OT Cybersecurity: Culture Over Compliance for Long-Term Impact

Introduction: Why the Culture Conversation Still Needs Attention

Most of the ICS/OT cybersecurity community already recognizes that culture matters as much as compliance, if not more. Yet despite that awareness, compliance still dominates the conversation, the funding, and the focus.

Why does this imbalance persist?
How does it affect real outcomes?
And what can be done to shift from acknowledgment to action?

While frameworks, audits, and controls provide structure, culture remains the under-leveraged pillar of ICS/OT cybersecurity maturity. Yes, we need policy, standards and procedures – but we need those to be practiced. And we need people who are empowered, aligned, and invested in doing so.

The Compliance-First Mindset in ICS/OT

Compliance delivers necessary outcomes: regulatory alignment, audit readiness, and risk reduction. Standards and regulations like IEC 62443, NERC CIP, and NIST SP 800‑82 help formalize good practices and provide assurance to stakeholders.

But compliance also encourages a minimum-viable approach of meeting expectations rather than exceeding them. It promotes a static, checklist-driven mentality that doesn’t account for the evolving nature of threats, systems, and operations.

When compliance gets all the attention, culture gets treated as intangible, unmeasurable, or worse, optional.

Why Culture Must Lead

Culture turns policy into practice. It fills the space between procedures and behaviors, between documentation and decision-making.

A strong cybersecurity culture in ICS/OT:

  • Internalizes security as a shared responsibility.
  • Empowers operators, engineers, and leadership to engage with security meaningfully, not mechanically.
  • Normalizes continuous learning and adaptation, making the organization more resilient to both known and unknown risks.

And to be frank, leadership plays a pivotal role here. Culture needs to be modeled, not mandated.

Evolving ICS/OT Programs Through Culture-Driven Approaches

The most effective programs are tailored from the ground up to reflect industrial realities.

What this looks like in action:

  • Program design starts with process safety, reliability, and operational goals—not just threat models.
  • Cross-functional collaboration becomes routine, not exceptional. Engineering, safety, and cybersecurity are communicating and aligning in strategy, not just incident response.
  • Security practices are embedded in operations, from shift handovers to maintenance schedules. They’re not bolted on after deployment.

This is less about fixing friction and more about building frameworks that reflect how OT actually works.

Culture and Compliance Together: Not Either/Or

In reality, culture and compliance are complements.

  • Compliance sets the baseline rules, thresholds and structure.
  • Culture elevates the practice: the behaviors, values, and adaptability that give those rules life.

Governance, risk, and compliance (GRC) functions should reflect evolving understanding, not just enforce fixed templates. With culture in the driver’s seat, compliance becomes a vehicle for trust and resilience, not simply an audit success.

Practical Steps to Build ICS/OT Cybersecurity Culture

  1. Define Business-Aligned Objectives
    What must the OT cybersecurity program achieve for the business? Objectives might include improved system trustworthiness, maintained or increased uptime, or enhanced operational predictability. Reduced risk scores affirm progress, but they are not the foundation.
  2. Appoint Culture Stewards Across Domains
    Identify and empower individuals from engineering, safety, operations, and cybersecurity to be champions. They don’t want to be taken down by ransomware any more than you do.
  3. Develop Role-Based Training with Context
    Go beyond policy education and help people understand the why, not just the what of security. Use scenarios relevant to actual, real-world workflows and risks.
  4. Establish Two-Way Feedback Loops
    Since culture thrives on conversation, use check-ins, retrospectives, and informal listening sessions to gather input and adjust direction.
  5. Measure What Matters
    Move past phishing tests and compliance scores and track things like shared ownership of security actions, language used in meetings, and proactive decision-making around OT change management.

Realistic, Non-Tool-Based Outcomes

When culture is driving the program, the outcomes go beyond tools and alerts:

  • Language evolves: security is naturally part of project planning, operational updates, and team retrospectives.
  • Trade-offs are owned, not avoided. Teams can articulate and manage security-related decisions in context.
  • Trust is built, not just between teams and systems, but across the organization.
  • People connect their role to cybersecurity, even in moments without screens or policies.

This is the heart of mature security: not just capability, but confidence and clarity in how we act.

Conclusion: From Awareness to Action

Everyone knows culture matters. But knowing isn’t doing. Compliance can, and should, continue to guide the ICS/OT security journey. But without culture, it doesn’t prepare any asset owner for long-term resilience.

So ask yourself and your organization:

  • Are expectations clear, achievable, and aligned with operations?
  • Is feedback incorporated into how we improve our cybersecurity posture?
  • Are we having the conversations that help culture mature, not just policy advance?

You don’t need more awareness. You need more movement.