
In the face of growing threats and attacks, OT cybersecurity reporting is a consistent chink in the armor across critical infrastructure environments. Across many organizations, OT (operational technology) security continues to report into IT chains of command that have no visibility into operational risk, leading to slower response times, limited cross-domain orchestration, and boardrooms that are unaware of the weaknesses and critical needs of operational environments.
Recent cybersecurity incidents have revealed that these aging reporting mechanisms are downright brittle, especially in the haze of a cyberattack, where murky responsibilities, unclear roles, and misaligned governance stymie decisions and obscure accountability. This is an organizational and structural problem, not only a technical one, and it is costing organizations time they cannot afford to waste.
Leaders are rethinking how the OT security role is positioned within larger governance models. Hybrid models that integrate centralized control with empowered site-level leads are emerging under compliance pressures, which are increasing under NIS2, TSA mandates, and SEC disclosure guidelines. These regulations require visibility and, more importantly, demand accountability.
If organizations want to create a united cyber defense, reporting lines must be clear, responsive, and based on the practical realities of OT environments. This includes giving OT cybersecurity a clear voice, specific authority, and a direct line to leadership. Anything less leaves critical systems vulnerable and leaders unprepared, especially when adversaries attack.
Inside OT cybersecurity reporting structures
Industrial Cyber reached out to experts to examine the most common OT cybersecurity reporting structures and where these models typically fall short when it comes to addressing real-world threats and operational risks.

Jason D. Christopher, senior vice president of cybersecurity and digital transformation for research and innovation at Energy Impact Partners (EIP), mentioned that reporting structures for OT cybersecurity typically fall in a few buckets – completely isolated based on facility or system, federated across a large enterprise, or a mix between the two.
“Many OT cybersecurity programs start organically from the bottom up, which is where the isolated programs typically fall,” Christopher told Industrial Cyber. “A hero (or team of heroes) performs some part of an OT cybersecurity program over time. There’s nothing inherently wrong with these homegrown programs, and many organizations will benefit from localized efforts early on. Over time, however, larger organizations will want to streamline and optimize these programs, which is why federated programs have some clear benefits: single chain-of-commands, centralized OT cybersecurity support and resources, and force multipliers when using similar tools and skills across multiple OT cybersecurity disciplines.”
He added that the last SANS State of ICS/OT Cybersecurity Survey identified that many programs have some sort of federated approach, with about 40% of respondents having centralized reporting to the CISO.

“Most OT cybersecurity teams either report through operational leadership, such as plant managers or chief operating officers, or fall under the CISO or IT chain. However, both approaches have their challenges,” Matt Wiseman, director of product marketing at OPSWAT, told Industrial Cyber. “Many teams lack visibility into enterprise-level threats, and IT-centric models often struggle to understand industrial protocols and safety requirements, sometimes even disrupting operations by applying unsuitable security practices.”
Wiseman added that there’s also frequently a disconnect between IT and OT priorities: IT focuses on confidentiality, integrity, and availability, while OT prioritizes availability and safety first, then integrity, and lastly confidentiality. Finally, incident response can be delayed when authority is unclear or communication is siloed.

Marco Ayala, president of InfraGard Houston, told Industrial Cyber that the most common structures include centralized models (OT security reports to a CISO or Director of IT/OT security head), decentralized models (site-level OT teams report locally, especially across different business units), and hybrid models (central oversight with local execution).
“Centralized models often lack site-specific context, slowing response times,” he added. “Decentralized models suffer from inconsistent standards and resource allocation, and hybrid models struggle with unclear authority lines, leading to coordination gaps. Aside from proper funding to OT, these fall short against real-world threats due to slow decision-making, misaligned priorities, and insufficient OT-specific expertise.”

Matt Morris, CEO of Ghostline Strategies and co-founder of a stealth-mode cyber and AI start-up for critical infrastructure, told Industrial Cyber that OT cybersecurity reporting structures generally fall into three models. In the centralized, IT-led model, a unified cybersecurity team under the CISO, typically within the IT function, manages OT security.
He added that in the decentralized, operations-led model, site-level OT teams take ownership of security and report directly to local operations or engineering leadership. The hybrid model combines elements of both, with OT security leads reporting locally for day-to-day operations while aligning with centralized cybersecurity governance for tools, policies, and oversight.
Each model has benefits, but also critical flaws when facing real-world cyber threats. Centralized, IT-led structures often lack the deep operational technology expertise needed to respond effectively in industrial environments. These teams tend to focus on traditional enterprise threats, overlooking the safety, availability, and lifecycle demands unique to OT. As a result, their responses to OT-specific incidents are frequently delayed or ineffective.
