A critical new role for a digital era in building design.
Modern buildings are no longer just physical structures – they are intricate ecosystems of interconnected technologies. From intelligent HVAC systems and IoT-enabled lighting to advanced access controls and building management systems (BMS), the technology stack in the built environment today is extensive and evolving. These systems enhance efficiency, sustainability, and occupant experience, yet they also introduce an ever-expanding footprint of cybersecurity threats.
The Architecture, Engineering, and Construction (AEC) community has traditionally focused on physical safety, structural integrity, and environmental performance. However, the increasing complexity and integration of technology demands a new focus: cybersecurity resilience by design. As more devices, platforms, and networks become embedded in buildings, the potential attack surface for cyber threats widens. The result? A new category of risk that extends beyond traditional physical safety and operational performance.
The glaring gap in technology risk accountability
As the threat landscape rapidly evolves, a critical question arises: who is responsible for ensuring that technology-related risks are properly accounted for in building design?
Traditionally, the AEC industry relies on an array of specialized professionals: architects ensure aesthetic and placemaking integrity, engineers handle structural
and mechanical systems, together with functionality, while general contractors manage the physical build. Yet, technology and its associated risks have no clear owner. IT consultants and systems integrators may be brought in to deploy solutions, however, they are rarely involved in the architectural or engineering design process. This creates a fragmented approach to technology risk management, with cybersecurity often considered an afterthought rather than an integral design element.
The limitations of traditional engineering disciplines
Part of the challenge lies in the educational foundations of the AEC industry. Traditional engineering disciplines, such as electrical and mechanical, are not inherently trained to assess or mitigate cybersecurity risks.
Electrical engineers, for example, are experts in designing power distribution systems, integrating lighting, and specifying energy management systems. However, they are not typically trained to consider the cyber vulnerabilities of smart meters, connected devices, or remote monitoring platforms. Similarly, mechanical engineers who design HVAC systems may focus on performance efficiency and occupant comfort; nonetheless, they are not equipped to address the cybersecurity risks of IoT-enabled controls or network-connected components.
Even as building systems become increasingly digitized and connected, most engineering education programs have not evolved to incorporate cybersecurity risk management as a core competency. This skills gap leaves AEC professionals ill-prepared to identify and mitigate the technology risks inherent in modern buildings.
Introducing the technologist of record (ToR)
To address this growing gap, the industry should consider introducing a new role: the technologist of record (ToR). Modeled after the architect of record or engineer of record, the ToR would be a designated authority responsible for the technological integrity of a building throughout its lifecycle. This role would ensure that technology systems are properly designed and integrated, and also compliant with cybersecurity standards, resilient against evolving threats, and future-proofed for emerging technologies.
The ToR’s key responsibilities would be threefold. First, conducting technology risk assessments during the conceptual and design phases, identifying potential vulnerabilities in networked systems, IoT devices, and software platforms. This includes evaluating risks related to data privacy, access control, and system interoperability.
Second, the ToR would establish cybersecurity and resilience standards for the building’s technology infrastructure. This includes specifying equipment performance, configuration, and documentation requirements. They would also apply industry frameworks, such as NIST, ISA, or relevant smart building security standards.
And third, the ToR would facilitate closer collaboration across disciplines. Just as architects and structural engineers collaborate, the ToR would work alongside MEP engineers, contractors, and owners to integrate technology risk mitigation into the broader design process. This ensures that cybersecurity and technology resilience are baked into the building’s DNA, not bolted on later.
Why the AEC industry needs the ToR
As buildings become smarter, the AEC industry continually evolves to meet the challenges of a digitally connected world. The Technologist of Record is not just a technical consultant. It is a foundational role necessary to protect building owners, operators, and occupants from the growing risks associated with technology proliferation.
Without a ToR, traditional engineering disciplines will continue to design buildings without fully accounting for the cybersecurity risks posed by interconnected systems. This oversight could leave critical vulnerabilities unaddressed, exposing buildings to potential data breaches, service disruptions, or even physical security threats.
In the future, cybersecurity resilience will be as critical as structural stability. The ToR will be essential in building the next generation of secure, resilient, and intelligent spaces. By formally recognizing the ToR as a core discipline in the building design process, the AEC industry can embrace a proactive approach to technology risk management, safeguarding both physical and digital assets.
By David Brearley, Controls and Cyber Services Director at HDR
David Brearley is Controls and Cyber Services Director at HDR. HDR specializes in architecture, engineering, environmental and construction services. While most well-known for adding beauty and structure to communities through high-performance buildings and smart infrastructure, HDR provides much more than that. The company creates an unshakable foundation for progress because its multidisciplinary teams also include scientists, economists, builders, analysts and artists. HDR’s employees, working in more than 200 locations around the world, push open the doors to what’s possible each and every day.