What the OT vCISO Measures First:
The Honest Maturity Baseline

According to Fortinet's 2025 State of Operational Technology and Cybersecurity Report, 81% of industrial organizations rate their OT security maturity at Level 3 or 4 on a five-level scale. That's a confident industry. Then consider this: the same survey shows that as organizations advance in genuine maturity, they discover more blind spots, not fewer. And Fortinet's own data shows the percentage of firms claiming complete OT asset visibility has declined from 13% in 2022 to roughly 5% today.

That math doesn't add up. The gap between those numbers is where security strategies quietly go wrong.

The first two articles in this series traced the accountability gap at the top of most OT security programs. With accountability clarified, the next question is: what does the program we're now accountable for actually look like? The honest answer often surprises organizations.

Self-assessment bias isn't unique to cybersecurity. But in OT environments, specific structural factors make the gap between perceived and actual maturity unusually wide.

The most common problem is measuring inputs instead of outcomes. According to the SANS 2024 State of ICS/OT Cybersecurity Survey, 84% of respondents have a policy for remote access. Only 34% test incident response using OT-specific environments. Having the policy and being able to execute it under pressure are very different things.

Compliance frameworks deepen the problem. Passing a compliance audit doesn't demonstrate operational security maturity. The APTA OT-CMF framework is explicit: an organization cannot claim a maturity level "unless they are performing all the practices successfully." Yet many self-assessment tools accept policy existence as proof of consistent practice.

Then there's the visibility paradox. Fortinet's 2025 data shows that the percentage of organizations claiming 100% OT asset visibility has been declining since 2022. As organizations gain genuine maturity, they develop a more honest picture of what they don't know. Confidence drops as capability rises. NCC Group notes that internal assessors frequently evaluate their own work, creating bias that independent assessment is designed to remove.

This is the structural problem the OT vCISO is designed to solve. Internal teams, even skilled and well-intentioned ones, are assessing their own work against standards they've internalized over time. The OT vCISO brings domain expertise shaped across multiple industrial environments, a clear sense of what genuine maturity at each level actually looks like in practice, and no organizational stake in the result being favorable. That combination produces a fundamentally different kind of assessment.

A self-survey asks whether processes exist. An external assessment asks whether they work.

That means physical inspection of the OT environment, not just document review. Network topology analysis that reveals segmentation gaps and undocumented connections. Technical validation of actual patch levels and access controls. A threat presence sweep for active indicators of compromise that existing monitoring may have missed. Dragos, which conducts OT assessments across industrial sectors, routinely finds suspicious activity that an organization's own tools had not detected.

CISA has made asset inventory the explicit starting point through its 2025 "Foundations for OT Cybersecurity" guidance, issued jointly with NSA, FBI, EPA and international partners. The framing is direct: you cannot protect what you cannot see. Physical inspection is required because environments change faster than documentation is updated.

An honest baseline, the kind the OT vCISO establishes in the early weeks of engagement, covers four areas. Each one reveals a different kind of gap, and together they define where the program actually stands.

• 1

  Governance and Accountability

  Only 39% of SANS 2024 respondents have centralized governance under a CISO. Without clear ownership, decisions about OT risk investment and response authority get made ad hoc. The accountability gap isn't just a leadership problem; it's a risk amplifier for every other gap that follows.

• 2

  Visibility

  Fortinet's 2025 data shows fewer than 1 in 20 industrial organizations can claim full OT asset visibility, a share that has been declining since 2022. This is the foundational capability everything else depends on. You can't monitor what you haven't mapped. Attack paths move through exactly these visibility gaps, the same environments where organizations believe their monitoring is adequate.

• 3

  Response Capability

  NCC Group's OT incident response data shows just over half of organizations have a dedicated ICS/OT incident response plan, and nearly one in three have no plan at all. Applying IT-centric response actions in OT environments, including aggressive containment and automated shutdowns, can halt production, damage equipment or create safety hazards.

• 4

  Recovery Readiness

  Return-to-service time has been the top OT security success metric for four consecutive years per Fortinet 2025. Yet Dragos and Marsh McLennan's 2025 OT Security Financial Risk Report estimates that in a severe worst-case scenario, global OT cyber losses could reach $329.5 billion, with $172.4 billion attributable to business interruption alone.

Investment decisions made on incorrect maturity assumptions don't just fail to improve security. They misallocate resources. According to Nexus Connect's 2025 OT security economics analysis, much of the industry's investment favors surface-level defenses while foundational architectural risks remain unaddressed. SANS 2025 data shows more than half of organizations cite compliance obligations as their primary investment driver, frequently at the expense of long-term resilience.

Organizations buy detection tools for environments they haven't fully mapped. They invest in sophisticated capabilities built on foundations they haven't validated.

That's the earliest and most important contribution the OT vCISO makes. Not an audit. Not a judgment of the existing team. A clear picture of where the program stands, built on evidence, benchmarked against real standards, translated into a roadmap that sequences the right investments in the right order.

SANS 2024 data captures what that difference produces: organizations using both ICS/OT standards and threat intelligence are described as "lightyears ahead" of peers in maturity and operational capability. They detect events faster, have better-mapped environments and are more likely to have OT-specific incident response in place.

The honest baseline isn't a confession. It's the strategic foundation every subsequent decision depends on. You can't close a gap you haven't measured. And the continuous validation loop we'll examine later in this series is what prevents the maturity mirage from quietly re-forming after the initial baseline work is done.