Fortinet OT Cybersecurity Report: 53% of Industrial Orgs Under CISO
https://www.cybersecurity-insiders.com/fortinet-ot-cybersecurity-report-ciso-ownership/
Publish Date: 2026-06-11 16:06:00
Source Domain: www.cybersecurity-insiders.com
OT security governance has been moving toward the C-suite for four years, but the pace accelerated sharply. Fortinet’s 2026 State of Operational Technology and Cybersecurity Report finds 53% of industrial organizations now place OT cybersecurity under the Chief Information Security Officer (CISO) or Chief Security Officer (CSO), up from 16% in 2022. A global survey of over 700 OT professionals sits underneath that number, and the full picture is more complicated than the governance headline suggests.
The governance shift is real, but maturity self-assessments have corrected downward sharply: organizations at the highest maturity level (level 4) dropped from 49% to 17% in a single year.
Intrusions are more visible, not necessarily more frequent: 71% of respondents reported one to nine attacks, up from 47%, with Fortinet attributing much of the jump to improved detection rather than a true volume increase.
Cost reduction displaced risk reduction as the top cybersecurity performance metric in 2026, surfacing a governance tension the report does not fully resolve.
89% of respondents expect new OT regulation within five years, up sharply from 66% in 2025, and four in five organizations intend to bring OT security under CISO oversight within the next 12 months.
OT Cybersecurity Under CISO: Why the Level 4 Maturity Drop Changes the Story
In a blog post published alongside the report, Richard Springer, senior director for OT solutions marketing at Fortinet, noted that industrial organizations now rely on interconnected systems, remote access, cloud-based analytics, and unified IT and OT environments to maintain production. “While this advanced connectivity offers increased efficiency and resilience,” Springer wrote, “it has enlarged the attack surface for cybercriminals, ransomware groups, and nation-state actors.”
The 53% CISO ownership figure is the headline, but the maturity-score recalibration is the operationally consequential finding. Level 4 respondents fell from 49% to 17%. Level 0 (the lowest rung) rose from 1% to 5%; levels 1 and 2 together jumped from 18% to 44%. Fortinet frames this as positive: better tools, broader security teams, and greater executive oversight exposed gaps that self-assessors previously could not see.
What the report’s framing under-emphasizes is what the recalibration implies about the governance trajectory. OT cybersecurity responsibility climbed to the CISO over four years. Simultaneously, the organizations making that governance move discovered their programs were less mature than believed. The two findings together suggest the governance shift is outpacing the operational reality it governs. A CISO who owns OT risk but inherits a level-2 program faces a structural credibility gap at the board table.
Revenue-impacting outages did fall: intrusions leading to operational shutdowns dropped from 52% to 42%, a measurable gain. Attacker dwell time data complicates that number. Fortinet found that attacks lasting weeks or months increased, even as short-dwell attacks flattened. Extended dwell creates exposure to surveillance, intellectual property loss, and physical disruption that an annual outage metric does not capture.
The hardware picture adds context: 40% of organizations report their industrial control systems (ICS) are under five years old, up from 20% the prior year. Equipment refresh is accelerating in the same period that maturity self-assessments corrected downward. Organizations modernizing hardware without closing foundational security gaps in OT cybersecurity risk expanding an already-enlarged attack surface.
Where the Governance Model Breaks Down in Practice
The governance question the report surfaces but does not fully answer is who owns OT risk in the 47% of organizations where the CISO does not. Springer’s note that responsibility is “more broadly distributed across non-technical vice presidents and C-suite leaders” in 2026 describes a model that places OT security ownership outside the security function. The NASCIO-Deloitte 2026 study found state CISO confidence dropping from 48% to 22% in a single year, a parallel signal that CISO authority and CISO confidence are not moving together.
The regulatory timing finding sharpens the stakes. Nearly nine in ten respondents (89%) now expect new OT regulations within five years, up from 66% in 2025. A 20-point shift toward the two-to-five-year horizon suggests organizations treat compliance as an imminent operational deadline. Cost reduction displaced risk reduction as the top cybersecurity performance metric. The tension between a tightening regulatory clock and a budget environment rewarding cost efficiency is not resolved in the data.
Phishing (76%) and ransomware (50%) remain the most-reported intrusion types. Network segmentation and microsegmentation remain the primary OT cybersecurity defensive recommendation, alongside secure remote access built on zero-trust principles. These have anchored Fortinet’s OT guidance for three consecutive annual surveys. The counterpoint is that 44% of respondents now self-assess at maturity level 1 or 2, which suggests the guidance has yet to translate into baseline controls for a large share of the organizations it targets.
Three Controls That Track With the Maturity Leaders
Fortinet’s 2026 data attaches specific outcome differences to controls that distinguish higher-maturity organizations from those still operating reactively. Forrester’s 2026 threat analysis similarly names OT environments as a primary 2026 attack surface, reinforcing the urgency below.
Enforce IT/OT network segmentation before modernizing hardware – Organizations refreshing ICS equipment without closing segmentation gaps risk widening an already-enlarged attack surface. Fortinet’s data shows organizations with segmentation in place report lower business disruption; equipment refresh without segmentation transfers legacy risk to new hardware.
Anchor CISO OT ownership to a maturity-baseline audit within 90 days of governance transfer – The level-4 drop from 49% to 17% shows that improved executive visibility reveals program gaps previously undetected. A CISO inheriting OT responsibility without a baseline maturity assessment has no ground truth for board reporting on risk posture.
Build incident response playbooks that name OT-specific production scenarios – Attacker dwell times of weeks or months have increased even as short-dwell attacks flattened. Generic IT-built IR playbooks do not account for production-line continuity, plant operations constraints, or OT-specific recovery sequencing. The board table Springer describes, where OT cybersecurity is now a standing agenda item, needs playbooks that translate breach impact into production terms the C-suite can act on.