Something doesn’t add up.
The OT security industry is spending $282 billion a year on mitigation. Cybercrime is projected to cost industrial organisations $10.29 trillion globally by 2025. And, according to a 2025 report from Fortinet, 31% of industrial organisations now report six or more intrusions per year. The investment is going in. The losses are going up. So what’s going wrong?
After over 20 years in Manufacturing Technology, including leading a global OT security transformation programme across 77 sites at a major pharmaceutical manufacturer, I’ve seen this pattern more times than I’d like. The problem is almost never a lack of technology or a lack of budget. It’s a lack of the right foundations, and a set of very human blockers that the industry still isn’t talking about honestly enough.
“The problem is almost never a lack of technology or a lack of budget.”
The blockers that don’t make it into the reports
Ask the people responsible for OT security in manufacturing businesses what actually stops progress, and you hear the same things, again and again. They tend to fall into three categories.
Denial and deflection. “We’ve got a CISO and a SOC, we’re covered.” “We have backups.” “This is like Y2K — a lot of spend and nothing will happen.” “It’s too expensive right now.” “It’s the CISO’s problem, not mine.” These aren’t fringe views. They are mainstream responses from senior leaders in manufacturing businesses, and they are still slowing programmes down every day.
Overwhelm. “There’s too much information coming out of these tools and I have no idea what to do with it.” “The big four came in and gave me a long list of things I can do.” For operations leaders without a deep security background, the volume of guidance, tooling, and competing frameworks can make the whole thing feel impossible to start. So they don’t.
Accountability gaps. “I know what I need to do, but I can’t get the funding.” “I’ve started, but my business won’t help, won’t engage, and doesn’t understand why this matters.” “I’ve got money but I don’t know where to begin.” The people who understand the problem can’t get traction. The people who control the budget don’t yet understand the problem. And nothing moves.
“The people who understand the problem can’t get traction. The people who control the budget don’t yet understand the problem.”
Why technology alone doesn’t solve it
When organisations do push past the blockers and start investing, the instinct is usually to reach for tools. Deploy a monitoring platform. Run a penetration test. Buy a new firewall. And those things have their place. But dropped into an environment without the right culture, skills, processes, and governance underneath them, they tend to create complexity rather than reduce risk.
Think of it this way: putting a turbo engine into a car and leaving the brakes, suspension, and tyres untouched doesn’t make you faster. It makes you more dangerous. The same logic applies in OT security. The technology investment only delivers when the foundations are solid enough to support it.
Those foundations aren’t just technical. They’re cultural. They include whether your operations teams understand why security matters to them personally, whether your IT and OT teams are speaking the same language or talking past each other, whether accountability for security outcomes is clear or permanently contested, and whether your leadership team can translate OT risk into business terms that actually land in a board conversation.
When those things are missing, adding more technology makes the problem harder to manage, not easier. To quote a CISO colleague, “I’ve got so much technology and data that I can’t see the wood for the trees”.
Where to start
The good news is that you don’t need to solve everything at once. The organisations that make real progress tend to share a few things in common: they get clear on what they actually have before they start layering on controls, they build accountability into the programme from the start rather than treating it as a security team concern, and they prioritise ruthlessly rather than trying to address every finding on a long list simultaneously.
Simplification, not more complexity. Foundations before tools. People and process before technology.
That’s the lens I’ll be bringing to my talk at BSides on 10 April, where we’re going to get into the specifics of why programmes stall and what it actually takes to build OT security that sticks on the factory floor.
Not sure where your programme stands?
Harpoon’s free OT security self-assessment takes around ten minutes and gives you a clear picture of where you are, where the gaps are, and what to focus on first.
Sources
Statista; Fortinet OT Security Report; Gartner/market research summaries; World Economic Forum; Cyberproof Global Threat Intelligence. Figures are global and combine IT/OT where noted; methodologies differ by source.
