October 25, 2016 By Kevin Beaver

This is the fourth and final installment in a series about CISOs. Be sure to read Part 1, Part 2 and Part 3 for more information.

The construction industry is highly competitive, lucrative and steeped in politics that drive future business. But does the importance of information security in the construction industry justify spending valuable budget to hire a chief information security officer (CISO)?

The Good, the Bad and the Ugly

Having performed various security assessments in and around construction and real estate development, I’ve seen the good, the bad and the ugly in terms of IT management and overall information security posture. The good news is that, in most cases, construction companies’ IT environments are relatively simple, with flat networks, small online footprints and minimal personally identifiable information (PII).

Unfortunately, however, leaders of construction companies often fail to recognize risks and threats to the assets they do have, which include intellectual property such as:

  • Building blueprints;
  • Geographic information system (GIS) maps and details on critical infrastructure systems;
  • Contracts and financial information;
  • Customer information; and
  • Medical/legal/labor/personal data of employees.

The ugly relates to some critical application, network and human vulnerabilities I have observed in my security assessments. This is made even worse when combined with outdated technologies that construction company executives often assume — erroneously — to be enough to keep things in check.

Building on Information Security in the Construction Industry

It doesn’t seem like much would be involved behind the scenes of a new office building going up in midtown or restaurant chain being built on the corner, but there is. In today’s world, construction and real estate development are driven by diverse requirements and concerns, from environmental engineering to homeland security. The information housed in these networks can be quite valuable to those looking to gain a competitive advantage or to hurt others.

Over the years, I’ve worked with clients in this industry that were required to perform security assessments simply because they were contractors of larger construction or critical infrastructure businesses. The information security trickle-down effect that started in other industries is now impacting the seemingly benign business of construction and real estate development.

Nowadays, construction companies often develop and host startup incubator projects, so a malware attack against a construction company could potentially impact its startup customers. There’s a lot of intellectual property at stake in this area alone.

To Hire or Not to Hire a CISO?

Does this mean every business working in the construction industry should go out and hire a highly paid CISO? Not necessarily.

Many businesses already have chief information officers (CIOs) on staff who are responsible for security. Whether a construction company should hire a CISO depends on what there is to lose and the organization’s level of risk tolerance. What can happen and what’s going to be exposed as a result? The only way to fully understand that is to perform an information risk assessment to determine which systems, assets and processes are exposed to abuse.

Of course, budget matters as well. If a CISO is not in charge of security, someone else needs to be, at least on a part-time basis. There’s simply too much to lose, too much money involved and too many societal ramifications to ignore information security in the construction industry.
