The glaring gap in technology risk accountability
As the threat landscape rapidly evolves, a critical question arises: who is responsible for ensuring that technology-related risks are properly accounted for in building design?
Traditionally, the AEC industry relies on an array of specialized professionals: architects ensure aesthetic and placemaking integrity, engineers handle structural and mechanical systems, together with functionality, while general contractors manage the physical build. Yet, technology and its associated risks have no clear owner. IT consultants and systems integrators may be brought in to deploy solutions; however, they are rarely involved in the architectural or engineering design process. This creates a fragmented approach to technology risk management, with cybersecurity often considered an afterthought rather than an integral design element.
The limitations of traditional engineering disciplines
Part of the challenge lies in the educational foundations of the AEC industry. Traditional engineering disciplines, such as electrical and mechanical, are not inherently trained to assess or mitigate cybersecurity risks.
Electrical engineers, for example, are experts in designing power distribution systems, integrating lighting, and specifying energy management systems. However, they are not typically trained to consider the cyber vulnerabilities of smart meters, connected devices, or remote monitoring platforms. Similarly, mechanical engineers who design HVAC systems may focus on performance efficiency and occupant comfort; nonetheless, they are not equipped to address the cybersecurity risks of IoT-enabled controls or network-connected components.
Even as building systems become increasingly digitized and connected, most engineering education programs have not evolved to incorporate cybersecurity risk management as a core competency. This skills gap leaves AEC professionals ill-prepared to identify and mitigate the technology risks inherent in modern buildings.
Introducing the technologist of record (ToR)
To address this growing gap, the industry should consider introducing a new role: the technologist of record (ToR). Modeled after the architect of record or engineer of record, the ToR would be a designated authority responsible for the technological integrity of a building throughout its lifecycle. This role would ensure that technology systems are properly designed and integrated, and also compliant with cybersecurity standards, resilient against evolving threats, and futureproofed for emerging technologies.
The ToR’s key responsibilities would be threefold. First, conducting technology risk assessments during the conceptual and design phases, identifying potential vulnerabilities in networked systems, IoT devices, and software platforms. This includes evaluating risks related to data privacy, access control, and system interoperability.
Second, the ToR would establish cybersecurity and resilience standards for the building’s technology infrastructure. This includes specifying equipment performance, configuration, and documentation requirements. They would also apply industry frameworks, such as NIST, ISA, or relevant smart building security standards.
And third, the ToR would facilitate closer collaboration across disciplines. Just as architects and structural engineers collaborate, the ToR would work alongside MEP engineers, contractors, and owners to integrate technology risk mitigation into the broader design process. This ensures that cybersecurity and technology resilience are baked into the building’s DNA, not bolted on later.