The Gap Is Real and It Is Getting Wider
Here is a scenario that plays out repeatedly across industrial sectors: an organization decides it is time to build a serious OT security program. The CISO drafts a job description for an OT Security Engineer. The description goes live. And then the waiting begins, because the pool of people who actually hold the combination of capabilities that role requires is very small, and every one of them is already fielding multiple offers.
The industrial cybersecurity sector has a workforce problem that no amount of salary inflation will quickly solve. The issue is not a shortage of cybersecurity professionals in general. It is a shortage of professionals who hold a specific combination of capabilities: deep understanding of industrial control systems and operational technology, combined with substantive cybersecurity knowledge and skills.
These two knowledge domains have historically developed in entirely separate professional communities. Control system engineers learn PLC programming, process instrumentation, DCS configuration, and industrial network architecture. Cybersecurity professionals learn network security, vulnerability analysis, incident response, and threat intelligence. The Venn diagram of professionals with genuine competency in both remains small, and demand has accelerated dramatically as organizations have moved from hoping their OT environments would stay invisible to accepting they need real programs.
Why Traditional Hiring Does Not Solve This
The instinct of most organizations facing a skills gap is to hire their way out of it. For OT security, this approach has structural limits.
Posting a job description for an "OT Security Engineer" draws from a very small pool of qualified candidates, and those candidates are receiving competing offers from oil majors, utilities, government contractors, and national laboratories. Many smaller industrial operators simply cannot compete on salary with the organizations also hunting from the same thin pool.
Beyond compensation, there is a cultural dimension that is easy to underestimate. Experienced OT security professionals often have strong preferences about work environment. Many prefer facility-based roles where they can develop genuine process knowledge, and they are skeptical of organizations where OT security is functionally subordinated to an IT security team with no operational technology understanding. Candidates who have spent years learning the difference between a DCS and a SCADA system, who understand why you cannot just reboot a PLC, are not excited to join a team where that knowledge is neither valued nor understood.
The organizations that have built the strongest OT security programs did not primarily hire their way to capability. They built it.
Path 1: Cross-Training IT Security Professionals for OT
The most scalable approach is developing OT security competency from an existing IT security talent base. This requires deliberate investment in OT-specific knowledge, not just the assumption that cybersecurity skills transfer automatically.
Some things transfer well. A security analyst who can read packet captures and identify anomalous behavior in TCP/IP traffic can learn to apply the same skills to Modbus, DNP3, and EtherNet/IP. Vulnerability assessment methodology transfers, though the tooling and constraints differ significantly. Incident response process and documentation skills apply broadly. Governance, risk, and compliance knowledge is highly transferable, especially for frameworks like IEC 62443 and NERC CIP.
But some things require deliberate learning that no amount of IT experience provides. Industrial process knowledge, understanding what a DCS actually controls, what a safety interlock does, why a PLC cannot simply be rebooted, requires immersion in the operational environment. OT network architecture, historians, engineering workstations, field buses, protocol gateways, and their operational roles, is not intuitive without structured exposure. And the awareness of safety systems, specifically why a security action that seems entirely reasonable from an IT perspective could be catastrophically dangerous in a SIS context, must be explicitly taught. This last point is not theoretical. It is the kind of gap that creates serious incidents.
The most effective accelerators for OT cross-training are time on the floor and structured mentorship. Embed IT security staff in operations teams for rotation periods. Two to four weeks working alongside a control system engineer, observing what they do and why, builds process intuition that no classroom training replaces. Pair those rotations with structured access to OT training labs where staff can interact with PLCs, HMIs, and industrial network equipment safely. Assign specific vendor product training from Siemens, Rockwell, or other relevant vendors, which is often more practically useful than generic courses.
Path 2: Developing OT Engineers into Security Practitioners
The complementary approach is investing in the cybersecurity development of existing control system engineers. This path produces professionals with deep process knowledge who add security capability, and in our experience at Beacon Security, it often produces the most effective OT security practitioners.
The reason is simple: OT engineers already understand what they are protecting. They know what a logic change to a specific PLC actually means for the process. They know which communications are normal, which devices should never initiate connections, and which process values should never change outside normal operating ranges. That contextual knowledge is the hardest dimension of OT security to acquire, and these professionals already have it. All they need is the security lens.
