{"id":7987,"date":"2026-05-01T09:00:00","date_gmt":"2026-05-01T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7987"},"modified":"2026-05-01T09:00:00","modified_gmt":"2026-05-01T09:00:00","slug":"managing-ot-risk-at-scale-why-ot-cyber-decisions-are-leadership-decisions","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7987","title":{"rendered":"Managing OT risk at scale: Why OT cyber decisions are leadership decisions"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The first time I approached an OT environment, I assumed that the strategies effective in IT cybersecurity would be equally applicable. I was wrong. The experience revealed a fundamental difference, highlighting the need for a distinct approach to OT cyber risk management.<\/p>\n<p>The mistake was not technical. It was conceptual. I was treating OT as another security domain that needed stronger controls, better tooling and greater discipline. But OT lives under different conditions. Systems stay in service for years, sometimes decades. Patching is limited. Change windows are negotiated. Vendor dependencies are part of daily operations. Asset visibility is often incomplete and the highly distributed environments depend heavily on third-party access.<\/p>\n<p>In summary, OT cyber risk fundamentally constitutes a challenge of leadership and governance. The primary concern at scale is not isolated technical controls at individual sites, but rather the enterprise\u2019s ability to ensure consistent decision-making across all sites through clearly defined roles and shared accountability.<\/p>\n<h2 class=\"wp-block-heading\">OT changes the nature of cyber risk<\/h2>\n<p>Boards have improved their cyber oversight of IT, but OT requires a different perspective. 
Here, cyber risk goes beyond data and compliance into operational processes, industrial assets and critical services.<\/p>\n<p>OT architecture begins in the physical world, moves through control systems and operations networks, and increasingly connects to enterprise systems and cloud services. This creates a consequence profile distinct from IT, in which cyber risk directly affects physical operations.<\/p>\n<p>OT operating constraints include long asset lifecycles, incomplete asset visibility, embedded third-party access and fragmented ownership across engineering, operations, site leadership, vendors and security. IT cyber assumptions often fail in OT because the risk and responsibility structures diverge fundamentally.<\/p>\n<p>The governance baseline for OT remains thin, as reflected in recent <a href=\"https:\/\/www.weforum.org\/publications\/global-cybersecurity-outlook-2026\/in-full\/3-the-trends-reshaping-cybersecurity\/\">World Economic Forum research<\/a> that highlights broader issues of leadership and oversight. Only 16 percent of organizations with industrial environments report OT security issues to their boards, and just 20 percent maintain dedicated OT security teams. In only 36 percent of cases is the CISO directly responsible for OT security. These low levels of reporting and responsibility indicate not only a maturity gap in organizational processes but, more critically, an accountability gap that directly reinforces the thesis: OT cyber risk management at scale is fundamentally a challenge of leadership and governance, not solely a technical concern.<\/p>\n<p>At scale, a local weakness becomes an enterprise coordination issue. Differences in maturity, ownership, vendor dependencies and business priorities create uneven exposure. 
The board question is not whether OT controls exist, but whether the enterprise can make consistent, defensible decisions about OT cyber risk before and during disruption.<\/p>\n<h2 class=\"wp-block-heading\">At scale, incident outcomes become leadership outcomes<\/h2>\n<p>Effective OT oversight shifts from control-by-control discussions to scenario and consequence analysis.<\/p>\n<p>Common OT exposure paths include remote access abuse, shared accounts, weak segmentation, infected maintenance media, compromised engineering workstations and poorly governed vendor connectivity. In OT, these exposures have direct operational consequences. A SCADA compromise can reduce visibility across power operations. Poor remote access governance can degrade rail operations. Infected media can trigger plant downtime. Unauthorized parameter changes can force emergency shutdowns and manual safety validation.<\/p>\n<p>OT risk appetite cannot be scoped to the enterprise alone. OT impact may extend to the economy, the environment, critical services and, sometimes, human safety. As the consequences broaden, oversight standards must rise. A technical control gap is one risk. A governance structure that cannot support safe, coherent decisions under pressure is exposure of a different order of magnitude.<\/p>\n<p>In OT, incident outcomes are determined by leadership choices made before disruption begins.<\/p>\n<p>Should the organization isolate quickly to stop propagation, or continue operating in a constrained way to protect essential output?<\/p>\n<p>Should authority be centralized to improve consistency, or federated to improve speed and local judgment?<\/p>\n<p>Should the organization restore quickly, or verify process integrity first and accept a longer recovery path?<\/p>\n<p>Should vendor and remote support remain broadly enabled for operational convenience, or be reduced because it has become part of the real perimeter?<\/p>\n<p>No single option is always correct. 
