As operational technology networks connect to enterprise IT, organisations need security professionals who understand both domains. We explore the skills gap and how to bridge it.
The dividing line between IT and OT security is disappearing. For decades, operational technology and information technology existed as separate worlds with distinct cultures, protocols, and security models. That separation made sense when industrial control systems were air-gapped and the biggest risk to a SCADA environment was a misconfigured relay.
It no longer makes sense. As industrial control systems connect to enterprise networks and cloud platforms, the attack surface has expanded dramatically. The Dragos 2026 OT Cybersecurity Report documented a 49% year-on-year increase in ransomware targeting manufacturing and industrial environments, with 61% of intrusions now impacting OT systems directly.
For critical national infrastructure (CNI) organisations, this convergence creates a talent challenge that traditional recruitment cannot solve.
The ideal IT/OT security professional combines knowledge of traditional IT security frameworks with an understanding of industrial protocols like Modbus, DNP3, and OPC UA. They appreciate why you cannot simply patch a SCADA system on the same cycle as a Windows server. They understand safety implications alongside security ones.
These individuals are exceptionally rare.
Most security professionals have grown up in IT environments. They know firewalls, SIEM platforms, and cloud architecture. What they often lack is an understanding of the physical consequences when something goes wrong in an OT environment — the difference between a service disruption and a safety incident.
Conversely, OT engineers understand the operational context intimately but may not have the security architecture experience to design controls for a converged network. Bridging this gap requires deliberate effort, not a generic job advert.
The most common mistake is treating IT/OT convergence as a technology problem with a technology solution. Organisations invest heavily in network segmentation, monitoring tools, and detection platforms — then struggle to find anyone who can operate them effectively across both domains.
Another frequent misstep is writing job descriptions that demand the impossible. Requiring ten years of OT security experience alongside CISSP, CISM, and cloud security certifications describes a unicorn, not a realistic candidate. The talent pool for these hybrid roles is small enough without artificially shrinking it further.
Organisations that are succeeding in this space tend to take a more creative approach. Some are developing existing OT engineers with targeted IT security training. Others recruit IT security professionals and provide structured OT immersion programmes, embedding them alongside operational teams to build contextual understanding.
Creating hybrid roles that formally bridge both teams — with reporting lines, objectives, and career progression that span the IT/OT divide — signals to candidates that the organisation takes convergence seriously. It also creates the kind of role that attracts people with genuine cross-domain curiosity.
Critically, the search process itself needs to be specialist. The networks where these candidates exist are not the same ones that surface through generalist recruitment channels. Reaching them requires domain expertise, technical credibility, and an understanding of what motivates people who have built careers at the intersection of two traditionally separate disciplines.
IT/OT convergence is not a future trend. It is a present reality for every CNI organisation managing connected industrial environments. The security talent that bridges both worlds is a strategic asset — and one that is becoming harder to find as demand accelerates.
Organisations that treat this as a specialist recruitment challenge, rather than another line item on a generalist requirements list, will build the teams that can actually protect converged infrastructure. The ones that wait will find the candidates they need have already been placed elsewhere.