A CISO presents a modest cyber security budget to the board. The numbers are tight. The justification is careful. Every line item is defended.

Meanwhile, three floors down, engineering just approved a multi-million-dollar system upgrade. New PLCs. Network re-architecture. SCADA platform migration. The business case was built around reliability, uptime, and vendor support timelines.

Nobody called it security. Nobody tracked it as security.

But it’s doing more for security posture than half the tools in the SOC.

The problem isn’t lack of investment. It’s lack of visibility. And underneath that, it’s lack of strategy.

The Flawed Assumption: CapEx is for Equipment, OpEx is for Security

This is the default mental model in most organisations:

  • Security lives in the CISO’s budget
  • Engineering upgrades are about reliability, capacity, or compliance
  • The two are separate conversations with separate justifications

In OT environments, this division is artificial.

Engineering decisions are security decisions. A PLC refresh removes end-of-life vulnerabilities. A network upgrade enables segmentation and monitoring. A control system migration eliminates unsupported platforms with decade-old exposures.

These aren’t just operational improvements. They’re security transformations in disguise.

And because they’re funded through engineering CapEx, they’re invisible to security program tracking.

What Gets Hidden

The scale of invisible security investment is significant.

Engineering spend that carries major security value includes:

  • Hardware refresh cycles that remove unsupported firmware and legacy protocols
  • Network infrastructure upgrades that enable segmentation, modern switching, and traffic visibility
  • Control system migrations that move operations off platforms with known, unpatched vulnerabilities
  • Instrumentation and HMI replacements that reduce exposure and improve baseline understanding

None of this appears in the cyber budget. All of it materially improves security posture.

The result:

  • CISOs understate their program’s total investment
  • CFOs think security costs more than it delivers
  • Engineering teams don’t get credit for security contributions
  • Strategic alignment is accidental, not intentional

You end up with fragmented visibility and missed opportunities. The organisation is spending. It’s just not spending strategically.

The Real Problem: Technology Without Strategy

Here’s the core issue.

Organisations fund tangible CapEx upgrades before they’ve done the intangible strategic work.

Before the risk assessment. Before the threat modelling. Before the asset criticality mapping. Before the incident response planning.

Engineering replaces systems. Security improves. But it’s not targeted. It’s not prioritised by consequence. It’s not integrated into a coherent program.

You end up with:

  • Upgrades that miss the highest-risk assets
  • Investment spread evenly instead of concentrated where it matters
  • No line of sight between spend and risk reduction
  • Capabilities that don’t align with response plans or recovery priorities

The CapEx gets approved because it ticks an operational box. Reliability. Vendor support. Compliance. The security benefit is a side effect, not the design intent.

This is backwards.

The intangible work should come first. Then the tangible investment becomes far more effective.

The Better Model: Strategy Before Any Investment

Instead of treating engineering CapEx and security spend as separate streams, organisations should do this:

Start with the intangible work.
Understand your critical assets, threat scenarios, and operational consequences before you plan upgrades. Know what failure looks like. Know where recovery is hardest. Know which systems carry the most business risk.

This isn’t theoretical. It’s the foundation for every decision that follows.

Map engineering spend to security outcomes.
Every CapEx decision should be evaluated not just for reliability or capacity, but for risk reduction and resilience. Does this upgrade improve our ability to detect, respond, or recover? Does it reduce attack surface? Does it remove a known weakness?

If the answer is yes, that’s security investment. Track it as such.

Track total security investment, not just cyber budget.
Give visibility to the full scope of spend that contributes to security posture. This isn’t creative accounting. It’s honest program management.

When the board sees the complete picture, the conversation shifts. Security stops looking like a cost centre and starts looking like a coordinated capability with real business value.

Align engineering and security roadmaps.
When plant upgrades and security priorities are coordinated, you get compounding value. When they’re separate, you get inefficiency and gaps.

The CISO should know what engineering is planning. Engineering should know what the security program needs. The two roadmaps should inform each other.

The shift is simple: from “security is what the CISO buys” to “security is what the organisation achieves through coordinated investment.”

What This Means For Leaders

For CISOs:
You’re probably managing a bigger program than you realise. The question is whether you’re leading it or just reacting to it.

Start tracking engineering CapEx with security impact. Build the strategic layer that turns opportunistic upgrades into deliberate risk reduction. Make the invisible visible.

For CFOs and Executives:
You’re already investing in security. You’re just not seeing the returns because the spend is fragmented and the strategy is missing.

Demand visibility. Demand alignment. Stop treating security as a line item and start treating it as a cross-functional capability that touches every major operational decision.

For Engineering and Operations Leaders:
Your upgrades have security value. Make it visible. Make it intentional.

Work with the CISO to ensure your CapEx roadmap aligns with the organisation’s risk priorities, not just production needs. You’re already contributing to security. You should get credit for it. And it should be deliberate.

The Conversation That Matters

Ask yourself:

  • How much engineering CapEx in the last 12 months improved your security posture?
  • Did that spend follow a strategy, or was the security benefit accidental?
  • If you tracked total security investment, not just cyber budget, what would the picture look like?

The conversation isn’t “do we spend enough on security?”

The conversation is “are we spending strategically?”

Because in OT environments, the most effective security upgrades don’t come from security budgets. They come from coordinated investment across the business, guided by clear thinking about what matters most.

Strategy first. Technology second. And visibility across both.

That’s how you turn hidden security spend into deliberate security outcomes.
