"Make it easy for people to do the right thing, and they tend to."
Those words were first spoken to me by a very wise and talented Chief Information Officer (CIO) who mentored me early in my career. The quote really stuck with me, and it came to define my overall approach to leading security teams at the companies I've worked at over the last 15 years. It's certainly on my mind as I move into the new role of Chief Security Officer (CSO) for Oracle Cloud Infrastructure.
Whether it's securing a public cloud or securing personal computers at home, most people want to do what's right. But if the process of enabling security is overly difficult— if it requires too many steps, takes too much time, or is impossible to understand—people tend to procrastinate, and that can lead to gaps or weakness in their security posture. If security is simple enough and features are built directly into processes whenever possible, people will do the right thing.
I'm beyond thrilled to be the new CSO for Oracle Cloud Infrastructure. Moving forward, I'll always be asking questions like these: How do we continue to make it easier to scan code for typical coding errors? Are we constantly integrating security features into day-to-day standups and weekly sprints in keeping with Oracle tradition? How do we consistently reinforce and uphold Oracle's long held commitment to highly secure systems as defined by our core security pillars?
I'm very much looking forward to the challenge. After serving as Chief Information Security Officer (CISO) at companies like PricewaterhouseCoopers, Google, and startup Jet.com, where I was also a cloud customer, it's a challenge I'm ready to meet.
Early in my career, I never thought I'd end up working at Oracle. Back then, I didn't know much about the company other than the fact that the world's largest enterprises depended on its relational database technologies.
The first thing I noticed when I met the Oracle team is that the atmosphere in the Oracle Cloud Infrastructure organization is much like that of a startup—but a startup that's backed by resources that only a large, successful software company can provide. Things move fast in the Oracle Cloud Infrastructure team. Innovation and new ideas aren't just encouraged, they're mandatory.
I became absolutely certain I wanted the position when I realized that Oracle Cloud Infrastructure exceeded my two main criteria for selecting a company to work at. First, I knew the job would be fascinating—that I would have the opportunity to solve complex problems that others hadn’t solved before. I like the sound of that. Second, it was clear that I was going to enjoy working with the Oracle Cloud Infrastructure team. Everyone here has been amazing.
I also liked the fact that Oracle had taken on the colossal challenge of entering a crowded market and building a public cloud from scratch. And it's not just any cloud. It's a cloud designed for large and small enterprises that truly care about security features. It's for government agencies and other organizations that need to run highly secure workloads. Oracle is doing cloud better than the competition, and I'm proud to be part of the team that's making it happen.
I've learned a lot in the short time since I joined the team. Oracle's devotion to enabling security features is evident in every corner of the organization. It's evident in the design of Oracle's enterprise resource planning, human capital management, and other business applications. And it's evident in the architecture of Oracle Cloud Infrastructure, where database systems are deployed into a virtual cloud network by default. This allows a high level of security and privacy and gives users control over the networking environment.
One other thing will significantly inform my approach as CSO for Oracle Cloud Infrastructure: the time I spent using a competing cloud when I was CISO at another company.
Cloud providers offer access to certain systems via user interfaces (UIs) and application program interfaces (APIs). As a cloud customer, I found some of those UIs and APIs didn't adequately enable security teams to perform anomaly detection, incident response, and forensics. As CSO, I will ensure that my team upholds Oracle's commitment to customers having access to the right systems. A great example of this are Oracle's bare metal offerings, where customers can directly access hardware, memory, storage, and other systems with no need for virtualization.
As a CSO, I have strong demands before I'll allow sensitive data to be stored in our cloud. As a former cloud user, I can put myself in the customers' place and understand the true impact of our security decisions. I'm excited to use those skills and experiences as my team builds the security roadmap and the future of Oracle Cloud Infrastructure.