- By Jacob Chapman
- April 04, 2025
- ISA
- Feature
Summary

Throughout the past decade, some things in the OT cybersecurity industry have not changed (or have changed very little). Only a small percentage of asset owners have detection tools deployed at scale, despite monitoring and detection being an established product market. Systems remain inherently vulnerable, asset owners continue to struggle to recruit and retain OT cybersecurity talent, and comprehensive risk management programs are still rare.
What has changed is recognition of the risk, mindshare among organization leaders, and regulation that is beginning to carry punitive remedies, including legal and financial penalties, under certain conditions. Recent examples of the latter include (i) the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which established the requirement for covered critical infrastructure entities to report substantial cyber incidents and ransom payments to CISA, and (ii) the Transportation Security Administration (TSA) security directives, which impose requirements for network segmentation, access controls, monitoring and detection, and patching on transportation entities such as pipelines, railroads and airports.
These shifts are pushing formal responsibility and accountability toward CISOs, and steering the CISO population toward a business-risk view rather than a purely technical one. The question CISOs increasingly ask is therefore: "For my OT cybersecurity investments, can I demonstrate the business outcomes they achieved?" What "business outcome" means varies by project. It could be: has the investment in a monitoring and detection tool improved operational resilience and uptime in a measurable, demonstrable way? Or: have the security program improvements reduced the time needed for, and increased the accuracy of, the company's compliance reporting? Put simply, the question is: "Has what I've done even worked?"
That question has been notoriously difficult to answer. Even insurance providers, the actuarial masters of the universe with ostensibly the largest store of OT cybersecurity incident data on hand, have struggled to quantify the risk for one simple reason: the loss data is too sparse and too volatile to model with confidence. For practitioners, service providers and vendors, this poses both a challenge and an opportunity. The question is hard to answer, but those who can answer it will certainly earn the attention (and the dollars) of CISOs.
For the industry to prove business outcomes such as improved uptime or faster, more accurate compliance reporting, it needs data from providers and users alike, and it needs that data tracked both before and after a solution is implemented, so that the two can be compared. Projects that address this challenge are already in the works. One example is the Emerging Threat Open Sharing (ETHOS) project, formed by a collection of OT security organizations with the goal of making an open-source platform available for real-time, anonymous threat information sharing. The ETHOS platform would allow an organization to be alerted when a security threat is observed at another participating organization, without disclosing any sensitive data about the source, and would be available to organizations regardless of which technologies they do and do not have deployed.
Information sharing efforts such as ETHOS (though not only ETHOS) would be an important step toward answering "Is what we're doing even working?", and they would also drive progress in several other areas. Former Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly has long advocated collaboration between government and industry to advance the field and shore up critical infrastructure defenses. Furthermore, impact data is what will allow leading OT cybersecurity standards, such as the ISA/IEC 62443 series (a consensus-based set of requirements and guidance), to evolve from being based primarily on expert judgment to being additionally reinforced and refined by demonstrable data.
Ultimately, the shift in mindset toward business outcomes is timely and needed. It will drive demand for data the industry must have. It will promote collaboration between governmental and commercial entities, even competitors, and steer users and providers alike toward solutions that make a real impact.
Published by: Robots Team. Please credit the source when reposting: https://robotalks.cn/the-shift-toward-a-business-outcomes-mentality-in-ot-cybersecurity/