Cybersecurity in Manufacturing: Why Cultural Alignment Is Now a Critical Control
When it comes to cybersecurity, the manufacturing floor isn’t just another network—it’s a living system, deeply integrated with decades-old processes, lean teams, and mission-critical operations. That’s why, despite growing awareness, many manufacturers still find it difficult to implement robust OT (operational technology) cybersecurity. It’s not a technology gap. It’s a leadership and culture challenge.
During IIoT World’s Manufacturing Day session, sponsored by Fortinet, a key message emerged: bridging the divide between IT and OT cultures—and shifting ownership of OT security to the executive level—is now essential to mitigating risk and avoiding catastrophic downtime.
CISO Ownership Signals Maturity
A growing number of manufacturers are moving ownership of OT cybersecurity out of plant-level operations and into the hands of the CISO. That’s more than a reporting change. It signals a recognition that OT security is no longer a niche technical concern—it’s a strategic business risk that affects brand, revenue, and safety.
But ownership alone isn’t enough. As several panelists noted, IT and OT teams often speak different languages. For any security program to succeed, the CISO’s office must invest in change agents—trusted individuals within OT who understand cybersecurity but can advocate in the language of operations.
From Mandates to Partnerships
Security strategies fail when they’re enforced top-down without buy-in from operators. OT teams are focused on production uptime and safety. Cyber policies that disrupt workflows—or are delivered without empathy—can quickly create resistance.
The panel emphasized an alternative: align cybersecurity goals with existing safety frameworks. If cyber threats are presented as safety hazards—which they increasingly are—operators are far more likely to engage. Framing security in terms of preventing industrial accidents or protecting workers from unsafe overrides makes the conversation real.
Data Is the Foundation, Not the Destination
Effective OT cybersecurity begins with asset visibility. You can’t defend what you don’t know you have. Yet many manufacturers still rely on outdated spreadsheets or the institutional memory of a few key staff. Passive monitoring tools that map devices, identify vulnerabilities, and track network activity—without disrupting production—are fast becoming table stakes.
But visibility only matters if it’s tied to action. Segmenting the OT network, especially from the business network, is one of the highest-impact, lowest-disruption moves a manufacturer can make. It’s the essential first control before introducing more advanced protections like access controls or behavioral analytics.
Security Is a Business Risk—And a Business Decision
One of the session’s most pragmatic takeaways was around security exceptions. Manufacturers can’t always patch on IT’s schedule. Sometimes a system must run unpatched for years until the next scheduled maintenance. That’s acceptable—but only if the risk is documented, accepted by business leadership, and mitigated through layered defenses and monitoring.
Cybersecurity teams cannot bear sole responsibility for those decisions. Risk must be owned—and understood—by the business. Formal exception processes and documentation protect both security professionals and the organization itself.
Invest in Relationships, Not Just Tools
There’s no silver bullet for securing OT environments. But one thing is clear: success hinges as much on cultural fluency and leadership alignment as it does on firewalls and sensors.
Cybersecurity leaders must learn to speak OT. OT professionals must be brought into strategy, not treated as compliance afterthoughts. And CISOs must become translators and facilitators, not just enforcers.
Because in manufacturing, trust is a prerequisite for change—and culture is the real control surface.
This article was developed based on insights from the session “From the Concrete to the Carpet: Assessing and Navigating OT Risk”, part of IIoT World’s Manufacturing Day 2025, sponsored by Fortinet.