The Security Interviews: David Bradbury, CSO, Okta


Spend any length of time hanging out with Okta’s in-house cyber security team and sooner or later you’re going to hear colleagues greet one another with a cheery “g’day, mate”, which is a surreal feeling when you’re sitting inside an air-conditioned Las Vegas conference centre and haven’t seen sunlight in 26 hours.

Although right now he calls San Francisco home, the man responsible for assembling so many Aussies in one place is Okta chief security officer (CSO) David Bradbury, who arrived at the identity and access management leader in 2020 from Symantec, having previously held security roles at Australia’s Commonwealth Bank and the government-backed National Broadband Network (NBN) company.

While any incoming business leader will naturally seek to put their own stamp on the company, in Bradbury’s case, his time at Okta was partly defined for him by a series of high-profile incidents – one of them directly targeting the company’s own products and services – that elevated Okta from a name known only to cyber professionals to one at the centre of major breaking national news stories.

The most immediate result of the October 2023 breach of Okta’s helpdesk case management systems – which led to the theft of data including customer service logs and support requests, and saw the company criticised by annoyed customers – was an unprecedented 90-day suspension of all new development work at Okta to give it time to work the problem without distraction.

The most tangible long-term result was the creation of the Okta Secure Identity Commitment (SIC), a long-term plan for cyber improvement. The four core pillars of this pledge are to provide market-leading identity products and services; champion customer best practice in all things identity; elevate the industry to be better protected against cyber attacks; and to harden its own corporate infrastructure.

Sitting down with Computer Weekly at Okta’s 2025 Oktane conference, Bradbury reflects on the success of the commitments Okta made to reinvent itself after its unfortunate experience. He says the breach really caused Okta as a whole to pause and think both about the company that it was, and the services that it provides to its customers.

“It was clear to us that the threat environment had changed around us, and we had not changed with it to the extent that we needed to,” says Bradbury.


“Many of our customers rely on us for security, and expect us to be always secure, always on and almost like a utility, and we demonstrated that it is very challenging to make sure that is always the case.”

Threat intel: A new frontier

Part of this challenge is striking the right balance between building features and products that make the job of “doing” security easier, and focusing on the wider threat landscape to make sure Okta can protect its customers first and foremost.

When the firm launched the Secure Identity Commitment, says Bradbury, it reflected a significant change within Okta: a rethink of how it prioritises the build-out of security products and features, driven by how it understands the needs of its customers and based on its growing understanding of the threat landscape.

Okta has recently ramped up its own threat intelligence and research capabilities, working both with the intel it gleans from its own products and services – as an identity specialist, its technology is heavily attacked as a matter of course, so it makes sense to lean into this data – and working with other threat-led cyber experts.


“We’ve seen the customer base of Okta really grow in certain verticals, and they’re highly targeted verticals, from the US federal government to the banking sector and healthcare. We see very interesting threat groups targeting these customers on a routine basis,” says Bradbury.

“We like to think we have a unique perspective on who is accessing what application, and by partnering heavily with our friends at CrowdStrike, Mandiant and others, it puts us in a really good position to lead on proactive defence,” he adds. “We have completely reoriented the company to be threat-led when it comes to creating security products and security features.”

Over the summer, Okta’s threat intel team identified a new social engineering campaign in which the threat actor tried to convince Okta users to turn off the FastPass passwordless authentication feature in Okta Verify to access an important Slack message. The threat actor claimed that this was because FastPass was not working properly with the target’s Slack integration. Okta learned about this thanks to reporting features the product teams had built into the technology and pushed live.

“When it comes to phishing-resistant technologies, they’re really great at preventing you from being able to put your username and password into a fake site, but they don’t log it, they don’t send that information anywhere, they just prevent it from happening,” explains Bradbury.

“With our product, it actually records, it sends that to the customer, and it also alerts our intelligence, so we get to see these phishing events, and we can then start to draw intelligence and start to identify more root causes.

“We ourselves are just starting to unlock the power of our own products, and being able to find threat actors and feed that back to the broader security community to better protect ourselves.”

Cyber by default and shared responsibility

Buoyed by its growing understanding of the threat environment, Okta is keeping up a steady cadence of similar new features and updates and has been drip-feeding them into its products for about 18 months at this point.

Importantly, says Bradbury, in almost all cases, customers are not being given a choice in whether these features are turned on or not. Okta makes no secret of this. “We’re not going to wait for customers to figure out what these things are. We’re going to turn them on for you, because it’s in your best interests,” he says.

At first glance, this may seem a somewhat paternalistic way of thinking, and without doubt, there are many security leaders at end-user organisations who would baulk at not having a choice about what security features are enabled – after all, they’re paying for the product.

But Bradbury is confident that Okta is on the right track here, and his argument does have weight. Take road safety as an example. Drivers never asked for seatbelts en masse – Brits needed public information films in the 1970s to get them to strap in – yet the idea of buying a car without basic safety features as standard is unthinkable today.

When customers buy Okta now, they’re not just getting cyber seatbelts, but airbags, anti-lock brakes, blind spot monitoring, electronic stability control, lane-keeping assist – and, like in their cars, they’re not getting a choice in the matter.


Bradbury says this points to a clear mindset change in Okta. “When there is a security feature that we create and it has value to a customer and it doesn’t require extensive configuration, we enable that by default, we push that out,” he says.

“That’s what we’ve been doing now for a number of quarters – continuing to push out incremental security enhancements and improvements, some of them large, some of them small, all of them tied back to the threats we’ve been seeing. That threat-oriented mindset is absolutely fundamental to how we’ve been delivering over the past year and a half.”

Bradbury is not just pushing security-by-default for customers, he’s leading by example, too. Recently, Okta found itself among a huge number of companies coming under attack by threat actors who had hacked into Drift, a marketing services platform developed by Salesloft. Over a week-long period in August 2025, the hackers used OAuth credentials to steal data from customers’ downstream Salesforce instances.

However, Okta got away scot-free because it had turned on every possible security feature. For Bradbury, this raises interesting questions about responsibility.

“How much security should customers be on the hook for, versus vendors? Should Salesforce have turned on a whole bunch of security features that would have stopped that incident, or should it still be as it is today, where it relies on customers to configure things?” he says. “We were very lucky. We did the work. We turned on security features that hundreds of other companies did not, and hundreds of other companies were hit.”

Bradbury says that whereas others continue to cleave to the shared responsibility model, he is now coming round to the idea that service providers, vendors or suppliers – call them what you will – should shoulder the lion’s share of cyber responsibility.

He acknowledges this is a tough ask. “To drive adoption of new features across your customers requires a lot of effort and focus for all of us who are already challenged on having so many things we need to achieve,” he says.

“But really, it comes down to prioritisation, and sadly, what I think we’ve landed on with the shared responsibility model is that there’s very much an expectation as part of that, that the customer has to wear a substantial amount of the responsibility – the idea being that we secure the cloud and you secure the apps.

“However,” he continues, “over the past couple of years, we’ve seen far too many incidents that are around the mid-zone, the crossover point.”

Bradbury now agitates – and he says many other security leaders are starting to feel the same way – for the fundamentals of the shared responsibility model to be revisited and the lines redrawn.

“Whether it’s the Snowflake incident or the Salesloft Drift incident, these are examples of areas where there are security controls, but they just haven’t been adopted by the end customer. So the question is, what role do all of us in the vendor security community have in helping them? I think that’s the right debate to be having, and we need to be revisiting this shared responsibility,” he says.


