source link: https://venturebeat.com/2021/12/08/report-despite-optimism-65-of-orgs-cant-achieve-mature-cybersecurity-programs/

Report: Despite optimism, 65% of orgs can’t achieve mature cybersecurity programs



According to a new study by the Ponemon Institute, the cultural divide between IT security and OT engineering teams leaves 65% of organizations unable to develop a fully mature cybersecurity program that protects both IT and OT environments. This institutional misalignment is why only 21% of organizations have achieved full maturity of their ICS/OT cybersecurity program, in which emerging threats drive priority actions and C-level executives and boards are regularly informed about the state of their OT security.

Cyberattacks on critical infrastructure are increasing in frequency and severity, and organizations are struggling to keep ahead of these threats. Sixty-three percent of organizations had an ICS/OT cybersecurity incident in the past two years, and it took almost a year on average to detect, investigate, and remediate the incident. This is in part due to digital transformation and trends in industrial internet of things (IIoT) that expand risk to the OT and ICS environment.

The report finds that most organizations lack the unified IT/OT governance model for ICS security needed to drive a holistic security strategy. Only 43% of organizations have cybersecurity policies and procedures that are aligned with their ICS and OT security objectives. Barely over a third (39%) have IT and OT teams that work together cohesively to achieve a mature security posture across both environments.

Pie graph. Are boards of directors aware of OT cybersecurity initiatives at their companies? 45% said they do not report OT initiatives to the board. 55% report OT initiatives to the board.

Organizations face myriad challenges in getting IT and OT to work cohesively: 44% of respondents attribute these challenges to the differences between traditional enterprise IT security best practices and what is possible within an OT environment. For example, not all OT systems can be patched for vulnerabilities in the way IT systems can be. There’s also a lack of clear “ownership” for industrial cyber risk at 43% of organizations, which explains why less than half of boards of directors even hear about ICS and OT cybersecurity initiatives.

To top it off, 41% of organizations are unable to hire IT/OT security professionals with adequate experience. However, despite all the challenges, 50% are optimistic about the future of their ICS/OT cybersecurity program.

The annual report, produced by the Ponemon Institute and sponsored by Dragos, Inc., surveyed 603 IT, IT security, and OT security practitioners at the managerial, director, and C-levels to examine the cultural and technical differences that exist in organizations between IT and OT teams.
