McAfee Accuses Former Employees Of Stealing "Secret Sauce"
McAfee is suing three former employees, accusing them of stealing its “secret sauce” to take to their new jobs at its competitor, Tanium. When I read the attached article, I could not help but think about the irony, because both of these vendors are in the end-point protection space, right? So how is it that your employees were able to access your “secret sauce” without you knowing about it until after the fact?
In this case the secret sauce was McAfee's sales tactics and customer acquisition strategies, which included “pricing information, marketing plans, customer lists, deal flow, negotiating methods, personnel and other confidential and proprietary sales information.” One of the employees was accused of accessing the “Deal Tracker” after she had given her resignation, when there was “no legitimate McAfee business purpose for [her] to be accessing this confidential sales and marketing information at that time.” My question is: McAfee, if there was no legitimate business purpose for her to be accessing the information, why did she still have access to it? It’s called access control. Best practices say that once an employee no longer needs access, especially to the “secret sauce,” you remove their access.
As I read it, I don’t think McAfee has much of a case. Here’s what I would argue; stay with me. The whole assessment process in cyber security starts with identifying your “secret sauce” and putting a program around it to protect it. Protecting the “secret sauce” includes technical controls like DLP, which would have prevented the employees from emailing the information to themselves or downloading the information to a thumb drive as described in the article. In addition, access control could have been used to prevent the employee who had given notice from accessing the “Deal Tracker” spreadsheet. The case falls apart because if it is “secret sauce,” you have to treat it like it is secret. It doesn’t look like McAfee protected the information to the level that it deserved, so why should the courts punish the former employees or Tanium for poor security practices? Gasp.
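
The kind of check argued for above, as an added example that is not from the article or from either company: it correlates resignation-notice dates with audit events on sensitive files and flags post-notice access, copies to removable media, and email to outside addresses. The log schema, user names, file names, dates and the `corp.example` domain are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (hypothetical schema, not from the article).
NOTICE_DATES = {"alice": "2024-03-01", "bob": "2024-03-10"}   # from an HR feed
SENSITIVE = {"deal_tracker.xlsx", "customer_list.csv"}        # the "secret sauce"
CORP_DOMAIN = "corp.example"
EVENTS = [
    {"ts": "2024-02-20T09:00:00", "user": "alice", "action": "open",
     "resource": "deal_tracker.xlsx"},
    {"ts": "2024-03-02T18:30:00", "user": "alice", "action": "open",
     "resource": "deal_tracker.xlsx"},
    {"ts": "2024-03-03T08:10:00", "user": "alice", "action": "email",
     "resource": "customer_list.csv", "dest": "alice@mail.example"},
    {"ts": "2024-03-05T11:00:00", "user": "bob", "action": "usb_copy",
     "resource": "customer_list.csv"},
    {"ts": "2024-03-12T11:00:00", "user": "bob", "action": "open",
     "resource": "lunch_menu.pdf"},
    {"ts": "2024-03-12T12:00:00", "user": "carol", "action": "email",
     "resource": "deal_tracker.xlsx", "dest": "carol@corp.example"},
]

def review(events, notice_dates, sensitive, corp_domain):
    """Return (ts, user, resource, reasons) for each risky event on sensitive data."""
    findings = []
    for e in events:
        if e["resource"] not in sensitive:
            continue  # only the designated sensitive files are in scope
        reasons = []
        notice = notice_dates.get(e["user"])
        when = datetime.fromisoformat(e["ts"])
        # Access should have been revoked once notice was given.
        if notice and when >= datetime.fromisoformat(notice):
            reasons.append("access after resignation notice")
        # The two exfiltration paths the article describes.
        if e["action"] == "usb_copy":
            reasons.append("copy to removable media")
        dest = e.get("dest", "").lower()
        if e["action"] == "email" and not dest.endswith("@" + corp_domain):
            reasons.append("emailed outside the company domain")
        if reasons:
            findings.append((e["ts"], e["user"], e["resource"], reasons))
    return findings

if __name__ == "__main__":
    for ts, user, resource, reasons in review(EVENTS, NOTICE_DATES, SENSITIVE, CORP_DOMAIN):
        print(f"{ts} {user} {resource}: {'; '.join(reasons)}")
```

Detection like this is the fallback; the primary control is revoking the account's access to the sensitive files when notice is given, so that the first rule never fires.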