Q&A: Data centre cyber resilience

March 2026  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2026 Issue

FW discusses data centre cyber resilience with Jon Critelli and Luke Tenery at StoneTurn.

FW: How widespread are cyber incidents in data centres today? What factors are driving the growth of attack vectors and the overall threat landscape in this sector?

Tenery: As data centres become the backbone of global artificial intelligence (AI) and digital transformation, cyber incidents are top of mind. While data centre potential seems limitless, rapid expansion significantly broadens the attack surface. More sophisticated data centres, like those developed by global technology giants, may be at less risk than those data centres developed for leasing space to data-heavy small to medium-sized enterprises (SMEs). Growth in attack vectors is driven by the massive influx of data required for AI and the complexity of interconnected infrastructure. Furthermore, persistent supply chain strains on critical electrical components – lingering post-pandemic – can introduce vulnerabilities, especially in hardware. As developers struggle with power constraints and community pressure, the rush to deploy capacity often leads to compressed timelines where security is sidelined. This makes data centres high-value targets for adversaries seeking to disrupt critical services, as any weakness in the foundational infrastructure can be exploited to compromise the vast amounts of data stored within.

FW: What factors are causing construction delays in today’s data centre projects? How are these delays forcing developers to re-evaluate their financing models and project scopes?

Critelli: Construction delays are currently driven by a combination of limitations in current local power infrastructure, local community resistance regarding rising energy rates and ongoing supply chain shortages for critical electrical components. Despite moving past the initial pandemic-driven disruptions, the demand for AI-ready infrastructure continues to outpace the delivery of essential equipment. These delays are forcing developers to re-evaluate their financing models, as extended timelines increase capital costs and delay revenue generation. In response, project scopes are being modified to include phased deliveries or smaller, decentralised designs that can bypass overstressed grids. Developers are also increasingly forced to incorporate the costs of alternative energy solutions and community benefit agreements into their financial planning to mitigate local opposition and ensure long-term project viability.

As data centres become the backbone of global artificial intelligence and digital transformation, cyber incidents are top of mind. While data centre potential seems limitless, rapid expansion significantly broadens the attack surface.
— Luke Tenery

FW: Which critical infrastructure or security components are often de-scoped or modified during project budget cuts? How does this approach affect the facility’s long-term operational resilience?

Critelli: More sophisticated, highly-funded projects often do not encounter these issues. However, in ‘lease space’ data centre developments, initial budget pressures frequently stem from the high costs of securing power grid access, navigating local community opposition and procuring specialised electrical components despite lingering supply chain strains. When these early-stage cost overruns occur, there can be ‘value engineering’ in the final phases to remain financially viable. This typically results in the descoping or downgrading of critical infrastructure, such as N+2 cooling redundancy, advanced cyber security hardware and integrated physical security systems. This undermines long-term operational resilience. By reducing redundant power and cooling buffers, these facilities become increasingly vulnerable to grid instability and the extreme thermal demands of high-density AI workloads. Furthermore, cutting security features creates significant ‘technical debt’, leaving the data centre more susceptible to cyber attacks and necessitating expensive future retrofits to support the evolving requirements of digital transformation.

FW: What are the hidden cyber risks for tenants that migrate into a facility where the developer may have trimmed security budgets to offset construction overruns?

Tenery: Tenants migrating into ‘lease space’ facilities face hidden risks when developers descope security to offset early-stage overruns caused by grid access and supply chain hurdles. If advanced cyber security hardware or integrated physical monitoring systems were downgraded to balance the budget, the facility’s baseline defence is fundamentally weakened. These hidden vulnerabilities mean tenants may lack the expected ‘buffer’ against sophisticated threats. Moreover, the ‘technical debt’ created by these cuts often results in outdated security protocols that are harder to patch. This leaves a tenant’s proprietary AI workloads and data exposed to breaches the facility was originally designed to prevent, eventually forcing tenants to incur unforeseen costs to secure an inherently compromised environment.

