
Carly Trout
Welcome everyone to today's episode of the Construction Leaders Podcast, presented by CMAA. I'm Carly Trout. And before we welcome today's guest, I would like to introduce a new voice from CMAA. My colleague Evan Hendershot is CMAA's Director of Content, and he'll be here with me today to dive into the world of security. Welcome, Evan. Thanks for joining.
Evan Hendershot
Hi, Carly. Thank you for having me. And I'm excited to be here in my first CMAA podcast.
Carly Trout
Awesome. So let's jump into today's topic. Understandably, in construction, we talk a lot about the importance of safety, as we should. But we don't often hear about the related topic of security. More specifically, we'll be talking today about converged security, which is the unified approach to safeguarding every facet of your organization, from physical security to cybersecurity investigations, executive protection, fraud prevention, law enforcement support, and more. We'll explore how all of these critical areas come together to protect your people, your data, and your assets. Here to talk about the operational concepts that drive converged security is Jim McConnell, the principal at Ask McConnell. Jim has had the privilege of working in corporate security for over 30 years, most recently as a fellow in a Fortune 25 corporate security organization. He is now serving clients, including from the construction industry, by solving key security pain points from a converged security perspective. Jim is a volunteer first responder and an adjunct professor at Texas A&M. He also has 15 US patents and recently published a book on converged security metrics and another on converged safety metrics. And just a teaser, he'll be doing a webinar for CMAA as well on safety metrics, so be on the lookout for that. Jim, welcome to the podcast.
Jim McConnell
Oh, such an honor. CMAA is a great organization and hopefully I can contribute a little bit, get some people thinking around these different areas and improve their environment and their operations and do a little bit more thinking and balancing the safety and the security side. So honored to be here and welcome to conversation.
Carly Trout
Great. We're excited to get started. We usually kick things off by having our guests just briefly introducing themselves to our listeners. So maybe you could tell us how you get started doing the work you're doing and specifically how you got involved in construction.
Jim McConnell
Sure. I started out in what we might call the IT world today. It was not called that back then, but just people having software problems and little IT help desk. That drove into an interesting opportunity for me to be exposed to security very early on in my life and career. And that drove into getting my first security job about 30 plus years ago. And from there got the unusual opportunity and blessing to experience a number of different areas of security across the corporation. So physical and cyber and fraud and all the things that in the converged security model, which was an unusual career path, I know, but that drove me into the opportunities to support the faith based community. So I do a lot of pro bono work in the faith based community. So that grounded me into folks that don't have a lot of money but still have the same needs as large environments. And then as I started my own consulting and training company, I had a couple clients very quickly on that were in the construction industry. And then I had some folks ask me to participate in some bids for some school buildings, school build outs from the environment and so started to enthrall on that. Have taken my first three OSHA classes from Texas A&M TEEX. I'm digging right into it, learning a lot about it and learning maybe where some of the gaps are that I have already discovered.
Carly Trout
Great. And selflessly being involved in the construction industry. We are happy that you have joined this realm and are doing the work you're doing. So in the intro I did give an overview of converged security, but I'm sure you can explain it better if you can let us know what it entails and maybe what the difference between security and safety are.
Jim McConnell
Sure. So whether I am doing mentoring, talking to a pastor, talking to a big corporation construction organization, I always started out with do we understand or is there a consistently within the organization around what's the difference between safety and security. Now my answers are not the right answers for everybody. I publish them on my website and stuff like that just so I'm consistent. But for me, safety is the prevention, detection and response to accidents. Spilt milk, broken glass, extension cord going across. And then security is the prevention, detection and response to a crime or a violation of organizational rules. And so when I separate those, now we understand that there's a different mindset, a different skill set and a different set of governance and procedures. So from a converged security standpoint, now we start to say when somebody says security and construction, you're talking about we put up some cameras at the construction site. Okay, that's good, good on the checklist. But what about cybersecurity? What about customer data? What about the confidential plans of saying you're doing a unique project that requires some high confidentiality? What about security with your subcontractors, background checks, et cetera? So it really encompasses all the different areas of security it doesn't mean that a particular area is prioritized higher or lower. It just says, let's think about security robustly across not just the different domains of security, but also across our organization.
Evan Hendershot
That's great, Jim. I think that really begs the question though, who is responsible for this converged security? You might have a competent safety person on your team, but are they the people that would be responsible for security as well?
