In most industrial organizations, operational technology (OT) cyber security is drifting in a dangerous vacuum. It sits in a “no-man’s land” between the IT world, which has security expertise but does not understand the physical processes, and the OT world, which understands the processes very well, but has not traditionally dealt with cyber threats. As a result, when a problem arises, the blame-shifting game begins. IT points to OT, OT points to IT, and both sides often point to outside vendors.
This lack of clearly defined ownership and decision-making structure is one of the biggest, yet most often ignored, barriers to building real digital resilience. You can buy the best technologies and write the most perfect procedures, but if you don’t know who is ultimately responsible for implementing, enforcing and funding them, they will remain just a theory. OT security ceases to be a “nobody’s” problem and becomes a “shared” problem only when it is supported by a solid foundation of organizational governance.
Creating such a structure is not bureaucratic art for art’s sake. It’s a fundamental shift in the way the company is managed to break down historical silos and force all key stakeholders - Board of Directors, IT, OT, Finance and Legal - to talk in a single, consistent language of business risk. It’s a difficult process, but one that is absolutely necessary to successfully navigate an increasingly complex risk and regulatory landscape.
Without a formal governance structure, why will OT security always be a “nobody’s” problem?
The “no man’s land” problem has deep historical and cultural roots. For decades, OT networks were the domain of manufacturing engineers, and their main concern was reliability and physical security. Cyber security, if it existed at all, was realized through physical isolation. The IT team, on the other hand, was building its expertise in protecting the corporate network. The result was two powerful, separate kingdoms with different goals, languages and budgets.
When IT/OT convergence broke down the walls between these kingdoms, no one took care to redefine the boundaries of responsibility. As a result, OT security has become an organizational “orphan.” The IT team doesn’t feel fully responsible because “it’s not our systems and we don’t understand their impact on production.” The OT team also doesn’t feel responsible because “we don’t have the competence, tools or budget for cyber security.”
This lack of ownership leads to paralysis. OT security initiatives get bogged down because no one has a mandate to lead and fund them. Risks are identified, but not mitigated, because it is unclear who is supposed to make the decisions. In the event of an incident, instead of a coordinated response, we have chaos and mutual blame. Without a formal structure, OT security will always be reactive and chaotic, instead of proactive and strategic.
What is organizational governance in the context of industrial cyber security?
Organizational governance is the formal system of rules, practices and processes by which an organization is directed and controlled. In the context of OT cybersecurity, governance defines the “who, what and how” of decision-making, risk management and accountability enforcement. It is the organizational backbone upon which the entire security program is based.
An effective governance model for OT is not a copy of the IT structure. It must be designed specifically for the needs and priorities of the production environment. Its goal is a framework that ensures security decisions are made in an informed, consistent manner, aligned with the business goals of the entire company rather than those of a single department.
Good organizational governance answers fundamental questions: Who is the ultimate owner of risk in the OT area? Who sets security strategy and policies? Who approves the budget? How do we measure the effectiveness of our activities? How do we resolve conflicts between IT and OT priorities? Creating clear answers to these questions is the first step to emerging from the chaos.
Why must any effective OT security strategy start at the board level?
Many OT security initiatives fail because they are grassroots, technical projects that lack support at the highest level of the organization. OT security is not a technical problem that can be “fixed.” It’s a strategic business risk that directly affects a company’s ability to generate revenue and can lead to catastrophic financial losses and even life-threatening risks. Managing such risks is the primary responsibility of management.
Board involvement (executive sponsorship) is absolutely critical to success. It is the board that must formally recognize OT cyber security as a strategic priority. It is the one that needs to give the initiative the necessary prominence, allocate the necessary resources, and give program leaders a strong mandate to act and overcome internal resistance. Without this support “from the top,” any attempt to effect change will be blocked by organizational silos and budget battles.
The NIS2 directive further reinforces this need by making members of governing bodies directly liable for negligence in the area of cyber security. Management can no longer claim that “it’s a matter for IT.” It must actively oversee the process, understand the key risks and make sure the company has an effective strategy to mitigate them.
Who is ultimately responsible for OT security: the CISO, COO, or someone else entirely?
One of the first and most important decisions in building a governance model is to clearly define ownership. Who is the one person in the organization who is ultimately responsible for the success or failure of the OT security program? There is no one-size-fits-all answer to this, and the choice of model depends on the culture and structure of a given company.
In some organizations, this responsibility is assigned to the **Chief Information Security Officer (CISO)**. This is logical, as the CISO has the most security expertise. The challenge, however, is that the CISO traditionally comes from the IT world and may lack sufficient understanding of, and authority in, the OT world. For this model to work, the CISO must have a very strong mandate from the board and work closely with operations management.
In other companies, responsibility rests with the Chief Operating Officer (COO) or the head of production. This model ensures that security is tightly integrated with operations, but carries the risk that it will be pushed to the back of the line under pressure to meet production goals. A hybrid model is also increasingly common, in which a dedicated **OT Security Manager** is appointed, reporting either to the CISO or jointly to the CISO and COO.
How to set up a cross-functional steering committee that becomes a bridge between IT and OT?
Regardless of who is the ultimate owner, no single person can manage such a complex area alone. The key to success is the establishment of a cross-functional steering committee, which becomes a formal platform for cooperation and decision-making. It is this committee that is the “bridge” where representatives of all the feuding parties meet.
The committee should include key decision makers from different parts of the organization. It must include representatives from IT management (e.g., CIO), IT security (CISO), OT operational management (e.g., Plant Director, Chief Engineer) and business. Depending on the needs, experts from legal, HR or purchasing can also be invited to participate in the meetings.
Such diverse representation ensures that all perspectives are taken into account when making decisions. It also ensures that decisions made by the committee will have support throughout the organization and will be implemented effectively, rather than being boycotted by individual departments.
What are the key tasks and powers of the OT security steering committee?
The steering committee is not a discussion circle. It is a formal decision-making body with a clearly defined mandate and responsibilities. Its main task is strategic oversight of the entire OT security program. It is responsible for approving the overall security strategy, policies and standards.
The committee’s key tasks also include risk management at the strategic level. The committee regularly reviews the most important risks in the OT area, assesses their potential impact on the business and makes decisions on their acceptance, transfer or mitigation. It is the steering committee that approves key projects and allocates the necessary resources and budget for their implementation.
The committee also serves as a forum for conflict resolution. When a dispute arises between IT and OT over priorities or how to implement a particular security feature, the steering committee is the instance that listens to the arguments of both sides and makes the final, binding decision based on the overriding interest of the entire company.
Pillars of effective organizational governance in OT
| Pillar | Goal | Key Action |
|---|---|---|
| 1. Board support | Ensure strategic priority, mandate and resources. | Active involvement of management in overseeing the security program. |
| 2. Clear accountability | Eliminate the “no man’s land” problem and the lack of ownership. | Formal assignment of ultimate responsibility for OT security (e.g., to the CISO or COO). |
| 3. Steering committee | Create a platform for cooperation, decision-making and conflict resolution. | Establish a cross-functional team with representatives from IT, OT, security and business. |
| 4. Common risk model | Create a single, understandable language for assessing and communicating risks. | Implement a risk assessment framework that links technical vulnerabilities to business impact. |
| 5. Common policies | Ensure consistent and realistic security policies for the entire organization. | Jointly develop policies and standards that are acceptable and enforceable in OT. |
How to create a common risk management model that all parties understand?
One of the biggest challenges in communication between IT and OT is the lack of a common language to describe risk. The IT team talks about “CVSS 9.8 vulnerabilities,” while the OT team talks about “production stoppage risk.” For the steering committee to make informed decisions, it needs a common, unified risk management model that can translate technical risks into their real business impact.
Such a model must combine elements from both worlds. Risk assessment should start with identifying the technical vulnerability and the likelihood of its exploitation (IT domain). But a key second element must be an assessment of the potential business and operational impact (OT domain). This impact should be expressed in terms that management can understand: potential financial loss, downtime, risk to human safety or reputational risk.
With this approach, the committee’s discussion is no longer abstract. Instead of arguing about CVSS assessment, the team discusses a specific scenario: “Risk R1, exploiting vulnerability X in system Y, has a probability of occurrence of ‘Low,’ but its potential impact is 12 hours of downtime and losses of €2 million. Do we accept this risk or invest in mitigating it?”
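The scenario above can be made concrete as a small risk register that carries each finding from the technical description (CVSS score, likelihood) through to the business impact the committee actually decides on (downtime, financial loss, safety). The following Python is an added example and is not nFlo’s code or model; the likelihood and impact scales, the thresholds, the 3×4 rating matrix, and the three register entries (R1 from the text, plus two constructed contrasting scenarios) are assumptions that a real committee would calibrate for its own company. It also shows why sorting by CVSS alone gives the wrong agenda.

```python
from dataclasses import dataclass

# Ordinal scales agreed by the committee (constructed values for this example).
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class RiskScenario:
    risk_id: str
    vulnerability: str     # technical finding, as IT describes it
    cvss: float            # CVSS base score of that finding
    system: str            # affected OT system
    likelihood: str        # "Low" / "Medium" / "High", agreed jointly by IT and OT
    downtime_hours: float  # estimated production stoppage if exploited
    loss_eur: float        # estimated financial loss over that stoppage
    safety_impact: bool    # could the scenario endanger people?


def impact_level(s: RiskScenario) -> str:
    """Business impact tier (OT domain). Thresholds are constructed; calibrate them."""
    if s.safety_impact:
        return "Critical"
    if s.loss_eur >= 1_000_000 or s.downtime_hours >= 24:
        return "High"
    if s.loss_eur >= 100_000 or s.downtime_hours >= 4:
        return "Medium"
    return "Low"


def risk_rating(s: RiskScenario) -> str:
    """Combine likelihood (IT domain) and impact (OT domain) on a 3x4 matrix."""
    score = LIKELIHOOD[s.likelihood] * IMPACT[impact_level(s)]  # 1..12
    if score >= 8:
        return "Critical"
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def committee_question(s: RiskScenario) -> str:
    """Phrase the scenario the way the committee discusses it, not as a CVSS number."""
    safety = " with risk to human safety" if s.safety_impact else ""
    return (
        f"Risk {s.risk_id}, exploiting {s.vulnerability} in {s.system}, has a "
        f"probability of occurrence of '{s.likelihood}', but its potential impact is "
        f"{s.downtime_hours:g} hours of downtime and losses of EUR {s.loss_eur:,.0f}"
        f"{safety}. Rating: {risk_rating(s)}. Do we accept this risk or invest in mitigating it?"
    )


def agenda(register):
    """Order the register for the meeting: highest rating first, then largest loss."""
    order = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
    return sorted(register, key=lambda s: (order[risk_rating(s)], s.loss_eur), reverse=True)


def cvss_order(register):
    """What a purely technical ranking would put first (for comparison only)."""
    return sorted(register, key=lambda s: s.cvss, reverse=True)


# Constructed register: identifiers, scores and amounts are illustrative only.
REGISTER = [
    RiskScenario("R1", "vulnerability X", 7.5, "system Y", "Low", 12, 2_000_000, False),
    RiskScenario("R2", "remote code execution (CVSS 9.8)", 9.8, "isolated engineering test bench",
                 "High", 0, 5_000, False),
    RiskScenario("R3", "weak default credentials (CVSS 6.5)", 6.5, "safety controller on line 2",
                 "Low", 48, 800_000, True),
]

if __name__ == "__main__":
    print("CVSS-only order:", [s.risk_id for s in cvss_order(REGISTER)])
    print("Committee agenda:", [s.risk_id for s in agenda(REGISTER)])
    for s in agenda(REGISTER):
        print(committee_question(s))
```

R1 reproduces the article’s wording: a “Low” likelihood combined with a “High” business impact lands on “Medium”, which is exactly the kind of rating the committee must explicitly accept or fund. R2 is the classic IT/OT disagreement: the highest CVSS on the register, but on an isolated bench with no production at stake, so it drops down the agenda; R3 has the lowest CVSS but a safety dimension, so it goes to the top. The scales and thresholds are the part the committee owns and should revisit as its risk appetite changes.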
Why do security policies and standards for OT need to be created collaboratively rather than imposed by IT?
Many organizations make the mistake of simply trying to extend their existing corporate IT security policies to the OT environment. Such a top-down approach is doomed to failure in advance. Policies created for the office world are often unrealistic and unworkable on the shop floor.
A policy that mandates monthly password changes on all systems may be a good standard in IT. But in OT, where controller passwords are often hard-coded into many applications, such a change is a gigantic and risky project. Imposing such a policy without consultation will lead OT engineers to ignore or bypass it, seeing it as just another ill-conceived idea from “those in IT.”
This is why policies and standards for OT must be developed collaboratively, within the steering committee. The process must involve OT engineers, who know best what is technically and operationally feasible in their environment. The goal is a set of policies that genuinely improve security while remaining practical and acceptable to the people who must follow them every day.
What are the first steps in building a new management structure in your company?
Building a governance model is an evolutionary process that must begin with small but fundamental steps. The first step is to get a formal endorsement and mandate from the board. A solid business case should be prepared to show the board why the current lack of structure is a serious risk and why an investment in governance is necessary (the argument of NIS2 requirements can be used here).
The second step is to establish an informal cross-functional working group, which will be the nucleus of a future steering committee. The purpose of this group is to conduct an initial diagnosis of the current state - identifying key stakeholders, assembling existing policies and procedures, and creating a first high-level risk map.
The third step is to hold the first formal meeting of the steering committee, under the auspices of a board member. At this meeting, the committee’s charter (its goals, composition, authority and frequency of meetings) should be formally approved, and a work plan for the coming months should be agreed upon. The most important thing is to get off the ground and create a formal platform for regular dialogue.
How does the new structure help resolve conflicts and build a culture of cooperation?
The main value of a formal governance structure is that it replaces chaos, informal arrangements and disputes over responsibility with a transparent, agreed decision-making process. The steering committee becomes the official and only place to resolve strategic dilemmas and conflicts at the IT/OT interface.
When an issue arises, it is no longer a “hot potato” tossed between departments. It is formally put on the committee’s agenda. Both sides have the opportunity to present their arguments based on a common risk model. The decision that is made is a joint decision made by representatives of all parties involved, not a unilateral decree of one department.
Regular meetings and working together to solve problems within the committee naturally build mutual understanding and trust. IT engineers begin to understand the limitations and priorities of OT, and OT engineers begin to appreciate the security perspective. Over time, the culture of conflict and rivalry begins to give way to a culture of partnership and shared responsibility.
What indicators (KPIs) should the steering committee track to measure progress?
To ensure that the security program is not just a collection of activities, but a viable strategy, its progress must be measurable. The steering committee should define and regularly track a set of Key Performance Indicators (KPIs) that will objectively show whether the program is moving in the right direction.
These indicators should cover various aspects. They can be maturity indicators, such as percentage progress in implementing key security controls (e.g., “percentage of OT assets inventoried,” “percentage of network segmented”). They can also be operational indicators, such as “number of critical vulnerabilities detected,” “average time to remediate vulnerabilities,” or “results of simulated phishing tests.”
It is important that these indicators are presented in the form of a clear dashboard that easily communicates the health of the security program. Regular analysis of these indicators allows the committee to identify areas that need more attention and to make decisions based on data rather than intuition.
How does a mature governance model facilitate NIS2 requirements for board accountability?
The NIS2 directive introduces the revolutionary concept of personal liability of executives for cyber security. This means that in the event of a major incident, regulators can hold not only the company itself, but also specific managers accountable if they are found to have failed to exercise due diligence.
Having a formalized, documented governance model that works in practice is the strongest evidence of this due diligence. It shows that the board takes cybersecurity seriously, that it has created appropriate structures to manage the risks, that it regularly oversees the process and that it makes informed decisions based on sound information.
Minutes of steering committee meetings, approved policies, documented risk analyses and dashboards with KPIs all provide invaluable evidence that, in the event of an audit or incident, can defend the board against allegations of negligence. An investment in governance is not only an investment in security, but also in the legal protection of top management.
Is OT security a technical project or a fundamental change in company management?
After analyzing all aspects of organizational governance, the answer to this question becomes obvious. Successfully securing an OT environment will never be just a technical project involving the implementation of a few new tools. It is a fundamental transformation that touches the very foundations of business management.
It requires breaking down long-standing organizational silos, creating new decision-making structures, developing a common language and building a new culture based on partnership and shared responsibility. It is a change that must be led from the very top and involve all key functions in the company.
A purely technological approach, without a solid foundation of a mature governance model, is like building a house on sand. Even the sturdiest walls will eventually collapse. True long-term digital resilience in the industry starts not with a firewall, but with a well-organized steering committee meeting.
How can nFlo support your organization in designing and implementing an effective governance model for OT?
At nFlo, we understand that building effective organizational governance for OT security is a complex process that requires not only technical expertise, but more importantly, experience in change management and dialogue facilitation between different stakeholder groups. Our role as an external advisor is to support you at every stage of this transformation.
We help prepare the business case and presentation to the board of directors to get the necessary mandate and support for the initiative. We conduct workshops with key decision makers to help define the optimal accountability model for your company and design the charter and composition of the steering committee.
With our experience, we act as a neutral facilitator to help break down communication barriers between IT and OT and develop a common risk management model that everyone understands. We also assist in the creation of key documents, such as policies and standards, and in defining measurable KPIs. Our goal is not just to design a structure “on paper,” but to help make it real and operational so that it becomes a sustainable and effective part of your company’s management.