Discover how facility managers can protect against cybersecurity threats, focusing on the collaboration between FMs and CISOs to secure technology and mitigate cyber risks.
This week, Connected FM is taking a break, so we’re revisiting a critical topic that is increasingly impacting facility managers: cybersecurity. In this session, Stacey Shepard, President of Shepard Global Strategies, Lucian Niemeyer, CEO of Building Cybersecurity, and Rob Murchison, Co-founder of Intelligent Buildings, LLC, discuss the strategic partnership between IFMA and Building Cyber Security (BCS). They explore how this collaboration aims to raise facility management awareness of the opportunities and challenges associated with connected technologies, while also focusing on developing FM training for cyber risk mitigation.
Lucian Niemeyer: [00:00:00] How can we protect humans, protect their safety and their property from a bad actor? I think that question resonated with IFMA leadership. The partnership we have right now with them is not just scaring people about the threat, not necessarily discouraging them from using technology. We need technology.
We need technology for sustainability, better building operations, reduced costs. We want more technology in our homes, in our cars. But we also need to understand that it has to be protected and it's not just the technology needs to be protected, but the interface between the technology and the human beings.
Host: Welcome to Connected FM, a podcast connecting you to the latest insights, tools, and resources to help you succeed in facility management. This podcast is brought to you by IFMA, the leading professional association for facility managers. If you're ready to grow your network and advance in your career, go to ifma.org to get [00:01:00] started. This week, Connected FM is taking a break, so we're revisiting a critical topic that is increasingly impacting facility managers, which is cyber security. In this session, Stacey Shepard, the president of Shepard Global Strategies, sits down with Lucian Niemeyer, CEO of Building Cyber Security, and Rob Murchison, the co-founder of Intelligent Buildings LLC.
Together, they discuss the strategic partnership between IFMA and Building Cybersecurity, and they explore how this collaboration aims to raise facility management awareness of the opportunities and the challenges associated with connected technologies, while also focusing on developing FM training for cyber risk mitigation.
Now, let's get into it.
Stacey Shepard: Hello, this is Stacey Shepard. I'm president of Shepard Global Strategies and also an advisor to the Board of Building Cybersecurity. [00:02:00] We're thrilled to be able to celebrate about one month into a strategic partnership with IFMA and to be able to talk about this partnership on this podcast. So I'm going to start with Lucian Niemeyer, CEO for Building Cybersecurity.
If you can introduce yourself and, and tell us a little bit about what is Building Cybersecurity and what's your vision for this new collaboration?
Lucian Niemeyer: Yeah, absolutely. I'm thrilled. First of all, to be here at a World Workplace here in September. It's an amazing event, bringing folks from all over the world.
And really it's an opportunity for us to showcase the partnership between IFMA and the nonprofit Building Cybersecurity. To allow the facility managers around the world to have better resources and training for how do you address the cyber threats, both not just in the information systems that we use day to day, but also in the building technologies.
Our buildings around the world are getting smarter. They're getting more sophisticated and the facility managers [00:03:00] should be aware of the risk posed. By a cyber attack to the technologies in the building that ultimately can be as destructive or more destructive than an IT attack. So we're thrilled that IFMA offered the partnership.
An opportunity for us to really engage with the facility managers around the world on how do you protect those systems.
Stacey Shepard: And before we move on from that, tell us a little bit about your background and why you actually are so passionate. Oh gosh.
Lucian Niemeyer: So, yes. So, so my background's in national security, but for about three and a half years, I ran the largest real estate portfolio in the world for the Department of Defense and, and, uh.
Got challenged by the secretary of defense to take a look at everything that's connected in our society and everything that's on the internet and where it posed potentially a risk and to come up with programs to mitigate that risk. So the work that we did in the department of defense, and we worked pretty hard on this over the course of three and a half years has translated into the establishment of this nonprofit to really face society, not necessarily federal government face society.
What can we [00:04:00] do to design integrate? Operate protections and controls in the built environment, particularly in the world for facilities managers and the building systems and the, and the real estate that we're operating.
Stacey Shepard: So thinking about those systems and protections. So Rob, I'm going to let you introduce yourself, but you run a company called Intelligent Buildings and you started that in 2004.
So talk a little bit about the company and what did you see coming in prop tech industry?
