Working on data center projects for multiple hyperscalers across EMEA, Sergiu Rezmives, CC, has followed both market demand and staffing trends in the sector with interest. He explains why the current push toward modular and autonomous data centers is being driven by a shortage of key skills and the people with them.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
During my work with some of the largest ecommerce facilities, data-sensitive environments and data centers across, I’ve seen how optimization efforts such as cost saving, modularity, automation and reduced on-site staffing are creating cybersecurity risks that most practitioners haven’t conceptualized yet. The faster the data center industry moves toward “lights-out” facilities, the more exposed we become: they are scaling faster than the potential workforce can keep pace with. The cybersecurity gaps emerging now are rooted less in malware or misconfigurations, but rather in the people who aren’t there.
Making Sense of the Shift
If we understand this shift early and engage with it, we can shape how these facilities are built, secured and governed. If we don’t, we’ll be reacting to systems designed without us and without the required safeguards.
First, here are the risks I’m already seeing:
- Rogue Hardware: When skilled technicians are stretched thin, fewer eyes inspect equipment. Compromised or fraudulent hardware might slip into production during routine shipments or rushed deployments.
- Robot and Automation Misuse: As operators lean more on automated handlers and remote-management systems, the control layer attack surface increases exponentially. The potential for compromise here isn’t theoretical; I assure you that robots and automation are capable of making physical changes inside a facility faster than any team can respond on foot.
- Fragile or Unfinished Interfaces: Under pressure to meet project timelines, I’ve seen teams sometimes accept temporary power, cooling, or data interfaces that were meant to be “fixed later.” These shortcuts stay in place longer than intended, becoming easy entry points.
- Understaffed Project Teams: When teams coordinating IT/OT, mechanical, electrical and security functions have insufficient capacity, I’ve spotted gaps appearing between systems: delayed deliverables turn into attack opportunities, audits fall behind, documentation trails break, oversight thins out and so on. These gaps are an attacker’s dream come true.
- Emergency Outsourcing: During crunch periods, contractors often bring in sub-contractors, who bring in more sub-contractors. Supply chain vetting gets skipped and access expands informally. Sensitive information has quickly spread to people far outside the intended knowledge boundary.
None of this is hypothetical. Technical debt isn’t just hidden in code. It lives in unfinished maintenance, incomplete handovers, inconsistent documentation and “temporary” safety measures that stay in service far too long. They are the result of the real weak spots that are created when a workforce is overextended, as well as when the market is pushing ahead at full speed.
None of us will need reminding that even small oversights can lead to big consequences. A mislabeled breaker, a missing diagram, a forgotten device in a ceiling void... Any of these can escalate sharply when combined with a targeted intrusion or cascading technical failure.
The Broader Picture
Here’s the pattern I’ve seen repeatedly, whether running physical security programs, working with MEP contractors, or supporting hyperscaler design teams:
- Unrealistic job descriptions that don’t match the actual work
- Specialists stretched across multiple large sites
- Project timelines that move faster than training pipelines
- Optimization efforts that quietly shift risk to the edges of the system
When the available workforce can’t supply enough electricians, fiber technicians, cooling specialists, operators or security designers with the skills we need, we compensate with speed, automation and assumptions that often go untested. This, I suspect, is where the next wave of data center cybersecurity problems will come from. No, not zero-day exploits, but the simple fact that too few people are available to maintain, verify and secure facilities at the physical layer.
The Shortage Will Grow
Current market trends are clear: smaller teams, more automation and more modular infrastructure. To this we can add AI, digital twins and standardized pods that promise faster builds and leaner operations. As the industry moves toward a world where racks and modules are designed and behave like hot-swappable components, expectation of (and dependency on) clean integration and flawless coordination only grows.
Consequently, my sense is that the people who should be shaping that future – cybersecurity professionals with experience across physical, IT, OT and operational risk – are often not included early enough now. This problem will continue to grow as once systems are fully deployed, the window to influence them closes.
Resolution
To directly counter the risks created by an overstretched workforce and fast-moving market, here are my closing thoughts on how and where cybersecurity practitioners – and perhaps broader cyber authorities – should step in, now, not later:
- Push for Security Standards: For modular power, cooling and data interfaces
- Work with Broader Disciplines: Like mechanical, electrical, robotics and automation, not only IT
- Test Environments: Complete testing before things go live, not during the first operational crisis
- Build Cyber-Physical Frameworks: Do not separate IT and OT checklists
- Challenge Unrealistic Role Requirements: Carry this out before resource gaps turn into operational vulnerabilities
- Insist on Proper Documentation, Share and Learn from Mistakes: Do this so the same issues don’t repeat across regions
The stakes are high: data centers are becoming the nervous system of modern society. How we secure that system will determine whether it stabilizes our future or risks becoming its biggest point of failure.
Sergiu Rezmives, CC, has 14 years of experience in the security industry. He focuses on physical security design, implementation and project management and has held management, technical, project and consultancy roles. His work focuses on assessing cyber dependencies in physical security systems and challenging controls that do not reflect real-world threat models.
