Graphic from original article by Cobus Pool PhD
A hard truth the OT cybersecurity job market is quietly revealing
In a recent LinkedIn post, Cobus Pool PhD, a long-time OT and ICS practitioner with decades of industry experience, shared the results of an informal experiment he has been running for just over a year. His goal was simple: observe how OT, ICS, and CPS cybersecurity roles are being defined through real job postings.
He is careful to note that this was not a scientific study. The data set is limited, LinkedIn is not a representative labor market, and the results are not statistically rigorous. But as someone with roughly 30 years in the field, his conclusion is still deeply concerning. Not because the data is perfect, but because the patterns are painfully consistent with what many of us have experienced firsthand.
What the experiment surfaces is not merely a talent shortage. It reveals a deeper issue: the industry still does not have a shared understanding of what an OT cybersecurity role is supposed to do.
That lack of clarity shows up repeatedly in job advertisements. Roles intended to protect physical systems focus almost entirely on network engineering and access management. Control equipment is mentioned sparingly, often limited to PLCs, SCADA, or DCS layers, while field devices, instrumentation, actuators, motor control centers, and safety systems are largely absent. Requirements demand years of experience that do not align with the actual responsibilities, often paired with entry-level compensation. Certifications are treated as gatekeepers rather than value-adds. And compliance language dominates, while real risk management is barely acknowledged.
Perhaps most telling is what is missing. Risk assessment is rarely mentioned. Asset and dependency modeling is almost nonexistent. Process stability, fault analysis, lifecycle management, and safety impact analysis are treated as peripheral, if they appear at all. The physical process itself, the thing that ultimately carries consequence, fades into the background.
These are not isolated hiring mistakes. They are signals of a systemic misunderstanding of OT cybersecurity as a discipline.
For more than a decade, we have said there is a talent shortage in OT cybersecurity. What this informal experiment actually reveals is something more troubling: we still do not agree on what the role is (or should be).
That confusion shows up everywhere in job postings.
Roles that claim to protect physical systems describe success almost entirely in network terms. Entry-level positions demand seven or more years of experience, often in the wrong disciplines. Certifications substitute for understanding. Compliance is confused with risk management. And the physical process itself, the thing we are supposedly protecting, barely appears.
These are not hiring mistakes. They are symptoms of a structural misunderstanding of OT cybersecurity.
OT cybersecurity is not an engineering replacement role
One of the most important points in the discussion is implicit rather than explicit. OT cybersecurity was never on a mission to replace engineering expertise.
In effective organizations, OT cybersecurity does not do the work of engineering, operations, or maintenance. It orchestrates, synthesizes signals and results, and prioritizes across those disciplines.
In senior leadership roles, I relied on engineering teams to be the doers. Designing control systems. Operating and maintaining physical processes. Managing safety, reliability, and lifecycle realities.
Cybersecurity teams, in both IT and OT, played a different role. Translating operational reality into risk narratives leadership could act on. Coordinating response across silos. Ensuring decisions were informed, proportional, and aligned to business outcomes.
When we hire OT cybersecurity professionals as if they must be deep experts in every instrument, actuator, and control loop, while also serving as network defenders and compliance officers, we guarantee disappointment on all sides.
Why job descriptions drift toward the wrong signals
Several patterns repeat themselves.
Network-first thinking dominates because it is observable, tool-driven, and familiar. Certifications become proxies for judgment because many hiring teams lack OT context. Compliance language replaces risk language because it feels safer to auditors and regulators. Threat-centric activities crowd out consequence-based thinking because they are easier to measure.
What goes missing is the hard work of contextual risk orchestration. Asset and process dependency modeling. Consequence-first risk evaluation. Stability and fault analysis before declaring incidents. Integration of safety, reliability, and cyber decision making. Lifecycle governance for systems designed to run for decades.
This gap is not solved by better tools alone. It is solved by clarifying the role.
Reframing the OT cybersecurity role
An OT cybersecurity specialist should not be defined solely by how many protocols they recognize or how many dashboards they can operate. Those skills matter. In fact, they are necessary. The growing body of OT-focused education and certification paths, including those developed by SANS and others, has materially improved baseline competence and shared language across the discipline. That progress should be acknowledged and preserved.
But technical mastery alone should not define the role.
At the organizational level, OT cybersecurity specialists create value by understanding what matters physically, not just digitally. They translate engineering and operational reality into cyber-relevant risk signals that leadership can reason about. They coordinate IT, OT, safety, reliability, and operations without forcing one discipline to dominate the others. And they enable executive decision-making by reducing ambiguity, not by adding more alerts, dashboards, or compliance artifacts.
This is where the role shifts from technical execution to organizational leverage.
Orchestration matters more than ownership because OT risk spans functions that no single team controls. Consequence matters more than probability because physical outcomes, not theoretical likelihoods, drive business impact. Context matters more than alerts because leaders need clarity on what decisions are required, not more telemetry.
Engineers remain engineers. Operators remain operators. Certification-trained specialists remain essential contributors. OT cybersecurity, when done well, becomes the connective tissue that aligns those disciplines into a coherent risk and decision framework rather than another operational bottleneck.
This is the difference between building capable practitioners and building a function that executives can trust.
Why this matters now
The global imbalance in job postings, the compliance-heavy role definitions, and the unrealistic experience requirements are not labor market quirks. They are signals that the industry is scaling the wrong mental model.
If we continue defining OT cybersecurity roles around checklists instead of consequences, certifications instead of context, and detection instead of decision making, we will continue to struggle with hiring, retention, credibility, and effectiveness.
A call to rethink, not just rehire
It is time to rethink our approach to OT security. But rethinking starts with the role, not the requisition.
If this resonates, it is likely because you have felt this tension firsthand. The next step is not debating tools or certifications. It is agreeing on what the OT cybersecurity function is actually accountable for.
That conversation is overdue.

