John Nolan of Phoenix Solutions

How to Find Holes in Your Security: Morris Blatt

`Confidential’ Lessons: Nolan

Corrections or additions?

These articles by Kathleen McGinn Spring were prepared for the

September 5, 2001 edition of U.S. Newspaper. All rights reserved.

Guarding the Gates

It’s Now Easy to Grab Competitors’ Secrets,

But it’s More Difficult to Safeguard Your Own

Top Of Page
John Nolan of Phoenix Solutions

John Nolan, co-founder and chairman of the


intelligence firm Phoenix Solutions, says an amazing number of people

have a "Push to Talk" button. He knows this because many of

the 32 full-time and 85 part-time employees of his Huntsville, Alabama

company spend considerable time dialing up graphic artists,


ad directors, engineers, and workers in dozens of other job


Their mission? Get unpublished information for clients about their

competitors’ new projects, products, and plans of all kinds.

The approach to unsuspecting informers goes something like this, Nolan

says: "Good morning Fred, I’ve been told you’re the smartest man

who ever wore hair on the subject of … (fill in the blank)."

Nolan finds the Freds of the world, very probably feeling at least

a little under-appreciated by their bosses, and rarely given an


to show off their expertise, are remarkably willing to chat at length.

"Fifty out of 100 go for it right away," he says. His


always identify themselves by name and company, and say they are


on a project for a client. Contacts who do not start talking


most often want to know who the client is. Thirty-five percent, told

that information can not be revealed, talk anyway. Only 15 percent

of the people Nolan’s trained interviewers call are unwilling to enter

into a conversation during which they will be skillfully probed for

all sorts of secret information.

While Nolan’s company makes these calls to clients’ competitors, he

finds it is considerably more productive to hunt information less

directly. "If money changes hands, information changes hands,"

he says. Any company’s customers, vendors, suppliers, PR firms, copy

centers, and accounting firms know a great deal about what a company

is about to do next. It is in this web of business partners that Nolan

instructs his employees to collect information for his clients.

This is just one of the ways that information — the new economy’s

most valuable currency — can be uncovered. Nolan’s firm


both in finding information for clients, and in helping them keep

their own vital information securely under wraps. Nolan, president

of the board of directors of the Society of Competitive Intelligence

Professionals, speaks at the organization’s NJ Education Day on


September 10, at 8 a.m. at the Newark Airport Marriott. Cost: $135.

Call 908-979-0570. (Nolan is also author of the book,


an excerpt from which is printed beginning on page 47 of this issue.)

Nolan is a native of the Garden State. He grew up in Haddon Heights

and spent his summers in Cape May. Now living in Alabama, he points

out, as those who enjoy Cape May tend to, that he hasn’t moved all

that far, because, after all, "Cape May is below the Mason Dixon


Nolan graduated from Mt. St. Mary College (Class of 1976), where

he majored in international relations and foreign policy. He then

served as an intelligence officer for the government for 22 years.

He was an Army officer, but says he was "detailed to other


dividing his time almost equally between intelligence and


He planned to obtain a Ph.D. and teach after leaving the Army, but

his wife nixed the idea. "She was tired of the relative poverty

of the Army life," he says, and was not eager to trade it for

the relative poverty of the academic life. She volunteered to relieve

him of family responsibilities for a time so that he could devote

time to studying business, which he did, earning advanced degrees

from the University of Central Michigan and the University of Southern

California. He founded Phoenix Consultants in 1991, and in 1997


up the Center for Operational Business Intelligence in Sarasota,

Florida (

That organization provides practical intelligence training for



Here are some of Nolan’s insights on corporate intelligence.

Technology has made the intelligence game easier, and more

difficult. "On the collection side, it’s immeasurably


he says. "It used to take us weeks and months to find 75 good

sources." Thanks to the Internet, the same number of quality


can now be unearthed in a matter of hours. The flip side, of course,

is that the other guy has access to the same wealth of information,

and is using it to undermine your business.

Newspapers are old news. "You don’t get intelligence

from what has been written," Nolan says. Keeping an edge requires

finding sources in the know who have not yet talked to a reporter.

Generally, leads to such primary sources are available by the hundreds

on the Internet. Look, Nolan says, for people within the target


who are published authors. Scrutinize job postings to find individuals

who have worked for the company, or are knowledgeable about the work

it does.

Foreign competitors may be a big threat. Nolan finds some

of the companies that are most aggressive in seeking intelligence

are based overseas. Common ploys, he says, include dumpster diving

to piece together projects from discarded notes, and staging fake

job fairs.

