Year-Over-Year Evolution
Skip to
Significant Changes from Previous Year
Supply Chain Security
Security Budget and Driving Forces
Insight: The Operations-First Reality
Significant Changes From Previous Year
Despite the aforementioned chronic challenges, we have observed several significant shifts in this year's cybersecurity survey. These differences primarily stem from an overall increase in cybersecurity maturity, a refocusing of governance priorities, and evolving perspectives on legal and regulatory compliance.
Increased Security Personnel
Despite human constraints, OT cybersecurity staffing has grown significantly. Among organizations with over 2,000 employees, the share with 100+ dedicated OT security personnel more than doubled—from 23% in 2024 to 55% in 2025. The most notable growth occurred in the 101-300 employee range, which jumped from 13% to 34% of respondents.
Figure 3.1: OT Cybersecurity Staffing Levels 2024 vs. 2025
Changes in Security Vendor Selection
When seeking cybersecurity solutions, organizations are no longer focusing solely on technical specifications and capabilities. Instead, they are placing greater emphasis on a service provider's alignment with international cybersecurity frameworks and on transparency regarding SBOMs and supply chain information. Support for secure remote access dropped from 47% to 30%, while compliance and supply chain transparency rose. This reflects a shift from evaluating vendors on technical features alone toward evaluating their governance readiness and supply chain accountability as well.
Figure 3.2: Security Vendor Selection Criteria Year-over-Year
Shifts in Technology Adoption Strategies
The technology roadmaps outlined by CISOs provide a clear path for organizations to gradually mature their OT cybersecurity posture. In earlier years, the focus was primarily on establishing various protections across different security controls to strengthen the underlying security foundation. However, over the past two years, this vision has expanded to include supply chain security management and integrated platforms for security governance and risk control.
This evolution reflects a shift from deploying multiple point solutions toward integrated protection strategies. Early-stage security programs often accumulate tools organically, addressing individual gaps as they emerge. Mature programs consolidate capabilities into cohesive platforms that reduce operational complexity while expanding protective coverage.
Figure 3.3: CISO Technology Roadmap Evolution
Supply Chain Security
The cybersecurity posture of upstream and downstream partners directly impacts an enterprise's own security—weaknesses can cascade across the supply chain. In an effort to standardize security levels within specific industries, various vertical-specific frameworks have emerged, such as SEMI E187 for the semiconductor industry and TISAX for automotive manufacturing. However, broadly speaking, respondents remain skeptical regarding the security assurances provided by external organizations.
Supply Chain Partner Selection
Regarding supply chain security concerns, while priorities vary somewhat across industries, respondents this year placed particular emphasis on two factors: the initial security posture of devices upon arrival, and the speed of incident response following a breach. This represents a shift from checkbox compliance (i.e., whether a partner's equipment at minimum meets baseline security criteria) toward practical operational considerations.
Figure 3.4: Supply Chain Partner Security Selection Criteria*
*Overall composition shown. Click chart for industry-specific breakdown.
The industries surveyed expressed a unified expectation of their suppliers: they must maintain stringent vulnerability management policies and responsibly disclose system flaws, whether through proactive reporting (70%) or by submitting an SBOM (60%). What we are seeing here is a demand for continuous oversight rather than a one-off security audit—a highly pragmatic, results-oriented approach.
Figure 3.5: Top Supply Chain Security Concerns by Industry*
*Overall composition shown. Click chart for industry-specific breakdown.
Figure 3.6: Supplier Vulnerability Management Expectations*
*Overall composition shown. Click chart for industry-specific breakdown.
Security Budget and Driving Forces
Investment in cybersecurity is generally substantial, driven by a range of organizational factors. Enterprise assessments of these expenditures inevitably center on performance metrics and ROI. Within OT environments, the formula for weighing investment against outcomes is multifaceted, encompassing both Capital Expenditure (CAPEX) and Operating Expenditure (OPEX), as well as regulatory mandates, installation overhead, and the financial impact of system downtime.
For several consecutive years, we have observed a steady year-over-year increase in OT cybersecurity budgets. The latest data for 2025 shows that approximately 28% of organizations have substantially increased their OT security spending (more than 20% growth), and 61% have slightly increased their OT security spending (10%-20% growth). This shows that corporate commitment to securing this domain is growing year after year.
