(and maybe fewer OT Security Pro’s than originally thought)

Kelly Shortridge gave a great keynote on DevOps coming to the OT world at S4x20. I originally asked Kelly to give a talk on DevSecOps. She pushed back on the use of that term because security isn’t separate or special from other DevOps responsibilities.

The real “DevSecOps”: DevOps will be held accountable for security fixes.

Are we making the same mistake with the thought that we will need a large population of OT Security professionals?

If you are pursuing an OT Security professional career, don’t panic. There is an ongoing need for OT Security professionals to help with security requirements and design, prepare and work the SOC, create and audit security governance, assist with development of OT security operational processes, participate in cyber risk management, be on red and blue teams, and more. There is still a large gap between the market needs and market supply.

It is a question of scale. Do we need 2x or 3x the available supply of OT Security pro’s? Or 10x or 100x?

If we follow the Sec in DevSecOps is unnecessary because it is part of DevOps argument, then we would need more OT professionals who have security as one part of the role and a smaller number of OT Security professionals. The OT professionals would handle ongoing security operations including applying security patches, insuring the cyber assets are in a hardened state, managing user authentication and authorization, security log management, recovery, and other tasks.

Perhaps I’m in the OT security bubble, but I don’t hear a lot about a severe shortage of OT professionals. This may be due to the tired IT v. OT, IT/OT convergence discussions, with an assumption that IT will take over OT. In a sense this is not wrong.

The IT world is not homogenous. In large companies the people responsible for desktop support are not responsible for the network infrastructure. There are specialized teams to support the e-commerce environment where the cost for every minute of downtime is known. There are often specialized teams for ERP, databases, web apps. Sometimes these teams are based on a technology, and sometimes they are based on business function. I’ve encountered IT teams that are responsible for trading desks, finance systems and other environments that are separate, for a specific purpose, and critical to the company.

OT professionals could be a team or department under IT, or they could be under Operations. By now we have seen a variety of structures work for OT security, and the same will be true of OT. I’m partial to it being part of IT, or maybe just T. (ht: Patrick Miller).

OT like other specialized T is different in two important ways:

  1. The business drivers and metrics will be different then generic IT and other specialized IT. This will impact primarily processes, and to a lesser extent people and technology.
  2. The technology at Level 1 and below will be OT specific and require the OT professional to learn the appropriate skill sets.

Perhaps the most important item for the OT Security community is the OT professional needs to take on OT operational security as a task they own. We need to help with this and ease the OT professionals path.


Mark Hyman, an ICS security recruiter with VMG, and I will be answering ICS security career questions on the Sep 29 episode of Unsolicited Response. Record your question at dale-peterson.com (click on the Record Your Question button), email s4@digitalbond.com or message me here at LinkedIn. Questions being accepted through Friday.