Every year, the commercial real estate industry pours more money into connected building technology, and every year a stubborn gap persists between the ROI promised in the vendor deck and the ROI that actually shows up in net operating income (NOI). The reflex is to blame the tech: the wrong platform, the wrong integrator, the wrong analytics.
In this episode of the podcast, Fred Gordy of KMC Controls and co-host Rob Murchison of Intelligent Buildings argue that the real villain is somewhere else entirely. The ROI leaks out through unmanaged risk, weak governance, invisible assets, and unclear ownership, long before the technology has a chance to underperform.
3 Foundational Questions
Fred opens with a diagnostic he has used across hundreds of building assessments. Before any discussion of frameworks or standards, he asks owners three things: Do you know what you have? Do you know how it is connected as a network? And do you know who has access?
The uncomfortable truth, he says, is that the majority of owners cannot answer any of the three. That is not a technology failure. It is an information failure, and it makes every downstream decision on analytics, energy optimization, or tenant experience shakier than it should be.
Rob adds the good news: getting the visibility is not as hard as owners fear. What usually stops people is not the cost of the tooling, but the fact that no one has been made responsible for asking the questions in the first place.
The Air-gap Myth
A common pushback from IT teams is that the building automation system (BAS) is air-gapped and therefore not their problem. Fred dismantles the assumption with examples. Air-gapped water utilities in the US have been attacked after someone plugged in a device that quietly added remote access.
In one case he and Rob worked on, a commercial real estate owner had outsourced its parking system to a contractor who ran it on “their own network.” A walkthrough revealed a wireless access point that the contractor had installed. When a bomb threat later forced the building to be evacuated for two days, the lost rent and ROI were very much the owner’s problem, regardless of whose network the parking system technically lived on.
The lesson is that air-gapped is a design intent, not an operational state. If no one is watching, the gap closes, usually by accident, sometimes by a contractor trying to be helpful.
From Cybersecurity to Operational Resilience
Fred has deliberately reframed how he talks to owners. Cybersecurity is an IT word that rarely lands in the boardroom. Operational resilience does. If the building stays up, ROI stays up, reputation stays intact, and tenant confidence holds. And when something does go wrong, it rarely matters in the moment whether the cause was a cyber intrusion, a piece of failed equipment, or a human error.
What matters is recovery. Without documented processes and a governance model, recovery turns into what Fred calls response paralysis: everyone in the room looking at each other while the clock runs and the losses mount.
The People Problem
Technology fixes are the easy part. People are harder. Fred looks first at how staff treat the systems. If the building control head-end sits on an engineer’s desk while they check Facebook, that is the canary in the mine. No one would tolerate the same casual use of a SharePoint server, yet it is routine for the system that actually runs the building.
It is also important to understand the mindset of the people closest to the equipment. Facilities staff are fixers. Their job is to keep the building running, and if a hardening checklist gets in the way, they will, as Fred heard from a facilities manager two weeks before the recording, “bypass security” rather than fail to deliver.
That is not malice; it is incentives. Governance has to be designed with those incentives in mind, and it has to be translated for every persona in the organization, not just handed down as a stack of rules.
Rob widens the lens to the stakeholder map: dozens of vendors across HVAC, lighting, access control, video surveillance, Wi-Fi, riser management, water quality; facilities managers; property managers; asset managers; CIOs and CTOs; and, at the top, the owner. Alignment across that group is the real governance challenge.
Who Owns the OT Risk?
The cleanest answer, Fred says, comes from ISA/IEC 62443, the standard he has worked on as part of the ISA 99 committee. The asset owner is ultimately 100 percent responsible. If it ever comes to litigation, that is who will be named.
In practice, though, 80 to 90 percent of owners have defaulted the responsibility to their vendors, who, as Fred puts it bluntly, become the owner’s risk, because they are making every day-to-day decision in the absence of instruction.
The fix is not to blame vendors. They did not ask for the job. The fix is for the owner to take the helm, set the vision, and turn vendors from a source of risk into a risk partner. That is the governance conversation.
The Final Word on ROI
Asked for one takeaway for CTOs and property owners, both guests circled back to the same ground. Fred: be honest with yourself about the three questions: what you have, how it is connected, who has access. Rob: it does not have to be Pandora’s box. Visibility first, access control next, and the rest of the puzzle starts to assemble itself. The point of the exercise is not security for security’s sake. It is to stop risk from standing between the owner and the ROI gains that smart building technology was supposed to deliver in the first place.
A comment from the audience summed it up neatly: ownership of this problem usually lands on facilities, which is why it gets dismissed. To unlock the ROI value, it has to move up the chain, out of the facilities closet and into the asset management conversation, where it belongs.


