Oracle is in the hot seat with the InfoSec community once again, this time over CSO Mary Ann Davidson and her lengthy rant titled “No, You Really Can’t”. In the now-deleted blog post, Davidson rails against security researchers who find and report vulnerabilities in Oracle software. Featuring hilariously demeaning language and wildly exaggerated statistics, Davidson speaks with obvious disdain for both security researchers and everyday users of Oracle’s software. The company pulled her post within 24 hours, showing for the second time in those 24 hours a lack of understanding of tech culture in 2015.
The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn’t an “out” for “unless you are looking for security vulnerabilities in which case, no problem-o, mon!”
Davidson’s stance against security researchers during her time as Oracle’s CSO is less a legacy and more of a bad habit. Over a decade ago, she authored an opinion piece for ZDNet to accuse security researchers of endangering Oracle customers. One of the researchers named in her piece responded by accusing her of negligence and calling for her resignation.
This latest blog post was bad enough PR on its own; pulling it only amplified the message and implied that Oracle condoned Davidson’s opinion. Rather than turn the controversy into a discussion, the company as a whole adopted a head-in-the-sand technique that echoed Davidson’s apparent security strategy.
While this type of controversy will eventually surface for most tech companies, there are multiple options for preventing and managing the message before things get out of hand.
Never post while angry, or in response to a triggering event.
This is a general Internet adage that nearly everyone knows and almost no one follows. Even the most patient poster hits a point where the buttons have been pushed and the flames start to rise. On a personal level, it’s worth taking the time to know yourself and be aware of your emotional triggers; being able to walk away and cool off is a critical online survival skill. At the corporate level, there should also be a second pair of eyes to look over content, especially responses, before it goes external.
It’s a tough balance because you want to trust the people around you and encourage them to open up; on the other hand, a company can easily end up in Oracle’s position.
Have a strategy in place for public controversy.
Even a company that cultivates a culture of respect will stumble. Something will go wrong, someone will word a post poorly, and it’s not a matter of if it will happen but when. A good strategy will outline different levels of damage control, flexible according to the scale of the outrage, whether it comes from a small group of users or the Internet at large. It will start with the company’s own community platforms, expand to efforts on social media, and escalate eventually to mainstream media. The strategy must reflect an understanding of how news travels and should be updated regularly.
While such a strategy may have been in place at Oracle, it was either out of touch with society’s current habits or, worse, unenforced and unsupported, so someone’s panic kicked in as the first response.
When in doubt, choose the response that builds trust.
The Information Age has given way to the Communication Age. Customers expect to engage in a discussion with the companies they favor, and silence when things look questionable is as good as confirming the worst. For established companies with a strict internal-vs.-external policy, communication is a legal nightmare even at its best, and a large company’s slow turnaround for communication can seem a fatal flaw. Mostly, it’s important to remember that things will probably blow over faster than expected, and that it matters more to leave a legacy that won’t make you wince when Googled.
While Davidson’s post was deleted from her blog, the Internet archives several pristine copies. A better choice would have been to encourage discussion and address concerns where possible, or even to post an apology or update on the blog post itself. Either way, alongside those records of the controversial post there would exist attempts at communication and understanding, and the disdainful legacy would be offset when future critics came calling. Instead, the only remaining records are exactly what Oracle hoped to erase.