Hikvision Tabs Ex-IBM Exec Security Architect as N. American Cybersecurity Czar
Chuck Davis will use his extensive experience to enhance Hikvision’s cybersecurity initiatives, plus advance industry outreach and education.
CITY OF INDUSTRY, Calif. — Hikvision has appointed Chuck Davis, a former IBM executive security architect, to serve as cybersecurity director for the company’s North American operations.
Davis has worked for more than 20 years building cybersecurity programs for large enterprise organizations. He began working for IBM in 1997 and rose to the position of global security operations manager before leaving the company in 2011. He later returned in 2015 as executive security architect, serving in that role for more than two years prior to joining Hikvision.
He is credited with designing and managing the global malware defense and vulnerability management programs at IBM, and with being a thought leader and architect of IBM’s Computer Security Incident Response Team (CSIRT). Under Davis’s leadership, the team was responsible, in part, for inspecting IBM’s vast network infrastructure with vulnerability scanners and rapidly communicating exposures to system administrators and other managers so those exposures could be patched.
From 2011 to 2015, Davis served as manager of global cyber defense for The Hershey Company where he built and managed the chocolate manufacturer’s comprehensive cyber program. In addition to his work as a cybersecurity professional, Davis is an adjunct professor of Computer Science at the Univ. of Denver, teaching master’s degree courses in ethical hacking and computer forensics.
SSI spoke with Davis about the cyber threat landscape and his work to come at the world’s largest provider of video surveillance products and related technology.
Building Upon Existing Cyber Program
The physical security industry will admittedly present a steep learning curve in the early going for Davis, who has spent his entire professional career and academic life in the IT world. Still, he considers his new role an ideal post. Not only will he work to expand an existing program at the company, he’s looking forward to assisting the industry as a whole to strengthen cyber defense practices.
“The thought in coming to Hikvision was about moving back into a scenario where I could be a leader, effect a lot of change and also be able to build something again,” he said. “Hikvision has done a great job at building a strong cybersecurity program. I am not creating anything from scratch. I’m being handed the baton and I am going to take this program to the next level.”
Davis is charged with overseeing internal and external cybersecurity initiatives. This will entail buttressing a communications process around vulnerability management to speed interactions between North America and headquarters in Hangzhou, China. Also key is paving a communications path for outside parties — including installing security contractors, end customers, IT security researchers and other stakeholders — to connect with the company in short order.
“Even before I got here we already had a security center on the Hikvision website where anyone who thinks there’s a security issue or vulnerability with a Hikvision product can report that directly to us,” he said. “We have a team of people, myself included, who monitor any entries that come in there so we can quickly determine whether or not there is a vulnerability and then react.”
A significant reason why many companies never realize their products are at risk is that they do not apply the rigorous testing necessary to discover security holes before a data breach occurs. While Hikvision worked with third-party cybersecurity firms prior to Davis’s arrival, including on software development and lifecycle testing, furthering these efforts will be another key focal point for him.
“I want to continue down the path of using our own internal resources and external resources — like ethical hackers and security researchers — to help communicate [potential or found vulnerabilities] to us so we can rapidly respond,” he said.
In this area, Davis is building the program he inherited into a two-pronged initiative. First, third-party ethical hackers will try to break into Hikvision devices and environments. The second piece is pursuing cybersecurity certifications and then testing the products and services against those requirements. Certifications are well and good, but withstanding the withering network assaults that are sure to arrive eventually is a wholly different beast.
“As a cybersecurity expert I like going through those certification processes, but they are essentially just check lists. Are you doing this? Are you doing that? The ethical hacker will actually try and break in,” Davis explained. “They will break and bend the rules to figure out the right way to penetrate that system, and that is where you get some of the real answers to how secure your systems are against known vulnerabilities.”
Davis won’t be deskbound. He’ll be racking up lots of frequent flyer miles spreading the gospel not just about Hikvision’s network security efforts but educating the industry as well. Already on his near-term agenda is travel to a manufacturers’ training session for a Canadian Security Association (CANASA) event, among other related stops in Canada. The company will also soon announce a series of cybersecurity-focused educational seminars, during which he will engage with customers to discuss best practices in regions around North America. Next year’s PSA-TEC in March is also on his itinerary where he will make a presentation and network with attendees.
No Ducking the Backdoor ‘PR Issue’
Davis signed on with Hikvision in September, in time to travel to the ASIS Seminar & Exhibits in Dallas, where he was introduced to customers and industry professionals. He arrives at the company amid persistent rumblings that Chinese surveillance products, and Hikvision’s in particular, could be compromised by a backdoor. Thus, the rumor goes, the Chinese government or another proxy could potentially gain access to video and carte blanche entrée onto IP networks worldwide.
It is a topic Davis does not shy away from and fully expects to be routinely discussing with customers as the company continues to contend with the public relations dilemma.
“This is something that was shared with me early on in the interview process that this is part of the job and part of the challenge. Of course, I did a lot of homework on Hikvision and the industry before I accepted this position and I was actually rather pleased with how candid Hikvision was with me about this PR issue,” he said.
Davis is quick to emphasize Hikvision most certainly has had vulnerabilities, similar to other security vendors, and that the company has a responsibility to grow and continue to build cybersecurity into its products. Nowadays, companies are rated on how they respond to cybersecurity incidents rather than if they have them, he commented.
“From a technical perspective I understand what the challenges are. Really they are not all that technical. They are really very much an image and education and awareness issue. My role as a seasoned, 20-plus year cybersecurity professional is to come in here and be able to talk to customers, talk to the industry and be able to explain things in plain terms about the real cybersecurity risks. And try to also communicate with customers and potential customers about the truth.”
So how does Davis believe the marketplace was misinformed by recent reports about vulnerabilities discovered in Hikvision products? The answer goes back to why he is so focused on building relationships with security researchers.
A well-known practice in the IT security world is called “responsible disclosure,” which unfolds something like this: If a security researcher identifies a vulnerability, the protocol is to inform the company without publicly disclosing it. This gives the company time to test, create and release a patch, and then communicate with customers. Only once all that has happened is the vulnerability disclosed.
“Coming from the cybersecurity industry there is definitely some education awareness that can happen and will happen as the physical security industry matures in the Internet-connected space,” Davis said. “I would not have taken this job and put my name on the line as a security professional and a college professor if I thought Hikvision was up to anything nefarious.”
In Davis’s view, news of Hikvision product vulnerabilities failed to tell the whole story or instead focused on the wrong parts of the story. “If you take a look back at the recent security vulnerability that was addressed earlier this year it is a great example of how responsible disclosure works with a security researcher,” he said.
A security researcher found a vulnerability in a Hikvision product and informed the company. According to Davis, within a week the company had tested and created a patch and released it. Six months later the security researcher fully disclosed the details of the vulnerability.
Yet, Davis contends, attention-grabbing media headlines by some who reported the disclosure read “almost like click bait. You read a couple sentences, skim over a paragraph and come to the conclusion that Hikvision has products that aren’t secure.”
The point that readers missed, he said, was that Hikvision released the patch six months earlier and communicated to customers the current version of firmware needed to be updated.
“That is really the story that should have been reported and I think has been missed. What I am going to work to bring is a better communication with our customers, with the public and better, quicker communication channels back to headquarters,” Davis said. “I, luckily, do not need to create a great program because it is already in place. I am here to make it better.”