The CDO Stack: Filling the Gaps in Your Cybersecurity Arsenal

Deloitte’s John D'Angelo on making sure your defenses are up to the challenge.

The other day, I had a discussion with leaders from one of our clients, and we had a good laugh about technology hype cycles. Those cycles are often reflected (hopefully not amplified) in this column, as I aim to shed light or add perspective on topics that are top of mind for our clients.

Certainly all things artificial intelligence and, in particular, generative artificial intelligence have been in the current cycle. And in the not-too-distant past, crypto and the metaverse have occupied cycles. One topic that deserves to be front of mind, but has mostly existed below the level of hype cycle, is cybersecurity.

istockphoto-1255099806-Image by NatalyaBurova
Image by NatalyaBurova/iStockphoto.com

I’m prompted to discuss cyber because of a couple of recent client interactions and my realization that it’s not a topic with which all companies feel comfortable, or comfortable discussing. From my experience, clients aren’t comfortable (for prudent reasons) in sharing their own cyber incident experiences, nor do many seem to be confident that their own plans, defenses and capabilities are up to the challenge. I understand the general reticence about the topic, but I realized how few forums there are to share experiences and reactions when there is a breach. Notwithstanding, I thought it important to give some basics about what you can and should do to prepare. To that end, here’s some advice from Deloitte’s leaders of cyber and strategic risk on preventing or responding to ransomware incidents, which have been on the rise:

Map out the most critical systems and assets: Chief Information Security Officers and Chief Information Officers could identify the assets (software, hardware, OT, process, people) that may be most essential to the organization’s mission-critical operations. At a minimum, they could implement basic cyber hygiene (password complexity, rotation, backup patches and vulnerability management, robust threat monitoring) for this manageable universe of assets. These minimal steps could help minimize the damage if an attack happens.

Prevent compromised information technology from spreading to operational technology: CISOs and CIOs could create a physical and logical separation of networks and data for different organizational units between corporate IT and OT (in this case, building-level operational technology). The idea is to help protect operational critical building technology from being rendered useless even if corporate IT systems become infected. While an infected IT system is not an ideal situation, cyber issues at the property are the stuff of nightmares.

John D'Angelo
John D’Angelo

Prioritize adoption of “Zero Trust”: Zero Trust is a new security paradigm where an organization commits to never trust, always verify as it relates to access. Staff may consider instituting systemwide safeguards by resisting trust for every transaction or action—even if they are recurrent or internal activities.

Pursue strategic initiatives for future resilience: CISOs and CIOs could review business continuity and disaster recovery processes for single points of failure (technical and human) in order to help support rapid response to an attack. Hire skilled cybersecurity leaders and staff that can provide a good balance of business acumen and the technical experience to help respond to an attack or threat. 

Proactively plan for a crisis: CISOs and CIOs should regularly perform cyber-simulation exercises to test incident response readiness and to help prepare for future disruptions. This may include crisis-management scenarios—with an emphasis on occupant safety, internal and external communications, and quickly restoring the mission-critical operations.

With large, single monetary transactions (assets purchase/sale), high-volume financial transactions (rent), and critical asset-level operations all in play, the real estate industry makes an enticing target for cyber criminals. For plenty of reasons, the topic is on the minds of Deloitte’s clients. Our annual survey of commercial real estate clients, conducted last summer, indicated that cyber was one of the most significant risks, ranked by potential financial impact, identified by client executives. As we interact with audit and risk committees of real estate clients, cyber is frequently listed as the highest priority topic. Hopefully you feel good about your operations against the recommendations above. If not, it’s worth being honest about why not and if that should change.

John D’Angelo is a managing director with Deloitte Consulting LLP and the real estate solutions leader, designing solutions to address client challenges and push the industry forward. With more than 30 years of experience as a management consultant to the global real estate industry, John has helped some of the biggest names in real estate leverage technology and use data to optimize and transform their operations.

Read the May 2024 issue of CPE.