Beyond Compliance: Translating Operational Technology Strategy into Business Value

Executive Summary

In today’s industrial environment, companies are facing accelerated transformation driven by new regulations, increasing digital connectivity, and the growing complexity of operational systems. While initiatives such as NIS2 drive the baseline for cybersecurity and governance, they also arrive at a time when industrial organizations have more data than ever. Yet, much of this data still fails to translate into actionable insight.

The challenge is not only technical but structural. OT responsibility is often fragmented across IT, operations, suppliers, and partners. This fragmentation limits visibility, weakens security posture, and makes it difficult to scale value-creating digital capabilities across the organization.

The impact is both financial and operational. Underutilized data constrains performance improvements, while weak or uneven controls increase the likelihood and cost of disruptions—downtime, safety incidents, and reputational damage. Many organizations therefore over-invest in compliance while under-realizing business value.

This paper argues that OT security and data strategy must be treated as one roadmap. When aligned, compliance becomes the starting point for stronger operations and measurable outcomes. The paper outlines a three-stage approach that organizations can follow to move from risk-driven compliance toward progressive value creation:

The core challenge is not the lack of technology, data, or governance; it is the absence of an integrated strategy that reflects organizational realities and technical debt. Without this integration, organizations risk investing heavily in compliance while failing to capture the larger operational and financial value available through secure and structured industrial connectivity.

Introduction

Industrial environments have evolved from isolated, manual systems into highly connected and automated operations. Connectivity through the Internet of Things (IoT) and digital integration has enabled real-time monitoring, remote access and advanced analytics across industrial environments, fundamentally expanding the potential value of operational technology (OT).

At the same time, many systems now being connected were not designed for secure operation. Legacy infrastructure is being integrated into modern networks, increasing both exposure and complexity. As a result, industrial organizations are now working in a dual reality of greater capability alongside greater risk. In many environments, this becomes visible when a production disruption cannot be traced across systems due to inconsistent data and fragmented ownership.

Regulatory frameworks such as NIS2 are appearing in response to this shift, introducing stricter requirements for cybersecurity and accountability. However, the dominant response remains compliance-driven, prioritizing speed and minimum viability to meet regulatory thresholds rather than addressing underlying structural challenges or unlocking the broader value potential of connected operations.

This raises a critical question: are organizations investing in compliance in a way that limits the full value of industrial connectivity? This paper argues that compliance should not be treated as a constraint, but as a catalyst, forming the foundation for measurable business value.

Problem Statement

Industrial organizations currently face a convergence of increasing cyber risk, regulatory pressure and underutilized data potential.

Manufacturing is one of the most targeted sectors globally, and most OT environments report cybersecurity incidents with operational impact. At the same time, regulatory requirements such as NIS2 are raising expectations for risk management and accountability, while a substantial proportion of industrial data is still unused.

This creates a structural imbalance: increasing investment in cybersecurity and compliance without corresponding gains in operational value.

This imbalance is driven by four core challenges:

  1. Fragmented environments: Core systems such as SCADA, MES and ERP historically run in silos with limited interoperability. Data flows between systems are inconsistent, poorly standardized or require manual intervention, reducing reliability and limiting scalability of analytics and decision support.
  2. Legacy constraints: Many operational systems were not designed for connectivity and are now being integrated into networked environments without sufficient architectural redesign. As a result, efforts to enable data flow unintentionally expand the attack surface.
  3. Unclear ownership: Responsibility for OT environments is often split across IT, operations, suppliers, and external partners. While these stakeholders manage interconnected systems, they often work with different priorities, risk models, and levels of expertise. This leads to inconsistent security practices, lack of adoption and limited end-to-end accountability.
  4. Misaligned investment models: Cybersecurity and compliance initiatives are typically treated as cost centers, evaluated independently from digital transformation efforts. This separation obscures the relationship between security, data availability, and operational performance, making it difficult to quantify return on investment or prioritize initiatives effectively.

These challenges are further compounded by operational constraints. Production environments are extremely sensitive to downtime, making organizations cautious about implementing changes perceived as disruptive. As a result, many organizations work in a state of perceived compliance but continued exposure, meeting minimum regulatory requirements while carrying avoidable operational risk and unrealized value.