In the latter instance, the company trolling for inside information

advertises positions calling for the exact skill set people working

on the project it wants to know about are likely to have. Stated


and benefits are generous enough to entice candidates. When applicants

are interviewed it is only natural that they talk about what they

are doing in an effort to demonstrate that they would do a good job

for the new "employer." Nolan has worked this scam himself

in the course of helping clients identify ways their information could

leak out, and finds it is very effective indeed.

Security can vary by geographic region, and by


Nolan says that, while manufacturing employees in the Mid-West may

wear ID badges and pass through security checkpoints without


the same measures could send Silicon Valley software developers in

search of new employment. Employers need to balance a need to keep

information secret with allowing their workers to operate in an open

atmosphere, and must know how far they can push.

Human beings purely love to talk — especially about


and about their work, says Nolan. A tendency to complain is pretty

much a given, too. That being the case, employers need to appeal to

their workers’ and business partners’ self-interest in urging secrecy.

Talk to them, Nolan says. Explain that keeping a project under wraps

can make the difference between a big market lead, and none at all.

Between big raises, and a freeze on wages. In the South, says Nolan,

such a talk is called a "Come to Jesus" meeting, and it can

be very effective in silencing those "Push to Talk" buttons.

Top Of Page
How to Find Holes in Your Security: Morris Blatt

Morris Blatt, a competitive intelligence


tells about a meeting with a client company. The president and eight

high-ranking staffers were in attendance. "What is your biggest

security problem?" Blatt asked. "`Leaks to the press,’"

replied five of the nine executives.

Blatt knew press leaks were the least of that company’s problems,

and he proved it. He set up another meeting early in the morning of

the following Wednesday. Arriving in the conference room with the

executives, Blatt watched as they read the whiteboard, which said

"Blatt: 8:30 Wednesday morning."

He had written the message hours before, in the dead of night, long

after the building was officially closed. He proceeded to hand the

executives 50 business cards, a couple of employee ID badges, and

a stack of documents he had collected in his unchallenged nocturnal

stroll through their offices. Sure, that company needed to worry about

press leaks, but first, says Blatt, it had to go out and hire a chief

of security.

Owner of three-year-old On Trac Solutions, a West Windsor competitive

intelligence company, Blatt is also a longtime member of SCIP, the

Society of Competitive Intelligence Professionals. He speaks at the

organization’s New Jersey Education Day on Monday, September 10, at

8 a.m. at the Newark Airport Marriott. Cost: $135. Call 908-979-0570.

Blatt holds a bachelor’s degree in engineering from Polytechnic in

Brooklyn (Class of 1968) and an MBA in finance from Monmouth

University (E-mail:

His interest in competitive intelligence began nearly 30 years ago

at one of his first jobs. He was working in operations for a chemical

company and wondered what the competitors were doing. It was a


that continued to interest him as he moved among industries and job

titles. Gathering information on what the competition is up to is

a function of many corporate divisions, he points out. Marketing,

pricing, technology, strategic planning, sales, research and


— all of these departments need to know who their competition

is, and what it is doing, or not doing.

After stints in chemicals, electronics, and telecommunications, Blatt,

who had been volunteering up to 40 hours a week to SCIP, and spending

significant time volunteering for the Special Libraries Association

too, decided to become a full-time competitive intelligence


"It was a logical extension of what I was doing," he says.

Blatt does not sell data, but rather sets up competitive intelligence

departments, and offers training in gathering data, disseminating

it throughout layers of management, and acting on it. He also performs

security audits.

Blatt himself has a mighty appetite for data. "I read 400 to 500

annual reports a year, 200 magazines a month, and five newspapers

a day," he says. He also spends time surfing the Internet for

information and says, "what you don’t know about data will kill


No casual reader, Blatt can extract much of what he needs from a


in one-and-a-half minutes flat. First, he looks at the advertising.

Who is spending big bucks on ads? And, perhaps more important, whose

ad budget obviously has been slashed? Then he reads letters to the

editor. Next, he looks for new product announcements. Only then does

he turn to the articles, clipping the ones that look interesting,

and filing them in a cross-referenced system for easy access later.

"Ninety to 95 percent of all information is publicly available

— if you know where to look," Blatt says. Beyond magazines

and newspapers, companies would do well to spend time at town hall,

where corporate building plans are likely to be on file, and even

at the local fire department, which will contain records of what


of which chemicals a corporation is storing where. (Information that

can go a long way toward giving away what the company is


Even press releases by elected officials gathering glory by announcing

plans to reel in a new corporate citizen can be valuable.

