OT security specialists remain one of the hardest roles to fill in cybersecurity. Skills gaps have overtaken headcount shortages as the top workforce challenge, and IT experience alone is not enough for operational technology environments.
← Back to Insights
Forbes recently called operational technology “cybersecurity’s blind spot.” That label is generous. For most UK critical national infrastructure organisations, OT security is not a blind spot. It is an open wound.
Cyber attacks on UK utility companies surged 586% from 2022 to 2023. The threat landscape has shifted. The talent landscape has not kept pace. OT Security Engineer and SCADA specialist vacancies routinely sit unfilled for six months or longer. Not because budgets are missing. Because the people are.
The conversation has moved on from headcount. Skills gaps have overtaken staffing shortages as the top workforce challenge across the sector. 60% of organisations now identify skills gaps as the greater problem, compared to 40% citing raw staffing shortages.
The detail is worse. 35% of organisations report moderate gaps affecting 10 to 29% of required skills. 13% report major gaps exceeding 30%. Only 19% consider their teams fully skilled for the threats they face.
These are not theoretical numbers. They translate directly into unpatched SCADA systems, misconfigured industrial firewalls, and incident response plans that assume every environment looks like a corporate network.
This is where most hiring strategies fail. Organisations write job specifications by copying their IT security requirements and adding “OT” to the title. It does not work.
An IT security professional understands network segmentation, vulnerability management, and threat detection. These skills matter. But they are not sufficient when the environment includes programmable logic controllers, legacy protocols with no authentication, and systems that cannot be taken offline for patching without shutting down a water treatment plant or a power substation.
The difference is operational consequence. When a corporate server goes down, productivity suffers. When a SCADA system fails in a live environment, physical safety is at risk. Understanding that distinction is not something you learn from a certification. It comes from time spent in operational environments where availability is not negotiable.
Job specifications increasingly demand IEC 62443, Modbus, DNP3, and PROFINET fluency alongside NIST SP 800-82 Rev 3 knowledge. These are the right requirements. But posting them in a standard cyber security job advert and expecting a flood of qualified applicants misunderstands the market entirely.
IT/OT convergence is creating an interdisciplinary skillset that barely exists at scale. The candidates who genuinely understand both worlds are rare. They tend to come from one of two routes: control systems engineers who developed a security mindset, or IT security professionals who spent years embedded in industrial environments.
Neither route is fast. It takes 12 to 18 months to train an IT security analyst to become genuinely OT-literate. That timeline assumes dedicated mentoring, access to live OT environments, and an organisation willing to invest in development rather than expecting a finished product on day one.
Most organisations are not set up for that investment. So they wait for the perfect candidate. And they keep waiting.
When we assess candidates for OT security roles, we look beyond certifications and keyword lists. Genuine OT fluency shows up in specific ways.
Candidates who understand why you cannot run a vulnerability scan on a live PLC the same way you would scan an enterprise server. Professionals who know that “patching” in an OT environment means coordinating with operations teams, scheduling maintenance windows months in advance, and sometimes accepting that a patch simply cannot be applied. People who understand the Purdue Model not as an exam answer but as a lived framework they have implemented or maintained.
The best OT security hires tend to ask questions about the environment before they ask about the technology stack. They want to know what is being controlled, what the safety implications are, and what the operational constraints look like. That mindset cannot be screened for with a standard competency framework.
Organisations that succeed in filling OT security roles do several things differently.
They write job specifications that reflect the operational reality of the role, not a repurposed IT security template. They assess candidates on scenario-based understanding, not keyword matching. They engage with the market through specialist channels rather than generalist job boards. And they move quickly when the right candidate appears, because that candidate will have other options.
The regulatory environment is tightening. The threat landscape is escalating. The talent pool is not growing at the same rate. Waiting is a strategy, but it is not a good one.
The most important cyber security hire most CNI organisations still have not made is the one that bridges the gap between their IT security capability and their operational technology reality. The organisations that make that hire now will be better positioned for what comes next.
Trusted by security leaders at



"I can't recommend Gyles and the team at Foundations enough. We struggled to find a suitable candidate for 5 months, Foundations found 3 perfect candidates in 24 hours."
Manager of EMEA & APAC Network Engineering, Equinix