SJUK hears exclusively from Louise Bulman, Vice President International of Dragos about why operational technology cyber-risk must be treated as more than an IT concern.
UK organisations have weathered a sharp rise in cyber-incidents over the past year.
Disruptions across manufacturing, retail and logistics have revealed how exposed modern operations can be when digital systems, physical equipment and global supply chains intersect.
Yet despite growing concern at the leadership level, many board discussions still orbit familiar IT territory with limited attention given to the industrial systems that keep essential services functioning.
Operational technology sits at the heart of these risks. These systems control everything from assembly lines to energy distribution and when targeted by cyber-adversaries the consequences reach far beyond data loss.
Recent industry analysis shows a steep rise in ransomware targeting industrial environments with threat actors now building capabilities designed to interrupt physical processes.
This shift demands a strategic response, yet operational technology (OT) continues to be underestimated by leadership teams accustomed to viewing cyber-risk through a corporate IT lens.
A large proportion of today’s exploitable weaknesses lie within OT environments that were never designed for the connected era.
Their foundations were built around reliability and safety, not adversarial threats or remote access.
When these systems become entangled with modern business networks, the attack surface grows in ways that are often poorly understood at board level.
This creates a critical oversight.
IT outages may lead to inconvenience and temporary disruption. OT failures can result in halted production, compromised safety systems and operational losses that accumulate by the hour.
Many leaders respond instinctively to real-world scenarios that quantify these stakes, such as understanding what a plant makes in a day and what is lost if operations are down for a week.
These tangible impacts bring OT risk into sharper focus and establish a more meaningful foundation for strategic discussion.
Recent incidents underscore why OT security must be treated as a strategic priority.
For example, Jaguar Land Rover (JLR) confirmed a cyber-incident on September 1, 2025 that forced the company to proactively shut down parts of its global IT systems, disrupting manufacturing and retail operations.
The impact was severe – manufacturing operations were halted for nearly five weeks, causing significant financial and operational losses.
Beyond JLR itself, the disruption rippled across its multi-tier supply chain and downstream entities such as dealerships, illustrating how a single breach can cascade through an entire ecosystem.
For boards, this is a stark reminder that OT vulnerabilities are not isolated technical issues – they can trigger systemic failures that affect revenue, reputation and partner relationships.
Board-level thinking on cybersecurity no longer occurs in a purely technological or financial vacuum.
Global political tension, uncertainty in supply chains and the rise of cyber-activity linked to state interests now exert direct influence on security planning.
For UK organisations, this means that investment decisions increasingly depend on external forces.
Tariffs and currency fluctuations can limit access to industrial components, delaying efforts to secure vulnerable assets.
International regulation is gradually raising expectations for resilience and incident reporting, particularly in sectors tied to national infrastructure.
As a result, security priorities are shifting and boards must navigate a landscape where geopolitical dynamics carry as much weight as technical assessments.
Even without geopolitical strain, OT security decisions are becoming inherently more complex.
They involve finance teams assessing cost, engineering teams safeguarding uptime, operations teams protecting performance and compliance teams tracking evolving regulation.
Each group approaches the risk from a different angle. Without alignment, organisations face stalled programmes and inconsistent investment.
This complexity extends into the technical domain.
OT environments often blend legacy equipment with modern digital controls, which makes it difficult to determine which improvements offer meaningful risk reduction without interrupting production.
Many organisations struggle because they lack a clear picture of their current OT security posture.
Metrics alone rarely resolve the issue.
Leaders benefit more from scenario-based thinking that tests where failures could originate and which resources are needed to prevent them.
One of the most important cultural shifts is the expectation that security leaders address OT directly at board level.
When leadership teams raise questions about OT risk, silence or deflection undermines trust.
Boards increasingly see OT as a core source of revenue and continuity, they also expect cyber-leaders to demonstrate the same depth of understanding across industrial environments as they do within corporate IT.
For boards, addressing this gap starts with treating cyber-risk as a standing governance issue rather than an episodic update.
That means focusing on a small number of critical controls that protect the most important business operations and ensuring there is regular, structured engagement with senior management to track how cyber-resilience supports wider organisational outcomes.
A practical starting point is adopting recognised frameworks such as the SANS ICS 5 Critical Controls – which provide clear guidance on prioritising actions that deliver the greatest risk reduction in industrial environments.
The most effective boards ask how security investment reduces operational disruption, protects revenue and safeguards trust, rather than relying solely on technical indicators.
Where this discipline is missing, recent high-profile cyber-incidents have shown how quickly security failures can escalate into regulatory scrutiny, prolonged outages and lasting reputational damage.
Stronger decision-making begins with establishing which sites, assets and processes matter most to the continuity of operations.
When boards and executives prioritise these environments, it becomes easier to anchor conversations in business reality rather than broad technical theory.
Leaders can then judge which controls and capabilities are essential and which can be sequenced over time.
A practical way to bring structure to these conversations is to adopt a clear prioritisation model.
One approach used widely across industrial environments categorises actions into those that must happen now, those that can be addressed next and those that should never be pursued because they consume resources without reducing risk.
This model replaces ambiguity with a shared language that supports operational, financial and technical alignment.
Real progress also requires meaningful collaboration between IT and OT teams.
Their responsibilities are intertwined but their cultures and operating models can differ significantly.
Boards set the tone by asking the right questions and ensuring that both functions contribute to an integrated view of risk, visibility and incident response.
This top-down direction is often more effective than expecting every site or plant manager to interpret requirements independently.
The convergence of operational dependence, geopolitical uncertainty and maturing cyber-threats is reshaping board-level responsibility.
OT security has become a strategic concern, not a technical niche.
Boards that recognise this shift can strengthen their organisation’s resilience, improve the clarity of investment decisions and foster better coordination between teams that have traditionally worked in silos.
Looking ahead, the organisations that thrive will be those whose leaders engage deeply with the realities of their industrial environments.
This means asking sharper questions, demanding clearer insight into the risks that threaten continuity and ensuring that security decisions support long-term business performance.
Critical operations underpin the stability of the economy and society.
Leadership attention, applied early and consistently is now essential to protecting them effectively.