Why Current Approaches Fall Short

Four dominant patterns explain why current efforts are falling short.

1. Tool-centric implementation without integration/adoption strategy

Data becomes inconsistent across systems, processes are duplicated and interoperability is limited. Security controls are not aligned to a unified architecture. These controls are difficult to standardize post-implementation, resulting in uneven protection across the environment and increased operational complexity.

2. Compliance-driven execution without strategic alignment

This reactive model leads to minimum-viable implementations that achieve formal compliance but do not improve underlying resilience or visibility. Over time, IT/OT initiatives are perceived as cost-heavy and disconnected from business outcomes, reducing executive engagement and limiting strategic investment.

3. Overestimation of adoption rates in transformation programs

Solutions are adapted locally to fit existing constraints, often prioritizing short-term delivery metrics over long-term value realization. As a result, programs may report success against project KPIs while not delivering measurable operational or financial benefits. In some cases, newly introduced systems increase risk exposure, requiring added remediation efforts that erode the original business case.

4. Misalignment between IT & OT capabilities and operating models

At the same time, responsibility for OT is often distributed across fragmented teams. Organizations may lack dedicated OT security capability, and outsourcing models that are effective in IT do not always translate to OT environments.

The core issue is not a lack of investment, but a lack of integration. Without a unified strategy connecting security, data and operational outcomes, current approaches will continue to deliver suboptimal results. Organizations rarely fail because they do not try hard enough; instead, they often stumble when they try to manage greater complexity before setting up clear control and structure.

Proposed Solution: From Compliance to Value

Industrial organizations must move from fragmented initiatives to an integrated approach that aligns cybersecurity, data strategy, and operational outcomes. The goal is not to implement more tools, but to progressively reduce complexity, establish control and enable value.

The strength of this approach lies in its ability to integrate compliance into a broader strategic context. Rather than treating regulatory requirements as a constraint, organizations must use them to justify and accelerate investments that improve both security posture and operational performance. This shift enables organizations to move beyond reactive compliance and toward intentional, value-driven transformation.

Three-Stage Approach

Each stage addresses a specific failure pattern identified in current approaches.

1. Stabilize (0–6 months)

   Focus: Regain control over fragmented environments

Establish asset visibility across OT environments, including unmanaged and legacy systems. Reduce uncontrolled access by tightening identity and network controls. Introduce baseline monitoring to detect anomalies and create a minimum level of situational awareness.

Rather than introducing new platforms, the priority is to create a consistent view of what exists today and where risk is concentrated.

2. Structure (6–18 months)

   Focus: Replace inconsistency with standardization

Define and enforce network segmentation across IT and OT, including clear boundaries and controlled communication paths. Introduce secure intermediary layers (e.g., DMZ) to govern data exchange. Standardize data flows based on defined use cases rather than ad hoc integrations.

Security is integrated into architecture design rather than applied retrospectively. Exceptions are explicitly named and managed, rather than informally accepted.

3. Scale (18+ months)

   Focus: Convert structure into value

With structured and secure data flows in place, organizations can begin to integrate OT data into operational and business decision-making. Use cases such as predictive maintenance, production optimization, and traceability become practical at scale.

Security transitions from a constraint to an enabler, supporting reliable data exchange, trusted operations, and, in some cases, product-level differentiation.

Governance aligns IT, OT, and business leadership to ensure that investments are evaluated not only on compliance, but on measurable performance impact.

Supporting Dimensions

While this model provides a structured path forward, its success depends on how organizations approach several supporting dimensions.

Data Utilization

A common challenge across industrial environments is not the absence of data, but the inability to use it effectively. Organizations invest in systems that generate large volumes of operational data, but without a clear structure for how that data is to be used, its value remains unrealized.

Use cases that are directly tied to operational performance must be explored and defined. Predictive maintenance is often the most immediate opportunity, enabling earlier detection of equipment issues and reducing unplanned downtime. Energy optimization can provide measurable cost savings, particularly in high-consumption environments. Production efficiency improvements, supported by real-time visibility, allow organizations to identify bottlenecks and improve throughput.

