The Role Nobody Owns

Fortinet's 2025 State of Operational Technology and Cybersecurity Report found that 52% of organizations now assign OT security responsibility to the CISO or CSO, up from just 16% in 2022. Problem solved.

Except it isn't. Fortinet's same report found only 35% of those organizations have a mature, fully integrated IT/OT security operations model. The title changed. The capability didn't follow.

That gap is not a personnel failure. It's a structural one: the absence of dedicated OT security executive leadership.

The CISO role was built for IT: confidentiality, integrity and availability, in that order. Data protection, access controls, endpoint security, cloud risk, regulatory compliance. The IT CISO knows this terrain.

OT environments work differently in almost every important dimension. The priority order inverts to availability, integrity, then confidentiality. A control system taken offline to prevent a data breach hasn't protected the organization. It has created a different kind of crisis.

OT environments run on equipment with 15-to-20-year lifecycles, where a patch that takes 10 minutes in IT can require weeks of vendor coordination, production window planning and safety review. Industrial protocols like Modbus, DNP3, EtherNet/IP and PROFINET don't behave like IT protocols under standard security tooling. An attack on a safety instrumented system doesn't compromise records. It can compromise people.

As Control Engineering noted in January 2025, securing OT environments requires a unique blend of IT, operational and domain-specific expertise, a combination that is hard to come by and takes years to develop.

The IT CISO typically has one of those three. Two, if they've made a genuine effort to bridge the gap. As PwC's 2025 OT security research notes, accountability for OT risk "typically spans security, operations, engineering and compliance," with no single executive owning the domain with depth enough to drive it forward. The consequence, per PwC: "funding gaps, decision-making paralysis and disorganised incident response."

When OT security lacks dedicated executive leadership, the consequences are measurable.

Dragos' 2026 OT Cybersecurity Year in Review found an 8-to-1 gap between organizations with comprehensive OT visibility and those without. Organizations with that visibility contained OT ransomware incidents in an average of five days. The industry-wide average was 42 days.

The financial stakes are escalating. IBM's 2024 data puts the average industrial sector breach cost at $5.56 million, an 18% year-over-year increase and the largest cost increase of any sector studied. Manufacturing accounted for more than two-thirds of ransomware victims in 2025, according to Dragos, while 119 ransomware groups impacted 3,300 industrial organizations, a 49% increase in group count from the prior year.

Response without OT-specific leadership is often improvised. SANS' 2024 State of ICS/OT survey found only 56% of respondents had an ICS/OT-specific incident response plan. Halliburton's August 2024 incident put the stakes in board-level terms: a $35 million pre-tax charge, disrupted billing operations, suspended share buybacks and a required SEC 8-K filing. Industrial cyber risk is no longer an operational abstraction. It's a shareholder event.

A full-time CISO salary runs $245,000 to $402,000 annually. An executive combining OT domain expertise, ICS/SCADA knowledge, safety system familiarity and board-level communication capability commands a premium above even that range. For most industrial organizations, manufacturing plants, utilities and energy operators outside the Fortune 500, that hire is prohibitive without an established ROI story.

Even organizations that can fund the role struggle to fill it. The global cybersecurity talent shortfall is estimated at nearly 5 million positions. OT-specific security expertise is a scarce subset of an already constrained pool. The result is organizational inertia: the IT CISO carries OT responsibility on paper, multiple teams share accountability informally and nobody owns it with enough domain expertise to drive the program forward.

Boards are beginning to sense the problem. Alignment between boards and CISOs on OT oversight has dropped from 84% in 2024 to 64% in 2025, according to Industrial Cyber. Even as formal CISO ownership of OT increased, board confidence in that leadership declined.

When OT security has genuine executive ownership, the program looks measurably different.

SANS 2024 data found that when an industrial CISO owned OT cybersecurity, 82% of those programs were mapped to standards, compared to 42% in organizations without clear executive ownership. Organizations with dedicated ICS/OT leadership were 53% more likely to have documented all external connections to their industrial environments. Detection speed improves. Response coordination improves. Board communication becomes substantive.

The industrial security executive translates the realities of the plant floor into risk language the board can act on, ensuring security investments reflect OT priorities rather than defaulting to IT frameworks. SANS' 2025 Leadership Lens identified the consistent pattern: organizations that performed best treated ICS/OT security as a business-critical discipline and aligned investment to operational risk first.

The fractional OT vCISO model was built for this problem.

A fractional engagement provides OT-specific executive leadership at a fraction of the cost of a direct hire, typically $50,000 to $150,000 annually, representing 60-75% savings compared to full-time employment. It bypasses the six-to-12-month hiring timeline for a scarce talent pool and provides access to OT domain expertise most mid-market industrial organizations cannot attract full-time.

The OT vCISO establishes governance, develops the OT-specific security roadmap, ensures board communications reflect actual industrial risk and builds the program architecture that supports a full-time hire when scale and complexity eventually warrant it. This isn't a consulting engagement. It's the executive ownership layer that industrial cybersecurity programs need, and that almost none currently have.

The rest of this series examines what that leadership layer builds. Most organizations already sense the vacancy. The question is whether you close it proactively, or wait until the incident makes the case for you.