Q & A Round with David Cross (Chief Information Security Officer, Oracle Cloud SAAS)

What are some of the key components to succeeding as a CISO in today’s business environment?

The CISO role is transforming and evolving and is no longer a traditional standards, policies, process and compliance.  In many companies, it is critical that a CISO provide a technical engineering leadership role as well as line of business leadership perspective.  A CISO must have common skills, experience, and vernacular with their peers across the business and engineering units.  The customer of the CISO in a technology company is the developer.  You must understand the engineering roles, its challenges, its need from a DevSecOps perspective and work to provide services to accomplish the critical challenges.  If you do not invest and understand the business and roles in your company firsthand, it is very difficult, if not impossible to drive the influence, functions and changes needed from a security perspective.

You are set to take the stage at Black Hat MEA this November, what can our audience expect from your session, and what are you most excited about?

The world’s applications and data are all moving to the cloud and the advantages of the cloud environment are numerous and clear. However, many businesses have common questions when transitioning from an on-premise to a SaaS environment.  The threats, roles and the expectations are different as the transition occurs and it is important to understand the differences from a security responsibility perspective. Once you understand the roles and common questions, it is much easier to ensure you have a safe and protected environment to meet your security needs.

If you had a time machine, what advice would you give yourself at the beginning of your career in cyber?

It is important to be hands on and train with the latest technologies, tools, techniques, languages and platforms as frequently as possible.  In the security world, the attacks and challenges are dynamic and will evolve and advance continuously. The defenders and security professionals must be regimented and schedule training/learning/development on a structured and regular basis to be ready to match the threat landscape.  It is no different than the traditional engineering roles which also must grow and develop over time, but it is often much more dynamic and fast moving in comparison.