Jim McConnell
It could be by default, as I always tell people, either ask the CEO who their security person is and whoever they name is probably the first person that's responsible, whether they like it or know it or not. But I, I always say when I'm talking to folks is at 3 o'clock in the morning on a Sunday when you know something goes boom in the night that's security related. Who gets that call? Is it the safety person? Okay, maybe they're not skilled, but who stands in front of the ZNN truck and the podium to answer security challenges that may be on television at that point? It is a different skill set though. I have seen both sides. Security people having some safety experience and safety people having some security experience. But we hate to say it, but the default is the CEO. But when we move it down, sometimes it could be by business unit, it could be by project. That's okay, but that is sometimes the biggest challenge is some people are doing security, but it's so decentralized or disorganized that we don't know who the owner is. And so discovering that sometimes is step one. Because again, I don't think the CEO or any of the C level suites of an organization want to be standing in front of the media answering questions or a regulator or somebody like, or a customer answering questions that they're not prepared to.
Evan Hendershot
Where would you suggest you start that discovery process? Is it just as simple as asking yourself that question and saying who should be in charge of these situations?
Jim McConnell
Yeah. So what I tend to do when I talk to clients or folks is it's a little bit of proverbial virtual or real whiteboard and says, let's just start with locks and keys. We all know that. We know it very well. We've got keys and locks, whether it's on fleet vehicles, construction vehicles, or on the door outside. There's an old saying is that why does a convenience store, it says they're 24 by 7, have locks on the doors? So same way in the construction world. So sometimes it's just, hey, who's in charge of locks and keys? Oh, even if you outsource it, somebody internal is in charge of that. That's Billy Bob. He's the facilities guy. Great, let's put him on there. Who does Billy Bob roll up to? He rolls up to this level in the organizational chart. And then we go into who's in charge of say, IDs and passwords on all the computer stuff. Write that person's name in there. And again, if it's multiple people, that's fine, but it's sometimes it's just. Let's start with the things that we know. We're doing security so we don't get into all the things that we may not be doing or not doing. Well, let's just start with the simple stuff. So IDs and passwords, locks and keys are some accounts payable so we make sure we're not having fraud. In the accounts payable side, the receivable side, there's three right there. Can you name those people that are in charge of that? And then if you got that, got a starting point.
Evan Hendershot
Yeah, Wonderful. That's a great starting point. Beyond that, however, Jim, you have such a unique and diverse background working with a lot of different industries. For you, what are some security functions that the construction industry might not be considering? You're obviously bringing a unique background and some diverse skills from your industry experience outside of construction. So what are some things that our industry might be able to learn from those other industries?
Jim McConnell
Sure, I'll take two of them. Both of them relate to some work that I've done recently. One is around cybersecurity. And if we got these big construction projects and stuff like that, what happens if all the laptops and tablets and computers related to that project are no longer available? How fast could you recover? I'm not a headline person, so I'm not here to say 12 out of 10 type of thing. But what if all those computers were not available? They were blacked out. And they were blacked out for weeks. What does that do to your schedule? So one side is cybersecurity I find is weak because it's hard because it's. We're so interested in the construction industry about stuff we can touch. We build stuff that we can touch. So in the cyber world, we can't touch it, we can't feel it, we can't turn it on, turn it off easily type of thing. So that tends to be a challenge on that side. The other side is really around fraud related to your supply chain. Are we hiring people that are have a good background check? Are we our suppliers and subcontractors doing the proper things in the way of compliance in our contract. So contract compliance in our supply chain is the second one and then fraud in the financial side. So those are three, and they're not easy skill sets that may be common in a construction world. And whether you're Billy Bob the Plumber that is having a struggle with people not sharing passwords to a $600 million construction company that says, don't we have all the security in our safety team? Maybe not. So it. Those are three areas that I think that are not again, the highest priority, but are things that I consistently see missing. In some ways, it's interesting to say, I'm afraid to admit that I don't have those things covered.
Evan Hendershot
All right, Jim, so you've named a lot of potential concerns so far and obviously those come with a lot of opportunities too.
Jim McConnell
But.
Evan Hendershot
But is there a risk to not having a lot of these security or safety functions in place? What's the potential risk to the construction industry?