The key is whether leaders understand the trade-offs before action is required. Executive decisions such as isolate versus operate, centralize versus federate and restore versus verify change outcomes. These are governance choices, not technical defaults.<\/p>\n<p>I have seen both sides of this in practice. In one environment, centralization accelerated capability building. It improved consistency, but it also introduced the risk of slower decisions in a crisis because authority sat too far from the operational edge. In another, responsibility was distributed across business units, which improved local ownership but increased coordination risk under stress. The lesson was never ideological. It was operational. The operating model had to match the risk reality.<\/p>\n<p>This is also why the strongest board-level conversations in OT are rarely about tools first. They are about decision rights, escalation logic, crisis thresholds and assurance. The <a href=\"https:\/\/www.nist.gov\/cyberframework\">NIST Cybersecurity Framework 2.0<\/a> is useful here not because it provides boards with a script, but because its Govern function explicitly frames cybersecurity as part of how the organization understands and manages enterprise risk.<\/p>\n<h2 class=\"wp-block-heading\">What boards should ask now<\/h2>\n<p>Boards do not need to become technical experts in OT. They do need to demand decision-grade oversight.<\/p>\n<p><strong>First<\/strong>, clarify the operating model. Who owns OT cyber risk across the enterprise? Where does business unit accountability sit? Which decisions are centralized and which are delegated? Who has authority in a crisis when continuity and containment are in tension? If these answers are unclear, residual risk is likely underestimated.<\/p>\n<p>To help make this concrete, consider two common operating models. 
In a centralized model, OT cyber risk governance, tooling decisions and incident response authority reside primarily at the enterprise or group level, typically under the leadership of a central security or risk function. Local sites implement enterprise direction but have limited autonomy to define controls or crisis actions. In contrast, a federated model grants more decision rights to individual business units or operating sites. Here, local leaders often own OT cyber controls, incident triage and vendor management, while the central organization coordinates standards and provides guidance. Each model brings different trade-offs in consistency, speed and local adaptation. Directors should ask management to clarify which approach is in place today and why it fits the organization\u2019s risk profile.<\/p>\n<p><strong>Second<\/strong>, identify the two or three OT cyber scenarios that would most impact continuity, key operations and external defensibility. Scenarios should be concrete enough to guide priorities, budget and crisis preparation. Generic statements about protecting critical infrastructure are not enough.<\/p>\n<p><strong>Third<\/strong>, require assurance. Boards should ask whether a baseline exists and whether it has been independently tested for effectiveness. Governance and assurance should sit above the technical baseline and operating model. In OT, site assessments, adversarial simulations, tabletop exercises and validation of remote access controls provide more insight than maturity scoring.<\/p>\n<p><strong>Fourth<\/strong>, address innovation. AI and cloud are changing operational environments, even when adoption begins at the physical layer. The leadership agenda is moving toward governance, resilience and control of increasingly complex digital dependencies. For OT, boards should treat these shifts as operating model and assurance questions, not just technology questions.<\/p>\n<p>This is where the board agenda becomes practical. 
Directors should ask management to clarify decision rights, define the top OT cyber scenarios, establish an enterprise minimum baseline for priority environments and run independent assurance on the sites or operations that matter most. These are not technical housekeeping tasks. They are the foundations of defensible oversight.<\/p>\n<p>This article builds on a recent <a href=\"https:\/\/www.rsaconference.com\/usa\/programs\/cyber-leaders-forum\">RSAC session on managing OT risk at scale<\/a>, but the lesson is broader. OT cyber risk at scale is not simply a controls problem. It is a leadership problem because real outcomes depend on governance, accountability and pre-agreed trade-offs. The organizations that navigate OT disruption better are usually not the ones with the most ambitious slide decks. They are the ones that decided in advance how they will govern, escalate, verify and recover.<\/p>\n<p>That is the shift boards should insist on. In OT, resilience is built by decisions made before the incident alarm sounds.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><br \/><strong><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\">Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The first time I approached an OT environment, I assumed that the strategies effective in IT cybersecurity would be equally applicable. I was wrong. The experience revealed a fundamental difference, highlighting the need for a distinct approach to OT cyber risk management. The mistake was not technical. It was conceptual. 
I was treating OT as [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7988,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7987","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7987"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7987"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7987\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7988"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7987"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}