As 2025 comes to a close, one message stands out across every industrial sector I worked with this year. From conducting ICS/OT incident response tabletops, OT network security assessments, OT visibility solution selection and deployment to aligning ICS/OT cybersecurity programs to common frameworks, I’ve learned that the biggest opportunities in ICS/OT security are no longer just technical. They are leadership, governance, and clarity-of-role opportunities.
Cyber incidents are continuing to occur across industrial environments. According to the SANS State of ICS/OT Security 2025 Report, more than one in five organizations (21.5%) experienced a cybersecurity incident this year, with 40% of those events disrupting operations and nearly 20% taking over a month to remediate. Amid these ongoing attacks, the organizations that recovered fastest, minimized safety impact, and maintained stable engineering operations were those where leadership defined how decisions are made, who holds accountability, and how teams coordinate in the wake of a breach.
I consistently observed two main leadership barriers (but also several wins!) during my field work on manufacturing sites, electric power substations, maritime ports, energy systems, pharmaceutical production, and transportation systems this year. First, many organizations still suffer from unclear roles between OT, IT, engineering, and cybersecurity teams. During real incidents and tabletop exercises, delays often stem from uncertainty over who leads containment, who decides to fight through an attack while maintaining safety, or who has authority to isolate control systems if it comes to that. This leaves teams hesitating at critical moments where there is zero time to waste.
Second, many facilities still operate with limited OT network visibility. The SANS State of ICS/OT Security 2025 Report found that only about one in eight organizations have full visibility across the ICS Cyber Kill Chain, with monitoring strongest at the enterprise level (Purdue Level 3) but dropping sharply at the controller and field device layers (Levels 2 and 1). Without a consolidated view of engineering assets, all inventoried remote access pathways, and internal east/west industrial protocol network monitoring, leaders often make decisions without a clear, engineering-informed picture. It also slows response and increases risk during high-pressure events.
The organizations that performed best in 2025 shared a common pattern. Their leaders aligned governance and investment decisions to safety and operational risk first. They embraced the differences between IT security and ICS/OT security and viewed securing ICS/OT environments as business critical.
In addition, mature leaders have defined responsibilities clearly across OT, IT, engineering, and respective security teams, removing ambiguity long before an incident occurs. They spend time testing their decisions and their dedicated ICS/OT incident response plan in tabletop exercises. And they are running their ICS/OT dedicated incident response plan in exercises quarterly now, rather than just annually. Those priorities mirror what the SANS report identified as the top areas of investment across the industry: asset visibility, threat detection, secure remote access, and vulnerability management — capabilities that directly reduce downtime and safety risk.
I’ll be diving deeper into these themes in my upcoming SANS webcast on Dec. 9, 2025, Building a Safety-Aligned ICS/OT Cybersecurity Program. During the webcast, I’ll outline the most common leadership pitfalls I’ve seen across industrial sectors during my 2025 field work. I’ll also expand on how to avoid them with actionable engineering tasks and leadership moves.
You can register for the upcoming webcast here. I hope to see you there!


Dean Parsons, CEO of ICS Defense Force, teaches ICS515 and co-authors ICS418, emphasizing ICS-specific detection, incident response, and security programs that support OT operations—aligning practitioners and leaders on clear, defensible action.