
In 2010, operational technology security was an emerging field. The term “OT security” was seldom used. SCADA vulnerabilities were mainly theoretical discussions, not priorities on the boardroom agenda. Genuine experts were scarce, both locally and internationally.

Fifteen years later, we’re proud to say we’re still here.

OT security is fundamentally about maturity. You can’t shortcut the experience of working across mining operations in the Pilbara, power generation facilities in Europe, water treatment plants facing regulatory pressure, and manufacturing sites balancing uptime with risk. You can’t rush the learning that comes from watching organisations make the same mistakes over different decades, with different technologies, and under various threat landscapes.

Those 15 years taught us things that take time to learn. Pattern recognition across sectors. Understanding what actually works versus what sounds good. The kind of insight that only comes from sustained presence in a rapidly evolving field.

Here’s what that experience revealed.

The same mistakes, different decade

After 15 years in the field, certain truths become impossible to ignore. We identified six critical pitfalls early in our work, and every single one still shows up today. Different sectors, different technology generations, same fundamental problems.

Organisations spend millions on technology stacks that become their greatest vulnerabilities. They deploy tools without a clear strategy, viewing security as a shopping task rather than a capability to develop. They implement uniform controls that create blind spots and waste resources. They treat each component equally, ignoring the risk context that determines real exposure. They allow IT and OT teams to work in silos, with no one bridging the gap between them. And they regard cybersecurity as a project with a fixed end date rather than a continuous discipline that requires ongoing effort.

The most stubborn pattern? Organisations feel good buying technology. Vendors understandably reinforce this narrative. Spending seems to signify progress. New tools appear to offer protection. But products are not programmes, and deployment is not strategy.

One thing has genuinely improved: awareness. In 2010, convincing leadership that OT environments faced real cyber risks was the challenge. Now, organisations accept they need dedicated OT security focus. They understand the threat is real and are willing to invest.

But they are still doing it backwards.

The sequence matters as much as the substance. Yet organisations consistently reverse the order: purchasing before planning, deploying before defining requirements, hiring after the architecture is locked in. The result is skilled people trying to retrofit strategy into decisions that have already been made.

Maturity means recognising these patterns. It means understanding that awareness without methodology is just expensive noise.

The product vs capability blind spot

After 15 years, the underlying pattern behind these issues is clear to us. 

Organisations fundamentally misunderstand what security truly is. They see it as a product, but it is actually a capability. 

This isn’t necessarily a knowledge gap. Leadership teams aren’t ignorant; they care deeply about operational continuity, reputational risk, and regulatory compliance. They are prepared to allocate a significant budget. They understand the importance of cybersecurity. However, they lack a strategic framework to assess it.

Without that framework, they default to transactional thinking. What do we buy? What tools do we deploy? What compliance checklist do we satisfy? These are not bad questions; they are incomplete. They skip the foundational work of understanding what you are protecting, why it matters, who is accountable, and how success will be measured. 

The result is organisations trapped in a cycle of spending without strategy. They acquire visibility tools but do not build the capability to act on what they see. They deploy monitoring but do not integrate it into operational decision-making. They hire skilled people but do not give them the authority, alignment, or resources to drive real change. That gap is what separates mature organisations from newcomers.

Mature organisations recognise that security is not something you purchase. It is something you build, align, sustain, and evolve. Newcomers, whether buyers or vendors, are still chasing solutions to problems that were never properly defined. Fifteen years in the field teaches you to spot this blind spot instantly and to know how to address it.

The lessons that shaped our thinking

One turning point changed how we understood our role. We entered engagements expecting the work to involve technical assessments, risk analyses, and framework reviews. And it was. But we quickly realised that the real problem was often organisational, not technical.

Clients started telling us something surprising. The facilitation we provided between OT and IT teams was as valuable as the final report. In some cases, more valuable. One client called it “marriage counselling.” The phrase stuck because it was accurate.

