From legacy to resilience: Enabling cyber-physical security In today’s digital-industrial era, the boundary between IT and OT has all but disappeared. While strict air-gapped segregation of IT and OT systems used to be the norm in OT governance frameworks for years, contemporary advances in technology and expectations of connectivity between systems is making such practices untenable. Sectors such as manufacturing, energy, transportation and critical infrastructure systems now see IT and OT systems increasingly converge, driving efficiencies and innovation but also needing to apply more advanced segmentation to control risk exposure. Many industrial environments remain ill-equipped for the speed and complexity of modern threats. OT systems are typically averse to rapid modernization due to their close integration with core business functions and their typically long investment horizons. Survey data reveals that, despite growing awareness, governance practices around OT remain inconsistent and often siloed within operational teams. 10% 20% 40% 30%Our chief information security ofﬁcer (CISO) is responsible for both IT and OT Responses (%) from those respondents with OT in their organization36% We monitor OT security32% We have a dedicated OT security team20% Our board receives reports on OT security16% 0%With regard to OT security, the following statements apply to our organization:Best practices in OT governance FIGURE 27 Only 16% of organizations with industrial environments report OT security issues to their boards, and just 20% maintain dedicated security teams. Meanwhile, 32% of organizations actively monitor OT systems with specific security tooling, yet in only 36% of the cases is the CISO directly responsible for OT security. These findings indicate that OT protection is still mainly a priority for industrial environment specialists, and that bridging cultural gaps between IT and OT environments is paramount to mitigating the increasing cybersecurity risks. The lack of board-level oversight not only delays investment but also limits enterprise-wide understanding of risk exposure. This governance gap poses systemic implications: as is the case with IT, when disruptions in industrial systems similarly occur their effects cascade far beyond a single organization – to suppliers, partners and even national economies. Cyber regulations in an era of fragmentation As nations strive to limit the exposure of their (digital) economies to global cyber challenges, the variation of approaches has added a new layer of complexity to the organizations that try to navigate a patchwork of regulations. The proliferation of cybersecurity and technology regulations globally reflects an accelerating effort to codify trust and accountability in the digital domain. However, these developments also highlight how regions are advancing at different speeds and with differing priorities, leading to a patchwork of obligations that can be difficult for multinational organizations to reconcile. Security leaders globally continue to recognize the value of regulatory frameworks in strengthening the cybersecurity ecosystem. This year’s survey found that 74% of respondents hold a positive view of the effectiveness of cyber- related regulations. Security leaders globally continue to recognize the value of regulatory frameworks in strengthening the cybersecurity ecosystem. Global Cybersecurity Outlook 2026 36