Jim McConnell
Sure. So let's stick to those three so we don't overcomplicate it with more. So if we look at the cyber side again, what if the computers were not available? What if you're getting ready to put out a bid and the deadline is 5pm today and the computer that has all of the cost assessments are on there just goes away. It's got the skull and crossbones on the screen and says, I own all your data. How do you do that? Do you have a backup all the things that would be related to it and security there. That's scary. I hope that never happens. Let's go on the supply chain side. What if we had a supplier that was not meeting your customer security or safety or other requirements? Do you understand the contract and what those provisions are? And what if there is a crime or security violation on the site and the customer is investigating it and finds it's one of your subs, are you prepared to support them from an investigative standpoint or a response standpoint? And now you've got this flow down in the contracts that says, oh, I didn't tell them that the client said X, Y and Z. I didn't tell my subs that they also need to follow X, Y and Z direct, normally called flow down. Guess who's responsible? Me as the prime. It's hard to pass that those fines down, et cetera. And then a third area in the fraud area. Wow. What if you get an invoice that gets paid for $50,000 and you find out that when it was paid it got rerouted to a bank account overseas. And you don't think that happens? I can tell you for a fact that it does happen because I have, I'm working, I'm helping a client right now in that particular situation. Can a subcontractor, especially in larger projects, can a subcontractor be doing things that are fraudulent? And of course, if you're working with a government customer, fraud's a big deal. And what if that customer gets on their ethics hotline? A call about fraud in the project, who handles that? How's it handled? Who's the investigator?
Carly Trout
I wanted to circle back on the responsibility of all of these different things that we're talking about. I know you talked about the general contractors and subcontractors, but I'm wondering if you can tie in the construction managers being at sort of the level that oversees the project. Many times, for example, with safety, ultimately the general contractor is the one that boots on the ground that are responsible for site safety. But talking about security, is that similar with security and what is the CM's role in security?
Jim McConnell
Yeah, if I had to educate those CMs at any point, the first thing I would educate them is less about security, but who to report. Now again, you think just call 911? No, they're not going to call 911 on most things, but if they see a security vulnerability, they see a gate that was left open that could cause a security issue. So my first thing, sometimes as simple as, I'm not trying to add more onto their crazy plate, but can I give them a number that they can call? 24 by 7, 365. Maybe it's on a placard on the gate or whatever that says who to call and they're going to reach a security person. They're not going to reach a call center that just handles voicemail kind of thing. So they're going to reach a security person. So to me there's some education on some, maybe the four or five top five things that they should probably look out for, check around, maybe give them a laminated checklist before shift and after shift that's just security related so they can go down and check those things. Hey boss, if you could just check these five or 10 things and if you have an issue, give 1-800 a call, here's my number, et cetera. So top 10 kind of things for them to check before and after and then who to call. So if we just start with that, they of course then have some responsibility at that point, but they are the eyes on the ground. Again, I'm not here to make them security experts. I'm not necessarily making here to make them safety experts. What I am bringing them to is kind of like we have OSHA 10 and OSHA 30. I want to give them the OSHA 10 and OSHA 30 version of security while they're there. And by the way, some of that ties into for example, if they're passing out a lot of construction environments now have tablets and full computer setups, especially with trailers on bigger projects, etc. Some of that checklist may not just be physical security things, there may be some cyber elements.
Make sure all the computers are locked before you leave, make sure they're unplugged, whatever the requirements are. So give those top 10 and have them responsible for those basic things. And then of course we bring on resources, call them inspectors or whatever they want to call them. Bring on resources that come and check the place out more thoroughly on some regular basis in support of that construction manager.
Carly Trout
Yeah, I love a checklist. So it sounds like a really good practice. And you know, I'm wondering that construction managers have tools like the safety management plan and the project management plan. Would you recommend that that's a good place for this checklist or to outline sort of procedure there?
Jim McConnell
Yeah, I'm a big fan of what my former boss used to say one pagers. That's why I bought a laminator because sometimes it's the one pagers, it's the lamination type of thing. And so there's a couple of things that I would like the CM to do. One is around this checklist, walking around inside the buildings, around side the buildings, perimeter, et cetera. The other thing is if they're doing their call it a huddle or whatever, their safety briefing or how about that, let's add in a security thing. Hey ladies and gentlemen, what would y'all do if you came up in this morning and you found the gate open just like we do a safety briefing? Can we add in one question around security maybe once a week in those briefings? And so those are again about educating because again we're dealing with a lot of subs and different things like that. Yeah, it's a combination of that. But I would love the top 10 checklist.
