We have a diversity problem in OT security. The obvious lack of diversity is social diversity. Racial, gender and even age diversity. It’s important the community is taking this seriously and making progress. 

However there is another type of diversity lacking that is at least equally important in my view, cognitive diversity. From Tim Ferriss’s conversation with Michael Mauboussin:

The second kind of diversity is cognitive diversity. That’s what you just described. And that’s really perspectives, point of views, mental models, training, personalities, and so forth. Nearly all the literature I’ve seen suggests that it is cognitive diversity that is the key to solving problems. 

This is most visible in the career backgrounds and roles that find their way into OT security. The gatekeeping that was a big problem in the past and remains in some places and sectors still today. Having people come into OT security from all sorts of fields of study and careers will help create some cognitive diversity. 

A lot of the cognitive diversity that enters the field is removed from the entrants as they learn and follow OT security orthodoxy. They adopt the same mantras rather than using their different “perspectives, mental models, training …” to create and promote new ideas and approaches. One of the first things I hear and read on OT security from someone who entered with cognitive diversity is the “how OT is different than IT” pablum. I’m hoping more of these new entrants will write the “3 things OT can learn and adopt from OT”, or medical science, or psychology, or …

When putting together the S4 agenda to tackle the Create The Future goal, I take a lot of time searching for alternative perspectives, new and seemingly crazy ideas, and anything that doesn’t repeat the same platitudes. They are surprisingly hard to find. 

The consistency of the approaches and recommendations and the certainty in these approaches and recommendations is a problem. Why? Because we have little or no data that most of this conventional wisdom is effective (we measure so little in OT security). Most are unproven hypotheses at best, and often better described as beliefs.

The limited evidence to date, primarily in vendor activity reports and studies, shows an increase in compromises and losses. The answer tends to be we just need to do what is recommended more and better. Perhaps this will be proven correct. Until it is we shouldn’t lock into this as the solution. And the OT security community would benefit from more cognitive diversity.