Talk about making yourself a target in the high-pressure world of computer security. As chief security officer for Oracle (ORCL ), Mary Ann Davidson is responsible for making good on the now famous claim by the database-software outfit that its products are "unbreakable."
Just so there's no misunderstanding about who to look up should something go wrong, Davidson's job starts with software development, where the task is to create a hacker-proof design, and ends with security response -- containing the damage if any occurs. That puts her on the hot seat in a world where much of the most sensitive and valuable information in Corporate America and Washington -- including the Pentagon -- lives in Oracle databases.
Davidson may not do acquisitions or run multibillion-dollar corporate kingdoms. Yet she wields a big stick: She testifies regularly before Congress on security issues and is a key player in a handful of industrywide collaborations between business, government, and academia, whose mission is to enhance cyber security. On most of those efforts, she's a lead participant. For example, Davidson is the top exec helping coordinate efforts in the open-source software community to win key security certifications for the increasingly popular Linux operating system. Such certifications are a prerequisite for government agencies that would like to use open-source software.
Davidson, 45, became Oracle's chief security officer in late 2001, when the post was created. But she had been CEO Larry Ellison's right-hand person on security well before that. Likewise, long before the terrorist attacks of September 11, 2001, she had made preserving the integrity of the nation's computer systems a hot-button issue at Oracle and in the tech industry.
"Everyone else is jumping on the security bandwagon, but Mary Ann has been the driver of that bandwagon for a very long time," says Tony Stanco, founding director of the Center for Open Source & Government at George Washington University. "We now know that there are people out there who want to hurt us. She has an important role in the IT universe in making sure that it doesn't happen."
NO ALPHA GEEK.
While Davidson has become a big wheel in a geeky field, she would never describe herself as an alpha geek. She's an avowed aficionado of the laid-back arts of surfing and skiing -- and telecommutes from the mountains of Ketchum, Idaho, for part of the year. The rest of the time she's in the air, commuting to Oracle's headquarters in Redwood Shores, Calif., meeting customers, or appearing at dozens of conferences and forums, where she's one of the most visible corporate experts on cyber security.
Davidson works with hundreds of Oracle security experts doing everything from code testing to ethical hacking [testing cyber defenses] to providing patches for software flaws. But her authority extends to every line of code Oracle writes. And she's in the inner circle of high-level software architects who, with Ellison, plan Oracle's products.
As a young woman, Davidson never imagined a future in the computer business. "God has a perverse sense of humor," she laughs, recalling that when she was studying mechanical engineering at the University of Virginia, "I didn't do well with anything on a computer." After graduation, she spent seven years in the U.S. Navy working as a civil engineer. Then she earned an MBA from the University of Pennsylvania's Wharton School. In 1988, she stumbled into a product-marketing post in Oracle's financial-software unit -- accepting the job "even though I wasn't actually sure what it was."
One of her responsibilities was helping sell government accounting software, which needs to be impregnable. Then, in 1993, when Davidson heard of an opening for product marketing in Oracle's secure-systems group, she went for it. "Because I had been in the military and understand paranoid mindsets, I thought that would be interesting," she says. "There's an interesting public-policy discussion around security that you don't see in other areas of IT," she says.
Though Davidson didn't have a programming background, she compensated with big-picture, strategic thinking. When Oracle's marketing team and Ellison came up with the "unbreakable" slogan, she mobilized her staff to raise the security bar. That entailed closely examining many products and changing the way programming code was built and planned. Davidson often asks the thorny security questions that software developers prefer not to answer, such as: Who should get privileges to see data? How can a software product guarantee that only the right people get that access? And how should products be built to both preserve security and accommodate government demands to see information on an emergency or surveillance basis?
Davidson also has made a splash outside of Oracle, winning kudos from some of the country's top cybersecurity practitioners. "I've been impressed by her energy and passion for security and her view that this is much more than a one-company issue," says Howard Schmidt, eBay's incoming chief security officer and the Bush Administration's outgoing cybersecurity czar.
Today, Davidson reports to Oracle's chief software architect and Ellison -- something that initially made her apprehensive. Like many other Oracle employees, she had spent most of her career trying not to be noticed by the famously difficult CEO. "People told me: 'Larry will like you because you will tell him what you really think.' I have, and so far we've gotten along great," she says.
Stanco of the Center for Open Source & Government says Davidson remains several steps ahead of the security crowd. "The government wants certified systems, such as Oracle databases running on the Linux operating system," he notes. "Most companies aren't thinking about that, but Mary Ann is already there." When you make the promise Oracle does, you can't afford to be behind.