Calculating Risk

In an increasingly connected world, security is a matter of culture.

by Aaron Lazenby

August 2014

When the surf is up, Mary Ann Davidson appreciates the spirit of innovation that’s putting good information into the hands of consumers—thanks to the surf report app on her mobile phone that helps her identify the best spot for a good session. But in her role as Oracle’s chief security officer, Davidson sees things a bit differently when she’s back on dry land. “We need to consider the new risks we create when we build new technology-based services,” she says.

Here, Davidson talks to Profit about the importance of adopting a security-first mind-set, the questions developers should ask to help reduce risk, and why she wants her security team to attack Oracle’s products.


Profit: What philosophy drives your security strategy?

Davidson: We know one thing about systems: There is no perfect system. So security needs to be about something more than tactics. It has to be a cultural mind-set. That should be expressed at the beginning of any IT project—before we start designing a system architecture, we need to discuss plans to secure the technology.

We’re in a period of technological exuberance and optimism. Innovation is the obvious upside of this, but at the same time we have people who want to launch businesses based on technological toys. If I’m going to create a startup based on a mobile app to share toilet paper preferences with my BFFs, I better make sure the value I’m creating is in line with any new security risks I’m introducing.

I always tell developers that they need to step back and understand the broader implications of their work. What problem are you trying to solve? What is the cost? What is the benefit? What are the risks? How can this technology be misused? What’s the worst that can happen? If you ask those questions thoughtfully, aside from minimizing your security risk, you’ll go on to invest in the right business strategies and systems.

Profit: How does the Internet of Things [IoT] impact security risk?

Davidson: There are now a couple billion internet-accessible devices. If you don’t get the security right, you have, in theory, a billion or more points of attack. So if you are developing an IoT strategy, somebody in your organization needs to be thinking about the risk versus the reward.

For example, in several cities, electronic billboards tell drivers how many parking spaces are available and in which specific garages. That is a smart service that uses sensor data. It prevents me from driving around in circles, and contributing to traffic. However, a hacker could think, “I’ll create a traffic jam by saying there are no spaces where there are spaces, and there are lots of spaces where there aren’t any.” You cannot ignore what-ifs. You have to actively imagine those edge cases and figure out how you will handle them.

There is no perfect system. so security needs to be about something more than tactics, it has to be a cultural mind-set.”

Developers operate in a world where new technologies create an amazing spectrum of possibilities. But they need to keep security in mind—and build with a clear-eyed awareness of internal and external threats. They also need to understand the liabilities of taking possession of a customer’s personal data. More data is not always better data.

Profit: Is there a way the IoT could be used to enhance security?

Davidson: As we become more reliant on IT, we create more-porous boundaries among enterprises. In that kind of environment, security analysts know they can’t prevent every bad actor from causing harm. So the question becomes: how do you build some sensible security into expanding systems?

Sensors are on the edge of the network and can serve as an early warning system in event of an attack. Every network element should understand that it can come under attack and be able to defend itself. It should be able to notify other elements on the network and raise an alert. That also means building in an automated counterresponse that could, for example, lock down the network and isolate any intruders to prevent further incursions.

We have this for secure buildings, with cameras to see who is out there, locked doors to keep people out, and alarms that trigger when a non-authorized person tries to enter. Systems should be designed with the same mind-set.

Profit: What does Oracle do to create more-secure products?

Davidson: My group exists in part to embed security culture throughout development. It’s not just, “Ensure you validate all input properly.” That’s a technique. We do that in part by seeding security expertise across development. More than 1,500 “security points of contact” function as evangelists for our security requirements within their organizations—as well as being our “enforcers.”

Also, if I have concerns about security, I will express them, and I have never been shut down for that. That’s a good thing. Oracle’s executive management knows security is important.

The more you can get developers and designers to think like hackers, think about how their technology can be abused and misused, the better off we’re going to be down the pike.

Photography by Shutterstock