These use cases should not be approached as isolated analytics initiatives. They depend on consistent data flows, reliable system integration and a foundation of secure and structured OT environments. Without this, even well-designed analytics solutions will not scale or deliver sustained value.

Security as a Value Driver

Cybersecurity in industrial environments is often positioned as a mandatory cost, motivated only by compliance requirements. This perspective significantly understates the broader impact of effective security.

A well-designed security posture directly supports operational stability. Reduced exposure to cyber incidents lowers the likelihood of unplanned downtime, which in industrial settings represents one of the highest sources of financial risk. At the same time, stronger controls reduce the cost and complexity of responding to incidents when they occur.

Beyond internal impact, security also increasingly plays a role in external trust. As supply chains become more interconnected, customers place greater emphasis on data integrity and reliability. The ability to prove secure and controlled operations becomes a differentiator, extending to product-level considerations where secure data handling and system integrity are part of the value delivered to the customer.

Operating Model Decisions

There is no single “correct” operating model for managing IT/OT environments. Organizations must make deliberate decisions about ownership, capability and responsibility based on their specific context.

There are situations where asserting internal ownership is suitable, especially when business operations are uniquely tailored or connected to exclusive systems. Internal teams often have the deepest understanding of the equipment and its role in production, which can be critical for effective management.

Managed services can be helpful, especially when organizations need specialized cybersecurity knowledge or continuous monitoring. Collaborating with outside providers gives organizations the ability to scale up easily and tap into specialized knowledge that might be challenging to develop within their own teams.

A hybrid model can offer a practical approach. Core operational knowledge stays internal, while specific capabilities are supported externally. This allows organizations to balance control with flexibility.

Industrial environments rarely operate in a fully standardized state. Legacy systems must be managed through containment and controlled integration while organizations progressively transition toward scalable and secure architectures.

Regardless of the model chosen, the key requirement is clarity. Roles, responsibilities and accountability must be well-defined across IT, OT and external partners. Without this, even well-designed technical solutions will not deliver consistent results.

Conclusion

The challenge facing industrial organizations is not a lack of data, technology or governance; it is the absence of an integrated strategy.

Across many environments, heavy investments in cybersecurity, compliance and digitalization are already underway. However, when these efforts are approached independently, they do not deliver their full potential. Data is still underutilized, security is treated as a cost center, and transformation initiatives struggle to scale.

Compliance, particularly in the context of frameworks such as NIS2, should not be viewed as the end goal. It is a baseline, a necessary foundation for operating in an increasingly connected environment. The real opportunity lies in how these requirements trigger the design of stronger, more integrated systems and a clear, progressive strategy.

When OT security and data utilization are aligned with operational goals, they form a value creation engine. Importantly, this does not require immediate large-scale transformation. Progress can begin with targeted, high-impact improvements that build toward a more structured and scalable approach over time. Organizations that align OT security and data utilization with operational goals transform compliance from obligation into advantage.

About the Author

 

Joanna Swanson is an advisory consultant specializing in large-scale industrial business transformation initiatives. She has led and coordinated complex IT/OT initiatives across global manufacturing and regulated environments, ensuring alignment between technical teams, business stakeholders and executive leadership. Her work focuses on translating regulatory and operational requirements, such as NIS2, into structured programs that deliver measurable outcomes. Joanna brings a governance-driven and pragmatic approach to transformation, with experience supporting initiatives across more than 30 countries. She holds a Global Executive MBA and a Master of Engineering Management from Duke University and a Bachelor of Science in Aerospace Engineering from the United States Naval Academy.

Company Profile

Accelerated Growth was founded in 2014 with a clear intention: to create its own path in a consulting industry often driven by quick fixes and short-term results. From the outset, the firm focused on defining who it is, what it stands for, and how it delivers value. This early clarity shaped both its internal values and the added value it brings to clients, ultimately forming its core principle:

“At Accelerated Growth, we lead with expertise, navigating the challenges of a rapidly changing world. Our focus on digitalization and transformation helps businesses adapt, innovate, and thrive.”

The company’s mission is straightforward: to embody “Consultancy as it should be.” This means putting client needs first, delivering tangible and measurable results, and building long-term relationships grounded in trust, transparency, and excellence.

 
