Q&A: Oracle CSO Mary Ann Davidson on Meeting Tomorrow's Security Threats
In an age of high-profile security breaches, Mary Ann Davidson has her work cut out for her. She is chief security officer (CSO) of the world’s largest enterprise software firm, which also happens to be a leader in security solutions.
In her role, Mary Ann is responsible for Oracle’s Software Security Assurance, Oracle's methodology for building security into the design, development, testing, and maintenance of all its products. Beyond Oracle, she is an active leader in driving industry standards, and she has also regularly served as a high-level advisor to national security policy-makers.
Given her wide-ranging experience and vision, we asked Mary Ann to share her thoughts on next-generation security threats.
Q. In the wake of so many high-profile security breaches in 2012, what advice would you give CSOs to safeguard their company's brand?
A. I would recommend that companies really get the fundamentals right, which means good security governance and a focus on strategic assets. Two-thirds of your most sensitive data is in the database. So that means most of the risk is inside. At the same time, most of the threats lie outside—at least for now. How do you respond? With strong database security, application security, and good governance of user access control. While the threats are becoming more advanced, they are exploiting simple weaknesses in our security governance.
Start with understanding what assets are most sensitive and strategic. To quote Frederick II of Prussia, “He who defends everything defends nothing.” Nobody has enough time, money, and security-awareness to secure everything, so you have to first determine which assets matter most.
Q. How would a company begin taking a security inside-out approach?
A. First of all, it begins with defining which data requires the strongest protection. That might be high-value intellectual property or financial results, for example. Or it could be data that, if breached, would mean regulatory fines and/or serious brand damage.
Once you've looked inside to the assets, you need to look outside by examining excessive access, privileged accounts, weak passwords, etc. And then you need to understand exactly what compliance and audit exposures you face.
Then it's time to ensure you have security built into your database layer. But you also have to be sure you have continuous monitoring. It has to be on all the time—not just once every six months when an audit is conducted. You need to know in real time—or as close to real time as possible—when a key system is out of compliance.
Q. Oracle, like most enterprise software companies, is embracing social media. What advice would you give to CSOs about this new media?
A. A couple of key concerns come to mind. First, you need to think about the customers connecting to your organization—and the effects of a breach of their data. Don’t collect data if you don’t need it. “I might want it at some point” is probably not a good enough reason. And once again, secure and encrypt any customer data you do collect—inside your database.
But that's just part of the story. Employees have also been known to divulge sensitive information in social media. So you need clear policies on social media use by employees, and the policies have to be backed up with enforcement. And you should also consider emerging technologies that enable vetting and monitoring of social media posts based on keywords.
Q. What are your top five recommendations for CSOs looking to embrace cloud, mobile, and social technologies in 2013?
A. These are my top five.
- Your most valuable data is in your database—look at simple and effective controls to reduce the risk of breaches.
- Think about security across the stack, from the applications all the way to the disk.
- Secure single sign-on and fraud detection for mobile and cloud applications (and don’t assume the client is secure—anything unvetted from a client is not to be trusted).
- Streamline governance, and remember that it becomes more difficult when your applications move off-premises.
- Understand when not to take the bet. There are occasions where saying yes creates a systemic risk—such as giving nuclear missiles IP addresses—and the definition of systemic risk is that it cannot be mitigated.
Watch an upcoming Webcast featuring Mary Ann Davidson and find out more about Oracle's inside-out approach to security.