Governance, risk and compliance (GRC) strategies are at a pivotal time where the convergence of physical security and IT systems is allowing facility managers and security professionals to optimize risk management programmes and streamline proactive threat protection.

"In the coming years, having a governance, risk, and compliance strategy will become an integral part of business planning and operations," states Greg Parker. "IBM’s 2023 Data Breach Report found that the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over 3 years. The challenge though, is that businesses are currently facing competing priorities, so they are looking for ways to streamline operations while also building up risk management programmes."

According to Parker, the solutions generating the most excitement in 2023 were those that brought real-time visibility into the full building system, bridging the frequent and troublesome gap between IT and physical security teams. "Practitioners are looking for tools that will provide insights and context behind their facilities' threats, as well as help to maximize the efficiency of operations," he says.

The biggest threats in today’s security landscape

"The security landscape for building owners is multifaceted, encompassing physical security threats like break-ins, environmental risks such as natural disasters and cyber security vulnerabilities brought about by the growing reliance on smart building technologies. This dynamic landscape highlights the importance of regularly assessing and adapting security measures to address emerging threats and maintain a resilient security programme.

The Johnson Controls Tempered Airwall gateway offering, which provides zero-trust security within the fabric of Opeblue Security Lifecycle Management, was made with this in mind. In order to mitigate threats, building owners must have a clearer picture of their networks. Having a zero-trust cyber security architecture protects, connects and centrally manages access to security devices to proactively protect devices and simplify network management."

He stresses that In today’s landscape, building and facility owners can’t afford the financial, reputational and, most importantly, safety risks associated with compromised security devices.

Evolving priorities and evolving threats

Johnson Controls recently collaborated with Forrester Consulting on a survey of security decision-makers regarding the future of smart buildings and the results showed that 63% said improving occupant safety is a top priority for their building systems. When speaking directly with customers across various industries including higher education, healthcare, facilities and more, Parker says that they are currently looking to:

• Enable system-wide monitoring and optimization to achieve equipment and operational efficiency.

• Secure resources and expertise to keep all systems updated with critical patches.

• Leverage technology that factors in all building systems and operational elements such as HVAC, security, emergency response, medical and more.

• Access external resources and expertise to keep up with security updates due to labor shortages and a lack of internal support.

Challenges for building owners and operators to mitigate risks effectively

"Monitoring and managing security infrastructure is challenging for a variety of reasons. Our survey with Forrester also revealed that physical and data security still exist in silos in many cases and that organisations need help with continuous monitoring of building security systems," comments Parker. "Building security decision-makers are struggling to receive actionable insights. Nearly two-thirds of security decision-makers struggle with getting information from all necessary systems for the full context of security threats."

According to the survey many companies are looking for more co-ordinated information:

• 64% of building security decision-makers feel they need to collaborate more with IT.

• 63% of respondents said they sometimes struggle to manage and verify uptime and health of video surveillance or access control systems.

• 58% indicate their cyber security teams lack 24/7 visibility into all building systems.

• Only 42% of security decision-makers indicate their teams have 24/7 access to alerting/monitoring from all building security systems.

Integrated risk management programme

Greg Parker suggests that building owners should develop an integrated risk management programme, which can leverage data collected by many of the building systems they’ve already implemented. Risk management bolstered by connected solutions can help them stay ahead of the potential vulnerabilities that can cost time, money and reputation.

According to the recent Forrester survey, companies with the ability to monitor and manage all building systems continuously struggle less with identifying and responding appropriately to threats. "Check out Johnson Controls new Openblue Security Lifecyle Management Services offering that’s providing building owners with peace of mind in knowing that skilled engineers are leveraging secure zero-trust connectivity and data insights for proactive health monitoring, rapid remote support, and ongoing updates of their security systems and devices," says Parker.

"In today’s landscape, building and facility owners can’t afford the financial, reputational and, most importantly, safety risks associated with compromised security devices. Turning to an integrated partner will help integrate data and analytics platforms, connect and optimise risk management programmes and streamline proactive threat protection," he concludes.