Figure 3.7: OT Security Budget Increases Year-over-Year
Increasing Satisfaction With OT Security Posture
Despite the various challenges and incidents previously mentioned, our multi-year survey trends indicate that enterprises feel their cybersecurity posture is gradually strengthening. In fact, 32% of respondents expressed high confidence in their organization's OT security. This growing confidence coincides with rising security budgets, though the relationship between investment and outcomes warrants closer examination. Later in this chapter, we explore the apparent contradictions between confidence levels, incident rates, and operational priorities.
Figure 3.8: Enterprise Confidence in OT Security Posture
Figure 3.9: Primary Drivers for OT Security Investment
Driving Forces Behind Security Investment
Business risk is frequently the primary driver behind cybersecurity investment. This year, respondents identified vulnerabilities in supply chain equipment or services as their greatest risk, followed by data breaches and regulatory non-compliance. Comparing this to previous years reveals a clear trend: the impetus for security investment is no longer just internal urgency; instead, external factors, industry standards, and compliance mandates have taken center stage.
Future Spending Plans
The responsibilities borne by CISOs extend beyond addressing immediate cybersecurity issues to making long-term commitments to future security. In their view, the most important forward-looking initiatives over the next two years include strengthening supply chain security (51%), establishing real-time threat intelligence platforms (41%), and implementing vulnerability assessment and patch management systems (41%). Compared with previous years, a noticeably more holistic and strategic cybersecurity perspective has emerged.
Figure 3.10: Future OT Security Spending Priorities
Top Concerns When Selecting an OT Security Solution
Cybersecurity investment decisions extend beyond cost to objectives and concerns. Across industries, one concern dominates: the complexity and burden of integrating a security solution with existing systems and processes (43%). This reinforces a core OT reality—operations always come first. Not even cybersecurity takes precedence over production. Security capabilities must be designed around uninterrupted operations as a non-negotiable premise.
Figure 3.11: Top Concerns When Selecting OT Security Solutions*
*Overall composition shown. Click chart for industry-specific breakdown.
This integration challenge helps explain why visibility-focused solutions, despite their lower implementation barriers, often fail to deliver complete risk reduction. Tools that only monitor and alert require separate responsibe mechanisms, adding complexity rather than resolving the incident. In contrast, solutions that prevent threats inline, without requiring manual intervention or workflow disruption, align more naturally with operational constraints. The 43% figure reflects a market increasingly aware that security must work within operational reality, not against it.
Insight: The Operations-First Reality
In this year's survey, we once again observed several interesting contradictions, which is why we devote this section to a deeper examination. When faced with the broad topic of cybersecurity, respondents' self-perceptions can at times become disconnected from reality. These apparent inconsistencies and blind spots have persisted over multiple years.
Insight: The Operations-First Reality
In this year's survey, we once again observed several interesting contradictions, which is why we devote this section to a deeper examination. When faced with the broad topic of cybersecurity, respondents' self-perceptions can at times become disconnected from reality. These apparent inconsistencies and blind spots have persisted over multiple years.
1. High Satisfaction Despite Challenges
94% of CISOs express satisfaction with their OT security posture, yet these same organizations report persistent challenges, including talent shortages, legacy system constraints, and limited patch coverage.
2. Legacy System Acceptance
88% of organizations consider integrating legacy and modern systems highly effective, yet identify legacy systems as their greatest challenge in defending against malware.
3. Policies vs. Reality Gap
Nearly all organizations have established cybersecurity policies, yet 60% experienced a security incident within the past year—revealing a disconnect between documented procedures and operational outcomes.
4. Visibility Without Action
Organizations invest heavily in asset visibility and monitoring tools, yet struggle with integration complexity (43% top concern) and report significant difficulty translating visibility into enforceable protection.
Our view is that stepping back and examining the broader picture may help explain the apparent contradictions outlined above. The true object of OT cybersecurity protection is not personnel, threat intelligence, data security, or even the security posture of individual machines. Rather, it ultimately protects one thing above all else: operations themselves. Nothing is more important than sustaining stable operations that continue to deliver business outcomes. This operations-first perspective explains why CISOs measure security effectiveness by operational continuity rather than incident counts alone. However, this creates a critical blind spot: threats that do not immediately disrupt production may still compromise data, create supply chain vulnerabilities, or establish persistent access for future attacks. The challenge for enterprises is implementing security that protects against both immediate operational disruption and slower-moving risks, without adding operational burden. Meeting that challenge requires defense strategies that prevent threats inline, maintain production continuity, and operate transparently within existing workflows. Organizations that successfully balance these requirements will be best positioned to sustain both secure and reliable operations over time.
