Profile: Mary Ann Davidson, CSO, Oracle

Integrity and an unwavering commitment to speak up when there is a problem are the key attributes that earned Mary Ann Davidson the first CSO role at Oracle Corporation.

“When the CIO offered me the position of CSO I was a little surprised. We had several astute IT security professionals in the organization,” Davidson comments. She thought others may have been a more obvious fit for the role, as she came from the product management side of the business. Davidson continues, “But our CIO felt that I was the person who would scream when things are not right, and the role requires that. Oracle values when employees speak up. The fact that Oracle demands a level of core integrity to always do what is right, really speaks to the kind of company Oracle is, and why it is a great place to work.”

Oracle considers security a core business value. Davidson believes this makes her job as CSO slightly easier than it might be for her peers in other organizations. Ever since the company's inception as “Project Oracle”, building the first relational database for the CIA, security has been a priority for Oracle. “Now, of course, we have more products and customers across government and all types of industry, but the inherent need for security is still there. Because security is a core value, I have the authority and respect to do what needs to be done to make our products more secure.”

THE PRODUCT SECURITY CISO
Due to the nature of the business and the importance the company places on security, Davidson has two peers who direct other aspects of the security program within Oracle. While she focuses on assurance, specifically making certain Oracle products have security built in, other security leaders in the company focus on physical security and enterprise security policies.

“My focus is assurance. How do we engineer security into all our products, our cloud services and consulting – everything we sell to customers? If you don’t build security in from the beginning it is less likely to be secure. There is no magic security pixie dust you can sprinkle on the product at the end.”

“My goal is a strange one - I want my team to be redundant over time. I want it to be that we get so good at secure engineering that the only thing left for our team to do is routine oversight. We are fundamentally making security a cultural value at Oracle.”

Davidson makes an engineering analogy to emphasize the importance of building security into every product: “Civil engineers know they have to build buildings to be structurally sound from the start. Security is just like that.”

“Years ago, when I started working in business, the entire world was less IT intensive, so maybe security mattered less. Now, technology is infrastructure – it needs to be structurally sound. We need to ask, how can this be broken, where can it be attacked. This has to be everyone’s approach, whether business people or coders, they have to be thinking about structural integrity and security.”

Davidson uses another analogy to describe why it is important that every member of the organization thinks about security. “The Marines have a saying ‘every Marine, a rifleman’; it means every single person can defend the others. In business, every single person should be empowered with security awareness. Oracle is building a culture of security where everyone is focused on it.”

CUSTOMER FACING CISO
Davidson says one thing evolving for her and her team is how much information customers are requiring from the security team. She comments, “Customers are much more interested in how we built the product, and that is a good thing. You want people to ask these questions, and as a result we spend more and more time talking to customers.”

ADVICE FOR NEW CISOS
As Davidson realizes, not every CSO is in a security-aware organization such as Oracle, and some of her peers are struggling to elevate the importance of security within their company. Davidson points out that “responsibility without authority equals frustration.” However, there are specific steps CSOs may take to help prove the business value of security, thereby increasing relevance and authority.

Davidson believes economics plays a large part in making the case for security. “People say security does not pay, but of course it does. Why does it pay to engineer security into the product? First, it’s a brand issue. A secure product has customer confidence. It’s also a cost avoidance. When products have security built in, less money is spent down the line fixing vulnerabilities. If we catch a problem from the beginning, it requires a lot less time and money.”