No amount of technology can fix organisational dysfunction. If IT and OT teams don’t speak the same language, if ownership is unclear, and if trust is lacking, even the best framework will fail in practice. Security doesn’t operate in a vacuum. It functions within environments shaped by people, culture, authority, and priorities. 

This taught us something crucial. Security isn’t just about controls. It’s about capability and teamwork. It’s about alignment before implementation. It’s about making sure those responsible for operational safety, engineering integrity, and cyber resilience can genuinely work together when it counts. 

Fifteen years teach you what truly works, not just what sounds good on paper. They show you that the tough problems are rarely technical. The toughest problems are human, organisational, and strategic. Solving them demands experience, not just expertise.

The SIS Industrial Cyber Security Principle Method™ was born

Our approach didn’t come from theory. It grew from observing the same failures repeat, year after year, across different sectors and locations.

We kept noticing organisations deploying technology first, then struggling to retrofit a strategy around it. So now we always start with the business: a risk assessment and strategic alignment come before any tool is chosen.

We consistently saw IT and OT teams working in silos, creating gaps that no technology could fix. Now, we bring teams together early, encouraging shared understanding and clear ownership.

We observed security being treated as a finite project, which led to drift, decay, and eventual crises. We now treat security as an ongoing process of capability building, not a one-time implementation.

Leadership teams often default to asking, “what do we buy” because they lack a better perspective. We now see our role as strategic mediators, helping executives view security as a business enabler rather than just a cost centre.

Our core method distils 15 years of practical experience. It’s what results when you stop chasing the latest threat briefings or vendor pitches, and focus on what truly works. The approach is methodical, repeatable, and rooted in real-world outcomes.

This is what maturity looks like: not rigid processes for their own sake, but a disciplined approach that reflects real experience. Strategy before technology. Risk assessment before implementation. Alignment before deployment. Capability before product.

These are not abstract ideals. They are lessons learned from being in the room when things went wrong and knowing how to help organisations get it right.

What 15 years of active contribution looks like

Fifteen years in any field means more than just time spent. It involves building, teaching, and contributing to the discipline itself.

We’ve been fortunate to play an active role in shaping OT security. We created the Certified Industrial Cyber Security Specialist (CICSS) training course, which has provided around 500 practitioners with the frameworks and mindset necessary to safeguard critical infrastructure. These professionals now serve across the industry, bringing OT-specific expertise to organisations that need it.

We established one of the world’s first dedicated OT Security Operations Centres, proving that monitoring operational environments requires fundamentally different approaches than IT security. This wasn’t just theoretical; it was infrastructure, capability, and commitment on a large scale.

We’ve built one of the largest practices worldwide focused solely on OT cyber security. Not as a service line within a broader consultancy, but as a dedicated organisation tailored to the specific demands of industrial settings. This focus has enabled us to go deep rather than wide, to specialise rather than generalise.

Our methodologies have been tested and refined through more than 300 projects globally, covering mining, power, oil and gas, water, transport, manufacturing, and health sectors. These aren’t frameworks borrowed from IT and simply relabelled. They are approaches developed from scratch to tackle the real challenges of securing operational technology in constrained, high-stakes environments.

Through Dr Chris Beggs, we’ve worked to shift organisational thinking about OT cyber security. Not only what to deploy but how to approach it strategically. Not just technical controls, but business enablement. The Industrial Cyber Security Principle Method exemplifies this: a structured approach that prioritises strategy over spending, capability over products, and alignment over mere implementation.

We are proud of what we have built. We’re proud of the practitioners we have trained, the programmes we have helped establish, and the insights we have contributed to the field. Most of all, we’re grateful to the clients and partners who have trusted us with their most critical systems and given us the chance to learn, adapt, and improve.

Fifteen years isn’t the destination. It’s proof that we’ve learned to sustain, evolve, and contribute meaningfully to a discipline that grows in importance each year. And it serves as the foundation for the work still ahead.