Decentralized, operations-led models offer strong situational awareness at the plant level but often fall short on cybersecurity maturity, standardized practices, and alignment with broader enterprise risk strategies. This leads to inconsistent defenses and limited visibility across sites—gaps that attackers are quick to exploit.
Hybrid or federated models attempt to strike a balance between local agility and centralized oversight. When clearly defined, they can bridge governance with frontline realities. But without established roles, effective communication, and decision-making authority, these models risk internal confusion, misaligned priorities, and sluggish incident response.
Morris noted that a broader issue across all structures is limited visibility and influence at the enterprise level. “OT cybersecurity is often buried within IT or engineering hierarchies, without direct access to boards or risk committees. This weakens urgency, underfunds initiatives, and marginalizes OT cyber as a technical issue rather than a business risk.”
Identifying that OT cybersecurity cannot be treated as a subset of IT or an operational afterthought, Morris noted that it requires dedicated leadership, integrated reporting lines, and a seat at the strategic table. “To evolve, organizations should elevate OT security leadership with dual alignment to both operations and enterprise cyber governance; ensure OT cyber risks are reported to executive and board-level risk functions; and enable shared response protocols and visibility between IT and OT teams. As cyberattacks increasingly target industrial systems, aligning reporting structures to reflect OT’s criticality is no longer optional—it’s foundational for cyber resilience,” he added.
Breaches highlight need to rethink OT cybersecurity reporting structures
Recent OT-targeted cyber incidents have exposed flaws in legacy reporting chains. The executives look into the gaps that these attacks have brought to light, and the hard lessons industrial organizations have had to learn.
“While OT systems are not a new target for attackers, the frequency and intensity of these incidents have increased. There are certainly lessons learned from across the industry, but I think most of this can be boiled down to the type of leadership at the top,” according to Christopher. “Failures in remediating incidents (and preventing them in the first place) usually come from a lack of communication, cultural disconnects, or underestimating the industrial cyber risk.”
He added that the right leader with the right skillset can overcome all of these challenges…with the right support. “This leans heavily on the idea that industrial organizations need an industrial CISO—someone who understands both IT and OT, the culture between the two groups, and the ability to discuss threats, vulnerabilities, and impacts due to a cyber incident that impacts operations, safety, and the engineering consequences.”
Wiseman said that recent attacks like Colonial Pipeline, Oldsmar water, and ransomware incidents in manufacturing have shown how fragmented reporting can slow down decision-making, leave executives unaware of OT-specific risks, and highlight a lack of practice of crisis scenarios with an OT focus.
“The hard lessons for industrial organizations have been clear: OT threats can quickly disrupt operations and even threaten safety,” he added. “Effective governance can no longer separate IT and OT; instead, it must connect them. And when it comes to crisis response, organizations have learned they need to rehearse together across both functions to be truly prepared.”
“Incidents to date still expose inadequate network segmentation, delayed incident reporting, and weak IT-OT integration,” Ayala identified. “Lessons learned include the need for real-time monitoring, clear escalation paths, ownership and enablement, and OT-specific incident response plans. Legacy chains often failed due to siloed teams, unclear accountability, and underestimating OT’s unique risks, like physical safety impacts, environmental, or the costs for specialized process equipment.”
Morris said that recent OT-targeted cyber incidents, such as Colonial Pipeline, JBS, and Oldsmar, have exposed significant gaps in how industrial organizations structure their cyber response, particularly across IT and OT environments. These attacks revealed systemic flaws that adversaries exploit with increasing precision.
Addressing the hard lessons learned, Morris emphasized that OT security requires specialized expertise. It is not simply IT security applied in a different setting—it demands deep operational knowledge, distinct tooling, and risk models that prioritize physical safety and system uptime.
He stressed that integrated response structures are critical. Organizations must develop joint response plans that clearly define IT and OT roles, responsibilities, and communication channels, particularly for threats that cross both domains. Fast, decisive action hinges on having clear escalation procedures and delegated authority. Ideally, these are formalized in playbooks that address both site-level and enterprise-level risks.
Morris also noted that board-level visibility is essential. These incidents have made it clear that OT cyber risks are also national security risks. As a result, organizations are beginning to elevate OT security to the boardroom, where it receives the funding, governance, and attention it requires. Finally, he pointed out that compliance deadlines are adding new urgency. Emerging regulations such as NIS2, TSA directives, and SEC rules demand faster reporting and greater accountability, reinforcing the need for incident management frameworks that are streamlined and fully aware of OT realities.
Governance models shift as OT security roles get redefined
When it comes to centralized governance models, the executives analyze the role regional or site-level OT security leads should play. They also focus on how hybrid models provide the right mix of local autonomy and centralized oversight.
