


IT and OT convergence is rapidly evolving through intentional and unintentional integrations. In some cases, integration is strategic and driven by digital transformation initiatives that streamline operations and enable real-time decision-making. In other cases, the integration occurs quietly and without planning: through software updates, the addition of IoT-enabled devices, or remote access configurations that bridge previously isolated systems.
Whether deliberate or incidental, IT/OT convergence is simultaneously increasing efficiency and cyber risk through the operational combination of two traditionally siloed operating models. Shifting the operational perspective is critical. Successful IT/OT convergence involves more than connecting technologies; convergence success relies on aligning three distinct paradigms: IT Operations, OT Operations and Cyber Operations.
- IT: Operational focus on systems, networks, availability and data integrity
- OT: Operational focus on safety, uptime and real-time data
- Cybersecurity: Must span both paradigms, protecting digital assets, physical infrastructure and human safety
Cybersecurity is the connective bridge that safeguards the integrity, continuity, trustworthiness and resilience of converged IT/OT operations.
Cultural Divide and Prescribed Guidelines
IT and OT have historically operated under different priorities and principles.
These foundational differences result in operational silos impacting secure and successful convergence. When teams don’t share the same risk language, response models or planning cycles, integration efforts become fragile.
This cultural divide is well recognized in cybersecurity frameworks. The Principles of Operational Technology Cybersecurity highlights that OT security is more than a technical challenge; it deeply involves people. Principle 6: “People are essential for OT cybersecurity” reinforces that secure operations rely on shared understanding, clear roles and coordinated response across disciplines.
OT professionals often follow prescribed operational procedures, while IT teams lean on iterative, agile methods. Cybersecurity must span both operational focuses and become the connective bridge that provides resilience and safeguards integrity, continuity and trustworthiness. Without a shared cyber culture, strong communication and cross-functional collaboration, even well-planned convergence strategies can stall or fail.
The Case for Cyber Integration
The need for cyber integration is clear, demonstrated by the expanding attack surface and the wide range of threat actors targeting converged environments. As IT and OT systems expand in connectivity, the environment exposes new pathways for both sophisticated and unsophisticated adversaries to disrupt operations, steal data or cause physical harm.
According to the 2025 OT Cyber Threat Report by Waterfall Security, nation-state attacks with physical consequences tripled in 2024. Many of these incidents weren’t zero-day exploits or complex adversarial tactics. They were indirect attacks, threats that began in IT systems and cascaded into OT environments through poor segmentation, credential theft or insecure remote access.
An IT/OT convergence side effect is that threat actors do not need to target a programmable logic controller (PLC) directly. An attack on a file server, identity provider or cloud backup platform can trigger precautionary measures, shutting down or pausing critical operations out of fear that OT systems may become compromised.
Additionally, sophistication isn’t a prerequisite for operational disruptions. In May 2025, CISA warned that even unsophisticated actors are targeting OT systems, taking advantage of exposed assets, default credentials and neglected vulnerabilities. Converged environments are complex, and that complexity itself is a vulnerability. Cyber risk exists beyond the data center or cloud provider – it extends into shop floors, pipelines, energy grids and hospital systems. Cyber integration is not an optional afterthought; it is a critical success factor.
Unified IT/OT Governance and Risk Management
Bridging the three paradigms is accomplished by establishing a unified governance and risk model that creates a foundation for collaboration. The model extends beyond shared dashboards and joint meetings; it establishes a framework that reflects the unique characteristics of all three disciplines, considering the following:
- Shared security policies addressing cyber resilience and safety requirements
- Joint risk assessments that consider physical impacts alongside data loss, confidentiality and availability
- Coordinated incident response plans that activate cross-functional teams
- OT cloud security strategies that address third-party access and edge device risk
This approach embeds cybersecurity into daily operations, ensuring that decisions made in one domain do not compromise or degrade the other. The importance of this convergence is reflected in the CyberSN U.S. Cyber Job Posting Data Report. Roles such as Security Analyst (#2), Incident Responder (#10), and Governance, Risk, and Compliance Analyst (#6) remain among the most in-demand across the industry.
To help professionals succeed in these high-demand roles, ISACA’s Certified Cybersecurity Operations Analyst (CCOA) credential provides the expertise needed to evaluate threats, identify vulnerabilities and recommend countermeasures to prevent cyber incidents, skills essential for today’s cybersecurity operations environment.
Empower the Converged Enterprise
Secure IT/OT convergence requires people. Organizations must adopt a well-aligned workforce strategy that covers necessary cyber capabilities, career planning and cross-training opportunities. Strong IT/OT convergence strategies prioritize:
- Clearly defined roles and responsibilities, addressing burnout through strong team sizing, upskilling and work-life balance.
- Multidisciplinary career paths bridging IT, OT and cybersecurity.
- An automation-first mindset enabling repeatable, scalable and provable environments.
Cybersecurity as the Critical Connector
IT/OT convergence is upon us, whether driven by design or through unintentional integrations. The era of interconnected risk and reward relies heavily on people and cybersecurity serving as the integrator across technical, operational and human domains.
Organizations must manage cyber risk against evolving threats by planning beyond silos, beyond systems, and even beyond data. Enable cybersecurity as the connector, where risk is managed, resilience is built, and trust is verified.
Join the conversation on the topic of IT/OT convergence at ISACA North America Conference 2025 in Orlando, Florida, during my main stage talk with Dr. Shayla Treadwell, Deputy CSO at Lumen Technologies, on 21 May.