Rob Murchison: Well, thank you for having me here, Stacey. It's, it's, it's exciting to see how much technology has made its way into the built environment in the last 20 years. I would say that what we saw coming was a world that needed better data on how the built environment was operating.
And, and initially that was, you know, to go save energy, enhance and experience. Where that is today, we've gone from a world of optionality, like maybe I'm going to [00:05:00] use data to run a building to a world now of, I have to have data. If I'm going to decarbonize a building and what we've, what we learned is in order to do that, a building has to be connected and protected.
Okay. And if you just connect the building without a plan, you could, you're likely faced with a situation where you're introducing more risk into the environment than the benefit that you're actually generating.
Stacey Shepard: So Lucian, Rob mentioned being protected and I know you've dedicated your life to the protection of buildings.
So talk about kind of what's that future look like? And the near term and where you see that vision.
Lucian Niemeyer: Yeah. So I think for those of you listening in and one, one resource that you have to check out is the IFMA website and the research recently done by Jeffrey Saunders and team to raise this issue of public safety in buildings.
When we look at traditionally cyber attack, yes, we want to [00:06:00] protect data. We want to protect software. But in this case, when you're looking at an attack, the operational technologies is what Jeffrey's research team really dove into. It's the technologies that are in a building that if they are compromised can truly hurt somebody, can cause property damage, can cause casualty, and we're talking the fire control systems, we're talking the HVAC systems.
So really what I'm looking at is how can we protect. Public safety, not just in buildings, but in cars. I mean, right now we have over 2000 microchips in a typical car. We have smart systems in our homes. These are potentially vulnerable. How can we protect humans, protect your safety and their property from a bad actor?
So that's the question we ask ourselves in our nonprofit. I think that question resonated with IFMA leadership and therefore they were looking for solutions. And that's why. The partnership we have right now with them is not just scaring people about the threat, not necessarily discouraging them from using technology.
We need technology. We need [00:07:00] technology for everything that Rob mentioned, sustainability, better building operations, reduced costs. We want more technology in our homes, in our cars. But we also need to understand that it has to be protected and it's not just the technology needs to be protected, but the interface between the technology and the human beings.
Stacey, you and I in 10 years are going to be living with a world of robots. We have to design those robots. We have to design the systems around us in a way that we understand that they cannot be in any way compromised and create any kind of a threat for us. So that's really what I'm talking about with protection.
How can we protect and safeguard, um, the occupants in a building or your clients, if you're a facility management company, how do you protect those entities from a potential bad action that could cause a problem?
Rob Murchison: If I could jump in, one of the reasons we got so excited with Lucian's vision around protecting that until BCS came along, there really wasn't a framework [00:08:00] for the built environment, right?
There was no way if I'm a facility manager and I see that I need to address this, like, what do I do? And now we have, with the partnership with IFMA, we have, we have the ability to do that.
Lucian Niemeyer: Right. And that's what we felt we needed to do in the industry. There's a lot of vendors out there and a lot of facility management companies use third party vendors, you know, to help out as a consultant on cybersecurity.
But there's no industry standard. There's nothing that says, you know, okay, here's the things you should be doing. You can still hire a consultant. You can still hire your vendors to do what, what they propose, or do you want an industry standard that says, Hey, this is what a group of experts have come up with national security background on what you should be looking at doing.
That the types of protections and mitigations should put in place across, not just your buildings itself, but how they're designed. And, and how they're commissioned, ultimately how they're operated and how they're maintained. So we cover the whole life cycle from beginning, very beginning [00:09:00] design all the way through the end of a life of a building.
How do you ultimately maintain that series of protections and really Rob, our partnership, we've built a framework. You're going to offer the facility management community a way to protect those systems through a managed service for the life cycle of the project. Okay. We really believe collectively we can offer facility managers and CIOs.
Remember there's a huge disconnect between the IT community, your CIO and your facility manager. We can close that gap by offering to that CEO, here's where industry is saying we need to be. And more importantly, as you know, Rob, we are also working with some of the leading insurers in the world to offer that incentive.
The most important thing we need to do is if we're going to spend money on cyber security, we need to ensure that there's a payback. And for building owners and operators, they pay insurance, they pay cyber insurance, they pay property casualty insurance. What can we do by suggesting that investments and risk mitigations can't be [00:10:00] compensated or rewarded by favorable rates when it comes to insurance in the future?
