C-suites step up on OT cybersecurity, and it’s paying off

There has been a significant increase in the global trend of corporations planning to integrate cybersecurity under the CISO or other executives, according to Fortinet.

Growing maturity in OT cybersecurity processes and solutions (Source: Fortinet)

OT security moves up the chain of command

As accountability continues to shift into executive leadership, OT security is elevated to a high-profile issue at the board level. 52% of organizations report that the CISO is responsible for OT, up from 16% in 2022.

For all C-suite roles, this has spiked to 95%. Additionally, the number of organizations intending to move OT cybersecurity under the CISO in the next 12 months has increased from 60% to 80% in 2025.

“The seventh edition of the Fortinet State of Operational Technology and Cybersecurity Report shows that organizations are taking OT security more seriously. We see this trend reflected in a notable increase in the assignment of responsibility for OT risk to the C-suite, alongside an uptick in organizations self-reporting increased rates of OT security maturity,” said Nirav Shah, SVP, Products and Solutions, at Fortinet.

“Alongside these trends, we’re seeing a decrease in the impact of intrusions in organizations that prioritize OT security. Everyone from the C-suite on down needs to commit to protecting sensitive OT systems and allocating the necessary resources to secure their critical operations,” Shah continued.

OT cybersecurity is maturing

Self-reported OT security maturity has made notable progress this year. At the basic Level 1, 26% of organizations report establishing visibility and implementing segmentation, up from 20% in the previous year. The largest number of organizations state their security maturity is at the Level 2 access and profiling phase. The report also found a correlation between maturity and attacks.

Those organizations that report being more mature (higher on the scale of Levels 0-4) are seeing fewer attacks or indicate that they are better able to handle lower-sophistication tactics, such as phishing. It’s worth noting that some tactics, such as APTs and OT malware, are difficult to detect, and less mature organizations may not have the security solutions in place to determine they exist.

Overall, although nearly half of organizations experienced impacts, the impact of intrusions on organizations is declining, with a noteworthy reduction in operational outages that impacted revenue, which dropped from 52% to 42%.

Adopting cybersecurity best practices

In addition to the levels of maturity affecting the impact of intrusions, it appears that adopting best practices, such as implementing basic cyber hygiene and better training and awareness, is having a real impact, including a significant drop in business email compromise.

Other best practices include incorporating threat intelligence, which has spiked (49%) since 2024. Additionally, the report saw a significant decrease in the number of OT device vendors, which is a sign of maturity and operational efficiency.

78% of organizations are now using only one to four OT vendors, which indicates that many of these organizations are consolidating vendors as part of their best practices. Cybersecurity vendor consolidation is also a sign of maturity.

Unified networking and security at remote OT sites enhanced visibility and reduced cyber risks, leading to a 93% reduction in cyber incidents vs. a flat network.

