Oracle chief security officer Mary Ann Davidson has been part of the framework at the software giant since 1988. Since then, she's gone to great lengths to make security a part of the corporate culture and has had to uphold CEO Larry Ellison's "Unbreakable" credo. In this interview, Davidson talks about "Unbreakable," Trustworthy Computing and more.
What does 'Unbreakable' mean? And how much pressure did Larry Ellison's bold statement put on you and on Oracle's developers and engineers?
Davidson: When I first saw the advertisements for Unbreakable, I thought, 'No one can do this.' Unbreakable has two components. Availability is one, and the other is information assurance. The conversation has gone from talking about information assurance and always being about a new tool to now being about how to build better products. When you make a statement like that, it sends a message internally to a company like Oracle. No one wants to be the one who develops something that breaks. It also gives me a stick: 'We need to be unbreakable.' It really was a good thing.
And it was a nervy statement for sure, but what are the alternatives? Security is too hard to get perfect, so you give up? No. It's not innovative to put out a product with 82 features and 85 security flaws. It's irresponsible to introduce a new tool without thinking about security. Instant messaging and wireless come to mind immediately. It's laughable.
Does Oracle have
any plans for a security initiative similar to Trustworthy Computing?
Davidson: We've been doing Trustworthy Computing for 25 years. Microsoft started out developing products for the client, and security was not part of the corporate culture. Oracle started out as Project Oracle, working for the CIA protecting national security. We could not afford to not have security as part of our corporate culture. I'm glad Microsoft is paying attention. It's a good thing. The only issue I have with it is that [they] expect to be designated a medal for it. No, no, no. You should have been doing this all along. They're doing the right thing, and it's hard to change a corporate culture.
To whom do you report at Oracle? And, ideally, where should a CSO fit in an organizational structure?
Davidson: I report to the CTO (as of June 1). I'm still in product development, but we're consolidating security a little more -- and I think that's a good thing. I'll be two levels below (CEO) Larry Ellison.
A CSO in an organizational structure depends on the company. For example, there's the debate about whether to consolidate physical and IT security. It depends on what the company is doing and the degree of independence the security officer has and the existing corporate culture. It may be a question of reporting to the right person and not necessarily to someone with a title. If you work for someone who does not value what you do, you're in the wrong place.
I've heard you speak on several occasions and heard you recommend that enterprises make security part of their corporate culture. How can companies pull this off today, in this climate of tight budgets and limited human resources? Does security ever become of casualty of these factors?
Davidson: Security may well be a casualty. People say that it has to cost something for security, but it may already be costing you something. An example: One of the only metrics I've seen applies to the cost to apply patches. I've seen $900 per server and $700 per client. You're not going to save a lot until you realize how many critical patches there are per week and the number of servers to factor in. If you miss one and get whacked, if you don't pay for security now -- security is not just about buying a firewall -- and you don't do good quality control, you will pay later.
Are many enterprises asking for provisions in contracts with software vendors to conduct code reviews for security's sake?
Davidson: I don't think a lot of enterprises have the expertise necessary to know what they are looking for. Many vendors won't distribute and show their source code because of the intellectual property risk. Most companies who want the provision don't have the people in-house to audit the software. They can have others do it for them. ISO 15408 (the International Common Criteria) is the international standard for security evaluations and getting third parties to do evaluations of security. We've done 15 evaluations against the precursors of the common criteria, or someone else has done the evaluation. It's very expensive. There's a mutual recognition provision to do evaluations up to a level of assurance in this country [and] others that accept it. We do ours in the U.K., where it is also accepted.
How expensive are these code reviews?
Davidson: The expense depends on the assurance level, the work the evaluators have to do and the complexity of the product. Our database products are fairly complex, and it can cost between $500,000 and $1 million to do them. Now, you can say that's too expensive, but if the evaluators find a significant security fault and make you fix it, the earlier you find and fix something, the better off you are. Otherwise, if you have this significant security flaw on all platforms, it could cost you millions of dollars to fix it. If you find one flaw early, you pay for the cost of the evaluation.
It's not cheap, but what is the cost of bad security? I believe the cost of major virus outbreaks was somewhere around $1.4 billion. Someone is paying for them. Also, regulation is taking over. The government really means it this time. There's no waiver for this. Everybody has to build better software.
How important are the departures of Howard Schmidt and Richard Clarke from the position of cybersecurity advisor? Will their departures have an effect on the security of critical infrastructure and the Department of Homeland Security?
Davidson: It's a loss. Critical infrastructure isn't just government. Industry needs a cheerleader in government, and I believe a standard bearer in that office would do quite well. Richard Clarke made it clear during his town meetings that the administration does not like regulation, however if industry does not shape up and something bad happens again, Congress will legislate and you will not like it.
There aren't many females holding high-profile positions, as you are. Are you an advocate for more females assuming roles as corporate security officers?
Davidson: I've been a military person (a commissioned officer in the U.S. Navy Civil Engineer Corps), and there were not many women in my specialty. In terms of being an advocate, I'm an advocate of seeing competent people who are passionate about security in those roles. There's a high integrity component to security. Your yes has to be yes and no has to be no. I think women are straight shooters.
FOR MORE INFORMATION:
FEEDBACK: What suggestions do you have for making security part of an enterprise's corporate culture?
Send your feedback to the SearchSecurity.com news team.