The Hidden Crisis: Why Gatekeeping in OT/ICS Security is Costing Us Everything

Every day, somewhere in the world, a talented cybersecurity professional considers transitioning into OT/ICS security. And every day, we find ways to push them away. The cost? Our critical infrastructure remains dangerously exposed while we argue about who is "qualified" to protect it.

The Gatekeeping Paradox

We tell talented IT security professionals:

"You don't have industrial experience."

So they stay away.

We tell OT engineers and plant operators:

"Cybersecurity is too complex for you."

So they stay away too.

Meanwhile, threat actors aren't asking for credentials. They're not checking whether their targets have the "right" background. They're simply finding the gaps we've left wide open while debating who deserves to be in this field.

The Uncomfortable Truth

After years in this field, working across multiple continents and countless industrial environments, I've come to one inescapable conclusion:

We need more people securing OT/ICS systems, not fewer.

The real skill isn't being born into OT. It never was. The real skill is having the courage to learn, adapt, and bridge the gap between two worlds that have operated in silos for far too long.

What Real Leadership Looks Like

I have immense respect for professionals like Mike Holcomb, who has openly shared invaluable training resources for free, helping thousands of professionals enter this field. That's what building a community looks like. That's what securing our future requires.

Many OT/ICS environments might seem complex or intimidating from the outside. But here's what I've learned: defending them against cyberattacks doesn't have to be. Anyone can learn to protect critical infrastructure—whether you're from IT or OT—as long as you believe in the mission and have the determination to be there.

The Two Challenges That Keep Me Up at Night

The two biggest challenges in OT cybersecurity today aren't technical. They're human:

1. The shortage of experienced OT cybersecurity professionals — We simply don't have enough people, and we're making it worse by gatekeeping.
2. The lack of proven industrial best practices at scale — Every environment feels like it's reinventing the wheel.

Two Worlds, One Mission

In my daily work, I constantly see the fundamental disconnect between IT and OT expectations. In IT, confidentiality typically sits at the top of the security triad. In OT? Availability is everything. A system that's secure but offline might as well be destroyed.

The expectations are different. The mindset is different. The language is different. Bringing these two worlds together requires tremendous effort—both technically and organizationally. But it's not impossible. I've seen it done. I've helped make it happen.

A Call to Action

We need to stop gatekeeping and start building real capability.

The "us vs. them" mentality between IT and OT only serves one purpose: leaving the back door wide open for adversaries who don't care about our internal politics.

Instead of checking boxes on rigid requirements lists, we should focus on:

• Cross-training programs that bridge the IT/OT divide
• Mentorship that welcomes newcomers rather than intimidating them
• Knowledge sharing that elevates the entire community
• Humility to recognize that every expert was once a beginner

The question isn't whether someone has the "right" background. The question is: are we willing to welcome everyone who wants to protect the systems that keep our society running?

I believe we must. The alternative is unacceptable.