Theo Tryfonas
Centre in Systems, Faculty of Engineering

Embedding Competitor Intelligence Capability in the Software Development Lifecycle
Security and Protection of Information 2009 - Brno, Czech Republic


2 Outline

• Competitor Intelligence (CI) and tools
• Software development process and informational requirements
• An integration framework
• Relationship to infosec and challenges

3 The importance of Intelligence

“If you know the enemy and know yourself, you need not fear the result of 100 battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle”

General Sun-Tzu, c. 544-496 BC (?)

4 Recent industrial espionage cases

5 Competitor Intelligence and competitive advantage

• Many forms of intelligence
  – National Intelligence, Military Intelligence, Criminal Intelligence, Corporate Intelligence, Business Intelligence, Competitive Intelligence etc.
• CI: A systematic and ethical program for gathering, analyzing, and managing information that can affect a company's plans, decisions, and operations.

6 The CI process

• The process of monitoring the competitive environment.
  – 80% of large multinationals have an organized system for collecting intelligence
  – 60% of US companies (of that review sample)
• It includes competitive, technical, people, and market intelligence.

7 The CI process

Integrative CI model showing intelligence information processing stages (Bouthilier & Shearer, 2003)

8 CI tools and applications...

• Generic (e.g. databases) and specific (e.g. price monitoring agents)
  – Mind mapping, system dynamics, textual analysis, …
• Knowledge management/information engineering focused
  – Requirements elicitation, Data mining, Artificial intelligence, OLAP, Visualisation, Collaboration portals etc.
• The Internet!

(table 1 in the paper: tool/function/description)

9 ... facilitating

• Porter’s five forces analysis (consumer, vendor, competitor, new entrants, substitutes)
• SWOT analysis (strength-weakness-opportunity-threat)
• Competitor profiling
• Benchmarking (measuring against competition)
• Customer-led/requirements-driven design
• Etc. etc.

10 The software market: Monopolies and ‘The cathedral and the bazaar’

• The software industry faces extreme pressures to provide new applications that add value in today's competitive environment. (authors’ JCIM paper)
• ‘Siloed’ market with near-monopolies for core technologies
  – E.g. OS (Microsoft), database (Oracle)
• Intellectual property protection drive, s/w licencing and (personal view) misunderstanding of the digital product in pricing strategy – OSS/FS vs. commercial

11 Software processes and development lifecycles

• Developing a product in isolation is impossible – especially software
  – User needs, technology platforms, development tools, laws and regulations, available products and their shortcomings etc. etc.
• Information gathering is critical throughout the development lifecycle
  – Both technical and organisational/market driven
  – To appreciate cost and risk and anticipated revenue

12 SDLC

The informational requirements are similar regardless of the nature of the process (linear, iterative, ...)

Fig. from http://en.wikipedia.org/wiki/Iterative_development
Fig. from http://en.wikipedia.org/wiki/Software_development_process

13 Indicative informational requirements in the SDLC – intelligence input

• Requirements analysis
  – User needs and preferences, threats and threat agents, existing products, emerging markets, ...
• Design
  – Input from previous stage
  – Competitive products designs, ...
• Coding
  – Input from previous stage
  – Target platform APIs, threats and threat agent tools, target platform or build technology known vulnerabilities and exploits, ...
• Testing
  – Input from previous stage
  – User needs and preferences, ...
• Etc. etc.

14 Integration of CI into SDLC

15 Integration of CI into SDLC (cont’d)

16 CI/Infosec interface: Knowing others, protecting yourself

• Information security practices can assure the ethical gathering and processing of information (e.g. via compliance with Data Protection Acts)
• as well as protection from unethical gathering (industrial espionage of third parties, risk of internal threat etc.)

17 Conclusions

• Understanding the market, user needs and how to price the resulting product has a profound impact on software – and its security
  – Piracy and IP protection, put-to-market pressure etc.
• Competitor intelligence is usually viewed as a task of marketers – it isn’t
  – Many technical aspects, threat environment and hi-tech espionage, need for professional integrity assurance
• Software processes are now (after many years of preaching) being modified to meet infosec requirements – perhaps they could also formalise the intelligence input to the development/security processes
  – to capitalise on the maturity of the CI discipline and on the interface of security with real-life business