Oracle’s veteran chief security officer Mary Ann Davidson is leaving the company unexpectedly, ending a career in senior management spanning almost four decades.
A prominent figure at the company since joining in 1988 from the US Navy, Davidson was among a select group of surviving senior employees from that era. Inevitably, this means that her departure, leaked to Bloomberg by an internal source, will be seen by some as holding deeper significance.
The timing could, of course, be simple coincidence. According to Bloomberg, in March this year the company began an undisclosed round of layoffs in its cloud division and across management roles, estimated to have shaved possibly hundreds of roles from a global workforce of 160,000.
With the company silent about the details, this month saw further layoffs on a reportedly similar scale. The reductions are widely interpreted as an attempt to funnel money into the AI investments the company is having to make, including those to support the huge Stargate Project platform deal that will see it run OpenAI workloads.
Although no official announcement has been made about Davidson’s departure, it comes at a critical moment for Oracle, which earlier this year was widely condemned for its handling of a potentially serious data breach that it repeatedly downplayed.
Patching troubles
As one might expect for someone who’s been in or around Oracle security for so long, Davidson’s time has not been without controversy.
The first came beginning in 2004, when the company was heavily criticized by British database bug hunter David Litchfield for its tardiness in patching the rising volume of security flaws then being discovered in its products. Unwisely, Oracle and Davidson pushed back, leading to an ongoing public war of words they eventually quietly backed away from.
More recently, in 2015, came the infamous “No, you really can’t” controversy around a corporate blog of that title that Davidson used to call out customers “reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.>”
“This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already,’” she wrote in a post whose contents were later re-published on Seclists.org.
As criticism mounted, Oracle found itself beating another retreat, quickly taking down the article while stating: “We removed the post as it does not reflect our beliefs or our relationship with our customers.”
Full disclosure
In fairness, Oracle was far from alone in being slow to adopt the idea that software vendors needed to turn patching into a core security function while acknowledging that vulnerability hunters were allies in disguise rather than enemies.
Nevertheless, occasional missteps have continued up to the present, most recently in the evasive and confused reporting of an alleged breach of Oracle servers earlier this year by an attacker exploiting a known vulnerability, CVE-2021-3558.
The company’s initial response was to send customers emails denying that a breach had happened, before later conceding that, while an incident had occurred, it involved “two obsolete servers” not used to store important customer data.
The impression was of a company disclosing as little as possible in the hope that customers might not notice and journalists would eventually stop asking questions. There is no suggestion that this strategy was Davidson’s doing, although given her history of publicly downplaying critical issues, arguably she should have stepped in sooner.
“The breach at Oracle falls under SEC disclosure rules. If it was downplayed or not reported properly, that could be significant,” commented Timothy J. Marley of US cyber security consultancy Prism One. However, connecting her departure to the recent breach was probably going too far.
“You almost never see that sort of tenure in security leadership. Honestly, I wouldn’t be shocked if she simply decided it was the right moment to step aside,” Marley said.
More likely, however, is that Oracle is now undergoing a generational shift to younger executives more attuned to AI. “AI is forcing all of us to rethink our strategies and tactical solutions,” he said. “We’re doing our best to prepare for an uncertain future. For those of us who’ve been around a while, it really is about adapting quickly or risking being left behind.”
In addition, according to Brad Shimmin, VP and practice lead at analyst company The Futurum Group, the advent of AI was more than a simple segue into a new market sector for Oracle, and challenged its long-held assumptions about security.
“AI itself has changed the way companies and attackers view the security landscape, not only elevating the stakes and radically expanding the attack surface, often beyond the confines of current experience and knowledge,” Shimmin said.