Fortinet Report: OT Security Governance Shifts to CISO as Maturity and Board-Level Concern Rises

Executive Summary

The governance of operational technology (OT) security is undergoing a fundamental transformation, moving from a niche factory-floor issue to a C-suite and board-level priority. According to Fortinet's 2025 State of Operational Technology and Cybersecurity Report, published on June 10, 2026, the responsibility for securing OT is rapidly consolidating under the Chief Information Security Officer (CISO). The report found that over half of organizations have already made this shift, up from just 16% in 2022, with 81% intending to do so within the next year. This centralization of security governance reflects a growing understanding of the severe business risks associated with cyber-physical systems. The study also draws a clear line between security maturity and operational resilience, noting that organizations with more advanced security practices suffer fewer and less severe operational disruptions from cyberattacks.

Regulatory Details

The report highlights several key trends and statistics regarding the state of OT security:

• Shift in Governance: The most significant finding is the shift of OT security responsibility to the CISO/CSO. This indicates that organizations are moving towards a unified cybersecurity strategy that encompasses both IT and OT environments.
• Maturity and Resilience: There is a direct correlation between the maturity of an OT security program and its effectiveness. Organizations with mature practices (e.g., network segmentation, threat intelligence integration) reported fewer intrusions and less impact on revenue and operations.
• Impact of Intrusions: While nearly half of all organizations still experienced cyber incidents that affected OT, the percentage of those that led to revenue-impacting outages decreased from 52% to 42%, suggesting that improved security measures are having a positive effect on resilience.
• Driving Factors: Key drivers for increased focus on OT security include the need for operational resilience, cost reduction (by avoiding downtime), and growing expectations of new regulatory requirements. Compliance is becoming a major objective for OT security programs.

Affected Organizations

This report is relevant to all organizations that operate Industrial Control Systems (ICS) or other forms of OT. This includes a wide range of industries:

• Manufacturing
• Energy (Oil, Gas, Electric)
• Transportation and Logistics
• Critical Infrastructure (Water, Waste)
• Healthcare (for medical devices)
• Building Management

Compliance Requirements

While the report doesn't detail specific regulations, it notes that the anticipation of new government mandates is a significant driver for improving OT security. Organizations are increasingly being required to meet standards such as:

• NIST Cybersecurity Framework (CSF)
• ISA/IEC 62443 series of standards for IACS security
• NERC CIP (for the North American bulk electric system)
• TSA Pipeline Security Directives

Organizations are expected to implement technical controls like network segmentation, access control, and continuous monitoring to meet these compliance obligations.

Impact Assessment

The findings of the Fortinet report have several business and operational implications:

• Increased Investment: The board-level focus will likely lead to increased budgets and resources for OT security initiatives.
• Organizational Change: The shift of responsibility to the CISO will require breaking down silos between IT and OT teams, fostering collaboration, and cross-training staff.
• Technology Convergence: Organizations will increasingly look for security solutions that can provide visibility and control across both IT and OT environments.
• Risk Management: OT cyber risk will be integrated into the overall enterprise risk management framework, rather than being treated as a separate, isolated issue.

Compliance Guidance

Based on the report's findings, organizations should take the following steps to mature their OT security programs:

1. Establish Clear Governance: Formally assign responsibility for OT security to the CISO and establish a clear governance structure that includes stakeholders from both IT and OT departments.
2. Adopt a Framework: Use an established cybersecurity framework like NIST CSF or ISA/IEC 62443 as a guide to build and measure the maturity of the OT security program.
3. Implement Foundational Controls: Prioritize the implementation of foundational security controls, starting with a comprehensive asset inventory, network segmentation, and robust access control.
4. Invest in OT-Specific Security Tools: Deploy security solutions that are purpose-built for OT environments and can passively monitor industrial protocols without disrupting operations.
5. Develop an Incident Response Plan: Create and regularly test an OT-specific incident response plan that accounts for the unique safety and operational requirements of industrial environments.