Vendor Risk Management is the Key to Building Cybersecurity – As seen in Realcomm Edge Magazine

Cybersecurity may not be easy, but you might agree by the end of this article that it is easy relative to the broader technology-related problem in commercial real estate (CRE). In other words, cybersecurity is only a subset of the real problem.

For many years, all industries have struggled with traditional enterprise cybersecurity risks and the consequences we read about in the headlines every day. As a result, there are many cybersecurity solutions for traditional IT areas, such as local area networking (LAN), remote access, and information security (infosec) in general. Although commercial real estate is late to the game in most IT solution implementations, we do have the advantage of being able to pick and choose what is right for our portfolios from established options.

If you have not already done so, your real estate organization will likely soon end up putting all building control systems on your existing enterprise network or providing a stand-alone remote access and LAN solution for those building systems. The latter requires a much simpler solution that not only protects but is also cost-effective and easy to manage for the organization and the contractors using it. In short, it needs to be an IT solution for a non-IT customer.

However, focusing on the remote access issue alone misses the real problem: vendor risk management (VRM).

The 2019 Gartner Glossary describes VRM as the process of ensuring that the use of service providers does not create an unacceptable potential for business disruption or a negative impact on business performance.

Gartner intended this for IT environments, but our 15 years in the real estate technology space tells us that this is even more applicable to real estate than it is to IT-proper for the reasons outlined below.

In larger portfolios, there are three things that any real estate professional knows about vendors, particularly building systems contractors:

    1. Fragmentation: There is tremendous fragmentation in the number and type of contractors across the total building count
    2. Inconsistencies: The fragmentation creates indescribable inconsistencies for system setup and configuration, data back-ups, and remote access
    3. Turnover: There is frequent turnover at all levels between contractors, building managers, and property managers

Fragmentation, inconsistencies, and turnover at scale create chaos. This chaos tells us the “real problem” is VRM and dealing with dozens or even hundreds of different contractors who not only have or need remote access but also manage onsite, complex, digital building systems such as HVAC, elevator, lighting, parking, and metering. These building systems provide critical functions affecting life safety, experience, productivity, core network integrity, regulatory compliance, and insurance exposure.


There is indeed a big problem with secure, remote access for control systems, which must be addressed. But as noted, there are many different, well-established ways to address that technically. Notwithstanding that fact, nearly all those IT solution providers do not understand the technology nor the culture of the building systems world, leaving the potential for a misused or underused solution for remote access.

Still, the question remains, “what can go wrong if I establish secure, remote access?” Putting aside for a moment whether all contractors will adhere to the remote access procedures, the answer is that most things that go wrong today in building systems are not related to hacking. The cause of approximately 80% of all cyber-related incidents is human behavior. Hence, the number one cause of disruption in building systems is ransomware, followed by outdated software or firmware, and then a variety of site-related problems caused by poor system configuration.

We know multiple real estate organizations that have never been hacked but have been completely shut down by these other VRM issues. Additionally, a related and prevalent behavioral issue is that there are no current backups to restore from, and backups from all systems are rarely kept in the same, validated place that lasts through contractor turnover.


With or without a remote access solution, if each system has a complex password, proper configuration, and recent backups, it can “survive” malicious attacks or sloppy mistakes. This is the essence of VRM – having a proper inventory, policy, and policy compliance process for all systems and contractors. The policy and policy compliance must be reasonable and manageable given the deeply embedded cultural realities of building systems contractors, or it will risk rebellion and failure.
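As an added illustration of what an “inventory, policy, and policy compliance process” looks like in practice (this is example code written for this article, not a tool from the authors or from Intelligent Buildings), the script below evaluates a constructed portfolio inventory of building systems against the three controls named above: credentials, current software or firmware, and recent backups, plus whether any remote access is covered by the organization's access policy. The inventory schema, the thresholds, and every building, system, and contractor name are assumptions made up for the example.

```python
"""Portfolio-wide building-system inventory check against a simple VRM policy.

Example code for this article; the record layout and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: constructed values for the example, not from the article
MAX_BACKUP_AGE_DAYS = 30
MAX_FIRMWARE_AGE_DAYS = 365


@dataclass(frozen=True)
class BuildingSystem:
    """One record in the portfolio inventory (hypothetical schema)."""
    name: str
    building: str
    system_type: str                    # HVAC, elevator, lighting, parking, metering
    contractor: str
    default_credentials_changed: bool   # vendor default login replaced
    password_meets_policy: bool         # complexity policy attested
    last_backup: Optional[date]         # None = no backup has ever been recorded
    last_firmware_update: Optional[date]
    remote_access_enabled: bool
    remote_access_approved: bool        # covered by the organization's access policy


def check_system(system: BuildingSystem, today: date) -> List[str]:
    """Return the policy findings for one system (an empty list means compliant)."""
    findings: List[str] = []
    if not system.default_credentials_changed:
        findings.append("default credentials still in use")
    if not system.password_meets_policy:
        findings.append("password does not meet complexity policy")
    if system.last_backup is None:
        findings.append("no backup on record")
    elif (today - system.last_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append(f"backup older than {MAX_BACKUP_AGE_DAYS} days")
    if system.last_firmware_update is None:
        findings.append("firmware/software version unknown")
    elif (today - system.last_firmware_update).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware/software not updated in {MAX_FIRMWARE_AGE_DAYS} days")
    if system.remote_access_enabled and not system.remote_access_approved:
        findings.append("remote access enabled outside the access policy")
    return findings


def portfolio_report(systems: List[BuildingSystem], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant system name to its findings; compliant systems are omitted."""
    report: Dict[str, List[str]] = {}
    for system in systems:
        findings = check_system(system, today)
        if findings:
            report[system.name] = findings
    return report


def findings_by_contractor(systems: List[BuildingSystem], today: date) -> Dict[str, int]:
    """Count findings per contractor so VRM follow-up goes to the right vendor."""
    counts: Dict[str, int] = {}
    for system in systems:
        counts[system.contractor] = counts.get(system.contractor, 0) + len(check_system(system, today))
    return counts


# Constructed sample inventory: the buildings, systems and contractors are fictional
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    BuildingSystem("hvac-tower-a", "Tower A", "HVAC", "Contractor One",
                   True, True, date(2024, 5, 20), date(2024, 1, 15), True, True),
    BuildingSystem("elevator-tower-a", "Tower A", "elevator", "Contractor Two",
                   False, False, None, date(2021, 3, 1), True, False),
    BuildingSystem("lighting-plaza", "Plaza", "lighting", "Contractor One",
                   True, True, date(2024, 3, 1), None, False, False),
]

if __name__ == "__main__":
    for name, findings in portfolio_report(SAMPLE_INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print(findings_by_contractor(SAMPLE_INVENTORY, TODAY))
```

The point of the per-contractor tally is that the same findings recur wherever one contractor works, so fragmentation shows up as a vendor problem rather than a building-by-building one; a real portfolio would feed this from a single inventory that the owner, not the contractor, maintains, so it survives turnover.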

A VRM solution must have a customer-empowering, customer-owned approach. This approach must survive the contractor turnover and rise above the inconsistencies caused by the fragmentation of service providers. VRM is a top-down solution that is pushed throughout all regions, buildings, systems, and contractors. This will be manifested in new policy requirements, service contracts, and organization-wide process and controls. The process and controls will eventually mimic formal IT process and controls, such as Service Organization Control (SOC) 2.

So, the next time you say you need to address cybersecurity for your building portfolio, you might consider saying what you really need is a VRM strategy that includes cybersecurity.

About the Authors: Tom Shircliff and Rob Murchison are co-founders of Intelligent Buildings, LLC, a nationally recognized smart building consulting and services company that leads the industry in OT cybersecurity and vendor risk management solutions for projects and portfolios at scale.