Christopher said that site-level OT security leaders are vital for federated models. “They are the champions for cybersecurity for these facilities, many of which serve local communities. They will also be the first line of defense during cybersecurity incidents and will already be on-site. Centralized OT teams may be hours away, and quick, in-person expertise can be an invaluable resource when responding to cyber threats. That said, in many small towns or rural communities, it will be extremely difficult to hire a dedicated OT cybersecurity professional, and it would be a mistake to think this person’s time would be 100% dedicated to OT cybersecurity.”
He noted that in the last SANS State of ICS/OT Cybersecurity Survey, over half of the respondents spent less than 50% of their time on OT cybersecurity. “It would make sense that on-site personnel should be flexible team members with a skillset to support OT cybersecurity, and leveraging ample support from centralized resources. This is very similar to how industrial organizations approach safety, where the concepts are baked into the team and culture with corporate support.”
“In centralized governance models, regional or site-level OT security leads play a vital role. They bring real-time situational awareness, ensure that centrally defined policies are effectively enforced on the ground, and coordinate incident response with local teams,” Wiseman said. “Hybrid models can offer the best of both worlds. By keeping strategy, tools, and compliance centralized, organizations maintain consistency and control. At the same time, empowering local leads allows for flexible execution, asset-specific adjustments, and faster containment during incidents.”
Ayala detailed that in centralized models, regional/site-level OT security leads should handle local implementation, real-time monitoring, and incident response while aligning with enterprise policies. “Hybrid models balance autonomy (local decision-making for site-specific risks) with oversight (centralized standards, resource allocation). Success hinges on clear roles, regular training like ISA, and defined escalation paths to avoid conflicts.”
“In centralized governance models, regional and site-level OT security leads are indispensable,” Morris said. “They serve as the frontline of cyber defense, equipped with deep knowledge of local systems, vendor environments, and operational constraints. Their proximity to industrial processes—whether it’s SCADA networks, PLCs, or bespoke legacy systems—makes them uniquely positioned to identify context-specific risks and act swiftly when incidents occur.”
He added that hybrid models, when well-executed, provide the right mix of centralized governance and local agility. “Central teams own enterprise strategy, tooling (e.g., SIEMs, asset inventories), and threat intelligence, while site-level leads manage day-to-day execution, contextual adaptation, and rapid response. This federated approach allows for scalability, consistency, and resilience—without sacrificing operational nuance.”
However, Morris said that success hinges on clear communication protocols, well-defined roles, and shared tooling.
Compliance pressures reshape OT cybersecurity reporting structures
Regulatory frameworks like NIS2, TSA security directives, and the SEC cyber disclosure rule are shifting the accountability landscape. The executives focus on how OT cybersecurity reporting structures are evolving to meet these new compliance pressures in critical infrastructure sectors.
Christopher said that regulations are always a mixed bag of challenges and benefits, but a clear win for accountability is the visibility regulations provide to boards of directors and other executives.
“Over the past few years, we’ve seen the largest increase in ICS/OT-specific cybersecurity regulations ever,” he added. “While the changes may take some time to fully appreciate, we’ve already seen an increase in executive-level tabletop exercises and scenario analysis specific to OT cybersecurity in the board room. While there are not many cybersecurity experts on boards, they are becoming increasingly ‘cyber literate’ and already speak the language of ‘risk management,’ which has a clear path to better accountability and reporting structures as a result.”
Wiseman identified that to keep up with a reshaped accountability across critical infrastructure, “organizations are making CISOs clearly accountable for OT security as well as IT, formally defining OT-specific roles, such as OT CISOs or site cyber coordinators, and improving reporting pipelines to boards and regulators to include OT visibility. As a result, many organizations are merging IT and OT security teams under unified governance while still maintaining the domain expertise and specialized controls needed to protect operational environments effectively.”
“NIS2, TSA directives, and SEC rules demand stricter incident reporting (e.g., 24-hour notifications under NIS2) and board-level accountability,” Ayala said. “Reporting structures are shifting to include dedicated OT security roles reporting to CISOs, cross-functional IT-OT committees, and direct board access for cybersecurity leads. Compliance pressures push for risk-based assessments and unified governance to meet deadlines like NIS2’s October 2024 enforcement.”
Morris noted that compliance is now a governance issue, not just a technical one. “Meeting today’s regulatory expectations means OT cybersecurity must be embedded in leadership structures, backed by clear accountability, and visible at the highest levels of the organization.”
Optimized OT cybersecurity reporting structures key to unified cyber defense
Clear reporting lines are essential during high-impact incidents. The executives evaluate how optimized OT cybersecurity reporting structures improve coordination between OT and IT teams during cross-domain cyberattacks.
