One survey suggests that security maturity has risen over time, and broader executive-level responsibilities have been assigned in such organizations.

Based on a global survey conducted in early March 2025 involving 558 operational technology (OT) professionals* by a cybersecurity firm, data findings on OT cybersecurity organizational practices and impacts were shared with the media.

First, 52% of respondents had indicated that OT cybersecurity responsibility in their organizations resided with the Chief Information Security Officer (CISO) or Chief Security Officer (CSO). When asked about C-suite roles more broadly, 95% selected at least one C-suite executive in 2025. Additionally, 80% reported an intent to move OT cybersecurity responsibility under the CISO within the next 12 months.

Second, respondents reported a rise in self-assessed OT cybersecurity program maturity. In the 2025 survey, 49% selected the highest maturity level (level 4) for process maturity — where processes are continuously improved — compared to respondents from a similar survey in 2024. For solution maturity, 26% indicated their organizations had achieved visibility and segmentation (level 1), up from 20% previously, while the majority remained at the “access and profiling” phase (level 2).

Other findings

Third, a correlation was observed between higher self-assessed maturity levels and reduced incidence of reported intrusions. For example, 65% of respondents at level 4 maturity reported zero intrusions, while only 46% of those at levels 0–2 reported the same. Also:

  • Although half of all respondents experienced at least one intrusion in the previous year, the proportion reporting operational outages impacting revenue fell to 42% from 52% a year earlier.
  • 78% of respondents reported using between one and four OT device vendors.
  • Adoption rates of measures such as threat intelligence, scheduled security audits, and internal security training had each increased between 8% and 18% over the past year.
  • Business email compromise incidents had declined, alongside a drop in the number of organizations reporting brand awareness degradation or loss of business-critical data due to intrusions.
  • The expected pace of regulatory change was high, with 66% of respondents anticipating increased regulation within the next five years, and 26% indicating this was expected within one year.
  • According to Nirav Shah, Senior Vice President, Products and Solutions, Fortinet, the firm that commissioned the survey, “everyone from the C-suite on down needs to commit to protecting sensitive OT systems and allocating the necessary resources to secure their critical operations.”
  • *from sectors such as manufacturing, energy, healthcare, logistics, chemicals, and water management. Respondents, has OT and cybersecurity remit in and plant or manufacturing operations, and were from organizations with over 1,000 employees (or over 250 for some countries), and were drawn the Americas, Europe, Asia, and Africa