Jesse Carrillo, SVP & CIO at Hines, has been a colleague and friend since we both served as Realcomm Advisory Council Co-Chairs in 2010. Jesse has a strong reputation for running a tight ship, one that embraces best practices, is efficient and cost-effective, and fosters innovation and agility. Our conversations over the past few months have been on the shape of 21st century technology service delivery, especially in the real estate industry. We found time last week to take our conversation deeper and flesh out what that looks like.
Chris Saah: Jesse, we often talk informally or at Realcomm venues about the challenges we face delivering 21st century information technology, especially in the commercial real estate space. I know you have been grappling with this as you set your strategic goals with your team for the coming year. Can you share some of the direction you are setting at Hines?
Jesse Carrillo: Sure. I’ll start with one word: Security. We have a big focus and emphasis on cybersecurity for the enterprise and also for our building management/control systems. Our budget is increasing to allow us to bring in cyber experts to assess our preparedness. We have also been informed that the majority of our upcoming IT control audits will now include a cybersecurity component, and my security director and I will be spending quite a bit of time working with our operations and engineering team leading these initiatives, and speaking with leadership about this topic.
Chris Saah: I’ve always known Hines to place a high priority on security. So I’m wondering, how is your focus changing?
Jesse Carrillo: We’ve always prided ourselves on our security controls and how we keep our building systems and corporate networks segregated, which is, of course, a huge area of vulnerability. As threats become increasingly frequent and sophisticated, so must be our preparedness and response. In 2015, we partnered with a cybersecurity firm and completed an initial assessment of our building systems, identified potential vulnerabilities, and have given guidance to our property management teams about how to better protect themselves. We’ve looked at areas like rogue routers, stolen credentials, SSID broadcasting with default settings, remote access tools and other potential vulnerabilities; assessed our risk in these areas; and then developed guidance for our property teams to mitigate these potential vulnerabilities.
Chris Saah: And are you following up on the guidance you’ve given to the properties?
Jesse Carrillo: Absolutely. We’ve partnered with our Corporate Operations and Engineering Services team for ongoing assessments. They regularly assess areas like energy consumption, preventive maintenance and general operating efficiency. We are leveraging their regular interaction with the property management teams to ensure we’re following best practices. We plan to employ RSA technology for general two-factor authentication, but also in order to proactively have 100% control, on a case-by-case basis, over who we allow to connect to our network systems, for example, third-party vendors and contractors.
Chris Saah: What about social engineering? As you know, many of the high profile attacks we see in the news come through this vulnerability and we’ve seen this exploited with some of our clients as well.
Jesse Carrillo: Several times a year, we remind all Hines teams about this kind of threat and give them tips on how to spot attacks like spear phishing. Next week, we are actually starting this year’s assessment of the enterprise network and looking at penetration, malware and so on; and social engineering will be a significant part of that assessment. In fact, I am actually considering mandatory annual cybersecurity training for all Hines teams.
Chris Saah: Executive sponsorship can sometimes be a challenge in areas like this that do not directly impact revenue. How have you managed that challenge?
Jesse Carrillo: The leadership at Hines understands the need for security and is very supportive. When I do have to make the case, I generally talk about reputational risk. We’ve spent 60 years building the Hines brand and we want to protect it.
Chris Saah: If you were to choose a second word to describe your focus for 2016, what would it be?
Jesse Carrillo: I’m not sure I can put it into one word. To me, it is about “front-of-the-house” focus. My team has an average tenure of over 10 years and I don’t want all of that institutional knowledge spent keeping the lights on or maintaining legacy platforms. I often tell my people to develop their greater asset which is the intellectual property they have about Hines. They know our mission, our people and our processes.
Chris Saah: You want them solving business problems, not technical problems?
Jesse Carrillo: Exactly. We all got into IT because of our curiosity; we like to tinker. That doesn’t change; we’re just redirecting it toward the business.
Chris Saah: So how exactly does that flesh out in your organization?
Jesse Carrillo: We are going to continue to be cloud-opportunistic. We’re going to pilot Office 365 for email in 2016. We won’t consider going with a big-bang approach, but more in a phased one. We’re also looking at single-sign-on solutions. We are also currently piloting a very interesting “asset life-cycle” solution. In short, we’re looking at tools to off-load those services that are required so our team can spend less time “running the shop” and focus their energy on data and business strategy.
Chris Saah: Thanks for your time, Jesse. I hope you’ll be sharing more of our insights and lessons learned at some sessions at this year’s conference. If not before, I’ll see you then.
Jesse Carrillo: Always enjoy talking tech with you, Chris. See you in San Jose!
[Article reposted from Realcomm Advisory]