“Attackers do not care if you have an IT team and a separate OT team for security. They are simply attacking the organization. So, internally, it’s vital to minimize friction as much as possible,” Christopher said. “This includes communication across teams, which may be larger than just ‘IT’ and ‘OT,’ and should include legal, engineering, HR, and even media relations, who will be extremely active during a cyber incident. The best way to understand if your communications and workflows are optimized is to test them before an incident occurs.”
He added that tabletops and simulations are great ways to understand your gaps and shore them up before the really bad day occurs.
Wiseman highlighted that clear reporting lines are especially crucial for major incidents that span both OT and IT. “Optimized structures—like joint or federated security operations centers (SOCs), predefined escalation paths with cross-functional incident commanders, and shared threat intelligence and playbooks—allow teams to coordinate more smoothly. They help contain attacks faster, minimize operational downtime, and ensure legal and reporting requirements are addressed quickly and effectively.”
“Optimized structures use cross-functional teams with clear reporting lines to a central incident response coordinator,” Ayala said. “Joint IT-OT playbooks, regular drills, and shared visibility tools (e.g., ICS network perimeter monitoring) ensure faster response. Defined roles prevent overlap, while unified command structures streamline decisions during cross-domain attacks, minimizing downtime and safety risks… which are top of mind and priority.”
Morris said, “Optimized frameworks significantly elevate OT–IT collaboration during cross-domain cyber incidents by bringing unity, clarity, and agility to response efforts, enabling cohesive action instead of operational friction. I am a big believer in the ICS4ICS system when it comes to dealing with incidents.”
He identified several key impacts observed in practice. Organizations were able to contain evolving threats more quickly, especially those that spanned both IT and OT environments. Escalation processes and executive reporting became more coherent, helping to reduce confusion and finger-pointing during incidents. Post-mortem analyses and lessons learned were better aligned across teams, due to the adoption of a shared incident response framework. Most notably, true operational synergy emerged, with IT and OT teams working from the same threat narrative, coordinated, confident, and capable.
Closing the gap: Ensuring OT cyber isn’t an afterthought
In many organizations, OT security teams struggle for influence. The executives explore how companies can ensure OT cybersecurity isn’t sidelined, especially when IT controls the budget, sets the strategy, and dominates board-level discussions.
“There is no one-size-fits-all approach for streamlining and popularizing OT cybersecurity. These conversations require cultural change management and will not be built overnight,” Christopher said. “Unfortunately, many organizations are reactive in this area and do not make adequate investments until after an incident. We can, and should, do better.”
Pointing to the last SANS State of ICS/OT Cybersecurity Survey, he added, “that leadership in this area really matters. When an industrial CISO ‘owned’ OT cybersecurity, they were twice as likely to have mapped their programs to standards, showing strengths and weaknesses across their program. They also perform annual security assessments and are 53% more likely to have mapped all external communications to ICS/OT networks compared to organizations that have not centralized their OT security programs.”
Christopher added that based on this data, it’s a clear recommendation for organizations to centralize their OT cybersecurity efforts with a clear champion and sufficient resources to enable change.
“Companies need to give OT cybersecurity a strong, visible voice. Appointing a dedicated OT security leader who reports directly to the CISO or even the board is a key step,” Wiseman said. “Involving OT leaders in security committees and budget planning, and regularly briefing the board on the operational impact of OT breaches, further strengthens its position. By taking a risk-based approach that connects OT security to core business objectives such as enterprise risk, safety, and business continuity KPIs, organizations can ensure OT cybersecurity is a strategic priority.”
Ayala said that to avoid sidelining, “OT security teams need direct reporting to the CISO or board, not IT intermediaries; priorities and bias are very realized when you are in the thick of it. I have witnessed a shift where IT and sometimes OT leadership roles are increasingly reporting to the Chief Financial Officer (CFO) in certain organizations, though it’s not yet a universal standard. This shift reflects the evolving role of CFOs, who are transitioning from traditional financial stewards to strategic leaders with broader oversight, particularly in digital transformation and operational efficiency.”
He added that companies can integrate OT risks into enterprise risk frameworks, allocate dedicated OT budgets, and train boards on OT’s unique stakes (e.g., safety, operational continuity). Cross-training IT and OT staff and showcasing OT’s business impact elevate its strategic voice.
“To ensure OT cybersecurity gets the attention it deserves, organizations must move beyond treating it as a subset of IT and instead recognize it as a core pillar of operational resilience,” according to Morris. “That means elevating OT security within governance, budgeting, and strategic decision-making processes.”
He concluded that “OT cybersecurity must be positioned as mission-critical. With executive sponsorship, dedicated resources, and a seat at the strategy table, OT cyber can drive both resilience and competitive advantage.”

Anna Ribeiro