Nobody Owns OT Security — and That's the Real Vulnerability
Overview
Ask who is responsible for cybersecurity in a typical enterprise and the answer is clear: the CISO and the security organization. Ask who is responsible for the security of the operational technology that runs the plant, the grid, the production line, or the physical process, and the answer becomes a careful set of qualifications. The security team will say they are responsible for cyber, but OT is operated by the plant. The operations team will say they run the equipment, but security is the CISO's job. The engineers who actually understand the controllers will say their mandate is safety and uptime, not cybersecurity.
Everyone is partly responsible, which means no one is fully accountable. And this organizational gap — not any specific missing control — is the deepest vulnerability in most industrial environments. A technical weakness can be closed with a control. An accountability vacuum cannot be closed with anything except a decision about who owns the problem, and that decision is precisely what most organizations have avoided making.
The result is OT environments where security improvements stall not because anyone opposes them, but because no one owns driving them, funding them, or being answerable for them.
Why This Matters Now
The convergence of IT and OT has made this ambiguity untenable. For as long as operational environments were genuinely isolated, the lack of clear cybersecurity ownership had limited consequences — there was little external exposure to manage. That isolation has eroded: operational systems are now connected to corporate networks and the internet, which has turned OT into a target with real-world consequences. The organizational structure, however, has not kept up with the technical reality. The accountability model still reflects an era when OT and cyber were separate worlds, even though the threat has thoroughly merged them.
At the same time, the consequences of an OT compromise have risen — production shutdowns, safety implications, and in critical infrastructure, public impact. Regulators and boards are increasingly asking who is accountable for the security of operational systems, and organizations are discovering that they cannot give a clean answer. "It's shared between several teams" is not a governance answer; it is a description of the gap.
CISO2CISO Insight
In OT security, the most expensive thing is not the technology you haven't bought. It is the decision you haven't made — about who, exactly, is accountable when the systems that run the physical world are at risk.
Why Ownership Is So Hard in OT
The reluctance to assign clear ownership is not laziness. OT security ownership is genuinely difficult to place, for reasons rooted in how these organizations work.
The skills are split across functions. Understanding the threat requires security expertise. Understanding the consequence of a control on a physical process requires operational and engineering expertise. Neither group can own OT security alone without the other's knowledge, and the two groups have historically operated as separate cultures with different priorities, vocabularies and reporting lines.
The priorities can conflict. The security team's instinct may be to isolate or restrict; the operations team's mandate is uptime and safety. When ownership is ambiguous, these tensions go unresolved, and security improvements that carry any operational risk simply do not happen, because no one has the authority and the mandate to weigh the trade-off and decide.
The budget lines are separate. OT often sits within operational budgets oriented toward production and maintenance, not within the security budget oriented toward risk reduction. Funding OT security improvements requires reconciling these, which again needs an owner with the standing to do it.
The CISO's mandate frequently stops at the IT boundary. In many organizations, the CISO's authority was historically defined around IT, and extending it into the operational domain — where the operations leadership holds sway — is a real organizational shift that someone has to authorize.
Resolving the Accountability Gap
The solution is not to force OT security entirely onto the security team or entirely onto operations. Both would fail — security lacks the operational context, operations lacks the threat expertise. The solution is a deliberate accountability model that names a single owner while structurally requiring the collaboration the problem demands.
Name a single accountable owner. Someone must be answerable for OT security outcomes — typically the CISO, with an explicitly extended mandate, or a dedicated OT security leader reporting in a way that bridges security and operations. The specific choice matters less than the fact that one person is accountable rather than several being partly responsible.
Structure the collaboration formally. Because no single function holds all the necessary expertise, the operating model must require security and operations to work together by design — joint decision rights on controls that affect operations, shared risk assessment, and a defined process for weighing security improvements against operational impact.
Give the owner a real mandate and budget. Accountability without authority and funding is a setup for failure. The owner needs the standing to drive change across the IT/OT boundary and the resources to do it.
Make the board aware of the model. Because OT compromise carries enterprise and public consequence, the board should know who owns OT security and be able to hold that ownership accountable — which is impossible when ownership is diffuse.
Executive Framework
| Dimension | The ambiguous model (common) | A resolved model |
|---|---|---|
| Accountability | Shared, therefore absent | A single named owner |
| Expertise | Split, uncoordinated | Collaboration required by design |
| Decision rights | Unclear when priorities conflict | Defined joint process |
| Budget | Separate, unreconciled | Mandate with funding |
| When something stalls | No one drives it | The owner is answerable |
| Board visibility | "It's shared" | A clear owner to hold accountable |
What CISOs Should Do Next
- Surface the ownership gap explicitly — name the fact that OT security currently falls between functions, because the problem cannot be solved while it remains unspoken.
- Propose a single accountable owner for OT security outcomes, with a mandate that explicitly crosses the IT/OT boundary.
- Build a formal collaboration model between security and operations, with defined joint decision rights for controls that affect production or safety.
- Reconcile the budget question, ensuring the owner has the funding to drive OT security improvements rather than depending on operational budgets oriented elsewhere.
- Bring the accountability model to the board, so that ownership of OT risk is visible and answerable rather than diffuse.
- Invest in bridging the cultures, because the long-term capability depends on security and operations people who understand enough of each other's world to make good joint decisions.
Board-Level Questions
- Who, specifically, is accountable for the cybersecurity of the operational systems that run our physical operations — one named owner, or several partly responsible teams?
- Does that owner have the mandate, authority and budget to drive security across the boundary between our IT and operational environments?
- How do our security and operations teams resolve conflicts between security controls and operational priorities — through a defined process, or by default inaction?
- If an OT security improvement is needed but carries operational risk, who has the authority to weigh that trade-off and decide?
Final Takeaway
It is tempting to think of OT security as a technical frontier — a matter of finding the right tools for environments that resist conventional security. The tooling challenges are real. But in most organizations, the binding constraint is not technical at all. It is the absence of a clear answer to a simple question: who owns this? When the answer is "several teams share it," the practical result is that improvements stall, trade-offs go unresolved, and the environment drifts while everyone assumes someone else has it.
Resolving that is not a technology project. It is a governance decision — to name an accountable owner, give them a mandate that crosses the old boundary, require the collaboration the problem demands, and make the whole thing visible to the board. Until that decision is made, the most sophisticated OT security tooling will sit on top of an organization that cannot drive it.
The real OT vulnerability in most enterprises is not an unpatched controller. It is an unassigned responsibility — and no product fixes that.
*To be continued...*


