Oracle CIO: Cybersecurity and the Board of Directors

Find out what Mark Sunday, CIO and SVP at Oracle, says about managing cybersecurity threats, from dealing with the executive board of directors to informing rank and file employees.


May 20, 2019

As digital security threats increase in complexity and severity, organizations are searching for comprehensive and automated ways to stay safe. Any breach of a company’s digital security could amount to millions of dollars in lost revenue, as well as untold damage to a brand’s reputation. Managing the scope of security projects is not an easy task, which is why Mark Sunday, CIO and SVP at Oracle urges CEOs and executive boards to get involved in the process immediately.

During our discussion with Mark, we explore his role managing the corporate infrastructure for one of the largest technology companies in the world. We examine the ways in which CIOs and CISOs should inform employees about potential threats and how they can help to defend against them. Mark also offers advice for senior leaders on how to handle evergreen security issues—from turning the board into advocates and educating the rank-and-file.

Watch this video to learn more about how your company can stay secure and find out what Oracle CIO Mark Sunday has to say about managing digital security threats.


Michael Krigsman: How do we communicate issues around security to the board? I'm Michael Krigsman. I'm an industry analyst and the host of CXOTalk. We're speaking with Mark Sunday, who is the chief information officer at Oracle, about this topic. Hey, Mark. Tell us about your role at Oracle as CIO.

Mark Sunday: I've been the CIO at Oracle for about a dozen years. My responsibility is the overall corporate infrastructure that runs our 150,000-person company in roughly 100 countries. It includes, the first thing, the network that allows everyone to connect together, and then the end devices that allow people to access it and, perhaps more importantly, enable our individual employees.

Key Security Issues

Michael Krigsman: You spend a lot of time with security leaders and CIOs. What are the key security issues that they face today?

Mark Sunday: It's really been interesting to see the dramatic change in the awareness around security because, quite frankly, the threats have gotten much, much greater. I mean if I look at the one area that my organization has increased year on year on year, it's what we're investing in security. We're the norm in that, not the exception. But then also the increased sophistication of the threats, the increased sophistication of the tooling and so forth required is putting more and more focus on this. It becomes, really, job one.

Michael Krigsman: To what extent has security become a board-level issue?

Mark Sunday: I think that boards have now become aware that they absolutely have to. They are accountable to ensure that the people, the processes, the technology, that all the steps that one needs to do in order to ensure the integrity, confidentiality, privacy, and security of not only the customers' data, the company's data but, in fact, the employees' data as well.

Michael Krigsman: What does this mean for CIOs and chief information security officers?

Mark Sunday: I think security is getting its place at the table, whether it's within the IT organizations, at the corporate level or at the board level, that security has always been something that's out there, something that we've had to take into account. More recently, there have certainly been more high-level incidents that have highlighted just what the impact of security can have.

But also, I think it's been highlighted that you need to have the focus, that security is not just the role of the CIO, not just the role of the CISO, but it's everyone's responsibility. It begins with making people aware of what they need to do; what the threats, what the vulnerabilities are; and what their role is in defending against that.

Security needs to be built into every line of code we write, every configuration we enable, every computer that we manage the configuration asset the patching level on, the updates on. It affects, essentially, most roles within the organization.

Take a Holistic Approach to Security

Michael Krigsman: When it comes to protecting software, how should CIOs and CISOs think about doing this job effectively?

Mark Sunday: Well, just given the scale, size, complexity, and the opportunity for human error, you really need to take a holistic, comprehensive, and automated approach towards how you deal with configuration management, change management, vulnerability management. All of these are key aspects. It's very difficult if it's done manually, so you have to look at a comprehensive program that allows you to simplify, standardize, centralize, and automate all the aspects of how you deal with those things that could expose your company to security and privacy concerns.

Michael Krigsman: What advice do you have for senior leaders regarding security?

Mark Sunday: Well, I think every enterprise has the security it deserves, so it begins at the very top. It truly begins with the board, the CEO, the executive committee to set the culture and to ensure that the people, process, technology, the governance processes are in place to ensure the security of customers', company's, and employees' information.

Michael Krigsman: Mark Sunday, CIO of Oracle, thank you so much for spending time with us today.

Mark Sunday: Well, thank you.

Published Date: May 20, 2019

Author: Michael Krigsman

Episode ID: 599