The Apple of my Eye

Chris Morse IT Security, News

May I begin by prefacing this with the standard disclaimer of “I am not a lawyer.” I have not played one on TV, and I will most likely never star on Law & Order SVU. That being said, Apple’s response to the present court ruling intrigues me. Specifically, one sentence in Tim Cook’s response intrigues me.

“And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

See there, he said it. Control. Well, specifically the guarantee of control, which is an impossibility to begin with, but it brings up an extremely interesting and valid conversation when we talk in concepts of Risk Treatment and Mitigation. I cannot argue the specifics of citing the validity of the All Writs Act or its far-reaching interpretation ramifications. What I can talk to is the very interesting result of this Risk Strategy. This is a pretty interesting trifecta when you examine it as a whole. Too many times, we view a treatment strategy as a very linear approach and destination. One risk, one treatment, one result. On its face, this may be true.

This position from Apple paints a very different picture and puts into the public eye how risk avoidance in one area results in a sizable risk acceptance in another, which in turn limits a potentially larger set of risks. Let me explain in my best made-for-TV mock phone call:

Ring ring
Apple: Hello.
FBI: Apple, this is the FBI. Let us in the backdoor of the iPhone.
Apple: We’re not gonna….
FBI: We think that’s an unwise decision.
Apple: We accept that.
Consumers: I can’t believe you’re going to let them in our iPhones!!
Apple: We aren’t.
Consumers: Whew… Thanks Apple, go team!

This overly elementary example of a hugely complicated risk management strategy beautifully paints the interconnectivity of risk within organizations.

Specifically, Apple avoided a huge risk by electing not to create the iPhone kitty door. Notably, it avoided creating something so valuable that nothing short of absolute certainty of control could mitigate the risk of it.

In doing so, it now created a potentially even larger risk that it had to accept. The windbreaker brigade.

And by accepting that risk, it was able to limit what could be the largest of them all, the damage done by the loss of consumer confidence in the security of its products.

Rarely does an illustration such as this occur in the wild at such a high level. We know that the results of these actions required a battalion of really smart people doing really smart things, and to dumb it down to this watered-down write-up should be considered an assault on really smart people making really tough decisions. At the same time, it does highlight something that happens in every organization, every day.

Your risks are interconnected and related. A linear approach is good as far as it goes, but heightened insight and being able to examine those risk relations are an essential part of a risk mitigation strategy.

With Framework, you can gain insight into these areas and develop a comprehensive treatment strategy that is efficient and flexible. Call us today to find out more.