In part two of our six-part series around the cyber security issues facing the construction industry, our Head of Customer Success, Chris Yates, now explains why cyber programmes in construction fail before they start…
CY: In the previous post, I wrote about why cyber has crossed over from an IT cost-line into a construction delivery risk. The response told me I’m not alone in seeing it. Plenty of people in the sector are quietly worried.
So today I want to start at the beginning. Because in my experience, most cyber programmes in construction don’t fail in execution. They fail in the way they get started.
If you set the first conversation up well, the rest of the journey is honest, focused and useful. If you don’t, you end up spending money on the wrong things, frustrating your teams, and discovering, usually during an incident, that you weren’t actually as protected as the slide deck suggested.
What “Initiate” Really Means
In our CyberAscend framework, Initiate is the first of five stages. It’s where we sit down with you before any tool is bought, any test is booked or any policy is written, and answer a deceptively simple question: what does “good” look like for your business?
Not for cyber security in the abstract. For your business. Your programmes, your clients, your contracts, your supply chain, your insurer, your board, your reputation.
Get that right and every later decision has a north star. Get it wrong and you’ll spend two years buying technology that solves someone else’s problem.
Three Patterns That Doom Programmes From Day One
Over the years I’ve seen construction businesses start cyber programmes in three classic ways that almost always end in regret.
- The compliance-only start. Someone, a client, an insurer or a public sector framework, has asked for evidence. The conversation begins with “we need to pass this audit” rather than “we need to reduce delivery risk.” The result is a paper exercise, a certificate on the wall, and very little real change. The next audit comes round and the same scramble repeats.
- The tool-led start. A vendor or an IT partner sells in a product. SIEM. EDR. Phishing platform. None of them bad, but bought before anyone has agreed what they’re meant to achieve. Six months in, the tool is running, alerts are firing, nobody owns them, and leadership is no clearer about whether the business is actually safer.
- The IT-only start. The cyber conversation never leaves the IT team. Operations isn’t involved. Commercial isn’t involved. The COO finds out about it during the incident. By then the conversation has shifted from “how do we improve” to “how do we explain this to the client.”
The shift that matters in Initiate: Stop asking “what do we need to buy?” Start asking “what would a cyber incident actually cost us to deliver, to our clients, to our reputation, and what level of risk are we genuinely willing to accept?”
What a Good Initiation Looks Like
When we run an Initiate stage with a construction business, we deliberately keep the technology conversation in the background. The early sessions are with operations, commercial, IT and leadership in the same room. We’re trying to surface four things:
- The programmes, sites and systems that absolutely cannot go offline, and the ones that can.
- The contractual, regulatory and insurance obligations already on the table from clients and underwriters.
- The supply chain dependencies and joint-venture relationships that quietly extend your attack surface.
- The level of risk leadership is genuinely prepared to accept, not the answer that sounds best in a board pack.
By the end of Initiate, everyone in the room should be able to describe, in plain English, what cyber security needs to protect, why it matters, and how you’ll know it’s working. If you can’t do that, you’re not ready to spend a penny.
A Question for Construction Leaders
If I asked your operations director, your IT lead and your commercial director the same question, “what are we protecting and why?” would I get the same answer from all three?
If yes, your Initiate stage is in good shape. If you suspect you’d get three different answers, that gap is where every later problem will be born.
What’s Next in This Series?
Once you’ve started right, the next question gets uncomfortable: where are we actually today? Not the polished answer for the client meeting, the honest one.
In the next post in this series I’ll be walking through the Discover stage of CyberAscend, why so many construction businesses are unknowingly carrying risk they can’t see, and the specific things we look for when we lift the bonnet for the first time. Keep an eye out for it next week.
Want a head start?
If you’d like to see what your current cyber posture looks like through a construction-delivery lens, get in touch. We’ll run a no-obligation CyberAscend Initiate conversation with you and your leadership team, and you’ll come out of it with a clearer view of your risk, your readiness, and your next three moves.