While Blatt says he "strongly believes in ethical standards,"

he knows that not everyone does. "Oh yes," he says, "there

are people who buy garbage, and try to put shredded documents back

together. There are dumpster divers."

Dumpster divers are unlikely to be a company’s biggest information

security problem, though. The enemy most likely is within, and in

many cases has no idea that he is giving away company secrets. What

is the one document you need to know all about a company? Blatt asks.

The answer, surprisingly enough: The phone directory. Get that, he

points out, and you know exactly how many secretaries, chemists,


vice presidents, and media relations employees a company has, and

very likely, how the company’s departments are organized. Yet, he

says, few employees know the value the document has to competitors,

and take measures to safeguard it.

While gathering intelligence on competitors is vital to business


at least equally important is keeping the intelligence that


want away from them. Here is Blatt’s advice for keeping proprietary

information under wraps.

Educate employees on what is proprietary. Like the phone

directory, every company has documents, plans, products under


legal issues, and hiring plans it does not want its competitors to

know about. Give employees guidelines. Let them know what information

is to stay in-house. And, if possible, mark documents — like that

phone directory — with a stamp that reads "proprietary."

Watch those loose lips. Blatt tells of flying out to a

meeting with a client, and, by chance, drawing a plane seat in a row

directly behind two of that client’s employees, who merrily chatted

about proprietary company information all the way across the country.

On another occasion, he ate in a company’s cafeteria — a big


badge affixed to his lapel — while employees all around him talked

about new products under development. Employees should be drilled,

he says, on not talking about their company’s proprietary information

in public places, and particularly not in restaurants near the



Be on guard at industry conferences. There are certain

venues, says Blatt, where companies in a particular industry gather.

"All your competitors are there," he says. "You want to

look good. You get caught up in the moment." At such times, it

is especially easy to let secrets slip.

Realize E-mail is not secure once it leaves the company’s

firewall. Twice in the last year, Blatt has had E-mails


On one occasion, a person added an obscene sentence to the beginning

of an E-mail going to a client. "People don’t realize," Blatt

says, "that if you send an E-mail to Philly, it doesn’t go


there." The message may pass through eight servers, and at each

location it can be opened, read, and even modified.

Turn off computers at lunch time. Most employees simply

stand up and walk out at lunch time, leaving whatever document they

have been working on up on their computer screens. Visitors walking

through are free to read whatever is there, possibly learning about

agreements or products the company had planned to keep under wraps

for months.

Lock up at night. Not only should doors be secured, but

employees should sign off from their computers, and should stow


documents in locked drawers.

As for press leaks, Blatt says this is an area of concern. In

general, though, he says "don’t be paranoid. Getting information

out can be a good thing." Just make sure employees know which

subjects are off limits — things, for example, like the fact that

a consultant was able to roam freely through the offices well after

the last employee had left for the night.

Top Of Page
`Confidential’ Lessons: Nolan

In this excerpt from his book, "Confidential"


1999), John Nolan, former government intelligence officer, and founder

of both a competitive intelligence company and a competitive


training institute for executives (see page 14), talks about how to

protect vital company information.

An Example from Coca-Cola: In their quest to keep


under wraps, some organizations — both government as well as


— often miss these simple truths and expend precious resources

in a wasted effort. They fail to follow Bismarck’s admonition, "He

who seeks to protect all, protects nothing."

While it could be argued that there really are some things in a


program environment that demand complete protection, it’s rare that

a business can afford to keep absolutely everything about their


secret. For example, the Coca-Cola formula story. They know what to

protect, and they’ve taken virtually every step known to man to keep

it secret, and it seems pretty clear that they want to protect it

forever. Yet they don’t go so far as to keep their product off the

shelves lest someone break down a sample into its precise ingredients,

quantities, and process, and be able to replicate it. No company can

stay in business if it keeps its products or services under lock and

key so that a rival can’t see them, and at the same time keeps them

away from customers too.

Let’s stay with the Coca-Cola formula for a little while longer as

we try to figure out this problem of knowing what to protect. Clearly,

anybody who has ever heard from Coca-Cola’s lawyers has learned that

trying to get the formula would be a long and very costly process.

That goes for anyone who has spent — and is making — billions

on a product that is worth protecting through all means possible.

Are you going to try and gain some competitive advantage from


any of your competitors by attacking their strongest and most


defended asset? Hardly. Instead, you’re going to attack other aspects

of their business base. You’re going to go after their distribution

channel, for example. New packing approaches. New co-branding and

strategic relationships. New line extensions and where they’re headed.