Stacey Shepard: So you talk about protections. You know, we've talked to several people at the conference that feel that they are protected because their CIO is looking at the technology and the software. You've talked often about creating that connective tissue between the IT and the OT, the operational technology, and that is a challenge of awareness.
And so together, partnered with IFMA, I know that you're just about to launch a very exciting new training effort. Maybe can you talk a little bit about that and then Rob, why don't you weigh in about the need with re skilling and up skilling our workforce. So Lucian, first to you.
Lucian Niemeyer: Yeah. So first of all, we have used the framework we developed, but it took us about 15 months to develop it.
And a series of buildings for which the building owner felt that they were the one, the most progressive and proactive. Uh, owners as far as protecting their systems. And we uncovered a lot to the point where they're [00:11:00] still recovering from our assessment. So I think for the facility managers that are listening in, hearing from their it department, well, we got this covered, we have these protections.
I would challenge them a little bit on whether they know of every piece of every device and piece of technology that's on that network, are they tracking it? I want to make sure we're clear on the definition. Operational technology are the devices and systems that run a building or can be your, your, your audio visual equipment.
It could be in a hospital, your imaging equipment, your operating equipment. So we look at a full range of operational technologies, not just your HVAC, your lighting, your fire controls, your elevators. But we look at other equipment that you rely on for building operations or revenue generation. That's a big key here.
Technology is driving additional revenue. How do you protect those revenue streams? So really looking forward to, we do need to see as more technology gets incorporated in, you have to stay on top of that with a performance indicators that will mitigate that [00:12:00] risk along the way. And a part of that is the training too.
We are very excited, uh, to partner with IFMA. On offering a, just a basic course on the basics of cyber safety and cybersecurity. And I want to put emphasis on cyber safety, which is important for us. We're talking about technologies that can hurt somebody or cause property damage. So we are offering, and we, and it's available now, a disciplinary course.
We are working with IFMA to set up and establish a more in depth course. And so through the association, you can get credits, professional credits for having a more in depth understanding of cybersecurity. And we do believe this is core to a workforce development that will be cyber savvy and ultimately, uh, practice cyber safe techniques and practices.
Rob Murchison: And to just build on that. Let, let's face it, there's going to be more technology in buildings five years from now than there is now for a variety of reasons we talked about, whether it be decarbonization or energy reduction. And the reality is that [00:13:00] the most important role in accomplishing that is the facility manager and the facility manager that they're, this technology that's coming at them needs to be, they need to be educated in a way, but they also don't need to be afraid of it back Lucian.
And so what. We believe, and in partnership with BCS, is that if we can raise the awareness of the facility manager around the risk and the safety that could be accomplished, they can have a much more, let's say, harmonious relationship with their IT department. And they can row in the same direction. And if you're rowing in the same direction, get rid of some of that friction, we can accomplish some of the bigger goals that are needed when we talk about the built environment.
Stacey Shepard: So looking ahead, we just have a few more minutes together. What are you looking for in this relationship with IFMA? We're talking about training. We're talking about education and awareness. We're talking about expertise. I think you [00:14:00] also, if you go to buildingcybersecurity.org, offer 16 steps. Which are great.
It's a free questionnaire that you can bring back to your teams and your staff to be looking and validating your efforts and initiatives and to perhaps find some areas of potential vulnerability. Maybe you want to hit on that and would love to have you kind of wrap this up.
Lucian Niemeyer: Yeah, so I, I do believe the training is important and the awareness, but bottom line is you want to put tools in place.
You want to actually mitigate risk. You want to protect your buildings. You want to protect them on behalf of your clients. You want to make sure as a facility manager, you're not creating more risk. So training is good, but really what we would like to see within our organization is facility managers around the world, actually taking a look at getting in a building assessment.
What can we do bringing a team in of objective experts that understand the industry? What can we do to actually look at a building and offer and mitigate, truly mitigate risk? It's one [00:15:00] thing to keep talking about, to keep admiring the problem. It's nothing to want to put efforts in or money resource in to mitigate risk.
So our ultimate goal with IFMA is to raise awareness, offer training, but also offer an assessment tool and a certification tool. And Rob will talk about it in a minute. The assessment is provided by building cybersecurity. Where do you have vulnerability gaps? How do you close them? And then how do you maintain that closure?
