
Rising cybersecurity threats and attacks are compelling industrial environments to develop high-performing cyber teams capable of effectively countering evolving attack vectors. Increasingly, success in this landscape goes beyond merely employing technical experts; it requires building resilient, agile teams equipped to anticipate, detect, and respond swiftly to emerging threats.

Companies also need to maintain heightened vigilance across their cyber teams. Most often, serious cyberattacks occur during off-hours or over a weekend when the team is unprepared or cyber defenses may be less stringent. Security teams cannot be hit or miss but need to be prepared for quick and appropriate action at a moment’s notice. Technical skills are a given, but it’s equally important to foster soft skills like flexibility, communication, and holistic thinking to create cyber defenses that are truly resilient.

Creating a mindset of trust and teamwork across multiple functions has been identified as critical. When organizations foster open communication and shared accountability, cross-functional teams can be developed to respond quickly to threats, particularly in an era of IT-OT convergence where OT (operational technology) and IT systems are increasingly blending together. As these environments converge, the connected network creates new openings for attackers, demanding teams that understand both IT and OT systems and can work together to close the gaps.

Mentoring and continuous education are also essential to building a better cybersecurity workforce. Experienced members need to guide less experienced members, sharing insights and expertise to develop their confidence and competence. Ongoing learning helps teams keep pace with changing threats, and regular drills and simulated exercises reinforce their readiness. Teams also need to be transformed to make use of real-time threat insight. Threat feeds and analytics can be incorporated into the daily workflow, enabling teams to see when an attack is coming and better prepare for it, thereby decreasing response time and impact.

At the end of the day, operational environments require a mix of technical skills, teamwork, and agility to develop high-performing cybersecurity teams. Cross-training should be nurtured, and organizations need an environment in which they can trust their staff to share knowledge and to learn proactively from it. Organizations can equip resilient teams to navigate the nuances of modern cyber threats, protecting valuable resources and ensuring business as usual in an evolving interconnected digital world.

DNA of high-impact industrial cyber teams

Industrial Cyber spoke with cybersecurity experts to identify the core traits, beyond technical expertise, that set apart high-performing cybersecurity teams in industrial settings, where safety, uptime, and operational continuity are non-negotiable.

Andrea Carcano, co-founder and CPO at Nozomi Networks

Andrea Carcano, co-founder and CPO at Nozomi Networks, recognizes that on top of technical expertise, the capacity to deeply understand the OT side of the house is not trivial. “In order to be a successful and high performing cybersecurity team, individuals need to understand how threats and issues can manifest when applied to OT since it functions very differently from the commonly understood world of IT security.”

Further, Carcano told Industrial Cyber that security teams need to align on the goals and objectives of the business and its owners and executives in relation to how cyber threats are presented, since having a false positive in an OT environment can be a lot more impactful for a business than experiencing a false positive in an IT environment. 

“Security professionals need to understand the role of and connect with operators with boots on the ground working on the sites that they are aiming to protect,” according to Carcano. “It’s key to have security teams fully onboarded and integrated within a company to ensure a seamless working relationship and so other teams can understand that cybersecurity is not there to make anyone’s role harder, but to help.”

Chris McLaughlin, chief information security officer for Johns Manville (JM), a Berkshire Hathaway company

“For my security team I look for three key areas – Accountability, Teamwork and Learning Agility,” said Chris McLaughlin, chief information security officer for Johns Manville (JM), a Berkshire Hathaway company. “Accountability is important because we need to have people that take personal ownership for the security of our company. Teamwork because we need to ensure that our employees are working together for a common cause.”

In OT, McLaughlin added that it is particularly important to have teamwork given the diverse skills and personality types across IT and engineering, making it critical to foster mutual respect and appreciation. “Learning Agility is so important for security. Fact is, threats and technology in security change quickly and we have to be able to adapt to those changes.”

