Exposing the Leadership Gap
Your OT red team's first finding isn't in a firewall. It's in your org chart.
Every OT red team engagement starts with the same scoping call. The questions feel procedural at first. They're not procedural. They're the first test.
The Leadership Gap Your OT Red Team Will Find
Every OT red team engagement starts with the same scoping call. The questions feel procedural at first: Who should receive the findings? Who has authority to approve scope changes? Who makes the call if we find something critical mid-assessment?
When those questions go unanswered — when the authorized decision-maker turns out to be an IT manager with no OT mandate or an operations engineer with no security authority — the Red Team has already found something. Not a vulnerability in a firewall. A vacancy in the organizational structure that shapes everything else the engagement will surface.
This is the Industrial CISO gap from the adversarial side.
The First Finding Isn't Technical
When CISA's Red Team assessed a U.S. critical infrastructure organization in 2024, it didn't start at the firewall. It started with open-source research on the organization's employees, their roles and what those roles revealed about the security program. What they found before the technical phase was itself a finding. According to CISA Advisory AA24-326A, the organization's leadership had deprioritized a vulnerability its own security team had already identified and flagged. The Red Team then exploited it.
That sequence tells the story directly: the governance gap was the technical gap. Leadership's risk misjudgment left a known vulnerability open. The Red Team walked through it.
This pattern is consistent enough that serious OT red team methodologies build it into the process. Mandiant's approach requires collaboration with the organization's leadership team during pre-engagement scoping. The ISA Global Cybersecurity Alliance's assessment framework specifies that organizational inputs — including stakeholder interviews and documentation reviews — precede technical discovery. Dragos's red team services require a designated decision-maker to define scope and safety thresholds before testing begins. Those requirements aren't formalities. They surface the organizational conditions that determine what the technical phase will find.
Ungoverned Environments Leave the Attack Surface Ready
The absence of a designated OT security executive produces specific, predictable conditions. They're not abstract governance problems. They're attack paths.
Trend Micro's April 2025 research found that 73% of cybersecurity incidents involve unmanaged assets. Unknown assets aren't edge cases in the threat landscape — they're preferred entry points. And according to SANS Institute's 2024 State of ICS/OT Cybersecurity research, organizations that map to security standards and use ICS/OT-specific threat intelligence are 53% more likely to have documented all external connections to their industrial environments — a capability strongly correlated with CISO-led programs. Without that ownership, a significant share of external connections remain undocumented and ungoverned.
Ungoverned vendor and remote access compounds the problem. Vendor connections, remote support tools and shared access mechanisms frequently bypass network segmentation assumptions built into the rest of the environment. A water treatment plant in Muleshoe, Texas was compromised through a remote access solution so poorly governed that the attacker publicly boasted about the ease of the breach.
This is what the Red Team finds in organizations without executive OT security ownership: not a single vulnerability, but a governance-shaped attack surface. In Mandiant's "Big Steam Works" engagement, a red team gained administrative control of OPC servers in six hours. The entry point wasn't a DCS vulnerability requiring sophisticated exploitation. It was weak password governance across OT systems — a failure of policy, not technology.
The Numbers on Leadership Are Hard to Ignore
SANS 2024 research found that when the CISO owns ICS security, 82% of programs are mapped to security standards. When no corporate-wide policies exist, that drops to 42%. The gap isn't incremental — it's close to the difference between a governed program and an ungoverned one. CISO-led programs also detect and respond to incidents faster, reflecting the same accountability that makes every other capability function more reliably.
Fortinet's 2025 survey of more than 550 OT security professionals found that organizations at the highest maturity levels report zero intrusions 65% of the time. The relationship between leadership and measurable security outcomes holds consistently across independent research.
But title assignment isn't the same as capability. Only 46% of organizations have reached Level 4 maturity — Fortinet's highest tier — even as more than half now place OT security under a CISO. Assigning the title moves the vacancy; it doesn't close it. That distinction matters when a Red Team is scoping an engagement. The question isn't who has the title. It's who has the knowledge, the authority and the accountability to act on what the assessment finds.
Findings Without an Owner Don't Get Remediated
This is the practical consequence the Red Team sees more clearly than any other part of a security program: excellent technical findings in a comprehensive report accomplish nothing if no accountable executive exists to drive remediation.
NIST SP 800-82 Rev. 3, the primary U.S. government guide for OT security, states this directly. The CEO or COO, alongside the CIO or CSO, "accepts complete responsibility and accountability for the cybersecurity of the OT system and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents." That language exists because governance isn't preliminary to security — it's the mechanism that makes security function.
PwC's 2025 OT security analysis described organizations without executive OT ownership as experiencing funding gaps, decision-making paralysis and disorganized incident response. When a Red Team delivers findings to an organization without an accountable owner, those findings tend to stay in the report. The absence of leadership doesn't just affect the assessment — it blocks the operational methodology needed to act on what the assessment produces.
Making the Invisible Visible
The Red Team's pre-engagement discovery phase doesn't only gather technical context. It maps the organizational conditions that will determine what the technical phase finds and what the organization actually does with the results.
Organizational structure creates the gaps that attack paths exploit: silos in the org chart mirror the network boundaries that adversaries cross without friction. The Red Team applies that same logic in a live engagement, against your specific environment, with your specific governance conditions in scope.
When the scoping call questions go unanswered — who owns this, who decides, who acts on what we find — that's not absence of data. Those are the first findings already taking shape.
Identifying the leadership gap as an adversarial finding isn't an indictment. Organizations that see it clearly can begin closing it, whether through a fractional model, a direct hire or a defined delegation of authority. But the prerequisite is naming it clearly, in the executive briefing alongside the technical findings, as what it actually is: an exploitable organizational condition that every other security investment depends on resolving. The first question on the scoping call will tell you a great deal about what the engagement will find. Sometimes, that question alone is worth the call.
The Scoping Call Is Where the Assessment Starts. What Will Your First Answer Reveal?
⚠️ Before the First Exploit, the Red Team Already Found Something
The Industrial CISO gap isn't a governance problem on paper. It's an attack surface your adversaries map before they run a single scan. Leadership vacancies produce unmanaged assets, ungoverned vendor access and findings that never get remediated — all on a predictable, structural basis.
Five Ways the Leadership Gap Becomes an Adversarial Finding
The Scoping Call Test
First questions reveal the first finding
Who receives findings? Who approves scope changes? Who decides if something critical surfaces mid-assessment? When those questions go unanswered, the Red Team has already found the governance gap — before a single packet is sent. The scoping call is the first phase of the assessment.
CISA AA24-326A — Governance Was the Gap
Leadership deprioritized a flagged vulnerability. The Red Team used it.
CISA's 2024 critical infrastructure assessment found that leadership had deprioritized a vulnerability the internal security team already flagged. The Red Team exploited it. The governance failure was the technical failure — the org chart gap and the network gap were the same gap.
Big Steam Works — 6 Hours to OPC Admin
Policy failure, not technology failure
Mandiant's "Big Steam Works" engagement gave a red team administrative control of OPC servers in six hours. The entry point was weak password governance across OT systems — not a sophisticated zero-day. No executive owned OT password policy. No one enforced it. The vacancy was the vulnerability.
Muleshoe, Texas — Publicly Boasted Breach
Ungoverned remote access, zero friction
A water treatment facility in Muleshoe, Texas was compromised through a remote access solution so poorly governed that the attacker publicly boasted about the ease of the breach. No one owned the remote access policy. No one reviewed the access controls. The attack required almost no effort because the governance required almost no effort either.
NIST SP 800-82 — Accountability Is Explicit
Complete responsibility language, not suggestion
NIST SP 800-82 Rev. 3 places complete responsibility for OT cybersecurity — including safety incidents, reliability incidents and equipment damage — on the CEO or COO alongside the CIO or CSO. The standard doesn't treat governance as preliminary to security. It treats governance as the mechanism that makes security function.
🗺️ The Governance-Shaped Attack Surface
What the Red Team finds in organizations without executive OT security ownership
Unmanaged Assets: Trend Micro's April 2025 research found 73% of incidents involve unmanaged assets. In the absence of CISO-led asset inventory programs, unknown devices accumulate across OT environments. Attackers prefer them — unmonitored and unpatched, they offer the path of least resistance.
Undocumented External Connections: SANS 2024 found organizations with CISO-led programs are 53% more likely to have documented all external connections. Without that ownership, remote access channels, vendor links and supplier connections operate outside visibility — and outside the segmentation model designed to protect everything else.
Vendor Access That Bypasses Segmentation: Vendor remote support tools and shared credentials frequently connect directly to operational systems without traversing the network controls built around them. When no executive governs these connections, the segmentation investment becomes irrelevant at the points that matter most.
Structural, Not Coincidental: These aren't random findings. They follow predictably from the absence of accountable leadership. The Red Team doesn't discover them. It confirms what the org chart already predicted.
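As an added illustration (not from the original article or from any of the firms it cites), the following Python sketch shows the kind of reconciliation check a defender can run to surface the three conditions listed above. It compares a constructed asset inventory and an approved-external-connection register against constructed flow records and flags unmanaged OT hosts, undocumented external connections, and approved vendor ranges that reach OT hosts without passing through the designated DMZ jump host. Every address, hostname, network and owner below is hypothetical, and the register format is an assumption for the example rather than any product's schema.

```python
"""Reconcile OT asset inventory and connection register against observed flows.

Added example; all data is constructed and hypothetical.
"""
import ipaddress
import json

# Constructed inventory: OT hosts the security program knows about, with an owner.
INVENTORY = {
    "10.20.1.10": {"name": "hmi-01", "owner": "ops-engineering"},
    "10.20.1.20": {"name": "plc-line1", "owner": "ops-engineering"},
    "10.20.2.5": {"name": "opc-srv-01", "owner": "ops-engineering"},
    "10.20.100.10": {"name": "jump-dmz-01", "owner": "ot-security"},
}

# Constructed register of approved external connections (hypothetical format):
# which external range may reach which internal host, and why.
APPROVED_EXTERNAL = [
    {"external": "203.0.113.0/24", "internal": "10.20.100.10",
     "purpose": "vendor remote support via DMZ jump host"},
]

OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical OT address space
DMZ_HOSTS = {"10.20.100.10"}                            # hosts external parties may terminate on

# Constructed flow records, as a firewall or NetFlow export might yield: (src, dst, dport).
FLOWS = [
    ("10.20.1.10", "10.20.2.5", 4840),      # HMI to OPC UA server, both inventoried
    ("10.20.1.77", "10.20.2.5", 4840),      # unknown OT host talking to the OPC server
    ("203.0.113.15", "10.20.100.10", 22),   # approved vendor range, via the DMZ jump host
    ("198.51.100.9", "10.20.1.20", 502),    # external host straight to a PLC: not registered
    ("203.0.113.15", "10.20.2.5", 3389),    # approved range, but direct to OPC server, skipping the DMZ
]


def is_ot(ip: str) -> bool:
    """True if the address falls inside a declared OT network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def unmanaged_assets(flows=FLOWS, inventory=INVENTORY):
    """OT hosts seen on the wire that the inventory does not know about."""
    seen = {ip for src, dst, _ in flows for ip in (src, dst) if is_ot(ip)}
    return sorted(seen - set(inventory))


def classify_external(ext_ip, internal_ip, approved=APPROVED_EXTERNAL, dmz_hosts=DMZ_HOSTS):
    """Classify one external-to-OT connection against the register.

    'undocumented'          - external address matches no registered range
    'bypasses_segmentation' - registered range, but the internal endpoint is not
                              the DMZ host the register permits
    'approved'              - registered range landing on its permitted DMZ host
    """
    addr = ipaddress.ip_address(ext_ip)
    matches = [e for e in approved if addr in ipaddress.ip_network(e["external"])]
    if not matches:
        return "undocumented"
    permitted = internal_ip in dmz_hosts and any(e["internal"] == internal_ip for e in matches)
    return "approved" if permitted else "bypasses_segmentation"


def external_connection_findings(flows=FLOWS, approved=APPROVED_EXTERNAL,
                                 dmz_hosts=DMZ_HOSTS, inventory=INVENTORY):
    """Every flow crossing the OT boundary, classified and tagged with the asset owner."""
    findings = []
    for src, dst, port in flows:
        if is_ot(src) == is_ot(dst):
            continue  # purely internal or purely external traffic is out of scope here
        ext, internal = (src, dst) if is_ot(dst) else (dst, src)
        findings.append({
            "external": ext, "internal": internal, "port": port,
            "status": classify_external(ext, internal, approved, dmz_hosts),
            "owner": inventory.get(internal, {}).get("owner"),  # None means nobody to remediate
        })
    return findings


def governance_report(flows=FLOWS, inventory=INVENTORY, approved=APPROVED_EXTERNAL, dmz_hosts=DMZ_HOSTS):
    """Group the reconciliation results by the condition each one evidences."""
    ext = external_connection_findings(flows, approved, dmz_hosts, inventory)
    return {
        "unmanaged_assets": unmanaged_assets(flows, inventory),
        "undocumented_external": [f for f in ext if f["status"] == "undocumented"],
        "bypasses_segmentation": [f for f in ext if f["status"] == "bypasses_segmentation"],
        "approved_external": [f for f in ext if f["status"] == "approved"],
    }


if __name__ == "__main__":
    print(json.dumps(governance_report(), indent=2))
```

The design point is that each finding carries an owner field drawn from the inventory: an unmanaged host has no owner by definition, so the same reconciliation that surfaces the technical condition also shows whether anyone is positioned to remediate it.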
📊 What the Leadership Data Actually Shows
SANS, Fortinet, and the difference between a title and a capability
SANS 2024 — The Standards Gap: When the CISO owns ICS security, 82% of programs are mapped to security standards. When no corporate-wide policies exist, that falls to 42%. That isn't an incremental difference — it is close to the difference between a governed program and an ungoverned one. The same accountability drives faster detection and response across the board.
Fortinet 2025 — Maturity and Outcomes: Among organizations at the highest OT security maturity level, 65% report zero intrusions. The relationship between leadership accountability and measurable security outcomes is consistent across independent research from multiple firms.
The Title vs. Capability Problem: Only 46% of organizations have reached Level 4 maturity — Fortinet's highest tier — even as more than half now place OT security under a CISO. Assigning the title moves the vacancy; it doesn't close it. The Red Team scoping call tests this directly. The question isn't who has the title. It's who has the knowledge, the authority and the mandate to act on what the assessment finds.
📁 Why Findings Without Owners Stay in the Report
NIST, PwC, and the remediation gap that follows governance gaps
The NIST Standard: NIST SP 800-82 Rev. 3 places complete responsibility and accountability for OT cybersecurity — including safety, reliability and equipment damage — on the CEO or COO alongside the CIO or CSO. That language isn't aspirational. It reflects the operational reality that security governance requires an accountable owner, not a shared assumption.
PwC 2025 Analysis: PwC's 2025 OT security analysis described organizations without executive OT ownership as experiencing three consistent failure modes: funding gaps that prevent remediation, decision-making paralysis when findings require action, and disorganized incident response when something breaks. These aren't separate problems. They are the same problem at different stages.
The Remediation Reality: A technically excellent Red Team report delivered to an organization without an accountable owner tends to stay in the report. The findings document the risk. The governance gap is what converts that documented risk into a permanent condition. Closing the leadership gap is the prerequisite for every other remediation action.
The Organizational Finding Your Assessment Will Surface
The First Finding Is Organizational
When the scoping call questions go unanswered, the Red Team has already found something. The governance gap is mapped before the technical phase begins — and it shapes every finding the technical phase produces.
Governance Shapes the Attack Surface
Unmanaged assets, undocumented external connections and ungoverned vendor access are structural conditions that follow predictably from the absence of accountable leadership. The Red Team doesn't discover them — it confirms what the org chart already predicted.
Accountability Drives Remediation
Technical findings without an accountable owner stay in the report. The leadership gap isn't preliminary to the security program — it is the mechanism that determines whether the security program functions at all. Naming it is the first step to closing it.
