Part 5: Roles and Responsibilities in OT Security – Who Owns What?
In the previous part of this series, we explored what a solid OT security architecture looks like, complete with segmentation, monitoring, access controls, and incident readiness. However, even the most well-designed architecture is at risk of failure without clearly defined roles and responsibilities, and effective collaboration among the individuals responsible for its management and maintenance.
OT security is not a standalone concern. It is situated at the intersection of information technology, operations, engineering, security, and business leadership. This underscores the critical importance of considering both technological and non-technological factors when assessing the impact of AI. Success is contingent upon effective governance, clear ownership, and seamless cross-functional alignment.
In this post, we will examine the human aspect of OT security:
- Who owns OT security?
- How do IT and OT teams collaborate?
- What governance models work in the real world?
- And how can organizations build a culture of shared responsibility?
The Shared Challenge of Ownership
In many organizations, responsibility for security falls under the IT department’s purview. This model suits office networks, cloud systems, and corporate endpoints well. However, the situation becomes more complex when it comes to OT.
Different groups, such as plant managers, control engineers, and facility technicians, often manage operational environments. Historically, these groups have been responsible for availability and safety, not cyber risk. These teams may hesitate to adopt IT security policies they perceive as intrusive or disruptive. Conversely, corporate IT teams may lack the operational context to fully understand OT systems or protocols.
The result? There is a gap in ownership.
This gap is precisely where risk flourishes.
Key Roles in an OT Security Program
Let’s examine the critical roles involved in OT security and the responsibilities they typically carry:
1. Chief Information Security Officer (CISO)
- Defines overall security strategy and governance
- Ensures OT security is aligned with enterprise risk frameworks
- Champions investment and board-level visibility
- Often lacks direct operational authority in OT environments
2. OT or ICS Security Lead / Architect
- Acts as the bridge between IT security and OT engineering
- Designs OT-specific security controls and architectures
- Understands both technical and operational constraints
- Frequently found in more mature or regulated organizations
3. Operations / Plant Manager
- Responsible for uptime, safety, and productivity
- Gatekeeper for changes in OT systems
- May see security controls as potential disruptors
- Needs to be involved in security planning—not just informed after the fact
4. Control System Engineer / Technician
- Manages PLCs, HMIs, SCADA systems, and field devices
- First responder for abnormal behavior or system failures
- Key stakeholder in implementing and maintaining security controls
- Needs education and support, not blame or bureaucracy
5. IT Security / SOC Team
- Provides tools, monitoring, and incident response capability
- Often responsible for integrating OT into SIEM, threat intelligence, etc.
- Needs to adapt tools and processes for OT-specific limitations
6. Third-Party Vendors and Integrators
- Often have remote or on-site access to OT systems
- May introduce vulnerabilities if not properly governed
- Must be subject to onboarding, access control, and audit policies
Three Models of Governance: Centralized, Federated, Hybrid
Organizations adopt different governance structures depending on their maturity, size, and regulatory requirements. There are three standard models to consider:
1. Centralized (Security-Led)
- The CISO’s office drives security strategy, tooling, and decisions.
- Operations must comply with group-wide security policies.
- Good for consistency and compliance
- Risk of friction with operational teams
2. Federated (Operations-Led)
- Security responsibility is pushed to the business units or plants.
- Central IT provides guidance but does not enforce controls.
- Respects operational autonomy
- May lead to fragmented or inconsistent implementations
3. Hybrid (Collaborative Governance)
- Central security team defines standards, provides shared services (e.g., monitoring, identity), and supports plant-level teams.
- Local OT teams implement controls with flexibility within a common framework.
- Balance of agility and consistency
- Requires clear roles and communication
The hybrid model is increasingly regarded as the best practice, especially in large, decentralized organizations with complex industrial operations.
From Friction to Alignment: Building a Collaborative Culture
The distinction between IT and OT is frequently cultural rather than technical. To establish trust and alignment, it is essential to adhere to the following guidelines:
- Start with joint risk assessments: Get IT and OT stakeholders in the same room to identify and prioritize real-world threats.
- Create shared KPIs: Define success in terms of both security outcomes and operational impact (e.g., zero unplanned outages from security activity).
- Empower cross-functional teams: Establish working groups or “Cyber-OT task forces” that include engineers, operators, and security professionals.
- Train OT personnel in cybersecurity, and vice versa: Awareness is a force multiplier. Training should be tailored to each audience and grounded in real scenarios.
- Avoid blame culture: Mistakes will happen. The goal is improvement, not finger-pointing. Security is a team sport, especially in OT.
Conclusion: Security Is Everyone’s Job
Ensuring adequate OT security is not the responsibility of a single department; instead, it demands a collective mindset across IT, OT, and leadership. Technology alone is insufficient; it requires effective processes, accountability, and mutual respect.
Organizations that have succeeded in this area have treated OT security as a business function, rather than merely a technical challenge. They embed it into operations, align it with strategy, and make it part of how the business runs, not something bolted on after the fact.
Next: Navigating the OT Security Market
In the sixth installment of our series, we will examine the evolving landscape of OT security solutions:
- What types of tools and platforms exist?
- How are vendors positioning themselves?
- What role do managed services play?
We will help you cut through the marketing jargon and determine the optimal blend of technology and partners to bolster your OT security strategy.