Oracle Information InDepth




June 2013


Q&A: Oracle CSO Mary Ann Davidson on Meeting Tomorrow's Security Threats

In an age of high-profile security breaches, Mary Ann Davidson has her work cut out for her. She is chief security officer (CSO) of the world’s largest enterprise software firm, which also happens to be a leader in security solutions.

In her role, Mary Ann is responsible for Oracle’s Software Security Assurance, Oracle's methodology for building security into the design, development, testing, and maintenance of all its products. Beyond Oracle, she is an active leader in driving industry standards, and she has also regularly served as a high-level advisor to national security policy-makers.

Given her wide-ranging experience and vision, we asked Mary Ann to share her thoughts on next-generation security threats.

Q. In the wake of so many high-profile security breaches in 2012, what advice would you give CSOs to safeguard their company's brand?
A. I would recommend that companies really get the fundamentals right, which means good security governance and a focus on strategic assets. Two-thirds of your most sensitive data is in the database. So that means most of the risk is inside. At the same time, most of the threats lie outside—at least for now. How do you respond? With strong database security, application security, and good governance of user access control. While the threats are becoming more advanced, they are exploiting simple weaknesses in our security governance.

Start with understanding what assets are most sensitive and strategic. To quote Frederick II of Prussia, “He who defends everything defends nothing.” Nobody has enough time, money, and security awareness to secure everything, so you have to first determine which assets matter most.

Q. How would a company begin taking a security inside-out approach?
A. First of all, it begins with defining which data requires the strongest protection. That might be high-value intellectual property or financial results, for example. Or it could be data that, if breached, would mean regulatory fines and/or serious brand damage.

Once you've looked inside at the assets, you need to look outside by examining excessive access, privileged accounts, weak passwords, etc. And then you need to understand exactly what compliance and audit exposures you face.

Then it's time to ensure you have security built into your database layer. But you also have to be sure you have continuous monitoring. It has to be on all the time—not just once every six months when an audit is conducted. You need to know in real time—or as close to real time as possible—when a key system is out of compliance.
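Editor's note: the three steps above (classify the data, then examine access, privileged accounts and password hygiene against that classification, then keep checking continuously) can be read as a small audit loop. The following is an added example written for this page, not Oracle code or any Oracle product feature; the account inventory, data classification tiers, thresholds and the `job_need` mapping are all constructed for illustration.

```python
from dataclasses import dataclass, replace

# Step 1 of the approach above: decide which data matters most.
# The tables and tiers are constructed for this example.
DATA_CLASSIFICATION = {
    "finance.quarterly_results": "restricted",
    "hr.salaries": "restricted",
    "crm.customers": "confidential",
    "web.page_hits": "internal",
}

# Thresholds are assumptions for the example, not a standard.
PRIVILEGED_ROLES = frozenset({"DBA", "SYSADMIN"})
MAX_PASSWORD_AGE_DAYS = 90
STALE_PRIVILEGED_DAYS = 60


@dataclass(frozen=True)
class Account:
    """One row of a constructed account inventory (not real users)."""
    name: str
    roles: frozenset
    tables: frozenset       # tables the account can read
    password_age_days: int
    days_since_login: int


def audit(accounts, job_need):
    """Step 2: look outside at the accounts. Returns (account, finding) pairs.

    job_need maps an account name to the tables its role actually requires;
    any grant beyond that on restricted data is reported as excessive access."""
    findings = []
    for a in accounts:
        if a.roles & PRIVILEGED_ROLES and a.days_since_login > STALE_PRIVILEGED_DAYS:
            findings.append((a.name, "stale privileged account"))
        if a.password_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.name, "password rotation overdue"))
        needed = job_need.get(a.name, frozenset())
        for table in sorted(a.tables - needed):
            if DATA_CLASSIFICATION.get(table) == "restricted":
                findings.append((a.name, f"excessive access to restricted {table}"))
    return findings


def compliance_delta(previous, current):
    """Step 3: continuous monitoring. Diff two audit runs so a system that
    drifts out of compliance is reported when it happens, not at the next
    six-monthly audit."""
    prev, curr = set(previous), set(current)
    return {"new": sorted(curr - prev), "resolved": sorted(prev - curr)}


# Constructed inventory: a well-scoped service account, a dormant DBA with
# broad grants, and an analyst with one grant beyond the job.
SAMPLE_ACCOUNTS = [
    Account("app_svc", frozenset({"APP"}), frozenset({"crm.customers"}), 30, 1),
    Account("old_dba", frozenset({"DBA"}),
            frozenset({"finance.quarterly_results", "hr.salaries"}), 200, 120),
    Account("analyst", frozenset({"ANALYST"}),
            frozenset({"web.page_hits", "hr.salaries"}), 10, 2),
]
SAMPLE_JOB_NEED = {
    "app_svc": frozenset({"crm.customers"}),
    "analyst": frozenset({"web.page_hits"}),
}


def demo():
    """Run the audit, revoke the analyst's hr.salaries grant, re-run, and
    return the first run's findings plus what changed between the runs."""
    first = audit(SAMPLE_ACCOUNTS, SAMPLE_JOB_NEED)
    remediated = [replace(a, tables=a.tables - {"hr.salaries"}) if a.name == "analyst" else a
                  for a in SAMPLE_ACCOUNTS]
    second = audit(remediated, SAMPLE_JOB_NEED)
    return first, compliance_delta(first, second)


if __name__ == "__main__":
    findings, delta = demo()
    for name, finding in findings:
        print(f"{name}: {finding}")
    print("newly out of compliance:", delta["new"])
    print("resolved:", delta["resolved"])
```

The point of `compliance_delta` is that the inventory is re-pulled and diffed on a schedule measured in minutes or hours, so a new grant on a restricted table surfaces as a `new` finding the same day rather than at the next audit.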

Q. Oracle, like most enterprise software companies, is embracing social media. What advice would you give to CSOs about this new media?
A. A couple of key concerns come to mind. First, you need to think about the customers connecting to your organization—and the effects of a breach of their data. Don’t collect data if you don’t need it. “I might want it at some point” is probably not a good enough reason. And once again, secure and encrypt any customer data you do collect—inside your database.

But that's just part of the story. Employees have also been known to divulge sensitive information in social media. So you need clear policies on social media use by employees, and the policies have to be backed up with enforcement. And you should also consider emerging technologies that enable vetting and monitoring of social media posts based on keywords.

Q. What are your top five recommendations for CSOs looking to embrace cloud, mobile, and social technologies in 2013?
A. These are my top five.

  • Your most valuable data is in your database—look at simple and effective controls to reduce the risk of breaches.
  • Think about security across the stack, from the applications all the way to the disk.
  • Secure single sign-on and fraud detection for mobile and cloud applications (and don’t assume the client is secure—anything unvetted from a client is not to be trusted).
  • Streamline governance, and remember that it becomes more difficult when your applications move off-premises.
  • Understand when not to take the bet. There are occasions where saying yes creates a systemic risk—such as giving nuclear missiles IP addresses—and the definition of systemic risk is that it cannot be mitigated.
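Editor's note: the third recommendation above, that anything unvetted from a client is not to be trusted, is the one most often violated in application code. The following added example (written for this page, not Oracle code or an Oracle API) shows a checkout handler that trusts client-supplied fields next to one that accepts only what the client is entitled to choose and derives everything else on the server. The catalogue, the requests and the session object are constructed for the illustration.

```python
from decimal import Decimal

# Server-side truth: a constructed catalogue for this example.
CATALOG = {"sku-100": Decimal("49.00"), "sku-200": Decimal("199.00")}
MAX_QTY = 100


class RejectedRequest(ValueError):
    """Raised when a client request fails server-side vetting."""


def checkout_trusting_client(request):
    """Vulnerable: the price and an admin flag are taken from the client's
    JSON as sent. A tampered client can set its own price or claim admin."""
    total = Decimal(str(request["price"])) * int(request["qty"])
    if request.get("is_admin"):
        total = Decimal("0")  # "staff orders are free"
    return {"sku": request["sku"], "total": total}


def checkout_server_side(request, session):
    """Hardened: the client may only name a catalogue item and a quantity,
    both are validated, and price and privilege are derived on the server."""
    unexpected = set(request) - {"sku", "qty"}
    if unexpected:
        raise RejectedRequest(f"unexpected fields: {sorted(unexpected)}")
    sku = request.get("sku")
    if sku not in CATALOG:
        raise RejectedRequest("unknown sku")
    qty = request.get("qty")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise RejectedRequest("quantity out of range")
    total = CATALOG[sku] * qty
    if session.get("role") == "admin":  # privilege comes from the server-side session
        total = Decimal("0")
    return {"sku": sku, "total": total}


# Constructed requests: one from an honest client, one rewritten in transit.
HONEST_REQUEST = {"sku": "sku-200", "qty": 3}
TAMPERED_REQUEST = {"sku": "sku-200", "qty": 3, "price": 0.01, "is_admin": True}
CUSTOMER_SESSION = {"user": "alice", "role": "customer"}


def demo():
    """Run the same tampered request through both handlers."""
    trusted = checkout_trusting_client(TAMPERED_REQUEST)
    try:
        checkout_server_side(TAMPERED_REQUEST, CUSTOMER_SESSION)
        hardened = "accepted"
    except RejectedRequest as exc:
        hardened = f"rejected: {exc}"
    return trusted["total"], hardened


if __name__ == "__main__":
    trusted_total, hardened_result = demo()
    print("trusting handler charged:", trusted_total)
    print("server-side handler:", hardened_result)
```

Rejecting unexpected fields outright, rather than ignoring them, is a deliberate choice: a client that sends `price` or `is_admin` is either broken or hostile, and either way the request is worth logging.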

Watch an upcoming Webcast featuring Mary Ann Davidson and find out more about Oracle's inside-out approach to security.


Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
