December 7, 2023
July 29, 2025

The Great Divide: Why IT and OT See the World So Differently (Part 2: Personnel)

Hey everyone, Joe Baxter here again. Last time, we explored the fundamental differences in priorities between IT and OT, and how these core objectives shape everything they do. If you missed it, go check out Part 1: Priorities – it sets the stage for today's topic: Personnel.

Because IT and OT have such distinct missions and priorities, it naturally follows that the people who work in these domains, as well as the structure of their roles, are also profoundly different. Understanding these human elements is crucial for anyone trying to bridge the IT/OT divide.

Dedicated Roles vs. "Bolted On" Responsibilities

In the IT world, most personnel have a clearly defined, dedicated role with a specific IT title. Think Network Administrator, Help Desk Specialist, Database Administrator, and so on. This is especially true in cybersecurity, where you find dedicated Security Analysts, Incident Responders, and CISOs. 

On the flip side, in OT, personnel who are also charged with cybersecurity generally continue in their primary operational roles. Their titles remain things like SCADA Engineer, Process Control Engineer, or Automation Specialist. These critical cybersecurity functions have often been "bolted on" to their existing workloads as additional responsibilities, usually without any other duties being streamlined or reduced. Imagine being responsible for keeping a complex industrial process running 24/7 and now being told you're also the cybersecurity expert for it. That's the reality for many OT professionals.

The Certification Divide: Formal Paths vs. On-the-Job Learning

For the IT professional, industry certification has long proven itself as a recognized mechanism for career advancement. Beyond the vast array of technology-specific certifications, many IT cybersecurity certifications boast well-known track records spanning two decades. Organizations like the International Information System Security Certification Consortium (ISC2) foster highly visible credentials like the Certified Information Systems Security Professional (CISSP). The SANS Institute and the Information Systems Audit and Control Association (ISACA) offer some of the most highly regarded certifications for mid-career cybersecurity professionals, often requiring years of proven work experience and recommendations in addition to proctored testing, such as ISACA's Certified in the Governance of Enterprise IT (CGEIT). 

This creates a clear, obvious career path for the entry-level IT professional, with growth and advancement opportunities built into job titles (e.g., Administrator I, Administrator II) and performance assessments.

In stark contrast, the OT engineer supporting cybersecurity tends not to seek additional industry certifications. While some may carry the PE (Professional Engineer) designation, few IT certification bodies fully recognize the unique needs or actively promote additional training for this subcategory of personnel. The SANS Institute does maintain a Common Body of Knowledge (CBK) on OT cybersecurity topics and provides excellent guidance, but widespread adoption among working OT engineers for these specific certifications appears limited. The OT cybersecurity professional often doesn't see a change in job title, is frequently not measured on cybersecurity performance, and is generally much later in their career path, if not near its end, when these responsibilities are added.

The SOC Question: Centralized vs. Dispersed

IT budgets often provide for a dedicated Security Operations Center (SOC). Many IT SOCs maintain staff round the clock, constantly monitoring for threats. OT, however, rarely deploys its own dedicated SOC. And while there's a push to pipe OT cybersecurity events into existing IT SOCs, the fundamental differences in priorities (as we discussed in Part 1) often make this intermingling risky. An IT SOC might not fully grasp the critical timing or safety implications of an OT alert, potentially leading to delayed or inappropriate responses.

The Working Environment: Office vs. Field

Finally, the day-to-day working environments of IT and OT personnel couldn't be more different. IT personnel often enjoy proximity to coworkers, allowing them to easily draw on colleagues for troubleshooting help and support in challenging situations. As IT moves to cloud environments, instant chat and telepresence technologies take on many aspects of collaboration, making a remote IT workforce possible and productive.

OT personnel, on the other hand, often reside "in the field," wearing Personal Protective Equipment (PPE) such as hard-toed boots and fire-retardant (FR) clothing. They frequently do not possess adequately secure remote access technology and must travel across widely dispersed geographical areas for most true hardware failures. The OT professional may also be tasked with Safety Observation Tours (SOT) and other Preventative Maintenance (PM) procedures that any entity personnel must complete upon any visit to a site.

The overall differences in their working environments are perhaps best exemplified by the ever-present cans of half-used hornet spray scattered liberally throughout the OT technician's truck cab and toolbag. That's not something you'll find in a typical IT server room!

These profound differences in personnel structure, career paths, security roles, and working environments create unique challenges and opportunities for securing our increasingly converged IT and OT landscapes. In the next installment, we'll explore how these differences impact security strategies themselves. Stay tuned!

Joe Baxter, Network Architect, IT & OT Veteran
