February 25, 2026

Listen: A CISO's Guide to OT Security

The post promotes a new podcast series, “The OT Podcast: A CISO’s Guide to OT Security,” created by Chris McLaughlin (CISO at Johns Manville and former vice chair of the ISA Global Cybersecurity Alliance advisory board). It’s aimed at CISOs and security leaders coming from an IT background who are finding that “standard IT security playbooks” often don’t translate well to industrial environments. The key reason is priority mismatch: in OT, availability and safety are treated as non-negotiable, so controls that might introduce downtime (or even the risk of downtime) can be rejected. Episode 1 frames this as a “CIA + Safety” mindset and calls out common mistakes—like assuming patching works the same in OT, excluding OT teams from incident response, and trying to copy/paste IT frameworks instead of using OT-specific guidance like ISA/IEC 62443 and NIST SP 800-82.

Episode 2 turns that viewpoint into a practical “seven-step” approach for building an OT security program that operations will actually support. The steps emphasize earning trust and building context before deploying tools: start with realistic risk discussions to get buy-in, add an “OT translator” who can bridge engineering and security language, learn the plant’s critical processes firsthand, and inventory assets using passive methods that won’t disrupt operations. From there, the post highlights segmentation aligned with zone-and-conduit thinking (62443), delivering early operational value (e.g., validating backups and failover readiness), and then formalizing governance—kept grounded through tabletop exercises, hands-on training, and participation across operators, maintenance, and contractors.
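Two of the steps above, passive asset inventory and zone-and-conduit segmentation, are concrete enough to show in code. The following is an added example, not material from the podcast, from ISA, or from the 62443 standard itself: it builds an asset inventory from constructed flow records (the kind a passive sensor on a SPAN port or TAP would produce, with no active probing of controllers) and then flags any flow that crosses a zone boundary without a matching allowed conduit. The subnets, zone names, port-to-protocol labels and conduit policy are all assumptions chosen for illustration.

```python
"""Passive asset inventory and zone/conduit check over constructed flow records.

Added example, not code from the podcast or ISA. Zones, subnets, the
port-to-protocol map and the allowed conduits are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: flows as seen by a passive sensor (SPAN/TAP). Nothing in
# this script sends traffic to the plant network; it only reads what was observed.
SAMPLE_FLOWS = [
    # (src, dst, dst_port, proto)
    ("10.10.1.20", "10.10.2.11", 502, "tcp"),      # HMI -> PLC, Modbus/TCP
    ("10.10.1.20", "10.10.2.12", 102, "tcp"),      # HMI -> PLC, S7comm
    ("10.10.1.30", "10.10.2.11", 44818, "tcp"),    # engineering WS -> PLC, EtherNet/IP
    ("10.10.0.5", "10.10.1.20", 4840, "tcp"),      # historian in IDMZ -> HMI, OPC UA
    ("192.168.50.7", "10.10.2.11", 502, "tcp"),    # corporate host -> PLC (no conduit)
    ("10.10.2.11", "10.10.2.12", 502, "tcp"),      # PLC -> PLC peer, same zone
]

# Assumed zone layout: 62443-style zones keyed by subnet (illustrative only).
ZONES = {
    "enterprise": ipaddress.ip_network("192.168.50.0/24"),
    "idmz": ipaddress.ip_network("10.10.0.0/24"),
    "supervisory": ipaddress.ip_network("10.10.1.0/24"),
    "control": ipaddress.ip_network("10.10.2.0/24"),
}

# Assumed conduit policy: (from_zone, to_zone) -> destination ports permitted.
# Anything crossing zones outside this table is reported for review.
ALLOWED_CONDUITS = {
    ("idmz", "supervisory"): {4840},
    ("supervisory", "control"): {502, 102, 44818},
}

# Well-known ICS protocol ports, used only to label what was passively observed.
PORT_LABELS = {502: "modbus-tcp", 102: "s7comm", 44818: "ethernet-ip", 4840: "opc-ua"}


def zone_of(ip):
    """Map an address to its assumed zone, or 'unknown' if no zone covers it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows):
    """Return {ip: {"zone": ..., "serves": set(labels), "talks_to": set(ips)}}.

    'serves' records protocols a host was seen answering for; 'talks_to' records
    the peers it initiated connections to. Both come from observation only.
    """
    inv = defaultdict(lambda: {"zone": None, "serves": set(), "talks_to": set()})
    for src, dst, port, proto in flows:
        for ip in (src, dst):
            inv[ip]["zone"] = zone_of(ip)
        inv[dst]["serves"].add(PORT_LABELS.get(port, f"{proto}/{port}"))
        inv[src]["talks_to"].add(dst)
    return dict(inv)


def check_conduits(flows):
    """Return flows that cross a zone boundary without an allowed conduit."""
    violations = []
    for src, dst, port, proto in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if zs == zd:
            continue  # intra-zone traffic is not a conduit question
        if port not in ALLOWED_CONDUITS.get((zs, zd), set()):
            violations.append((src, dst, port, zs, zd))
    return violations


if __name__ == "__main__":
    for ip, rec in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(ip, rec["zone"], "serves:", sorted(rec["serves"]))
    for v in check_conduits(SAMPLE_FLOWS):
        print("conduit violation:", v)
```

In practice the flow records would come from a passive monitoring tool rather than a hard-coded list, and the zone and conduit tables would be the output of the risk discussions and process walk-throughs described in the earlier steps; the point of the script is that the inventory and the segmentation check are derived entirely from observed traffic, so building them never puts availability at risk.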

Source: https://gca.isa.org/blog/listen-a-cisos-guide-to-ot-security