October 29, 2020

Best Practices for Secret Keeping During Development

Topics

    Industry

      While some may argue that the information age, open-source, and the Internet all encourage corporations to spill their secrets, there are still good reasons to keep a new product launch quiet. Competitive advantage and the opportunity to surprise and delight your customers are two compelling reasons for nurturing a culture of secrecy during development.

      I’ve supported many confidential product launches, first at Bank of America with the launch of Apple Pay. Then at Apple during the launch of the iPhone 6 SE and the first standard form factor iPad Pro. I worked on the Amazon team that launched the Echo Look and Amazon Microwave with Alexa to market. I’m often asked, “How did you manage to keep these big launches a secret within such large organizations?”

      Here are a few best practices for safeguarding your product development projects:

      Identify what needs to be kept secret.

      New launches and initiatives need to be qualified as secret or not. Why do you want to keep it quiet? And which aspects of it need the greatest protection?

      Perhaps it’s a secret because it’s a brand requirement, and your business is legally bound to confidentiality. The product could create a significant competitive advantage and if discovered, a competitor could launch ahead of you.

      Once you know what kind of secret it is, you can determine the rigor needed to keep it classified.

      Share with your employees why it’s vital to the company to keep its secrets.

      From a company culture perspective, make sure everyone is on board with keeping a launch confidential. It is far too easy for anyone to brag about a new product at a dinner party, or mention it to a colleague in the coffee room. You need to stop these normal human behaviors. The only way to curb them is to share an important and compelling reason for everyone, company-wide, to keep the secret.

      At Apple, one of the first training sessions for employees covers why all employees diligently maintain company secrets. This training is key to Apple’s ability to surprise and delight their customers. Every employee has benefited from this approach.

      According to Business Insider, Apple’s approach to new product launch secrecy is partly cultural. Past employee Brian Hoshi explains, “The need for secrecy is mostly ingrained in the corporate culture to create innovative and revolutionary products… The secrecy is upheld throughout the organization, knowing that there is a corporate security team pretty much looking over your shoulder at all times and where even minor violations are grounds for immediate termination.”

      Have the tools to share secrets and know if secrets show up in places they shouldn’t.

      The team members who are dealing with these secrets on a day-to-day basis need to know how the internal tooling system works and use codewords associated with the product or technology. As well, they need the tools to scan for keywords, like a secret checker for your codebase. Developers are notorious for passcodes and module titles referenced in code.

      Some consumers love to find these clues and talk about them, which is the basis for the popular Mac Rumors website. There are similar tools to search online for codes but you never want to use Google or other typical search engines, as this creates an entry as a keyword for virtually anyone to find.

      A valuable tool to administer safeguards would be a database that creates the secret; it can share it, and it records when and to whom it was shared. The product development team should be able to look up this privileged information once they have been read in and see everyone who has access to it.

      This tool should not allow any user to describe what the secret is inside the keyword tracking tool, instead using only the codeword.

      Document your process for keeping product secrets.

      It’s helpful in organizations with a lot of confidential launches to keep it firewalled between other departments and teams.

      To embed good practices for keeping product secrets, hold training sessions to establish a behavior of using codewords only inside a secure area, and never outside of the site (including on campus or in the cafeteria). All employees should understand the importance of stopping a colleague from continuing any further if they begin inadvertently disclosing confidential information.

      When running a meeting on a sensitive project, the organizer should check a list to ensure all the attendees have permission to access the information disclosed.

      Design physical security and spaces for secret-keeping.

      Processes are important to secure secrets, and so are physical items or spaces that control the source of this written or digital classified information. This could be a box or a case, or better yet, a decoy—an object that looks like something else to avoid any curiosity or speculation from unauthorized employees.

      A series of physical barricades can help safeguard the information; this could include locks, boxes, or chambers inside the locked zone.

      Anyone with access to the secrets should be trained to properly access and protect these safeguards. These are the protective layers that ensure companies such as Apple and Amazon do not have information leaks that result in news headlines about their in-development products.

      Secret keeping completely contradicts the culture of open communication and open floor plans that fosters good product development. However, the opportunity to get security right means achieving a massive competitive advantage and surprising the market with a successful product. The effort is worth it.

      Learn more: