Why the Chief Security Officer is emerging as a business-critical role across IT and OT
For many organizations, security remains a control layer applied after the fact. That model is breaking down.
In today’s geopolitical climate, organizations are operating in an environment defined by volatility, interconnected ecosystems and persistent cyber threat. Security strategies must do more than reduce risk; they must enable speed, protect operations, sustain trust and strengthen resilience.
Against this backdrop, cybersecurity is now firmly in the boardroom, reinforced by regulations such as the EU NIS2 Directive, which introduces board-level accountability, mandatory incident reporting and strict risk management obligations across both IT and OT environments.
If cybersecurity is now a strategic business pillar, the question is no longer whether it matters, but who truly owns it.
Why the CIO/CISO model no longer aligns with today’s risks
Cybersecurity has traditionally been positioned within the IT organization, under the Chief Information Officer (CIO), with the Chief Information Security Officer (CISO) focused primarily on information security. That model reflected a world where most cyber risk was concentrated in corporate IT systems.
That world no longer exists.
Today’s enterprises operate across digitally connected value chains where IT, IoT, cloud, vendors and industrial and critical infrastructure environments are deeply intertwined. Critical processes, from surveillance systems to production lines, are now digitally exposed. Industrial IoT (IIoT) is not experimental; it is operational, often controlling safety-critical systems such as valves, temperature sensors and automated controls. These OT environments are no longer isolated, extending the enterprise attack surface.
Meanwhile, regulations are catching up. The EU Cyber Resilience Act extends accountability beyond enterprise IT into products, devices and product lifecycle security, forcing organizations to think beyond traditional boundaries.
The takeaway: Cyber risk extends beyond IT, and so must its ownership.
IT and OT convergence is reshaping enterprise risk
The convergence of IT and OT is often described as unification. In practice, it brings together fundamentally different priorities:
- IT automates information, prioritizing confidentiality and data integrity
- OT automates physical processes, prioritizing availability, safety and physical outcomes
This convergence changes the nature of risk. In OT environments, cybersecurity is not only about availability, but also about ensuring functional safety and preventing physical harm to operators, the environment and surrounding communities. These domains also use fundamentally different languages and protocols.
In most organizations, responsibility for OT cybersecurity sits within operations, under leaders focused on production, efficiency and quality, rather than cyber risk.
The result is a structural gap in ownership. In manufacturing and energy environments, cyber incidents translate directly into production downtime, often costing millions per day, while also exposing the organization to direct business continuity, safety and reputational risk. Cyber resilience is therefore a core operational and financial KPI, exposing the limits of current governance models.
Regulation is forcing convergence, but organizations are not ready
- European Union
Framework: NIS2 Directive
Strategic Impact: Board accountability, 24-hour reporting, IT + OT scope
- USA
Framework: CIRCIA & CMMC 2.0 (for defense supply chains)
Strategic Impact: 72-hour reporting for critical sectors; Zero Trust mandates
- UK
Framework: Cyber Security & Resilience Bill (CSRB)
Strategic Impact: Expanded scope to Managed Service Providers (MSPs); NCSC Cyber Assessment Framework (CAF).
- Canada
Framework: Bill C-26 (CCSPA)
Strategic Impact: Protection of "Vital Services"; mandatory reporting to CSE; high penalties for non-compliance.
- Australia
Framework: SOCI Act (2025 Updates)
Strategic Impact: 12-hour critical incident reporting; Incident Response Plans and Cyber Exercises for "Systems of National Significance" (SoNS); ransomware payment reporting.
These frameworks share a common message: Cybersecurity is now an enterprise-wide responsibility, not a departmental function. For sectors such as energy and utilities, these requirements reinforce the need to protect systems that underpin essential services and national infrastructure.
Yet most organizations remain structurally fragmented, with IT and OT risks governed separately. This creates blind spots, particularly in industrial environments that may be well-operated but under-secured.
The real risk lies in governance, not technology
Attempts to address the IT and OT divide often fall short:
- Extending the CISO role into OT without industrial expertise can introduce operational risk
- Delegating cybersecurity to plant operations creates capability gaps
In OT environments, even well-intentioned IT security practices, such as network scanning or automated isolation, can disrupt or damage critical systems. These are predictable outcomes of misaligned operating models.
Regulation is accelerating the need to resolve this. In manufacturing organizations, frameworks such as NIS2 extend cybersecurity obligations deep into operational environments, making OT security a regulated requirement rather than a discretionary investment.
The consequences of this divide are already visible. Organizations may be relatively well protected in IT yet remain exposed in OT environments that are increasingly targeted. These attacks are designed to disrupt operations, leading to unsafe conditions for engineers and operators, environmental damage, compromised product quality and impacts to essential services, particularly in energy and utilities.
Maturity is no longer measured only by prevention. It is reflected in the ability to contain disruption, respond transparently, recover quickly and strengthen architecture after the event. Approaches such as the Secure Swiss Utility Network (SSUN) illustrate how isolating critical communications can reduce systemic exposure for essential operations.
The rise of the Chief Security Officer as a business leader
Leading organizations are redefining the role of security.
The emerging model elevates the Chief Security Officer into an enterprise risk and resilience function, positioned beyond traditional IT or operational silos.
This role:
- Spans IT, OT, physical security and crisis management
- Operates with direct board visibility
- Aligns security decisions with business continuity, safety and reputation
Attempts to stretch existing models rarely succeed. Expanding the CISO role into OT without industrial expertise introduces operational risk, while pushing accountability into plant operations exposes capability gaps.
Leading organizations are adopting a different approach. Security is structured as an enterprise-wide discipline, supported by expertise in information security and industrial security, and anchored in risk management rather than technology ownership. This creates a single point of accountability across prevention, containment, response and recovery, with the authority to balance operational continuity, safety and risk.
In this model, cybersecurity becomes part of how the business is governed, not just how systems are protected.
Embedding security into how the business operates
Elevating security beyond IT and operations reshapes how organizations make decisions, invest and operate.
Regulation is reinforcing this direction. Beyond NIS2, the EU Cyber Resilience Act introduces product-level accountability, requiring connected devices and industrial systems to be secure by design and maintained throughout their lifecycle. For industrial organizations, this extends responsibility across both operations and the products they bring to market.
At the same time, many successful attacks still begin with a single user action. Security depends on architecture, governance and everyday behavior across the organization. The everyday behaviors that matter most include:
- Recognizing phishing and impersonation
- Verifying unexpected or urgent requests
- Using strong authentication and secure remote access
- Protecting devices and limiting oversharing
- Reporting suspicious activity early
Security is distributed across the enterprise, but accountability must remain clear and visible.
Security as a business discipline
Cybersecurity now sits at the intersection of enterprise risk, operational resilience and business performance.
Organizations that embed this approach are better positioned to navigate regulatory pressure, protect critical operations and maintain trust across their ecosystems. Those that do not will continue to manage cyber risk as a fragmented function, with consequences extending beyond IT into safety, continuity and reputation.
Taking an enterprise-wide approach enables organizations to achieve compliance wherever they operate and turns security into a competitive advantage.
At CGI, this is the model we apply within our own organization and across the industries we support, working with clients to embed security as a practical, enterprise-wide discipline aligned with real business outcomes.