So you're, so you are truly mitigating risks over time. And that's really the partnership with Rob. I know you're really interested in the, in the certification.
Rob Murchison: Yeah. So like we talked about beginning as a company called Intelligent Buildings. We believe that technology can have a big impact on the built environment if addressed properly, but we have to be connected and protect it.
The opportunity is to be connected and protected without a huge lift, right? We have to get that protection in place. There are things that you could do over time to become better, but you got to start somewhere. So the partnership between Intelligent Buildings [00:16:00] and BCS is the ability to quickly put in a managed service.
That addresses the protection piece out of the gate in 24 hours. And now what you do, that opens up the opportunity to do a lot of other things within your built environment in a harmonious relationship. Give them an idea of the cost for them to be able to get those protections in place. So a building you can start as low as 600 a month.
Right. It's, we're not talking, it was zero capital cost. Yep. Yep.
Lucian Niemeyer: So that's really, you know, what we see as that, you know, it's not a matter of if you're ever going to have a cyber attack, it's a matter of when it's just a growing profession. So what can you do now to start reducing that risk? It's kind of like when you buy a computer at home, you can install aftermarket software to reduce your risk.
It's not a guarantee. But there's a good chance that you're going to be blocked or you're going to be prevented from having 95 percent of the malware that's out there and bad viruses infect your system. Same what we're doing. We won't guarantee that you'll never have a problem. We'll just significantly [00:17:00] reduce the attack factors and the risk by the combination of the framework we provide and what companies like Intelligent Buildings can do to execute on behalf of facility managers.
Rob Murchison: And I would also point out for the facility managers that are listening to this. Many of you, most of you are faced with a world where you're getting more square footage and not more staff. And by connecting and protecting the building, we now have the ability to use data to drive automation, to use the appropriate amount of staff, where it's adding more and more folks when you don't have the budgets.
Lucian Niemeyer: So look, I mean, you know, right now we're in the end of 2023, commercial real estate's a little bit of a free fall, vacancy rates are 20, 30, 40%. There's a lot of building owners and operators and facility managers are looking for ways to get folks back in the buildings. For me, technology is the key. You can only get so much done sitting in your, at your home computer.
You're going to see a lot of progressive facility owners, real estate owners, investing in advanced technologies in order to [00:18:00] offer, you know, generative AI, machine learning, and speeds of data that you can never get anywhere at home. In order to get folks back into the office, holographic teleconferencing, advanced audio visual, incredible community collaboratives technologies.
These are all part of the PropTech future. How do you protect those? You're going to want those for vendor generation. You're going to want those for enhanced user experience. How do you protect them?
Host: Are you ready to connect with FMs who live in your area, work in your industry, or share your interests? IFMA chapters, industry councils, and communities have opportunities for you to be involved as you want to be. Visit ifma.org to find your group.
Rob Murchison: That is the bottom line. And I was also going to add to, to, this is for any type of facility. This is just not office.
This is life sciences. This is retail. This is higher education. It's independent of the type of asset that we're talking about. And it's any technology in any built [00:19:00] environment.
Lucian Niemeyer: So in conclusion, for those of you who are listening in and you want to know more, the IFMA website has a link to cybersecurity.
I would start there. There's some great research and there's also some great tools as training. If there are folks out there would like to get a hold of building cybersecurity and intelligent buildings. Our website is www.buildingcybersecurity.org. So that's a good way if you would like to go direct to us to figure out how you can use our framework and then Rob to get ahold of you.
Rob Murchison: Get ahold of us. We're just at Intelligent Buildings, that's buildings with an S dot com. And you can go on our website and learn more about our Advantage Services. Yep. So Stacey, appreciate the opportunity.
Stacey Shepard: Well thanks for taking the time to come in. I think this has been a great and informative discussion.
The fact that BCS and IFMA have had this strategic partnership only for a little over a month ago. And we're looking forward for great things to come.
Lucian Niemeyer: All right. Appreciate it. Thank you.
Host: [00:20:00] Thanks for tuning into the Connected FM podcast. If you enjoyed today's episode, please take a moment to rate and review the show because it really helps us reach more listeners just like you. And don't forget to hit the subscribe button so you never miss an episode. See you next tim