Exit of Apple's security chief offers lessons for security professionals

Thursday, November 10, 2011

YARMOUTH, Maine—The departure of Apple's VP of global security in the wake of last summer's controversial investigation into a missing iPhone prototype highlights the potential pitfalls former law enforcement officers face when transitioning into the private sector, one security professional who specializes in intellectual property investigations told Security Director News, sister publication of Security Systems News.

The facts surrounding John Theriault's departure from Apple and the investigation he oversaw last summer into the loss of a yet-to-be-released iPhone—including concerns that Apple investigators impersonated police officers—are still sparse. However, what is known about the investigation—that Apple investigators searched for the missing prototype in a private home in San Francisco after arriving with plain-clothed SFPD officers—and the public allegations of the homeowner—that he was threatened and that the Apple investigators didn't identify themselves properly—produced some messy headlines for the tech giant, which is more accustomed to being lauded for the sleek design and user-friendliness of its consumer electronic products.

"It didn’t do much for the reputation of Apple," said Eugene Ferraro, CEO of Business Controls Inc.

Ferraro said he has nothing against law enforcement officers, but points out that sometimes the mindset they develop over the years as a police officer or FBI agent doesn't serve them well in the private sector, where there's often much more to be aware of—like a company's reputation—than just catching the bad guy. Theriault was with the FBI for 26 years before entering the private sector in 1996 as the CSO for Pfizer. He became Apple's VP of global security in 2007. "The tendency to hire those in law enforcement sometimes precipitates these type of outcomes," Ferraro said. "The problem isn’t that these people have law enforcement experience or cops are inherently stupid. That's not the issue. The problem is they bring with them to corporate America the mindset that the security function is similar to law enforcement. It's not. Law enforcement's responsibility is the enforcement of public laws. That's it," he said.

"I task any security director to look at their corporate mission statement and find where it says our job is to put as many people as we can in jail." He went on to say the job of a security director "is to protect the interests and assets of the owners and shareholders and those that have interest in the organization."

Not all the facts concerning the Apple investigation are known, Ferraro admits, but given what is known—that the SFPD was involved and Apple's investigators searched a private home—he said it sounds like a plan a law enforcement officer would come up with. "In one regard, it's a little bit predictable," Ferraro said. "Instead of hiring people who are familiar with business, they hire people who used to investigate bank robberies and said, 'go find the phone.'" Ferraro said former law enforcement officers who can shift their mindsets away from law enforcement and focus on corporate security can successfully make the transition to the private sector, but it's not always easy.

The mistake, Ferraro said, is approaching the problem with the ultimate goal of catching the perpetrators and putting them in jail versus making a careful assessment (Ferraro cites seven distinct phases of an investigation) of how the IP theft damages the organization, how to mitigate that damage and how, if the investigation is completed, to manage any fallout that would damage the reputation of the company. "I would think the people who orchestrated this search didn’t answer those basic questions," Ferraro said. "Their approach and actions were monolithic: Let's get this stuff back."

Involving the SFPD was a problem to begin with, Ferraro said. "When it comes to intellectual property, the police are probably the last on your call list," he said. "It's sort of like calling the IRS because your corporation thinks they under-reported their earnings last year by $300 million."

The responsibility for protecting intellectual property is a relatively new part of security professionals' job descriptions, having previously been the purview of lawyers and HR people, Ferraro said. "Increasingly, because intellectual property is playing such an important role in the competitive world of international business, organizations are going: 'How come our security department isn't doing more?'"

The most important lesson from the news, Ferraro said, is: "Think before you act. Just because you know you can do something … it doesn’t mean it's a smart thing to do."