The cybersecurity foundation for OT engineers does not have to be exhaustive to be useful. Network fundamentals and IP concepts, the threat landscape and who is actually targeting OT environments and how, basic vulnerability concepts, and an introduction to IEC 62443's zone and conduit model provide a structured language for security conversations that many OT engineers lack not because they are not capable but because nobody ever gave them the framework.
Practical mechanisms matter here. Sponsor OT engineers for structured OT security training programs through ISA, SANS, or vendor-specific curricula. Include them in cybersecurity incident exercises, tabletop scenarios build security intuition while leveraging their process expertise. And create a formal OT Security Engineer role that combines operational technology ownership with security responsibilities, with a compensation structure that reflects the hybrid value. That role recognition matters for retention.
Certification Pathways
Professional certifications provide structured learning pathways and help both individuals and employers evaluate OT security competency. A few are worth the investment:
The Global Industrial Cyber Security Professional (GICSP), administered by GIAC, is the most widely recognized OT-specific security certification. It covers ICS architecture, OT-specific vulnerabilities, security assessment, and incident response for industrial environments, and is appropriate for professionals coming from either an IT security or OT engineering background.
The ISA/IEC 62443 certification program offers role-specific certificates aligned with the standard that most regulated OT environments are expected to follow. For organizations building IEC 62443-compliant security programs, these certifications provide directly applicable knowledge rather than generic cybersecurity theory.
SANS ICS courses (ICS410, ICS515, ICS612) are widely respected as indicators of practical, hands-on training. ICS410 provides the broadest foundation; ICS515 focuses on threat intelligence and adversary analysis for ICS; ICS612 covers advanced OT incident response. These are not certifications in the traditional sense, but in practice they carry significant weight in the OT security community.
Partnering with Specialist Consultancies
For most organizations, building entirely internal OT security capability takes years. In the interim, and sometimes as a long-term structural choice, partnering with specialist OT security consultancies provides access to expertise that would be impractical to develop and retain in-house.
This is particularly relevant for periodic assessment work that requires deep specialization but not continuous engagement, for program development where external expertise accelerates the design and implementation, for incident response where specialized OT forensic capability is needed but not justified as a full-time internal role, and for managed security services for smaller organizations where a dedicated OT SOC is not economically viable.
When selecting an OT security consultancy, look past the marketing materials. The gap between genuine OT security expertise and IT security firms who have added "OT" to their service catalog is significant. Ask specifically about the team's operational technology background, the ICS protocols they work with routinely, the OT monitoring platforms they are experienced with, and the industrial sectors they have actually served. At Beacon Security, our team includes professionals who came from operations and engineering backgrounds, not just cybersecurity, and that cross-disciplinary depth is what makes the work meaningful.
Building the University Pipeline
The long-term solution to the OT security skills gap runs through universities and vocational training programs. Progressive industrial operators are beginning to invest in building the pipeline: sponsoring industrial cybersecurity coursework at engineering universities, participating in internship programs that give engineering students exposure to OT security work, engaging with ISA student chapters and ICS security competitions, and funding or co-developing curriculum at technical colleges serving industrial regions.
These investments take years to produce returns, but organizations that make them now will have preferential access to the next generation of OT security professionals as those programs mature.
The Organizational Design Question
Beyond individual hiring and development, effective OT security programs require organizational designs that position OT security professionals correctly. Two common failure modes emerge repeatedly.
The first is burying OT security inside IT security. OT security professionals reporting into an IT security organization with no operational technology representation in leadership tends to produce programs optimized for IT metrics, tools that do not work well in OT environments, and practitioners who are isolated from the process knowledge they need to be effective.
The second is siloing OT security entirely within operations. OT security professionals reporting only within the operations organization, without connection to enterprise security, tend to produce programs that understand the process well but lack cybersecurity rigor and are disconnected from threat intelligence, incident response infrastructure, and corporate security governance.
The models that work best create explicit coordination structures between operations and security, whether that is a dedicated OT security function with reporting lines to both, a matrix model, or a hybrid team with clear responsibilities and escalation paths. The exact structure matters less than the deliberate connection between the two domains.
The skills gap will not close quickly. The organizations that invest deliberately in building OT security capability today, through cross-training, internal development, strategic certifications, and smart external partnerships, will be significantly better positioned than those waiting for the market to produce the talent they need.
Beacon Security supports OT security workforce development through training programs, mentorship structures, and embedded consulting that builds internal capability over time. Contact us to discuss how we can accelerate your team's OT security competency.
