Rich with multi-generational firms steeped in traditions of craftsmanship and longtime relationships, general contractors are often regarded as venerable institutions. Yet when it comes to managing cyber security risk, some in the construction industry still have some growing to do. Mike Benz, M.S.S.T., Vice President of Information Technology at Kraus-Anderson, recently walked us through some of the cyber security challenges faced by contractors, and a new approach to identifying and addressing those challenges.
Q: You have stated that the construction industry is among the least mature industries in terms of its cyber security risk exposure and resilience. Why is that?
MIKE BENZ: Construction has not seen itself as a high-tech industry. We haven’t been transformed by radical technological changes that now define so many industries. Many general contractors focus on the enormous structures they build out of concrete and steel, just as they have for decades. From my perspective, general contractors are in the information, communication, and risk management business. Those functions are highly-dependent on information and communication technologies – areas where the industry has advanced dramatically. It is, however, in these areas where we’ve created a lot of vulnerability without necessarily realizing it.
Q: You assert that there are four questions that construction IT leaders should answer in order to address their company’s exposure to cyber risk. What are they?
- “Where is our company exposed to serious cyber security risks?”
- “What is an acceptable level of risk?”
- “How do we compare with others in our industry?”
- “What can we do to improve our maturity in areas where we are sub-standard?”
Q: How does an IT leader in this industry typically answer those questions?
MIKE BENZ: There are generally three approaches: One, hire a trusted consulting firm to review risks and recommend risk reduction strategies. This is a costly investment, which is often a lead-in to more consulting work.
Two, a company might purchase and implement security products every time they encounter a security incident. Think of this as the “Whack-a-Mole” approach.
Three, the Do-it-Yourself method. An IT leader can select a framework and follow its methodology. This represents a big investment in time and they may not get any specific recommendations for improvement.
For most companies, these are all poor choices. Many IT leaders will choose option four: Do Nothing. This, of course, allows the risk to grow.
Q: You tested the suitability of a number of frameworks for improving cyber maturity, and found each of them problematic. What were some of the shortcomings?
MIKE BENZ: They were not easy to use and they required special expertise to manage. Several were costly, few established standards, and none offered specific recommendations for improvements or described the cost/effort of implementing any of the recommendations.
Q: So in response to that need, you’ve created the Construction Maturity Evaulation Tool, or CMEnT to help construction leadership self-evaluate their cyber security risk exposure, and recommend strategies for risk reduction. On a high level, talk about the research you drew from to create this tool.
MIKE BENZ: The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) provides a vocabulary and a framework for classifying computer security risks. It’s a great starting point, but it’s very broad and does not provide practical, actionable recommendations to reduce risk.
Q: The CMEnT is an impressive accomplishment, as you streamlined a great amount of data into a concise survey. Talk about that.
MIKE BENZ: NIST CSF and other frameworks are designed to address the problems across multiple industries, including banking, retail, healthcare, utilities, and transportation. CMEnT focuses on the areas of risk most common to the Construction industry. It asks 35 questions which can be answered in 10 minutes.
Q: The CMEnT assesses an organization’s maturity levels in five categories, based on its abilities to IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. Would you explain each of these briefly?
IDENTIFY – what do we own that we can’t lose? (Ex. Drawings, budgets, contracts, change orders, payroll data, email, and communication systems)
PROTECT – what are we doing to protect our assets? (Ex. Encryption, multifactor authentication, antivirus, firewalls, redundant systems, or insurance programs).
DETECT- how do we know when somebody is inside of our systems, stealing our data or getting ready to lock us out?
RESPOND – how do we tell our employees and customers that we have a problem, limit our losses, and get back to normal operations?
RECOVER – how we learn from experience and reduce our future risk?
Q: The 35 questions in the online survey ask the respondent to self-rate their current state, along a spectrum of maturity. Explain these:
NONE- Company does not perform this function.
REACTIVE; Not formalized, ad hoc and reactive
FORMALIZING- Approved, but not yet implemented company wide
REPEATABLE- Approved, implemented, and part of formal operating procedures
ROLE MODEL- Company proactively adapts, based on emerging threats and tools
Q: How do the CMEnT’s results help the contractor identify areas for improvement, or priorities for improvement?
MIKE BENZ: I offered the online survey to the IT leaders at 50+ general contractors, assuring them anonymity and confidentiality, aggregating responses, comparing each participant’s maturity rating to the average scores and to industry best practices. Each participant received a 2-page report card showing their maturity graphically in comparison to others, and offering specific recommendations for improvement in areas where they fell below the average or best practices. The recommendations described the cost, effort, and relative value of each corrective action. (See images)
Q: What feedback did you receive in terms of the tool’s ease of use, and value?
MIKE BENZ: The survey took only 10 minutes to complete. A number of respondents planned to share the report card with their senior management, helping make the case for authorizing the risk-reduction efforts. Several IT leaders reported that this tool provided similar value to services offered by outside consulting firms.
Q: For you, what have been the most valuable takeaways from building and testing this tool?
MIKE BENZ: I found that General Contractors:
– Fall far short of security best practices
– Are eager to reduce their risk, but don’t know where to start
– Could easily implement a few basic improvements which deliver benefits that are higher than their cost.
Additionally, IT Leaders can improve maturity and reduce risk when they:
– Communicate individual company results to senior management
– Discuss their company’s risk tolerance
– Assign someone to be responsible for cyber security
– Build a plan to implement improvements and lower risk
– Commit to continuous improvement and communication about risk strategies with senior management
Q: Congratulations on earning your M.S.S.T. degree from the University of Minnesota. I understand your next academic goal is pursuing additional courses in the U of M’s Technological Leadership Institute (TLI). What do you hope to learn?
I am interested in the U of M’s Management of Technology (MOT) graduate program. They offer a series of courses in Creating Technological Innovation, Pivotal Technologies, and Technology Foresight & Forecasting. These will provide me with some tools for assessing technologies, trends, and their potential impact on the construction industry.