FW: How do descoped facility management systems create weaknesses for cyber attackers looking to move laterally through a multi-tenant environment?

Tenery: When facility management systems (FMS) are descoped to save costs, they often lack the segmented architectures, fully configured and tested devices, and sufficiently managed and monitored infrastructure required for secure multi-tenant environments. Budget-driven cuts typically lead to the use of centralised or legacy control systems for things like cooling and power. For an attacker, a compromised FMS can provide a gateway to move laterally across the facility. By gaining access to shared infrastructure controls, an adversary could jump from operational technology into the IT networks of various tenants. This vulnerability is exacerbated by reduced granular monitoring, allowing attackers to disrupt cooling or intercept data traffic across the shared environment, effectively turning a single infrastructure weakness into a widespread breach that threatens every occupant.

Cutting security features creates significant ‘technical debt’, leaving the data centre more susceptible to cyber attacks and necessitating expensive future retrofits to support the evolving requirements of digital transformation.
— Jon Critelli

FW: From a national security perspective, how does the systemic vulnerability of data centres that cater to public use and smaller enterprises present opportunities to adversaries looking to disrupt the broader economy?

Tenery: Systemic vulnerabilities in data centres catering to public use and smaller enterprises pose a significant national security risk. These facilities are most prone to ‘value engineering’ due to cost overruns from power and supply chain constraints. Adversaries recognise that disrupting these mid-tier hubs can trigger a domino effect, compromising small businesses and public services that lack the resilience of tech giants, while having an outsized impact on the services supply chain SMEs and public firms are a part of. By targeting facilities with downgraded security and cooling redundancy, state-sponsored actors can achieve widespread economic disruption with minimal effort. This creates a ‘weakest link’ scenario where the cumulative failure of less-secure data centres undermines national stability and sabotages the broader economic infrastructure.

FW: What proactive steps should operators and their tenants take during the final phases of commissioning to ensure that presumption of compromise or zero trust strategies are maintained despite any earlier budget cuts?

Critelli: During final commissioning, development and operations teams must prioritise rigorous failover testing to map specific vulnerabilities created by descoped or reduced scope cooling and power redundancies. They should establish manual procedural overrides and strict physical access audits to compensate for any missing automated monitoring hardware or downgraded electrical components.

Tenery: As they transition to digital defences, cyber security professionals must conduct effective due diligence and often implement more advanced controls such as software-defined zero trust architectures and aggressive micro-segmentation to mitigate potential risks associated with ‘value-engineered’ FMS from tenant IT environments. By mandating continuous assurances of security and operating under a presumption of compromise, these teams provide a ‘defence in depth’ approach that offsets potential physical infrastructure weaknesses. This dual-pronged strategy ensures that even if the facility is lean, it maintains the operational resilience required to support high-density AI workloads and other hosted solutions rapidly being deployed in this space.

 

Jon Critelli is a partner at StoneTurn, drawing on nearly 20 years of experience advising clients on capital projects risk management, capital programme and project process reengineering, project management, control implementation, construction auditing, and the use of data analytics to optimise capital project delivery. He leverages his extensive experience across business performance improvement, project management optimisation, capital projects consulting, constructing and cost auditing, and internal audit to assist companies and their counsel across a wide spectrum of industries. He can be contacted on +1 (202) 655 4679 or by email: jcritelli@stoneturn.com.

Luke Tenery brings over 20 years of experience helping leading organisations mitigate complex cyber security, data privacy and digital risks. He applies expertise in cyber investigations, threat intelligence, incident response and information risk management to assist clients. He helps organisations across a range of industries align information security risk management with high-impact initiatives, including incident remediation, M&A due diligence and integration, cyber cost analyses, digital transformation, and development of threat intelligence programmes. He can be contacted on +1 (312) 775 1210 or by email: ltenery@stoneturn.com.

© Financier Worldwide

THE PANELLISTS

 Jon Critelli

Luke Tenery

StoneTurn

©2001-2026 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.