American Bureau of Shipping CISO

Mike Davis has a career that spans several decades – so far – and he still enjoys the challenges and opportunities that his cybersecurity vocation provides each day.

Davis began his career with the U.S. Navy. He started out in engineering, specializing in propulsion systems, including nuclear power and gas turbines. He then moved into combat systems and command and control systems. “As you can imagine, both propulsion and weapons systems have some pretty extensive operational controls and interface aspects to them. This is where I started in managing systems controls along with those in IT and security and the protection of those systems,” says Davis.

During his time in the Navy, Davis earned several advanced degrees in electrical engineering and business management. After 25 years of active service, he retired as an engineering duty officer from the Navy and easily slipped into a civilian role as a program manager for information assurance for all the cyber products the Navy used (key management, crypto, firewalls, IDS). “I oversaw procuring and installing most of the cyber equipment for the Navy,” says Davis. “That was very enlightening and where I experienced how difficult complex, highly interoperable capabilities are to install and operationalize within the many interfaces, protocols and data exchanges. Thus, I had the integration and interoperability aspect of cyber operations well ingrained from an installed product perspective.”

The command that Davis was with then created a new position called a Technical Authority (TA). “It was like the technical subject matter expert aspect of the typical CTO position he says. “I became the TA for information assurance and cyber for the Navy. My job was to review architectures, specifications, program designs, and to conduct risk assessments, certification and accreditation, among other duties. I went from managing the cyber product capabilities and operations side of the environment to overseeing the architecture, engineering and standards part of it.”

Davis credits the Cyber TA position for launching his cyber career. “I did numerous systems reviews and assessments and provided several levels of management risk findings and recommendations reports. I performed the Cyber TA duties while also working within the Joint/DoD Cyber efforts, which were still evolving at that time, to standardize our security architecture and support processes. It wasn’t just architectures; I assessed current security threats and aligned those to current security suite capabilities. Today you hear the term ‘cyber hygiene’ a lot—patching and maintaining your IT environment to minimize vulnerabilities. I was a strong advocate of doing cyber hygiene well over a decade ago, but unfortunately poor cyber hygiene is still a major factor in over 85% of security incidents. As a security community, we still have a general lack of appreciation for doing the ‘cyber basics’ really well, first and foremost. When I practiced cyber in San Diego, I continued to advocate focusing on cyber hygiene in our security community. Whereas now this major risk element at least has the attention it needs. However, best practices still aren’t widely observed.”

Davis understood the gravity of his technical cyber oversight position. “The consequences of the military having a data breach are much more serious than in most organizations. It’s not just attackers taking some data or stealing resources. They could be compromising our weapon systems and/or manipulating key target data. You hear about attackers taking over the Internet of Things and connected cars with the potential to do humans bodily harm. Well, it can happen with ships and weapon systems, too,” says Davis. “From a security perspective, I do believe the military has to be much more on its cyber game because the consequences of a breach could be much worse than the typical business data breach.”

Now he is putting his knowledge and experience to work for the American Bureau of Shipping (ABS), which performs classifications (assessments) and issues certificates on ships that allows their shipping company to get a flag to operate in various countries. ABS has about 5,000 people across almost 200 locations in around 70 countries. As the CISO, Davis developed a risk-based security strategy for the global not-for-profit company to best enhance the company’s business objectives.

Davis is a big believer in sharing his knowledge and helping other companies raise their security profiles. He’s involved in several cybersecurity associations and community initiatives, such as the FBI InfraGard task force on cyber workforce enhancement, and the Cyber special interest group (SIG) for both the Society of Information Management (SIM) and the San Diego IEEE chapter. Davis has several professional certifications, including CISSP, CISO, and Systems Engineering, and he holds an MS degree in Electrical Engineering and an MA in Management.