Page 49 - RC21 EDGE Summer Issue
the teams. As the two groups got to know each other, an awareness of each team’s culture developed. Brian Roper (Cybersecurity Manager, Silverstein Properties) concurred, “I couldn’t agree more as the human connection is one of the most important parts of any IT project.” All the panelists agreed that personal relationships are critical to ensure success, especially as it applies to securing commercial and corporate real estate information and operational technologies.
Don Goldstein (CEO, 5Q) conveyed that it is also necessary to ensure that whatever team is supporting your OT has a good understanding of the OT functional purpose and how the underlying security is managed. While this is important for internal support teams, if any of the OT support services are outsourced, it is crucial. Don said that ANY outside firm that is brought in to help must have a good understanding of the OT—as you can’t manage or ensure what you don’t understand!
Sabine Lam (Building Operating Systems Global Lead, Google) stated that while IT policies should be applied to the OT world, you need to be pragmatic in your approach and understand that OT has a lot to catch up on. At a minimum, OT devices must meet security requirements to sit on the network. Sabine went on to say, “IT principles are guiding the solutions we are putting in place around managed networks, network scanning, password management, etc.” In my experience, and during our vendor discussions, we conveyed a similar premise. As a device on our network, you are a guest and must abide by our rules. While we thought this was a basic tenet that everyone could support, not every manufacturer could address security deficiencies in either their products or support models.
Data privacy was raised as another concern that companies are facing with the increasing presence of OT devices. Sabine said that a key element of their device qualification process requires that systems not be installed if there is any concern around data privacy, employee privacy, or GDPR compliance when PII (Personally Identifiable Information) is captured. This has drastically limited their deployment of third-party solutions for anything that uses personal data.
Ken Kurz (CIO, COPT) agreed with eliminating the cultural barriers, as IT and OT teams should learn from each other, “...from the facilities engineer to the boardroom, everyone has a role to play relative to risk management... the organization needs to think about it holistically.” Ken said that he believes, “showing how you can help” is a good start to building rapport between support groups and that collaboration is key. Collaboration extends beyond your organization, to other peers and industry bodies like the Real Estate Cybersecurity Consortium (RECC).
As anyone who has been on this journey can attest, it is not simple and there are many paths available. Still, not all paths lead to successful management of the problem. Like many collaborative organizations, the RECC offers a community of seasoned industry professionals who have come together to “improve the industry.” Along the way, we hope to provide insight and aid to others on their journey. The key message here is to collaborate and learn from others, whether that comes from within an organization, or with outside peers and associations. By collaborating with others, we have the proof that “twains can meet.” RECC is an example of how active participation from both the IT and OT sides of the commercial real estate industry is helping to bring the twains together.
Charles Meyers has over 40 years of financial systems and technology experience. Currently, he is spearheading the Real Estate Cyber Consortium (RECC) to elevate awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities. He recently retired and was formerly the SVP & Chief Technical Architect, Corporate Property Group of Wells Fargo and was responsible for emerging technologies that optimize the company’s real estate portfolio.