Carly Trout (4:15)

Great. And selflessly being involved in the construction industry. We are happy that you have joined this realm and are doing the work you're doing. So in the intro I did give an overview of converged security, but I'm sure you can explain it better if you can let us know what it entails and maybe what the difference between security and safety are.

Jim McConnell (4:39)

Sure. So whether I am doing mentoring, talking to a pastor, talking to a big corporation construction organization, I always started out with do we understand or is there a consistently within the organization around what's the difference between safety and security. Now my answers are not the right answers for everybody. I publish them on my website and stuff like that just so I'm consistent. But for me, safety is the prevention, detection and response to accidents. Spilt milk, broken glass, extension cord going across. And then security is the prevention, detection and response to a crime or a violation of organizational rules. And so when I separate those, now we understand that there's a different mindset, a different skill set and a different set of governance and procedures. So from a converged security standpoint, now we start to say when somebody says security and construction, you're talking about we put up some cameras at the construction site. Okay, that's good, good on the checklist. But what about cybersecurity? What about customer data? What about the confidential plans of saying you're doing a unique project that requires some high confidentiality? What about security with your subcontractors, background checks, et cetera? So it really encompasses all the different areas of security it doesn't mean that a particular area is prioritized higher or lower. It just says, let's think about security robustly across not just the different domains of security, but also across our organization.

Evan Hendershot (6:20)

That's great, Jim. I think that really begs the question though, who is responsible for this converged security? You might have a competent safety person on your team, but are they the people that would be responsible for security as well?

Jim McConnell (6:33)

It could be by default, as I always tell people, either ask the CEO who their security person is and whoever they name is probably the first person that's responsible, whether they like it or know it or not. But I, I always say when I'm talking to folks is at 3 o'clock in the morning on a Sunday when you know something goes boom in the night that's security related. Who gets that call? Is it the safety person? Okay, maybe they're not skilled, but who stands in front of the ZNN truck and the podium to answer security challenges that may be on television at that point? It is a different skill set though. I have seen both sides. Security people having some safety experience and safety people having some security experience. But we hate to say it, but the default is the CEO. But when we move it down, sometimes it could be by business unit, it could be by project. That's okay, but that is sometimes the biggest challenge is some people are doing security, but it's so decentralized or disorganized that we don't know who the owner is. And so discovering that sometimes is step one. Because again, I don't think the CEO or any of the C level suites of an organization want to be standing in front of the media answering questions or a regulator or somebody like, or a customer answering questions that they're not prepared to.

Evan Hendershot (7:51)

Where would you suggest you start that discovery process? Is it just as simple as asking yourself that question and saying who should be in charge of these situations?

Jim McConnell (8:00)

Yeah. So what I tend to do when I talk to clients or folks is it's a little bit of proverbial virtual or real whiteboard and says, let's just start with locks and keys. We all know that. We know it very well. We've got keys and locks, whether it's on fleet vehicles, construction vehicles, or on the door outside. There's an old saying is that why does a convenience store, it says they're 24 by 7, have locks on the doors? So same way in the construction world. So sometimes it's just, hey, who's in charge of locks and keys? Oh, even if you outsource it, somebody internal is in charge of that. That's Billy Bob. These the facilities guy. Great, let's put him on there. Who does Billy Bob roll up to? He rolls up to this level in the organizational chart. And then we go into who's in charge of say, IDs and passwords on all the computer stuff. Write that person's name in there. And again, if it's multiple people, that's fine, but it's sometimes it's just. Let's start with the things that we know. We're doing security so we don't get into all the things that we may not be doing or not doing. Well, let's just start with the simple stuff. So IDs and passwords, locks and keys are some accounts payable so we make sure we're not having fraud. In the accounts payable side, the receivable side, there's three right there. Can you name those people that are in charge of that? And then if you got that, got a starting point.

Evan Hendershot (9:21)

Yeah, Wonderful. That's a great starting point. Beyond that, however, Jim, you have such a unique and diverse background working with a lot of different industries. For you, what are some security functions that the construction industry might not be considering? You're obviously bringing a unique background and some diverse skills from your industry experience outside of construction. So what are some things that our industry might be able to learn from those other industries?

