Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle Software Security Assurance. She represents Oracle on the Board of Directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC), and serves on the international board of the Information Systems Security Association (ISSA). She has been named one of Information Security's top five "Women of Vision," is a Federal 100 award recipient from Federal Computer Week, and has been named to the ISSA Hall of Fame. She has served on the Defense Science Board and as a member of the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency. She has testified on cybersecurity to the U.S. House of Representatives (Energy and Commerce Committee; Armed Services Committee; and Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology) and the U.S. Senate Committee on Commerce, Science and Technology.
Ms. Davidson has a BSME from the University of Virginia and an MBA from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
Statement of Goals
I have several goals I would like to pursue as a Director of ISSA International. ISSA is a strong, diverse community of information security professionals. As a community, our jobs change as fast as new threats, new systems and new regulations arise, and clearly at a more rapid rate than many other professions. Ergo, the requirement to leverage one another’s expertise so we are “smarter, faster” is higher than ever. It’s particularly true given that many of us operate as “lone practitioners” or as members of small teams.
To this end, one key area I’d like to focus upon is in the area of regulatory impact. Many of us work in regulated industries; the rest of us soon may be, as incipient “cyber security legislation” is front and center in multiple countries. While regulatory compliance is not optional – and often, unfortunately, may crowd out “real security” – we nonetheless have no choice but to conform to regulatory requirements. The degree to which we can leverage others’ experiences and knowledge in these areas helps us be smarter, faster. Furthermore, we should also consider – without becoming a “lobby group” per se – how we can use our voice to weigh in on public policy issues that affect us directly. There is a lot of money being spent on security that seems to be enriching consultants, but not necessarily enriching the organizations we serve by actually delivering better security. ISSA can be thoughtful and measured, and yet “speak for the troops in the trenches” who are at the front lines of information security. We need to speak up, particularly as most regulators do not understand the practical limits of security and also often have no idea of the cost of mandated measures vs. tangible benefits from those measures.
Another goal is strengthening our “pipeline” of new recruits by targeting universities. This is important for two reasons. One, like the community of opera lovers, whose demographic is skewed to older people, we are also skewed to “older IT security professionals.” We need to build our community in part by recruiting the next generation of practitioners (who may have as much to teach us as we have to teach them) to help create the “ISSA community of tomorrow.” A secondary benefit is that we may be able to use our interaction with universities to help instill in them the requirement for a security mindset (and better security education) in multiple disciplines such as computer science, computer engineering, software engineering and related disciplines (e.g., control systems engineering and, for that matter, business school curricula).
We will always be handicapped as professionals by the degree to which the underlying IT infrastructure actually is designed and built as infrastructure. If we do not change our collective mindset – which means educational change – there are not enough IT security professionals in the world to secure critical IT-based infrastructure, any more than training more doctors will stem a plague with no biological or chemical defenses (and where patients do not think they are infected). Further, cyber security is a function in support of larger business objectives, since business is about assuming risk, and there is – alas – a paucity of understanding of the systemic risk that the increase in IT-based systems can pose.
Ultimately, good public policy has to be implemented by people doing the work, not merely auditors or certifiers checking work. Improving the “inputs” to our professional lives – new recruits who can bring their educational experiences to us; better, more robust software and hardware engineered for today’s threats – will enable better “outputs” – defensible, robust cyber infrastructure that is managed in a public policy construct of doing that which is effective in securing our cyber infrastructure and cyber assets, not merely that which assigns blame.
It might seem counterproductive to want to make our profession easier by addressing these issues – but a worthy goal should be “solving harder problems.” We can continue to add value as professionals, but I think we would all like to focus on more difficult challenges. Raising the bar in these two areas can help free us to solve those harder problems.
This information provided by candidate who is solely responsible for the