Evan Hendershot
Without jumping too far ahead, Jim, to the future of converged security. I was curious because you mentioned how cybersecurity and physical security elements are coming together these days. Does it require a different skill set from some of the on site construction staff to be more aware of some of these tech tools when the physical and cybersecurity elements converge. And do you find that there's any resistance to some of these items or do you find that construction managers and people on site are adopting these integrated tools?
Jim McConnell
Well, yeah, Billy Bob the plumber that I keep talking about, they're great at plumbing, they're great at the safety side of that. And all of a sudden the computer stopped working or they got that weird email or they got that call from the bank, whatever that is. Could that happen out at a construction site? Could a construction site get a phone call from a bad actor to kind of social engineer folks? Sure. So again, there's more training than just the checklists need to happen. But you know how many of our vehicles and fleet out there on site that have technology in them, they have GPS, they have telematics that are giving information about those vehicles around run hours and oil levels, et cetera. So there's this. If you look at a big construction site, imagine how much network and Internet traffic is going on without somebody necessarily sitting at a keypad. I suspect that it's significant for the larger the project. And again, it's awareness to these folks, not asking them to do more than they're already crazy doing, but to be aware. Hey, why does this. This doesn't look normal on this bulldozer on screen, their little bulldozer screen. There's a saying that we hear at the airport. If you see something, say something. It works here in the security at a construction site or a construction company, Mary the receptionist. If you see something, say something. Driver of that construction vehicle. If all of a sudden that screen goes out and turns red, you see something, say something. Don't discount it for that. It might be a security problem. Yeah, it might be just a software problem. We gotta reboot. But could it be a security problem? Let's not waste that phone call to say, hey, wait a minute, we got all of our construction trucks out here. Got a red skull and crossbones on the screen. This doesn't look right, boss, we're stopping.
Carly Trout
So time is flying by here. This is a great conversation, but we actually only have time for one more. So I'm wondering if you could maybe give some resources for those who are starting out. Maybe this is a new concept for them and they want to know where to look. Maybe. Do you have a self assessment for folks to go to and how to get started?
Jim McConnell
Absolutely. So on my website, I have a askmcconnell.com I've got a checklist area there. There's a self assessment that's not specific to construction, but to corporations and small business and large business. And it really steps through a number of key security functions, physical and cyber and fraud and everything else, and then starts to help people self assess themselves. I do encourage folks to have multiple people in your company fill it out because you might get different answers to those. But very simple. If it pops up and something on there is a it's an Excel file. So if something on there is blank, that's an answer. If you don't know the answer, that is an answer. So that may be something where, hey, we're comfortable on these five areas. We're green across the row on that one. But here's some areas that they're on a gap for them. Again, that gives you a good starting point. Not that you're going to neglect the green, not that they're running very mature. But that self assessment is there for folks to take advantage of that. And if they've got questions about that, I'd be honored to help out.
Carly Trout
Great. That is really good to know about. Jim, thank you so much for joining the podcast today. It was really great to speak with you and hopefully your insights can help us all build a safer and more secure future for our organizations.
Jim McConnell
It was an honor and hope to support CMAA in the future and lots of different areas and be a resource to your members and ultimately their clients.
Carly Trout
Great. So just for our listeners, as a reminder, if you'd like to learn more, you can visit askmcconnell.com/construction. On the next episode of the Construction Leaders Podcast, we'll be rejoined by a previous guest, Vincentesta, with Procon Consulting. This time he'll be here to discuss his take on AI and other recent headlines and their impact on the construction industry. As always, be sure to subscribe to the podcast and you can follow us on social media maahq. We would also love for you to leave a review with your thoughts on today's episode and let us know what you'd like to hear in the future. On behalf of CMAA, I'm Carly Trout with Evan Hendershot. Thank you for listening.
Construction Leaders Podcast: Converged Security – Protecting People, Projects, and Data
Presented by the Construction Management Association of America (CMAA)
Release Date: May 1, 2025
Host: Carly Trout
Guest: Jim McConnell, Principal at Ask McConnell
In the latest episode of the Construction Leaders Podcast, Carly Trout, alongside Evan Hendershot, CMAA's Director of Content, delves into the critical topic of converged security within the construction industry. Unlike the commonly emphasized safety measures, security encompasses a broader spectrum, integrating physical security, cybersecurity, fraud prevention, and more to safeguard people, projects, and data.