Jim McConnell (9:50)

Sure, I'll take two of them. Both of them relate to some work that I've done recently. One is around cybersecurity. And if we got these big construction projects and stuff like that, what happens if all the laptops and tablets and computers related to that project are no longer available? How fast could you recover? I'm not a headline person, so I'm not here to say 12 out of 10 type of thing. But what of all those computers were not available? They were blacked out. And they were blacked out for weeks. What does that do to your schedule? So one side is cybersecurity I find is weak because it's hard because it's. We're so interested in the construction industry about stuff we can touch. We build stuff that we can touch. So in the cyber world, we can't touch it, we can't feel it, we can't turn it on, turn it off easily type of thing. So that tends to be a challenge on that side. The other side is really around fraud related to your supply chain. Are we hiring people that are have a good background check? Are we our suppliers and subcontractors doing the proper things in the way of compliance in our contract. So contract compliance in our supply chain is the second one and then fraud in the financial side. So those are three, and they're not easy skill sets that may be common in a construction world. And whether you're Billy Bob the Plumber that is having a struggle with people not sharing passwords to a $600 million construction company that says, don't we have all the security in our safety team? Maybe not. So it. Those are three areas that I think that are not again, the highest priority, but are things that I consistently see missing. In some ways, it's interesting to say, I'm afraid to admit that I don't have those things covered.

Evan Hendershot (11:38)

All right, Jim, so you've named a lot of potential concerns so far and obviously those come with a lot of opportunities too.

Jim McConnell (11:45)

But.

Evan Hendershot (11:46)

But is there a risk to not having a lot of these security or safety functions in place? What's the potential risk to the construction industry?

Jim McConnell (11:55)

Sure. So let's stick to those three so we don't overcomplicate it with more. So if we look at the cyber side again, what if the computers were not available? What if you're getting ready to put out a bid and the deadline is 5pm today and the computer that has all of the cost assessments are on there just goes away. It's got those going crossbones on the screen and says, I own all your data. How do you do that? Do you have a backup all the things that would be related to it and security there. That's scary. I hope that never happens. Let's go on the supply chain side. What if we had a supplier that was not meeting your customer security or safety or other requirements? Do you understand the contract and what those provisions are? And what if there is a crime or security violation on the site and the customer is investigating it and finds it one one of your subs, are you prepared to support them from an investigative standpoint or a response standpoint? And now you've got this flow down in the contracts that says, oh, I didn't tell them that the client said X, Y and Z. I didn't tell my subs that they also need to follow X, Y and Z direct, normally called flow down. Guess who's responsible? Me as the prime. It's hard to pass that those fines down, et cetera. And then a third area in the fraud area. Wow. What if you get a. An invoice that gets paid for $50,000 and you find out that when it was Paid it got rerouted to a bank account overseas. And you don't think that happens? I can tell you for a fact that it does happen because I have, I'm working, I'm helping a client right now in that particular situation. Can a subcontractor, especially in larger projects, can a subcontractor be doing things that are fraudulent? And of course, if you're working with a government customer, fraud's a big deal. And what if that customer gets on their ethics hotline? A call about fraud in the project, who handles that? How's it handled? Who's the investigator?

Carly Trout (13:57)

I wanted to circle back on the responsibility of all of these different things that we're talking about. I know you talked about the general contractors and subcontractors, but I'm wondering if you can tie in the construction managers being at sort of the level that oversees the project. Many times, for example, with safety, ultimately the general contractor is the one that boots on the ground that are responsible for site safety. But talking about security, is that similar with security and what is the CM's role in security?

Jim McConnell (14:33)

Yeah, if I had to educate those cms at any point, the first thing I would educate them is less about security, but who to report. Now again, you think just call 911? No, they're not going to call 911 on most things, but if they see a security vulnerability, they see a gate that was left open that could cause a security issue. So my first thing, sometimes as simple as, I'm not trying to add more onto their crazy plate, but can I give them a number that they can call? 24 by 7, 365. Maybe it's on a placard on the gate or whatever that says who to call and they're going to reach a security person. They're not going to reach a call center that just handles voicemail kind of thing. So they're going to reach a security person. So to me there's some education on some, maybe the four or five top five things that they should probably look out for, check around, maybe give them a laminated checklist before shift and after shift that's just security related so they can go down and check those things. Hey boss, if you could just check these five or 10 things and if you have an issue, give 1, 800 a call, here's my number, et cetera. So top 10 kind of things for them to check before and after and then who to call. So if we just start with that, they of course then have some responsibility at that point, but they Are the eyes on the ground. Again, I'm not here to make them security experts. I'm not necessarily making here to make them safety experts. What I am bringing them to is kind of like we have OSHA 10 and OSHA 30. I want to give them the OSHA 10 and OSHA 30 version of security while they're there. And by the way, some of that ties into for example, if they're passing out a lot of construction environments now have tablets and full computer setups, especially with trailers on bigger projects, etc. Some of that checklist may not just be physical security things, there may be some cyber elements. Make sure all the computers are locked before you leave, make sure they're unplugged, whatever the requirements are. So give those top 10 and have them responsible for those basic things. And then of course we bring on resources, call them inspectors or whatever they want to call them. Bring on resources that come and check the place out more thoroughly on some regular basis in support of that construction manager.