Andres Prieto Anton, industrial cybersecurity expert

Andres Prieto Anton, an industrial cybersecurity expert, told Industrial Cyber that high-performing teams demonstrate deep operational awareness, risk-based thinking, and calm, clear communication. “They understand industrial realities—prioritizing safety and uptime—so their cybersecurity strategies are tightly aligned with process continuity and plant reliability. They don’t treat controls in isolation, but as part of the broader mission to protect human life, assets, and production.” 

Anton added that having a multi-technology, global-knowledge team also helps in understanding how to better tackle the different challenges.

Building resilient cybersecurity in age of IT-OT convergence

As IT and OT networks converge, executives examine how organizations are reworking the structure, mindset, and culture of their cybersecurity teams to protect operational resilience while preserving deep domain expertise.

Carcano identified that IT and OT technology convergence is a mainstream occurrence in facilities and infrastructure across several critical industries: automation is increasingly embedded within construction, hospitals are using technology in every aspect of patient care, airports utilize biometric systems and integrated tech to increase efficiency and safety. “Sometimes, this convergence happens unintentionally – it’s a natural consequence of the digital transformation we’ve come to expect and rely upon. While beneficial overall, this convergence also lends itself to increased risk and exposure to more vulnerabilities.” 

He added that IT/OT convergence without sufficient attention to cybersecurity best practices in both environments has led to a dramatic rise in security incidents, especially when taking into account the fact that every organization is at a different level of cybersecurity maturity and requires a unique plan of action to be the most effective against threats. Managing the increased attack surface of this convergence requires a shift in the way organizations structure their personalized security operations and priorities, a shift that we’re seeing more of, but that needs wider adoption.

First, Carcano pointed out that security teams need to start prioritizing OT networks. “While IT security is often embedded within security strategies, it’s difficult to find funding and support for OT-specific security because there’s a lack of understanding of the unique qualities and challenges that come with it, especially when combined with IT.” 

He noted that IT/OT convergence does not make them synonymous. If OT security is better understood, security teams have better visibility into how IT and OT networks present unique challenges when intertwined. “Having a strong understanding of where IT ends, where OT begins, and where the two overlap can bolster teams’ existing domain-specific expertise while enhancing operational resilience.” 

From there, Carcano added that security teams can strategize and streamline the process for their IT and OT teams to share threat intelligence and create a comprehensive and systematic security framework that integrates risk management, security testing and incident response/recovery plans.

“I am seeing quite a few mid to large sized organizations that are developing teams that include both engineering and IT,” McLaughlin said. “Each has its own set of skills and experiences and we need these to be successful.”

Anton said that organizations are “breaking down silos by embedding cybersecurity into OT context and expanding the IT cybersecurity training and generating specific OT cybersecurity training to the manufacturing workers: with the risk approach vision, that is easier to understand for them. The convergence of IT and OT is not just technical (the easy part) it’s also cultural mindset and a long journey.”

Crafting cross-functional trust for cyber resilience

Trust and coordination are often as critical as technical controls during incident response. The executives look into how successful teams build and sustain cross-functional trust between cybersecurity, engineering, and operations. 

Carcano observes that trust is fundamental. “To build cross-functional trust between teams within an organization, there needs to be alignment that maintaining a high security posture is a mission-critical priority for the company or organization as a whole – and clearly recognize who owns what and how every department works together toward the common goal.” 

“When an incident occurs, especially with cross-departmental collaboration, the temptation may be to deflect blame,” according to Carcano. “Especially as we’re just finally reaching a point where siloes between security, engineering, and operations are breaking down, it’s still a new process that teams are getting used to. That’s why establishing clear lines of communication and ownership, rewarding transparency, and making sure all teams have an understanding of how their systems and processes are intertwined are critical to success when a crisis hits. The work needs to be done long before an incident occurs.” 

Most importantly, Carcano added that all teams need to keep the end goal top of mind – robust security, and minimizing risk. “Making that paramount to all teams will naturally tie them together, and it makes the minutiae of working together much easier.”

