Skip links
Schedule A Meeting
Cabreza

Bridging the Divide: How Cybersecurity Architects Can Secure OT Without Owning It

Introduction: Securing What You Don’t Control

In large industrial enterprises, securing operational technology (OT) has evolved from a nice-to-have to a regulatory and business imperative. Yet for cybersecurity architects, this mission comes with a twist: you’re often responsible for security outcomes on systems you don’t own.

That’s because OT environments—factory floors, control systems, SCADA networks—typically fall under the purview of engineering, not IT. As attacks on industrial infrastructure increase, so do expectations for IT security leaders to engage, influence, and protect OT assets.

So how do you secure OT without direct control? Through governance, empathy, and a collaborative use of cybersecurity resources.

Governance in the Gray Zone: Where IT and OT Overlap

While IT and OT have distinct priorities, their networks are increasingly intertwined. As a result, risks once isolated in one domain can now propagate to the other.

But here’s the catch: OT teams often lack the funding, headcount, and security experience to manage these risks. Meanwhile, IT security leaders are held accountable for enterprise-wide protection—including OT breaches.

This creates a unique opportunity for shared governance and strategic co-investment.

The Budget Bridge: A Practical Collaboration Strategy

🔑 Callout: Using IT Cybersecurity Budget to Secure OT—Smartly

Many IT security programs already carry budget lines for tools, audits, and risk mitigation. Here’s how you can leverage that budget collaboratively:

  • Fund centralized solutions that support both domains:
    Example: Deploy an enterprise-wide Security Information and Event Management (SIEM) system and extend visibility to OT endpoints. The OT team benefits from detection and analytics; you gain visibility into industrial environments.
  • Sponsor shared training and tabletop exercises:
    Bring OT stakeholders into cyber resilience simulations funded by your IT security budget. This builds awareness, trust, and response maturity.
  • Co-fund network segmentation projects:
    Use IT funds to upgrade firewalls, DMZs, or remote access controls that protect both IT and OT infrastructure. Ensure OT operations help shape the design.
  • Offer “starter funding” for OT security maturity assessments:
    Pay for a third-party risk assessment or IEC 62443 gap analysis, then hand over results and roadmap ownership to the OT team.

This isn’t about taking over—it’s about seeding progress and demonstrating value that earns goodwill and deepens collaboration.

Finding Common Ground: Speaking the Language of Risk and Uptime

As a cybersecurity architect, you’re trained to think in threat models and frameworks. OT teams, on the other hand, live and breathe uptime and physical safety.

To bridge the gap:

  • Translate security concerns into operational risk scenarios (e.g., “A ransomware attack could halt production for 3 days”).
  • Position security improvements as enablers of safety and system reliability.
  • Lead with business continuity and resilience outcomes, not mandates.
Establishing Collaborative Governance Models
  1. Create a Cyber-Physical Security Council

Bring together IT, OT, compliance, and safety leaders to:

  • Prioritize cross-domain risks.
  • Approve common controls and procedures.
  • Coordinate responses to blended threats (e.g., a phishing attack leading to a plant shutdown).
  1. Draft a Joint MoU or RACI Model

Clearly document:

  • Who owns which assets and risks.
  • How changes are approved across domains.
  • Which teams lead incident response in OT environments.

The result? Clarity, coordination, and a foundation for co-investment.

Designing Defensible Architecture Without Ownership

Use your influence to build trust-based reference architectures:

  • Define safe network segmentation models tailored for ICS environments.
  • Establish remote access guidelines that satisfy both IT security and OT operations.
  • Align with frameworks like IEC 62443, and help OT map out next steps for implementation.

Remember: you’re a guide, not a gatekeeper.

Final Thoughts: Aligning Incentives, Sharing Wins

Securing OT without owning it is one of the toughest assignments in cybersecurity. But it’s also an opportunity to evolve how security is delivered in industrial enterprises.

By leveraging IT resources to enable OT resilience, architects can lead with influence instead of control—and drive shared outcomes that benefit the entire organization.

✅ Your Next Steps

  1. Identify joint infrastructure or tools that serve both IT and OT.
  2. Propose a shared funding model for at least one OT security initiative.
  3. Launch or participate in a cross-domain governance council.
  4. Co-develop an OT risk assessment roadmap with engineering leaders.
  5. Track and report shared wins across IT and OT teams.

Want to create a governance model or co-investment strategy that actually works? Get in touch with Cabreza — we help cybersecurity architects and operations teams build bridges that last.

CISO decides how to split budget between IT and OT security initiatives.

You may also like

NIS2 cybersecurity regulation has arrived
6 days ago

NIS2 Is Here

Security architects in industrial sectors: discover how to build NIS2-compliant OT cybersecurity programs with a focus on governance, policy, and architectural standards.

6 days ago

Tools Deployed, Questions Remain

Cybersecurity architects and leaders face challenges after deploying security tools. There also needs to be focus on operationalizing these tools through policies, processes, and governance frameworks.