Carly Trout (16:48)

Yeah, I love a checklist. So it sounds like a really good practice. And you know, I'm wondering that construction managers have tools like the safety management plan and the project management plan. Would you recommend that that's a good place for this checklist or to outline sort of procedure there?

Jim McConnell (17:05)

Yeah, I'm a big fan of what my former boss used to say one pagers. That's why I bought a laminator because sometimes it's the one pagers, it's the lamination type of thing. And so there's a couple of things that I would like the CM to do. One is around this checklist, walking around inside the buildings, around side the buildings, perimeter, et cetera. The other thing is if they're doing their call it a huddle or whatever, their safety briefing or how about that, let's add in a security thing. Hey ladies and gentlemen, what would y'all do if you came up in this morning and you found the gate open just like we do a safety briefing? Can we add in one question around security maybe once a week in those briefings? And so those are again about educating because again we're dealing with a lot of subs and different things like that. Yeah, it's a combination of that. But I would love the the top 10 checklist.

Evan Hendershot (17:57)

Without jumping too far ahead, Jim, to the future of converged security. I was curious because you mentioned how cybersecurity and physical security elements are coming together these days. Does it require a different skill set from some of the on site construction staff to be More aware of some of these tech tools when the physical and cybersecurity elements converge. And do you find that there's any resistance to some of these items or do you find that construction managers and people on site are adopting these integrated tools?

Jim McConnell (18:32)

Well, yeah, Billy Bob the plumber did. I keep talking about, they're great at plumbing, they're great at the safety side of that. And all of a sudden the computer stopped working or they got that weird email or they got that call from the bank, whatever that is. Could that happen out at a construction site? Could a construction site get a phone call from a bad actor to kind of social engineer folks? Sure. So again, there's more training than just the checklists need to happen. But you know how many of our vehicles and fleet out there on site that have technology in them, they have gps, they have telematics that are giving information about those vehicles around run hours and oil levels, et cetera. So there's this. If you look at a big construction site, imagine how much network and Internet traffic is going on without somebody necessarily sitting at a keypad. I suspect that it's significant for the larger the project. And again, it's awareness to these folks, not asking them to do more than they're already crazy doing, but to be aware. Hey, why does this. This doesn't look normal on this bulldozer on screen, their little bulldozer screen. There's a saying that we hear at the airport. If you see something, say something. It works here in the security at a construction site or a construction company, marry the receptionist. If you see something, say something. Driver of that construction vehicle. If all of a sudden that screen goes out and turns red, you see something, say something. Don't discount it for that. It might be a security problem. Yeah, it might be just a software problem. We gotta reboot. But could it be a security problem? Let's not waste that phone call to say, hey, wait a minute, we got all of our construction trucks out here. Got a red skull and crossbones on the screen. This doesn't look right, boss, we're stopping.

Carly Trout (20:22)

So time is flying by here. This is a great conversation, but we actually only have time for one more. So I'm wondering if you could maybe give some resources for those who are starting out. Maybe this is a new concept for them and they want to know where to look. Maybe. Do you have a self assessment for folks to go to and how to get started?

Jim McConnell (20:45)

Absolutely. So on my website, I have a askmcconnell.com I've got a checklist area there. There's a self assessment that's not specific to construction, but to corporations and small business and large business. And it really steps through a number of key security functions, physical and cyber and fraud and everything else, and then starts to help people self assess themselves. I do encourage folks to have multiple people in your company fill it out because you might get different answers to those. But very simple. If it pops up and something on there is a it's an Excel file. So if something on there is blank, that's an answer. If you don't know the answer, that is an answer. So that may be something where, hey, we're comfortable on these five areas. We're green across the row on that one. But here's some areas that they're on a gap for them. Again, that gives you a good starting point. Not that you're going to neglect the green, not that they're running very mature. But that self assessment is there for folks to take advantage of that. And if they've got questions about that, I'd be honored to help out.

Carly Trout (21:49)

Great. That is really good to know about. Jim, thank you so much for joining the podcast today. It was really great to speak with you and hopefully your insights can help us all build a safer and more secure future for our organizations.

Jim McConnell (22:04)

It was an honor and hope to support CMAA in the future and lots of different areas and be a resource to your members and ultimately their clients.

Carly Trout (22:14)

Great. So just for our listeners, as a reminder, if you'd like to learn more, you can visit askmoconnell.com construction on the next episode of the Construction Leaders Podcast, we'll be rejoined by a previous guest, Vincentesta, with Procon Consulting. This time he'll be here to discuss his take on AI and other recent headlines and their impact on the construction industry. As always, be sure to subscribe to the podcast and you can follow us on social media maahq we would also love for you to leave a review with your thoughts on today's episode and let us know what you'd like to hear in the future. On behalf of cmaa, I'm Carly Trout with Evan Hendershot. Thank you for listening.