As an industry, our modus operandi has been to connect everything to everything else. Plant, sensors, access control, lifts, lighting, room booking, visitor management, energy platforms, workplace apps, tenant experience tools, you name it, we integrated it. And good job we did, AI enablement needed it! The commercial case for doing so sounded sensible enough: better data, better operations, better experience, better performance.
What has been less sensibly discussed is that, in making buildings more connected, we have also made them more exposed.
A modern smart building has moved beyond being a physical asset supported by technical systems. It is part of an organisation’s digital DNA, whether the organisation has fully accepted that fact or not. Once building systems are IP-enabled, remotely accessible, integrated with enterprise platforms, or connected to cloud-based applications, they cease to be an isolated engineering concern and become part of the wider attack surface. At that point, cybersecurity is not an optional extra for particularly nervous clients. It is now a fundamental part of the building brief.
This matters because the consequences have moved past a few awkward headlines for the real estate team. A cyber incident affecting building systems can now disrupt operations, compromise safety, expose personal data, interrupt critical services, impair tenant confidence and, in some sectors, create material business continuity risk. For owners and occupiers alike, the question is no longer whether smart technology introduces cyber risk. It plainly does. The real question is whether that risk is being governed with the seriousness it deserves. Too often, it is not.
Part of the problem is structural. Smart buildings sit in the weird place between corporate IT, operational technology, real estate, facilities management, external vendors and specialist integrators. Everyone touches the risk; nobody fully owns it. Meanwhile, the market has been enthusiastic in deploying connected technologies without always being equally disciplined in defining security architecture, access controls, patching responsibilities, vendor obligations or incident response procedures. It turns out that adding connectivity is easier than adding governance. Few will be surprised.
The answer, however, is not for corporate IT to respond by treating the building as a suspicious foreign power and blocking anything with a BMS attached to it. That may reduce immediate anxiety, but it does not solve the problem. In fact, it often makes matters worse by driving operational systems into unmanaged corners, encouraging workarounds, and deepening the institutional divide between those who run the business and those who run the building. The role of corporate IT should be neither passive approval nor reflexive obstruction. It should be active stewardship.
That means engaging early in design, procurement and delivery, not being invited in after the systems are installed and everyone has already become emotionally attached to the architecture diagram. It means helping define network segmentation, identity and access management, remote access policies, data flows, vendor assurance requirements and monitoring arrangements. It means recognising that building technology is now part of the enterprise environment, but one with different operational constraints from laptops and SaaS platforms. Chiller plant is not a finance server, and pretending otherwise is not a strategy.
Owners and occupiers, for their part, need to become more disciplined clients. Cybersecurity should be specified contractually, not appended politely at the end. The operating model should identify who owns cyber risk across the asset lifecycle, who maintains what, how systems are updated, how third-party access is controlled, and what happens when something goes wrong. If those questions have no clear answer, the building is not smart. It is merely connected.
The industry has spent years discussing what smart buildings can do, and rather less time discussing what they can now expose. The next phase of market maturity will be defined by whether owners, occupiers, IT leaders and delivery teams can treat cybersecurity as a core condition of operational trust. A building that is digitally enabled but not defensible is a liability with a user manual.
In Dr Marson’s monthly column, he’ll be chronicling his thoughts and opinions on the latest developments, trends, and challenges in the Smart Buildings industry and the wider world of construction. Whether you're a seasoned pro or just starting out, you're sure to find something of interest here.
Something to share? Contact the author: column@matthewmarson.com
About the author:
Matthew Marson is an experienced leader, working at the intersection of technology, sustainability, and the built environment. He was recognised by the Royal Academy of Engineering as Young Engineer of the Year for his contributions to the global Smart Buildings industry. Having worked on some of the world’s leading smart buildings and cities projects, Matthew is a keynote speaker at international industry events related to emerging technology, net zero design and lessons from projects. He is author of The Smart Building Advantage and is published in a variety of journals, earning a doctorate in Smart Buildings.