The IT cybersecurity industry has been evolving for decades, building defenses, responding to new threats, and learning from its own missteps. As cybersecurity for Operational Technology (OT) and Industrial Control Systems (ICS) continues to mature, there’s a valuable opportunity to build on those lessons and forge a more resilient path forward. OT/ICS environments have unique challenges, but they also have the benefit of hindsight. By learning from IT’s successes and failures, we can avoid repeating history and better secure our critical systems from the start.

Compliance Isn’t Security

One of the early missteps in the IT cybersecurity space was an excessive focus on compliance rather than actual risk reduction. Too often, organizations pursued “checkbox security”, meeting the minimum requirements of a standard without truly addressing the underlying risks. This approach can lead to wasted time and money, as teams prioritize the quickest or cheapest route to compliance, even when those actions do little to improve the organization’s security posture.

A classic example (while not directly from cybersecurity) comes from the utility sector. Some utilities are required to trim trees a certain distance from power lines. On paper, this mitigates storm damage. But when trees are allowed to grow around the lines, the spirit of the requirement is missed. Technically compliant? Maybe. Effective? Not at all.

Another key issue with compliance-focused cybersecurity programs is the near-impossible task of crafting perfect regulations, ones that strike just the right balance between protecting critical assets and addressing evolving threats, all while ensuring efficient use of resources. The lack of a “perfect” regulatory framework can lead to gaps where organizations meet the letter of the law without meaningfully reducing risk.

A clear example comes from the IT world and the PCI DSS standards, developed to protect credit card information. Although well-intentioned, these standards unintentionally incentivized organizations to engineer systems to be “out of scope.” As a result, potentially vulnerable systems were excluded from security protections not because they posed no risk, but because they were no longer covered by regulatory requirements.

This same pattern has been echoed in the OT space through NERC CIP standards, which aim to secure the Bulk Electric System (BES). Some organizations have tried to downplay the criticality of their systems to avoid regulatory scrutiny. In a 2024 report, the Federal Energy Regulatory Commission (FERC) found that some entities were classifying multiple systems within a single facility as separate “Control Centers” to reduce each one’s individual risk profile under the standards, essentially gaming the system to avoid stricter obligations.

This leads to a constant cycle of rule revisions and debates over applicability. While the goal is to close loopholes, this ongoing tug-of-war drains time and energy from where it’s needed most: actually reducing cybersecurity risk. Ultimately, when compliance becomes the destination rather than a stepping stone, organizations risk losing sight of their broader responsibility: to secure critical infrastructure in a meaningful and sustainable way.

The Pitfall of Perimeter-Only Thinking

Another misstep in the evolution of IT cybersecurity was the overreliance on perimeter defense. Firewalls, once heralded as the ultimate safeguard, became the centerpiece of many security programs. This perimeter-focused approach left end users vulnerable once those outer defenses were breached, with few (if any) controls in place to mitigate damage from within.

As organizations layered on more technology, new problems emerged. Alert fatigue, driven by the sheer volume of irrelevant or false-positive notifications, diluted response effectiveness. This in turn gave rise to the adoption of Security Information and Event Management (SIEM) tools to manage the noise. Yet even SIEMs require thoughtful configuration, tuning, and human expertise to deliver real value.

The reality is that no single tool, whether it’s firewalls, antivirus software, Intrusion Detection/Prevention Systems (IDS/IPS), or even the more modern Extended Detection and Response (XDR) solutions, can guarantee protection against cybersecurity threats. Every tool has limitations, and even the most advanced can be rendered ineffective if relied upon in isolation.

Ultimately, the failure isn’t in using these technologies; it’s in treating them as silver bullets instead of components in a layered, risk-based security strategy.

The Danger of the Cybersecurity Silo and the “Culture of No”

A third common misstep in IT cybersecurity has been the tendency for security teams to operate in isolation, disconnected from the broader business they are meant to support. This siloed approach often gives rise to what’s known as a “Culture of No,” where cybersecurity teams are seen primarily as gatekeepers, focused on denying requests and blocking initiatives rather than enabling secure innovation.

In practice, this disconnect creates friction. Employees, frustrated by rigid restrictions, find their own workarounds, introducing unmanaged, unapproved solutions that carry even greater risk. This phenomenon, known as Shadow IT, became especially visible in the widespread use of personal tools like Dropbox or Google Drive when corporate systems failed to meet users’ evolving needs for remote access and collaboration. Rather than empowering the business, this posture undermines trust and security alike. Effective cybersecurity requires active collaboration, empathy, and an understanding that security should be a business enabler, not a business obstacle.

Collaborating for Security: Aligning OT/ICS Cybersecurity with Operational Priorities

To advance cybersecurity in the industrial space, the OT/ICS security community must move beyond mandates and embrace collaboration. Cybersecurity cannot succeed in isolation, particularly in critical infrastructure sectors where uptime, safety, and reliability are non-negotiable. When security professionals approach operations teams with prescriptive demands (especially without first establishing mutual trust), resistance is almost guaranteed. This adversarial dynamic not only erodes cooperation but ultimately undermines the organization’s ability to reduce risk.

Instead, OT/ICS cybersecurity leaders should begin by listening. Engage with operations teams to understand their pain points, workflows, and constraints. When cybersecurity solutions are aligned with operational needs, they become enablers, not obstacles. For example, maintaining an accurate asset inventory is a challenge shared by both cybersecurity and operations. Leveraging network visibility tools that can automate asset discovery helps both teams, reducing manual effort while enhancing cyber hygiene.

This kind of win-win collaboration requires more than just technology. It demands a shared vision. A successful OT/ICS cybersecurity program depends on fostering cross-functional partnerships between cybersecurity, compliance, and operations, built on respect, transparency, and common goals. These relationships enable the development of programs that are not only technically sound but also operationally feasible.

Cybersecurity professionals in industrial settings must refocus their priorities: from enforcing controls to reducing real-world risks, from checking boxes to enabling resilient operations. This mindset shift will pave the way for both short-term wins and long-term program maturity.

How Enaxy Can Help

At Enaxy, we specialize in bridging the gap between cybersecurity and operations. Our team works directly with industrial organizations to build tailored OT/ICS cybersecurity programs that align with operational realities, not against them. Whether it’s deploying asset discovery tools, designing risk-informed segmentation strategies, or guiding teams through NERC CIP, ISA 62443, or NIST frameworks, we meet you where you are.

We’ve helped energy, manufacturing, and infrastructure clients across North America strengthen their security posture without sacrificing uptime or straining operational teams.

Let’s turn cybersecurity into a strategic asset. Contact us at info@enaxy.com to start a conversation. We’re ready to help you build a safer, more resilient industrial future.