Jim McConnell brings over three decades of experience in corporate security, having recently served as a fellow in a Fortune 25 corporate security organization. As the principal at Ask McConnell, he specializes in addressing security challenges from a converged security perspective, particularly within the construction sector. Jim is also a volunteer first responder, an adjunct professor at Texas A&M, holds 15 US patents, and is an author of books on converged security and safety metrics.
Jim McConnell opens the discussion by differentiating between safety and security:
"Safety is the prevention, detection, and response to accidents... Security is the prevention, detection, and response to a crime or a violation of organizational rules."
(04:39)
Converged security adopts a holistic approach, ensuring that all facets of an organization are protected. This includes not just traditional physical security measures like cameras but also cybersecurity protocols, protection of confidential project data, and securing the supply chain against fraud and compliance breaches.
A pivotal question raised is: Who is responsible for converged security within an organization? Jim emphasizes the importance of clearly defining roles:
"Either ask the CEO who their security person is and whoever they name is probably the first person that's responsible... sometimes the biggest challenge is some people are doing security, but it's so decentralized or disorganized that we don't know who the owner is."
(06:33)
He suggests starting with identifiable security functions such as locks and keys management, IDs and passwords, and accounts payable to determine who within the organization holds responsibility for each area.
Jim identifies key security functions that the construction industry might not fully consider:
Cybersecurity Resilience:
"What happens if all the laptops and tablets and computers related to that project are no longer available?... How fast could you recover?"
(09:50)
Supply Chain Fraud Prevention:
Ensuring subcontractors and suppliers adhere to security and compliance standards to prevent fraudulent activities within the supply chain.
Financial Fraud Detection:
Addressing risks such as invoice fraud, where payments might be rerouted illegitimately.
These areas highlight vulnerabilities that, if unaddressed, can lead to significant disruptions and financial losses.
Jim elaborates on the potential consequences of neglecting converged security:
Cyber Incidents:
Disruptions in critical computing resources can derail project timelines, especially during critical phases like bidding.
Supply Chain Compliance Failures:
Violations by subcontractors can lead to contractual penalties and damage relationships with clients.
Financial Fraud:
Fraudulent activities can result in substantial financial losses and tarnish the organization's reputation, especially when dealing with government contracts.
"If you don't have a backup all the things that would be related to it and security there. That's scary."
(11:55)
Carly Trout inquires about the specific responsibilities of Construction Managers (CMs) concerning security. Jim advocates for empowering CMs with practical tools and knowledge:
"Can I give them a number that they can call?... some of that checklist may not just be physical security things, there may be some cyber elements."
(14:33)
He recommends integrating security checklists into existing management plans and conducting regular security briefings akin to safety briefings. This proactive approach ensures that CMs remain vigilant and responsive to potential security threats on-site.
The integration of physical and cybersecurity requires a nuanced skill set from on-site construction staff. Jim discusses the necessity for increased awareness and training:
"There's more training than just the checklists need to happen... If you see something, say something. It works here in the security at a construction site."
(18:32)
He highlights the growing intersection of technology and construction operations, such as the use of GPS and telematics in fleet management, which necessitates a heightened awareness of potential cyber threats alongside traditional security measures.
For organizations looking to assess and enhance their security posture, Jim recommends utilizing self-assessment tools available on his website:
"I have a checklist area there. There's a self-assessment that's not specific to construction... it really steps through a number of key security functions."
(20:45)
He advises involving multiple stakeholders in the assessment process to gain a comprehensive understanding of the organization's security strengths and gaps.
"Safety is the prevention, detection and response to accidents... Security is the prevention, detection and response to a crime or a violation of organizational rules."
— Jim McConnell (04:39)
"Either ask the CEO who their security person is and whoever they name is probably the first person that's responsible..."
— Jim McConnell (06:33)
"If you see something, say something. It works here in the security at a construction site."
— Jim McConnell (18:32)
Jim McConnell's insights underscore the indispensable role of converged security in the construction industry. By adopting a unified approach to security, organizations can better protect their people, projects, and data, ensuring sustained success in an increasingly complex landscape.
For more information and resources, visit askmcconnell.com.