Most companies spend years trying to share knowledge more freely. One of the most successful industrial companies of all time has spent decades doing the opposite — deliberately building a secrecy business moat around the one thing it cannot afford to lose.
At WD-40, the formula behind its iconic blue-and-yellow can is handwritten, stored in a bank vault, protected by keys held by lawyers, and known by only a handful of executives. Even the CEO had to wait more than 30 years to see it.
No Slack channel.
No SharePoint folder.
No “just in case” access.
And that’s exactly the point.
Secrets are strategy — and information security is how strategy survives
WD-40’s formula accounts for nearly 80% of its revenue. It is not just intellectual property — it is the company’s competitive business moat.
What’s fascinating isn’t that the formula is secret. What’s fascinating is how deliberately the secrecy is engineered:
- Physical separation (a handwritten formula kept in a lockbox at an undisclosed Bank of America location in San Diego, not a server)
- Role-based access (even R&D doesn’t see the full recipe)
- Codified abstractions (scientists work with encoded versions)
- Formal controls (NDAs, legal custodians, restricted viewings)
- Explicit operating instructions (“Do not smoke” — written right on the notebook)
This isn’t folklore.
This is information security by design.
Not cybersecurity theatre.
Not trust-based assumptions.
Not “everyone means well.”
It’s governance.
Why this suddenly matters more than ever in a world of AI
AI has quietly and fundamentally changed the information-security landscape.
Historically, protecting secrets meant:
- locking files
- limiting systems access
- trusting senior people
Today, the risk profile looks very different.
Your:
- pricing models
- decision logic
- proprietary workflows
- process improvements
- sales strategies
- operational shortcuts
…can now be unintentionally exposed in seconds.
Not through malice — but through:
- employees pasting content into AI tools
- teams using AI to “clean up” internal documents
- vendors training models on shared data
- well-meaning experimentation with no guardrails
In an AI-enabled organization, data leakage no longer requires intent.
And this is where information security stops being an IT issue and becomes a business-continuity issue.
The uncomfortable truth: most companies don’t know their own sensitive information
Ask most leadership teams:
“What information, if leaked, would materially damage the business?”
You’ll usually get:
- vague answers
- technical jargon
- or a list that exists only in someone’s head
If you can’t clearly identify:
- what is sensitive
- why it matters
- who can access it
- and how it must be handled
…then you don’t have an information-security strategy.
You have hope.
WD-40’s real lesson: secrecy scales only with process
WD-40 doesn’t rely on loyalty, tenure, or memory to protect its formula.
It relies on repeatable, enforced processes.
That’s the part most companies miss.
To protect company secrets — especially in an AI-first world — organizations need operationalized information security, not policies that live in PDFs.
That means having clear processes for:
1. Information classification
Not all information deserves the same protection.
Processes must clearly define:
- public information
- internal-only knowledge
- sensitive operational IP
- crown-jewel secrets
If everything is “confidential,” nothing is.
2. Role-based access to knowledge
WD-40’s R&D team can innovate without seeing the full formula.
That’s not restrictive — it’s intelligent design.
Access should be:
- role-based, not person-based
- reviewed regularly
- removed automatically when roles change
3. Secure ways of working with sensitive information
Security isn’t just about storage — it’s about use.
Processes must define:
- where sensitive information can live
- how it can be referenced without exposure
- which tools are approved
- which AI systems are off-limits entirely
If you don’t explicitly define what never goes into AI, you’re already leaking value.
4. AI-aware information security controls
Most AI risk today comes from process gaps, not technology gaps.
Teams need clarity on:
- what data can be used with AI tools
- what must be abstracted or masked
- when AI outputs need review
- who is accountable for misuse
This is information security meeting operational reality.
5. Continuity beyond individuals
People leave.
AI models evolve.
Vendors change.
Secrets survive only when:
- knowledge is structured
- access is governed
- controls are embedded into daily work
Where Way We Do fits in
Way We Do exists for organizations that understand this shift.
Not to lock knowledge away — but to control how it flows, how it’s used, and how it’s governed.
With Way We Do, businesses can:
- document processes without exposing sensitive IP
- assign access by role, aligned to information-security rules
- embed AI-use policies directly into workflows
- create auditable evidence of information-security controls
- ensure people work within guardrails, not around them
In other words:
you don’t just say information security matters — you operationalize it.
The real business moat isn’t secrecy — it’s disciplined information governance
WD-40’s vault isn’t impressive because it’s secret.
It’s impressive because it’s intentional.
Where AI can summarize, infer, remix, and replicate faster than any human, competitive advantage doesn’t come from knowing things others don’t.
It comes from:
- knowing what truly matters
- protecting it deliberately
- and designing systems that make secure behavior the default
The future belongs to organizations that can confidently say:
“We share what helps us scale —
and we protect what makes us irreplaceable.”
That’s not old-school secrecy.
That’s modern information security.
And increasingly, it’s the difference between companies that grow — and companies that get copied. 🔐
Photo: Steve Brass, CEO, and Sara Hyzer, CFO of WD-40