McLaughlin said he tends to think trust is built when people share a common set of goals and priorities. “Tabletop exercises that highlight a cyber threat to an OT system help everyone understand what we are trying to protect and why. Having a common enemy often brings teams together and in the case of cyber, it is clear that those who wish to hurt our company or our employees are the enemy, not each other. After that, IT needs to add value to the OT side to build trust.”

“Trust is built through ongoing collaboration, not crisis,” Anton identified. “Having a dedicated team that is able to make the link between the IT and the OT worlds, that understand each way of speaking and working, make life easier to bring trust between both worlds: and that’s important to respond to an incident because all look for the same goal.”

Mentoring and training to strengthen cyber teams

Given the ongoing talent shortage in industrial cybersecurity, the executives address hiring strategies, mentorship programs, or internal training models that have proven most effective and scalable. 

“When it comes to defending against cyber threats, the most effective way to train talent in this space is through a hands-on approach,” according to Carcano. “Whether you are just starting your career or have been in the industry for a while, continuous education is paramount to successfully defending against the ever-evolving and ever-advancing threats of today. You can be the most advanced expert in the field now, but if you don’t keep studying, your knowledge and expertise is going to become outdated in a short amount of time.” 

He added that companies that want to address the talent shortage head-on understand that providing opportunities for constant upskilling and learning, so that people have the tools necessary to be successful, is the only way to best prepare and keep talent for this high-stakes role.

“Recruiting for IT/OT security people from within is usually the best way to handle the talent shortage,” McLaughlin said. “Having someone with a background in OT in a security organization helps to build credibility for the organization. It also allows employees to grow their skills.” 

He said that he looks for employees that have already demonstrated Accountability, Teamwork and Learning Agility when they want to join the security team as an OT employee. “We can teach IT skills, it is hard to teach those things.”

Anton observes that for those dedicated teams to make the link, scalable models focus on aptitude and upskilling. “I am in favor of hiring candidates with adjacent experience—such as control engineers or IT generalists—and training them in OT security. Also rotational programs between IT, OT roles are proving effective in growing hybrid-skilled professionals.”

Gauging cyber team performance for operational goals

The executives identify the metrics or indicators that most reliably show that a cybersecurity team is not just technically capable, but also aligned with operational reliability and business continuity goals.

Noting this to be difficult, McLaughlin said, “Much of this is not a hard metric that I measure. The more that my team demands from engineering to be part of their process, the more comfortable I am that we are doing the right things.”

“Meaningful indicators include OT-specific detection and response times (MTTD/MTTR), joint incident drill outcomes, collaboration meetings,” Anton said. “Metrics that link cyber health to uptime, safety incidents avoided, or resilience milestones achieved better reflect alignment with operational goals than purely technical KPIs like patch counts.”

Adapting cyber teams to real-time threat intelligence

With automation, AI, and real-time threat intelligence on the rise, executives explore how the role of the human analyst is changing and how leaders can ready their teams for this shift.

“If you’re a SOC analyst, you spend 95% of your time connecting the dots on what you are seeing on your screen, and only 5% of the time being strategic or actionable with that information,” Carcano said. “We have been stuck at this capacity within the SOC for the past 10 years. Artificial intelligence is changing the game because it can now help SOC analysts focus on what is more important by reducing their time on administrative and repetitive tasks, affording them a greater amount of time to be more strategic and less tactical.” 

He added that AI cannot replicate the strategic, deep thinking that a human is capable of, but can supplement it.

“This is a hard question to answer because we are so early in AI and it has grown so quickly. I worry about the impact on the next generation of cyber employees,” Anton said. “Most security people get their experience learning about cyber by doing the things that AI is starting to replace. Experienced cyber staff use AI to summarize and avoid basic tasks so they can see things that their experiences tell them. I am not sure how people new to cyber will get these experiences.”

He concluded that there is a danger in skipping some of the fundamentals that we learn from experience and in becoming too reliant on technology to be functional. “We will see how humans and technology evolve together.”