October 25, 2016 By Kevin Beaver 2 min read

This is the fourth and final installment in a series about CISOs. Be sure to read Part 1, Part 2 and Part 3 for more information.

The construction industry is highly competitive, lucrative and steeped in politics that drive future business. But does the importance of information security in the construction industry justify spending valuable budget to hire a chief information security officer (CISO)?

The Good, the Bad and the Ugly

Having performed various security assessments in and around construction and real estate development, I’ve seen the good, the bad and the ugly in terms of IT management and overall information security posture. The good news is that, in most cases, construction companies’ IT environments are relatively simple, with flat networks, small online footprints and minimal personally identifiable information (PII).

Unfortunately, however, leaders of construction companies often fail to recognize risks and threats to the assets they do have, which include intellectual property such as:

  • Building blueprints;
  • Geographic information system (GIS) maps and details on critical infrastructure systems;
  • Contracts and financial information;
  • Customer information; and
  • Medical/legal/labor/personal data of employees.

The ugly relates to some critical application, network and human vulnerabilities I have observed in my security assessments. This is made even worse when combined with outdated technologies that construction company executives often assume — erroneously — to be enough to keep things in check.

Building on Information Security in the Construction Industry

It doesn’t seem like much would be involved behind the scenes of a new office building going up in midtown or a restaurant chain being built on the corner, but there is. In today’s world, construction and real estate development are driven by diverse requirements and concerns, from environmental engineering to homeland security. The information housed in these networks can be quite valuable to those looking to gain a competitive advantage or to hurt others.

Over the years, I’ve worked with clients in this industry that were required to perform security assessments simply because they were contractors of larger construction or critical infrastructure businesses. The information security trickle-down effect that started in other industries is now impacting the seemingly benign business of construction and real estate development.

Nowadays, construction companies often develop and host startup incubator projects, so a malware attack against a construction company could potentially impact its startup customers. There’s a lot of intellectual property at stake in this area alone.

To Hire or Not to Hire a CISO?

Does this mean every business working in the construction industry should go out and hire a highly paid CISO? Not necessarily.

Many businesses already have chief information officers (CIOs) on staff who are responsible for security. Whether a construction company should hire a CISO depends on what there is to lose and the organization’s level of risk tolerance. What can happen, and what’s going to be exposed as a result? The only way to fully understand that is to perform an information risk assessment to determine which systems, assets and processes are exposed to abuse.

Of course, budget matters as well. If a CISO is not in charge of security, someone else needs to be, at least on a part-time basis. There’s simply too much to lose, too much money involved and too many societal ramifications to ignore information security in the construction industry.
