By Daniel Mercer, President, Council on Critical Infrastructure
February 17, 2026
For many organizations operating industrial facilities, energy systems, and critical infrastructure, cybersecurity compliance has become the dominant framework for managing operational technology risk. Regulatory checklists, audit cycles, and certification requirements consume significant resources and executive attention. Yet compliance, by its very nature, describes a minimum threshold — not a security posture. The gap between what regulations require and what adversaries are capable of has never been wider.
The consequences of conflating compliance with security are no longer theoretical. Threat actors — including nation-state groups with sophisticated capabilities and strategic patience — are actively targeting operational technology environments precisely because these systems were designed for reliability and uptime, not resilience against cyberattack. Many of these systems predate modern cybersecurity frameworks by decades. Compliance standards, meanwhile, are written to address yesterday’s threat landscape, often lagging behind current adversary tradecraft by years.
What Compliance Does Not Cover
Regulatory frameworks such as NERC CIP, IEC 62443, and sector-specific guidelines provide essential structure. They establish baseline controls, documentation requirements, and accountability mechanisms that organizations genuinely need. However, they are largely designed to address known, categorized risks within defined asset boundaries. They do not account for the speed at which threat actors evolve tactics, the complexity of interconnected supply chains, or the expanding attack surface created by the convergence of information technology and operational technology networks.
Compliance frameworks also tend to be prescriptive rather than adaptive. An organization can pass every audit requirement while still operating with unmonitored network segments, unpatched legacy controllers, inadequate incident detection, or no meaningful ability to recover from a targeted disruption.
The Strategic Reframe Leadership Must Make
Senior leadership should resist the organizational tendency to treat a clean compliance report as a risk management outcome. The more consequential questions are operational in nature: How long would it take to detect an intrusion into the control environment? What is the organization’s ability to sustain operations during a cyber-induced disruption? Are vendors and third-party integrators held to meaningful security standards, or simply asked to sign a questionnaire?
These are not technical questions. They are business continuity questions — and they belong in the boardroom alongside financial, reputational, and geopolitical risk discussions.
Moving From Posture to Resilience
Organizations that have moved meaningfully beyond compliance share several characteristics. They invest in continuous visibility across their operational technology environments rather than point-in-time assessments. They conduct realistic tabletop exercises that test leadership decision-making under operational stress. They treat vendor and supply chain risk as an extension of their own security perimeter. And they have clearly defined protocols for when — not if — an incident occurs.
The regulatory environment will continue to evolve, and compliance will remain a necessary obligation. But for organizations responsible for the systems that power communities, move goods, and sustain national security, the standard cannot stop there.
Compliance answers to a regulator. Resilience answers to reality. Leadership must understand the difference.