As more industrial environments become connected, many security leaders are discovering an uncomfortable truth: The playbook that works in corporate IT often fails on the plant floor. Chris McLaughlin, chief information security officer (CISO) at Johns Manville and former vice chairperson of the ISA Global Cybersecurity Alliance (ISAGCA) Advisory Board, recently started The OT Podcast: A CISO's Guide to OT Security. Intended for CISOs and others with an IT background, it lays out why the IT/OT gap exists, what mistakes commonly derail progress and how to build a strong operational technology (OT) security program that operations will actually support.
Episodes 1 and 2 of the new podcast have already been released. If you're interested, catch up below and subscribe wherever you listen to podcasts.
Episode 1 sets the foundation by reframing what "good security" means in industrial environments. In IT, confidentiality tends to dominate risk conversations. In OT, the priorities shift: Availability and safety are non-negotiable, and security controls that introduce downtime — or even the risk of downtime — can be rejected outright. McLaughlin introduces the CIA + S mindset: Confidentiality, integrity and availability, plus safety. For CISOs, that "+ S" is the difference between a security initiative that lands and one that gets sidelined.
The episode also calls out five recurring missteps CISOs make when engaging OT teams:
Ultimately, the core message is that OT environments have distinct constraints, workflows and risk drivers that shape program design.
Episode 2 turns that perspective into an execution plan: Seven practical steps designed to correct those mistakes and establish a resilient OT security program.
It starts with a candid admission of risk, followed by securing executive and engineering buy-in using realistic threat scenarios. Next comes adding an OT translator to the security team: someone who speaks both engineering and security and can turn misunderstandings into momentum.
Before launching tools and controls, CISOs should learn critical processes through plant tours and operator conversations, then inventory assets carefully using passive approaches that won't disrupt operations. The goal is to gain context: How systems support critical processes and how segmentation can align with ISA/IEC 62443 zone-and-conduit thinking.
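As an added illustration of the passive-inventory and zone-and-conduit idea above (this is example code written for this page, not material from the podcast or from Johns Manville), the script below consumes flow records that a passive sensor or NetFlow export would already have captured, builds an asset list from them without ever probing a device, and checks each cross-zone conversation against a table of permitted conduits. The zone address ranges, the conduit rules, the port-to-protocol labels and the flow records are all constructed assumptions for the example; a real deployment would take protocol identification from a passive OT sensor rather than from destination ports.

```python
"""Passive OT asset inventory with an ISA/IEC 62443-style zone/conduit check.

Added example for this page. Everything below (zones, conduits, ports, flows)
is an assumption constructed for illustration, not data from the podcast.
"""
from ipaddress import ip_address, ip_network

# Port-based labelling only: cheap, passive, and good enough to show the idea.
# Assumption: a real sensor would identify protocols by inspection, not port.
PROTOCOL_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    44818: "EtherNet/IP",
    20000: "DNP3",
    4840: "OPC UA",
    3389: "RDP",
    22: "SSH",
}

# Hypothetical zones. Anything outside these ranges is reported as "Unknown",
# which is itself a finding worth chasing on a plant floor.
ZONES = {
    "Enterprise": ip_network("10.0.0.0/16"),
    "DMZ": ip_network("10.50.0.0/24"),
    "Site-Control": ip_network("192.168.10.0/24"),
    "Cell-Line1": ip_network("192.168.20.0/24"),
}

# Permitted conduits: (source zone, destination zone) -> protocols allowed.
# Any cross-zone flow not listed here is flagged; intra-zone traffic is ignored.
CONDUITS = {
    ("Enterprise", "DMZ"): {"SSH", "RDP"},
    ("DMZ", "Site-Control"): {"OPC UA"},
    ("Site-Control", "Cell-Line1"): {"Modbus/TCP", "S7comm", "EtherNet/IP"},
}

# Constructed flow records (src, dst, dst_port), as a passive sensor might export them.
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.20.11", 502),    # HMI polling a PLC over Modbus
    ("192.168.10.5", "192.168.20.12", 102),    # HMI talking S7 to a second PLC
    ("192.168.10.5", "192.168.20.11", 502),    # repeat poll; must not double-count
    ("10.50.0.10", "192.168.10.5", 4840),      # DMZ historian pulling OPC UA
    ("10.0.3.44", "10.50.0.10", 3389),         # corporate admin RDP into the DMZ
    ("10.0.3.44", "192.168.20.11", 502),       # corporate host straight to a PLC
    ("192.168.20.12", "10.0.3.44", 22),        # PLC zone opening SSH outbound
    ("203.0.113.9", "192.168.10.5", 4840),     # address that belongs to no zone
]


def zone_of(ip):
    """Map an address to its zone name, or 'Unknown' if no zone contains it."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"


def build_inventory(flows):
    """Derive assets purely from observed traffic: no scans, no device queries."""
    inventory = {}
    for src, dst, port in flows:
        proto = PROTOCOL_PORTS.get(port, f"tcp/{port}")
        for ip in (src, dst):
            inventory.setdefault(ip, {"zone": zone_of(ip), "serves": set(), "speaks": set()})
        inventory[dst]["serves"].add(proto)   # responder side: what the asset exposes
        inventory[src]["speaks"].add(proto)   # initiator side: what the asset reaches for
    return inventory


def check_conduits(flows):
    """Return each distinct cross-zone conversation that no conduit permits."""
    violations, seen = [], set()
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        proto = PROTOCOL_PORTS.get(port, f"tcp/{port}")
        if proto in CONDUITS.get((src_zone, dst_zone), set()):
            continue
        key = (src, dst, proto)
        if key not in seen:
            seen.add(key)
            violations.append({"src": src, "src_zone": src_zone,
                               "dst": dst, "dst_zone": dst_zone, "protocol": proto})
    return violations


if __name__ == "__main__":
    for ip, info in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(f"{ip:15} {info['zone']:13} serves={sorted(info['serves'])} speaks={sorted(info['speaks'])}")
    for v in check_conduits(SAMPLE_FLOWS):
        print(f"VIOLATION {v['src_zone']} -> {v['dst_zone']}: {v['src']} -> {v['dst']} ({v['protocol']})")
```

On the sample flows this reports six assets and three unpermitted conversations: a corporate host reaching a PLC directly, a device in the cell zone initiating SSH toward the enterprise, and an address outside every defined zone talking OPC UA to the site-control server. The design point is that every finding comes from traffic that was already on the wire; nothing here sends a packet to a controller, which is the property that makes the inventory step acceptable to operations.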
Crucially, the next step involves earning trust by adding operational value — validating backups, checking failover readiness or helping make the case for modernization investments. Only then will governance stick. Implement standards-based OT governance such as ISA/IEC 62443, iterate from the most critical controls and keep the program grounded with tabletops, practical training and broad participation across operators, maintenance and contractors.
(For a full list of the seven steps and a more detailed explanation of each, listen to Episode 2.)
McLaughlin emphasizes a collaborative approach across IT and OT. Many teams can immediately start applying program fundamentals described in this podcast, including plant engagement, context-first asset discovery, standards-based governance and exercises that prepare teams to respond effectively in industrial settings.
Stay tuned for Episode 3 of The OT Podcast, where McLaughlin intends to discuss cyber threats and mitigation strategies.