or we must create backups and alternative knowledge assets that are more difficult to imitate. Once we ascertain the value of our knowledge assets, we must enumerate the threats. This is where we must be clear on the significance of the threat.

The significance of the threat and the associated value of the knowledge asset would determine the managerial intervention necessary to secure the asset. If the significance of the threat is high but the value of the knowledge asset is low, we must be concerned--but simple economics dictate that we will not have enough resources to attend to the knowledge asset in a holistic manner.

The last component of the knowledge audit is to link the knowledge assets possessed by the organization with the overall mission, competitive strategies and core capabilities of the organization. This step is critical to determining and segmenting knowledge based on its contribution to the core of the enterprise and what can be considered as auxiliary. The knowledge audit is only the first step. However, if done properly it will be an excellent foundation on which the knowledge security program of the organization.

Using the knowledge audit as a background, we must now dig deeper into the issue of vulnerabilities. We have already uncovered the people who own, create, store, distribute, and apply knowledge. Now we must ask how vulnerable the organization will be if these people decide to leave the organization or act with guile (i.e., misuse knowledge).

For instance, if one of our chief innovation scientists decides to leave the organization, will he/she take with him knowledge that is not documented or available to anyone else in organization? If so, we have a problem, as a significant amount of research effort could be halted. Moreover, what happens if all the individuals who distribute knowledge or all of the computer systems such as email malfunction? In the case of humans, this could be caused due to a grievances with the organization resulting in a strike or boycott by the workers, and in the case of computer systems, a virus or hacker may cause damage. What will be the result to the overall health of the organization?

Assessing vulnerabilities is never an easy task, as it calls for lowering our pride. However, make no doubt about it, you better believe that your adversaries are enumerating your weaknesses, as this is how they can exert competitive and other influences over your organization. Using the knowledge audit and the vulnerabilities assessment, you must now decide on the most appropriate security strategy for your particular needs. @

Note: The function "email this page" is currently not supported for this page.