From Visibility to Action
In this chapter, we explore how organizations identify cybersecurity risks, manage system vulnerabilities, and translate these insights into concrete actions. Many organizations align their cybersecurity governance with established frameworks like NIST, which defines a five-phase lifecycle: Identify, Protect, Detect, Respond, and Recover. While these frameworks aim for comprehensive protection, operational constraints in OT environments result in persistent implementation gaps.
Beyond the inherent complexity of assets in OT environments, staffing is another key factor. In our survey, only 49% of organizations reported that OT cybersecurity personnel make up more than half of their total security workforce (OT and IT combined). Having limited staff tasked with highly complex responsibilities has prevented many enterprises over the past few years from effectively executing the full cybersecurity governance lifecycle described above. In addition, constrained security budgets often make it difficult for organizations to follow this lifecycle in a disciplined manner. The result is frequently an overinvestment in early-stage security activities, leading to an unbalanced approach that emphasizes the front end at the expense of later stages.
Vulnerability Management / Patching
"You can't protect what you can't see" is a common refrain in OT security, but ironically, enterprises that only focus on visibility have lost sight of the end goal: action. Action requires visibility into where vulnerabilities exist, how they're exposed, and what remediation is required. Vulnerability management translates visibility into patching decisions, compensating controls, and incident response. However, visibility and action remain disconnected in practice. Organizations may know which vulnerabilities exist but struggle to address them because of operational constraints, legacy system limitations, and resource gaps. The 90% frequency vs. 24% coverage gap below illustrates this disconnect—awareness of the problem does not guarantee the ability to fix it.
Higher Frequency with Lower Coverage
According to our survey (C1), 90% of respondents apply patches frequently or very frequently. Yet when asked about coverage (C2), only 24% report that more than 90% of their assets receive those updates. Figure 4.1 breaks this down further: across all respondents, 57% have inventoried critical assets and achieved coverage above 70%, while 19% reach only 50% or above. Such coverage levels would be considered highly inadequate in IT environments. However, in OT environments, as our reports over the past several years have consistently shown, these figures have become the industry norm.
Figure 4.1: Security Update Frequency vs. Asset Coverage
Challenges Applying Patches
The greatest obstacles to comprehensive security updates in OT environments stem primarily from technical limitations. The most significant breakpoints are compatibility issues related to end-of-life systems (51%) and insufficient visibility and control over organizational assets (46%). For example, on October 14, 2025, Microsoft officially designated Windows 10 as an end-of-support product. From that point, nearly 46% of Windows devices worldwide (and a higher share in OT environments) stopped receiving security updates from Microsoft. Third-party software vendors typically follow Microsoft's lead, which means these long-lived assets in OT environments are destined to become blind spots for security updates.
The lack of asset visibility represents another major technical challenge. The challenge involves several layers of difficulty: first, accurately identifying the device; then determining its actual location within the OT environment; and finally, establishing the ability to control or manage it. What is considered routine in IT environments becomes a significant challenge in OT. That complexity is also why many organizations, once they commit resources to improving asset visibility as part of their cybersecurity initiatives, discover that they have entered a complex maze and a potential budget black hole.
Operational Needs Drive Patch Prioritization
Because it is not feasible to deploy all security updates at once, CISOs inevitably establish their own prioritization criteria. Our survey found that respondents place the greatest emphasis on assets critical to operations (58%), followed by assets related to regulatory compliance (56%). Although the differences among the factors are relatively small, the prioritization of security updates is driven more by operational and business considerations than by purely technical ones.
Security Measures
Although visibility is commonly assumed to be a prerequisite for protection, OT environments don't require one before the other. Many organizations pursue both in parallel, and some even deploy protection solutions first, then gradually enhance visibility and refine their approach over time.
“Only 1% of organizations experienced budget reductions, indicating that the industry widely recognizes OT cybersecurity as a strategic business priority.”
Overall, OT organizations continue to favor firewall-based network security appliances (54%) and endpoint protection solutions (53%) as their primary cybersecurity defenses. These figures have remained fairly consistent over the past several years. However, when filtered by industry, noticeable differences emerge. Given even a basic understanding of how operational models and regulatory requirements vary across industries, these differences are not difficult to explain.
Endpoint Coverage of Assets
Among organizations that report using endpoint protection as a cybersecurity measure, we observe clear differences in asset coverage across industries. These variations are consistent with our field experience. Upon closer examination, we believe they stem from differences in deployment complexity, the maturity of industry-wide cybersecurity standards, and variations in device characteristics and technical specifications across sectors.
For example, in the automotive manufacturing industry, both upstream and downstream partners are often required to comply with industry cybersecurity standards, such as TISAX. Given the higher proportion of Windows-based devices, this helps explain the sector's leading coverage levels.
Network Protection of Assets
Among organizations that report using network-based protection, deployment coverage is slightly lower than for endpoint solutions, highlighting a fundamental challenge in OT security. Network strategies often prioritize visibility and monitoring over inline protection. Organizations deploy sensors to detect threats but hesitate to enable enforcement capabilities that could disrupt operations if misconfigured.
This caution is understandable given OT's zero tolerance for downtime, yet it leaves a gap between detection and prevention. Based on our industry experience, many organizations struggle to achieve high coverage with network security devices because of concerns about operational disruption and the inability of traditional network devices to parse OT-specific protocols at Purdue Levels 0 and 1.
Figure: External Partner Reliance Across OT Security Functions (panels: Use MSSPs to achieve regulatory compliance; Seek external experts for unpatchable vulnerabilities; Rely on external support for incident response)

Security Partners & External Resources
External cybersecurity partners are playing an increasingly important role within organizations, a trend we have observed over the past several years. For example, when asked how enterprises achieve compliance with cybersecurity regulations, 49% of CISOs said they would consider working with an MSSP (Managed Security Service Provider) to meet those requirements, ranking it as the top option. When asked how organizations address system vulnerabilities that cannot be patched or remediated, their first choice was again to seek assistance from external experts, with 45% of CISOs selecting this option.
External partner reliance also applies in incident response situations. When a security incident occurs, 32% of respondents said they always turn to external cybersecurity professionals for support, while 59% do so depending on the situation. Combined, 91% rely on external expertise at least some of the time, which is a reflection of the specialized knowledge required for OT incident response and the gap between internal capabilities and operational demands.
The Visibility-Action Gap
Organizations have invested heavily in visibility, with 90% performing frequent security updates, expanding asset inventories, and conducting routine vulnerability assessments. Yet this visibility translates into partial action at best: only 24% achieve comprehensive patch coverage, network protections prioritize detection over prevention, and operational constraints consistently override technical urgency.
"The path forward requires shifting from visibility-focused strategies toward protection-first approaches that work within operational constraints."
That shift means prioritizing inline defenses that prevent disruption without requiring manual intervention, compensating controls for unpatchable legacy systems, and security architectures designed for continuous operations. Organizations that successfully make this transition from seeing threats to preventing them will be best positioned to sustain both secure and reliable industrial operations.