Information about these kinds of things is what a competitor would

be after. Information that the rival can use either tactically or

strategically. That’s the information that Coca-Cola, you, or anybody

else is going to have to protect.

The Trojan Tractor Trailer: In the mid-1980s a senior

government official realized that he needed to provide some protection

for a major project that he’d been involved in for some time. He


for some assistance in protecting his project from disclosure,


to the Soviets.

The planning meeting started poorly and went downhill rapidly. He

started off by saying that the program was well enough along that

it looked like the technology would work, and that it would be another

18 months before it could be fielded. In the meantime, it absolutely

needed to be kept under wraps.

A few well-pointed questions got some awkward answers. "How many

people know about this project?" When the answer was "over

300," eyes began to roll, especially after hearing that there

was no "knowledgeability list" of those who had been made

aware of the project. But at least it was a place to begin fixing

the problem.

The next answers were even worse. The project had been going on for

over three years at that point, and one room held nearly 50 safes,

all filled with the written materials and technical drawings related

to the technology. Virtually no other measures had been taken to


the project, its open contracting for research assistance, or any

of the other, myriad elements that should have been in place for


The recommendation: get 25 junior people with appropriate security

clearances, get 25 photocopy machines, 50 more safes, and an


Photocopy everything in all the safes, and put the copies into the

new safes. Put the new safes on the tractor trailer and drive it into

Washington. Drive it through the front gates of the Soviet embassy

and leave it. Abandon it. In their suspicious, paranoid, and


way, the Soviets will look at every single document and every element

as if it was all part of a massive deception operation. They’d spend

far more than the 18 months needed to safeguard the new technology

in trying to figure out what was true and what was not, and they’d

be paralyzed. In the meantime, the project could go forward with new

protections built in.

Needless to say, the out-of-the-box solution set was not what the

humorless bureaucrat was looking for. But you get the point.

Cues and signals: You have to look for all those cues

that, when aggregated and analyzed, tell the tale. Cues and signals

that can be elicited from the person who has them. The person who

doesn’t attach any particular significance to the cues and signals

because he doesn’t understand the piecing together of the jigsaw


that is the hallmark of the intelligence process. Cues and signals

that tell a competitor where your firm is headed.

Cues that are sometimes individual items themselves. Cues that are

sometimes patterns that reveal how and when something is going to

happen. Cues and signals like the pattern that one of your competitors

likes to make new product launch announcements with a great deal of

fanfare at a particular resort — and because they made the travel

and hotel reservations six months early, that provided their main

competitor an early warning to counter the product.

J&J Intercepts BMS’s Signal: Johnson & Johnson was making

a gazillion with America’s Number One Pain Reliever Tylenol.


really thought that there was a place in America’s bloodstream for

another painkiller and developed Datril. They test-marketed it in

Peoria, Illinois, and Albany, New York, two bastions of


Middle America. Two cities that they’d used many times for test


in the past. Two cities that helped Johnson & Johnson identify when

and what new products Bristol-Myers was planning on launching. Two

cities that were part of Bristol-Myers’s pattern of cues.

Johnson & Johnson’s monitoring of these patterns revealed the Datril

test marketing. Cues that revealed that Bristol-Myers was going to

attempt a price penetration for Datril at $1.89 a bottle, compared

with Johnson & Johnson’s $2.89 a bottle for Tylenol. Cues that


Datril’s entry on April 15. Cues that led Johnson & Johnson to tell

Mr. and Mrs. America and all the ships at sea that in making Tylenol

America’s number one pain reliever, J&J had recovered their


costs years earlier than projected. Cues that let J&J tell the folks

at home that J&J wanted to pass along savings to them in the form

of an immediate price reduction to $1.89 a bottle, complete with


coupons for anyone who’d bought a bottle in the last month. Cues that

let J&J do this on the first of April. Cues that let J&J completely

disrupt the entire Datril advertising campaign, to include the media

blitz that would have to be put on hold until the new Datril strategy

could be developed. Cues that let J&J take the offensive in a campaign

that eventually made the media refuse to take any Datril ad space

until they had their act together.

Cues that kept Datril from gaining anything more than a 1 percent

share a year later, when Tylenol was able to withstand the


murders. Imagine. Something that is supposed to help people overcome

pain winds up killing them instead. Certainly, not through any fault

of Johnson & Johnson’s. But what would’ve happened to Tylenol if


been a strong number two at the time of the murders? Anybody’s guess.

But it wasn’t Datril.

— Kathleen McGinn Spring

Next Story

Corrections or additions?

This page is published by

— the web site for U.S. 1 Newspaper in Princeton, New Jersey.

Facebook Comments