Risk Management

Where Your OT Security Budget Actually Needs to Go: A Three-Tier Investment Framework

April 15, 2026 | 11 min read | By Beacon Security Team

The Budget Conversation That Never Goes Anywhere

Every quarter, the same scene plays out in industrial boardrooms. Someone from the security or engineering side presents a budget request for OT security. The CFO asks a perfectly reasonable question: "What exactly are we mitigating here, and how do we know this is the right number?"

Then the loop starts. The security team cites threat reports. Finance asks for data specific to their environment. Security explains that visibility is too limited to provide that data. Finance asks why they should fund something when the numbers do not show a clear problem. Security says the numbers are incomplete because the funding has not been there to build visibility. Round and round, quarter after quarter, while the actual work sits undone.

The pattern is remarkably consistent across energy, manufacturing, water, and oil and gas. And the core issue is not a budget disagreement. It is that the whole conversation is built on the wrong question.

The question is not "how much should we spend on OT cybersecurity?" It is "what are we actually building, and does it serve the business beyond just cyber risk?"

The Visibility Gap Nobody Wants to Acknowledge

Before any framework discussion, there is an uncomfortable reality to address: the data that most investment conversations rely on is fundamentally incomplete.

Industry estimates suggest that fewer than one in ten OT networks worldwide has meaningful network monitoring in place. That means every statistic about OT security incidents, every trend report, every sector benchmark, reflects only the small minority of environments where someone was actually watching.

Here is what that looks like in practice:

What the data says                                           | What it actually means
-------------------------------------------------------------|---------------------------------------------------------------------------
"We have not had an OT security incident"                    | There is no mechanism to confirm whether one occurred or not
"Our sector has low incident rates"                          | Our sector has low detection and reporting rates
"Our preventive controls are working"                        | Nobody has verified whether they have ever been tested by an actual adversary
"We do not need monitoring because nothing has happened"     | Without monitoring, there is no way to know if something did happen

This is not theoretical. OT assessment work routinely uncovers conditions that point to past unauthorized access: configuration changes with no documented change records, network connections that nobody on the operations team knew existed, devices communicating with external addresses that were never authorized. These findings do not come from environments that reported incidents. They come from environments that had no idea anything was wrong.

The absence of detected incidents is not evidence of safety. It is evidence of a monitoring gap. Building an investment strategy on that absence is like a hospital deciding it does not need diagnostic equipment because nobody has been diagnosed recently.

A Three-Tier Framework That Actually Works

Rather than framing OT security investment purely as a cyber risk line item, it is far more productive to organize the conversation around three distinct tiers. Each has its own justification, its own stakeholders, and its own success criteria.

The Investment Pyramid

Think of OT security investment as a pyramid with three layers. Each layer supports the one above it, and skipping a layer undermines everything built on top.

[Figure: OT Security Investment Pyramid showing three tiers: Compliance and Regulatory at the base, Operational Capability in the middle, and Cyber Risk Reduction at the top]

Most investment conversations jump straight to the top. That is exactly the problem.

Tier 1: The Compliance Foundation

This is the non-negotiable base. Every industrial organization operates under some combination of regulatory requirements, industry standards, legal obligations, and insurance policy conditions that mandate specific security capabilities. These are not optional, and the consequences of ignoring them are concrete: fines, enforcement actions, loss of operating licenses, and personal liability for executives. Nobody needs a threat briefing to understand a regulatory penalty.

Here is the insight that often gets lost: the sectors with the strongest OT security posture are the ones where compliance forced sustained investment. When regulation requires specific controls, organizations fund them consistently, year over year, without an annual debate about whether the investment is justified. That consistency is what builds actual capability over time.

Compliance alone is not sufficient. But it is the foundation that makes everything else possible.

Tier 2: Operational Capability (Where the Biggest Gap Lives)

This is where things get interesting, and where most organizations have the widest gap.

Tier 2 is not about cyber threats. It is about the operational capabilities that any well-run industrial organization should have, capabilities that happen to also form the foundation of effective cyber defense.

Root cause analysis. When production goes down, can the organization determine why? Equipment failure, contractor error, configuration change, network issue, or cyber event? Most operations teams cannot answer this quickly, because they lack the visibility to distinguish between these causes in real time.

Recovery confidence. Not aspirational targets in a policy document. Actual validated numbers based on exercises where someone timed the restoration. The gap between documented recovery time objectives and what organizations can actually achieve is consistently one of the most eye-opening findings in readiness assessments.

Change awareness. When a new device appears on the OT network, a PLC program gets modified, or a firewall rule changes, does anyone know? Is there a process for determining whether the change was authorized? In most environments, the honest answer is no.

Real-time visibility. Can the operations team see what is actually happening on the OT network? Not just process values on the HMI, but actual network communications, device health, and protocol-level activity?

These are not cybersecurity capabilities. They are operational capabilities. Every one of them delivers value that has nothing to do with hackers:

Capability             | Cybersecurity Value                                       | Operational Value
-----------------------|-----------------------------------------------------------|-------------------------------------------------------------------------
Network monitoring     | Detect unauthorized access and lateral movement           | Troubleshoot network issues, find bottlenecks, catch misconfigurations
Asset inventory        | Know what to protect, identify unpatched systems          | Know what you have, plan maintenance, manage lifecycle replacements
Change detection       | Detect unauthorized logic modifications                   | Verify maintenance was done correctly, track configuration drift
Backup validation      | Enable recovery from ransomware or destructive attacks    | Enable recovery from hardware failure, human error, natural disasters
Incident response plan | Coordinate response to cyber attacks                      | Coordinate response to any operational disruption
Network segmentation   | Limit adversary lateral movement                          | Contain network faults, improve performance, reduce broadcast storms

This dual-purpose reality is the key to breaking the budget stalemate. When the CFO asks about ROI, the answer should not be "it reduces cyber risk." The answer should be "it gives us root cause analysis for any production disruption, validated recovery capability, real-time visibility into our networks, and it also happens to be exactly the foundation we need for cyber defense."

The operational value alone justifies the investment. The security it enables is a massive bonus.
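The change-awareness check described above (a device that is not in the inventory, a modified PLC program, an added firewall rule, and the question of whether a change record covers each one) as an added example written for this page, not code from Beacon Security. The inventory snapshots, addresses, program hashes and change tickets are constructed, and reconciling each difference against a change-record log is one way to implement the "was this authorized" step, not a prescribed one.

```python
"""Change-awareness check for an OT segment: diff a baseline asset inventory against a
fresh snapshot and reconcile each difference with the change-record log. Constructed data."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str              # "new_device", "program" or "fw_rule"
    detail: str
    ticket: Optional[str]  # change record that authorizes it, or None
    @property
    def authorized(self) -> bool:
        return self.ticket is not None

def _ticket_for(records, asset, kind):
    """Return the change-record ticket covering (asset, kind), or None."""
    return next((r["ticket"] for r in records
                 if r["asset"] == asset and r["kind"] == kind), None)

def detect_changes(baseline, observed, records):
    """Every difference between baseline and observed becomes a Finding."""
    findings = []
    for ip, now in observed.items():
        before = baseline.get(ip)
        if before is None:  # device not in the inventory at all
            findings.append(Finding(ip, "new_device", now["role"],
                                    _ticket_for(records, ip, "new_device")))
            continue
        if now["program_hash"] != before["program_hash"]:  # PLC logic changed
            findings.append(Finding(ip, "program", f"{before['program_hash']} -> {now['program_hash']}",
                                    _ticket_for(records, ip, "program")))
        for rule in sorted(set(now["fw_rules"]) - set(before["fw_rules"])):  # rule added
            findings.append(Finding(ip, "fw_rule", rule, _ticket_for(records, ip, "fw_rule")))
    return findings
# Constructed baseline (last inventory), snapshot (what passive monitoring sees now) and change log.
BASELINE = {
    "10.10.1.5": {"role": "PLC-01", "program_hash": "sha256:a1f3", "fw_rules": ("allow 10.10.2.0/24 -> tcp/502",)},
    "10.10.1.6": {"role": "HMI-01", "program_hash": None, "fw_rules": ()},
}
OBSERVED = {
    "10.10.1.5": {"role": "PLC-01", "program_hash": "sha256:b7c9",
                  "fw_rules": ("allow 10.10.2.0/24 -> tcp/502", "allow any -> tcp/502")},
    "10.10.1.6": {"role": "HMI-01", "program_hash": None, "fw_rules": ()},
    "10.10.1.9": {"role": "unknown", "program_hash": None, "fw_rules": ()},
}
CHANGE_RECORDS = [{"asset": "10.10.1.5", "kind": "program", "ticket": "CR-1042"}]  # the only documented change
if __name__ == "__main__":
    for f in detect_changes(BASELINE, OBSERVED, CHANGE_RECORDS):
        print("authorized " if f.authorized else "INVESTIGATE", f.asset, f.kind, f.detail, f.ticket or "")
```

Run as-is, the program change on PLC-01 is matched to CR-1042, while the widened firewall rule and the unknown device at 10.10.1.9 have no record and are flagged for investigation; the same output serves the operations team (undocumented maintenance, configuration drift) and the security team.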

Tier 3: Cyber Risk Reduction

This is where most budget conversations start, and that is exactly why they stall. When the opening question is "how much should we spend to prevent a cyber attack on our OT systems?", it immediately crashes into the data and justification problems described above.

But when Tier 3 sits on top of a solid Tier 1 and Tier 2 foundation, the conversation changes completely. Now you are adding intelligence-driven detection to a network you can already see. You are adding threat-specific response procedures to an incident response plan that already works for operational disruptions. You are layering cyber defense onto an operational capability that the business already values.

Key Tier 3 investments:

  • Threat-informed detection rules tuned to known ICS attack techniques, mapped to MITRE ATT&CK for ICS
  • OT-specific incident response that accounts for safety constraints and continuous process requirements
  • Threat intelligence that translates adversary activity targeting your sector into actionable detection priorities
  • Purple team exercises that test detection and response against realistic OT attack scenarios
  • Dedicated OT security expertise, whether through internal hires, managed services, or a hybrid approach

The critical dependency: Tier 3 requires Tier 2 to function. You cannot write effective detection rules without network monitoring. You cannot do meaningful incident response without asset inventory and backups. You cannot hunt for threat activity in an environment with no visibility. Starting the investment at Tier 3 without Tier 2 is like buying advanced medical imaging equipment for a hospital that has not built the rooms to put it in.

Where Most Organizations Actually Stand

Here is a realistic maturity snapshot based on what the industry looks like today:

Tier 1: Compliance (typical maturity: Moderate)
  Requirements are understood, but implementation is checklist-driven. Controls exist on paper but may not function as designed. Audit prep is stressful because teams scramble to demonstrate what should be routine.

Tier 2: Operational Capability (typical maturity: Low)
  The widest gap. Most organizations lack real-time OT network visibility, have never timed a recovery exercise, and cannot perform root cause analysis faster than "it took us three days to figure out what happened."

Tier 3: Cyber Risk Reduction (typical maturity: Very Low)
  Few organizations have OT-specific detection, dedicated OT security staff, or threat-informed strategies. Most rely on IT security tools that were never designed for Modbus, EtherNet/IP, or DNP3 traffic.

The industrial sector as a whole is nowhere near overinvesting in OT security. The far greater risk is continuing to debate the marginal value of the next dollar while the foundation remains incomplete.

Reframing What OT Security Investment Actually Is

The fundamental problem with most budget conversations is that they treat OT security purely as a cybersecurity expense. Framed that way, the investment competes with every other IT security priority, and justification requires proving a cyber-specific risk that limited visibility may not be able to demonstrate.

But OT security investment is not just a cybersecurity expenditure. It is simultaneously:

  • A regulatory compliance investment that prevents fines, enforcement actions, and personal liability
  • An operational resilience investment that enables root cause analysis, reduces downtime, and speeds recovery
  • A safety investment that protects the people who work in and around industrial processes
  • A business continuity investment that protects revenue-generating production capability
  • And yes, a cybersecurity investment that defends against adversaries with demonstrated industrial attack capabilities

When the conversation accounts for all five dimensions, the math changes immediately. The finance team sees operational resilience value they can quantify. The operations team sees tools they would use daily, not just in a cyber emergency. Legal sees compliance obligations being met. And security gets the foundation needed for effective defense.

People can die in operational environments. Equipment worth millions can be destroyed. Environmental releases can happen. Production can stop for weeks. Treating all of that as a debate about whether cyber threat statistics justify the spend misses the point entirely.

A Practical Path Forward

If your organization is stuck in the justification loop, here is how to move:

Step 1: Be honest about where you actually stand. Not where the policies say. Where you actually are. Can you demonstrate regulatory compliance with evidence, not just documentation? Can you determine why production went down within hours, not days? Can you detect unauthorized PLC logic changes? Can you actually recover critical OT systems within your stated objectives? Honest answers to these questions will clarify the investment picture faster than any threat briefing.

Step 2: Lead with Tier 2. Operational capabilities are the easiest to justify, the most broadly valuable, and the most foundational. Network monitoring, asset inventory, change detection, backup validation, and recovery testing all have clear operational ROI that stands on its own. Lead with business value. The cyber value follows naturally.

Step 3: Build integrated systems, not stacked point solutions. The monitoring platform that gives operations network visibility also feeds security detection rules. The backup program that recovers from hardware failure also recovers from ransomware. The incident response plan for operational disruptions also handles cyber incidents. Each investment should serve multiple tiers simultaneously.

Step 4: Stop waiting for perfect data. The organizations that will be strongest in five years are not the ones who found the perfect ROI formula before acting. They are the ones who recognized the foundational gaps, committed the resources, and built the capabilities that good operational practice has always required and that the current threat environment now demands.

The industry is not at risk of spending too much on OT security. It is at risk of debating while the foundation stays incomplete.

Beacon Security designs and implements OT security programs across energy, manufacturing, water, oil and gas, and chemical sectors. If your organization is working through the OT security investment conversation, contact us to discuss a structured approach.
