She oversees security for one of the industry's largest software houses — a company that also once described its product as "unbreakable".
But Mary Ann Davidson, Oracle's chief security officer (CSO), takes on all challenges thrown at her head-on, even if it means having to acknowledge it might be impossible to create a product that is perfectly secure.
In an interview with ZDNet UK sister site CNETAsia, Davidson discusses somewhat sheepishly the software firm's infamous "unbreakable" marketing campaign in 2002, but maintains her belief that Oracle's products are a cut above its competitors in terms of security.
However, she stresses a need for IT vendors to get their act together and do a better job at securing their products. A good number of security attacks today are the result of poorly-built software, she says, and adds that the state of IT security is "not good".
Q: The number of security vulnerabilities found in applications today continues to increase, prompting industry observers to call for some form of regulation with regard to software development. What are your views on this?
A: Chief executives from 150 of the largest companies in the United States, at a business roundtable on cybersecurity last year, said it's a shared responsibility between customers and vendors to secure cyberspace. However, having said that, a lot of their woes were caused by poor-quality software applications that allow security attacks [to occur]. A tipping point is when chief executives, and not just network security people, are complaining to their IT vendors that they need to do a better job at it. Looking at this, we know that the state of IT security isn't where it needs to be.
IT has become more (involved in the business) infrastructure. Probably every company has an IT backbone, and if IT doesn't work, their business is dramatically affected. What if civil engineers built bridges the way developers build software? The answer is you'll hit the blue bridge of death. People don't worry that the building isn't going to be there, and yet, we routinely accept the fact that IT systems are going to be down. IT, as an infrastructure, needs to be as safe and secure as a physical infrastructure. Put that together, (and the conclusion) you'll get is that the state of IT security is not good — there are public safety issues.
The market has sort of failed in that customers don't always know what they're getting, and don't get a lot of corrective options as they get poor-quality software. Is it possible then, given the public safety issue and market failure, that there needs to be some market correction?
