Should Operational Technology (OT) cybersecurity controls (like NIST) be required by law, or remain as recommendations to businesses?

Control required by law.68%

Business recommendations.31%

550 PARTICIPANTS

3.6k views1 Upvote5 Comments

Sort by:

CTO in Services (non-Government)3 years ago

I went with business recommendations purely because any regulation would need to take into account company size. Smaller companies just don't have the resourcing to implement comprehensive, documented security.

2 1 Reply

no title3 years ago

I agree, for small businesses the regulations can cost more for implementing than revenue.

Vice President of Information and Security in Manufacturing3 years ago

The landscape is a living place that is constantly changing and i believe there should be a body that develops cybersecurity standards that provides and supports all industries as a foundational framework. From that point it's a business decision to follow those standards to protect their interests.

CEO in Services (non-Government)4 years ago

Operational technology is a very broad space. I think we need to reclassify devices and "things" so that those that may impact human health and safety fall under regulated cybersecurity mandate and those that have little impact are suggested but not mandated.

Fractional CIO in Services (non-Government)4 years ago

I have a view that the requirement by law should be descriptive, not prescriptive.

The extent should be a mandate that each business has someone accountable for Cyber Security, much like jurisdictions have for privacy officers

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Digital transformation isn’t just about new tools, it’s about changing how teams work. Key lessons I’ve observed: 1. Start with process bottlenecks, not technology 2. Empower cross-functional teams 3. Measure outcomes, not outputs What has been the most surprising lesson your teams have learned during a transformation?

Does your org use Protection-level agreements (PLAs) when planning cybersecurity investments?

Yes, always25%

Sometimes49%

No, never17%

Not yet, but we're going to start5%

What's a PLA?2%

View Results

What sorts of challenges have you encountered in adapting your governance framework to address AI adoption across business units, and how are you attempting to resolve these?

If your organization conducted a project to automate your software testing within the past two years, how long did it take to see a return on your investment?

0-3 months7%

4-6 months43%

6-12 months29%

Longer than 1 year7%

Have not seen a return on our test automation investment8%

Don't know3%

View Results

Should Operational Technology (OT) cybersecurity controls (like NIST) be required by law, or remain as recommendations to businesses?

Sort by:

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Does your org use Protection-level agreements (PLAs) when planning cybersecurity investments?

What sorts of challenges have you encountered in adapting your governance framework to address AI adoption across business units, and how are you attempting to resolve these?

If your organization conducted a project to automate your software testing within the past two years, how long did it take to see a return on your investment?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go