
Hindsight Comes at High Cost for Security Leaders as 'Bolt-On' Security Breaks Budgets in OT

Island News Desk
October 9, 2025
Enterprise Security

Gernette Wright, IT Security Officer, Americas at Schneider Electric, on threats to legacy OT systems and failed human patches.

Credit: Outlever

Even with most industrial systems connected to the internet, the greatest threat to legacy operational technology (OT) isn't a new exploit or malware strain. It's the old myth that a simple technology patch can solve human problems. Now, in a world where a single breach could halt production or pose a threat to human life, security leaders must fundamentally reimagine their roles to secure physical assets and systems.

But leaders who can navigate the collision between the digital and physical worlds are rare. Gernette Wright, IT Security Officer, Americas at global industrial tech company Schneider Electric, has built a career at precisely that intersection. From his current role in industrial automation to former senior security and IT positions in manufacturing, medical devices, retail, and banking, Gernette's experience and perspective are shaped by an unusual combination of expertise.

From his view, a fundamental conflict is brewing between the fast-paced world of IT and the slow, deliberate lifecycle of OT. The standard IT security playbook is no longer viable on the factory floor.

  • Two different clocks: While IT teams refresh technology every few years, industrial machinery operates on a much longer clock, Gernette explains. "OT teams think in decades, while IT teams think in two-year cycles. But we're not going to replace a $10 million machine just because its control system is running Windows XP. You have to plan 10 years in advance for a machine that has a 15-year lifespan. The real question is, are we bundling the right security conversations into that long-term replacement plan?"

  • The hidden threat: Meanwhile, as hacktivists and state-sponsored groups intensify their attacks on manufacturing, threat actors are remaining undetected in compromised systems for increasingly longer periods. "The bad guy could be sitting in your systems for a year or more. Dwell times have been getting progressively longer over the last decade, which is why the Zero Trust model has become so critical."

The solution for security leaders is to integrate security into long-term business planning and strategy, according to Gernette. "It's a harsh reality, but you cannot easily add security after the fact. It will cost you far more in wasted time and resources. Your team will spend hours trying to figure out why a new control broke a process that was already working, when it could have been designed correctly from the get-go."

  • One machine at a time: Here, Gernette recommends a methodical, low-risk implementation approach. "Work with the OT team to identify the least critical function, machine-wise. Pilot your controls there first. Plan it for a work weekend or scheduled downtime to avoid disruptions to production. Once you prove it works, you can scale the approach one machine at a time."

  • A cautious approach to AI: Apply the same principles-based approach to emerging technologies like AI, he continues. "You can't just release AI into the wild without guardrails. That's setting yourself up for failure. Treat it like a new SIEM deployment: first, you train it on test data and correct its behavior in a controlled environment. You can't unleash it on your production systems without enforcing fundamental controls like strict, role-based access."

Compliance is just the price of admission in today's market, Gernette says. But ideally, it will be the natural outcome of a strong security posture, rather than the goal itself. "Just because you are SOC 2 compliant doesn't mean you are 100% secure." He recommends using a Business Impact Analysis (BIA) that makes security risks more visible and approachable to non-technical teams and business leaders across their respective areas of responsibility.

  • Compliance as market access: Rather than justify security budgets with fear, security leaders can frame the conversation around enabling business strategy and winning new contracts, he continues. "Your customers are going to demand certifications. Financial services clients will require a SOC 2 report. To enter the federal space, you must comply with the CMMC. They look for these as symbols of due care, just like you look for a degree on a doctor's wall. It's a prerequisite for doing business and that makes security a competitive advantage, not just a cost center."

  • Plant-floor logic: To overcome resistance, Gernette recommends translating security goals into analogies that resonate with OT teams. "Ask them, 'Should this milling machine making parts for Customer A be able to talk to the machine packaging a product for Customer B?' They'll say, 'No, of course not, they should never share data.' That's exactly what we're talking about. It allows you to set rules using plain language: 'John can talk to this PLC, but Max can't. And neither can the CEO.'"

Gernette believes the cultural shift will have succeeded when it removes fear from the incident response equation entirely. "We've caught critical issues because employees felt safe enough to report suspicious activity immediately. They picked up the phone, and we isolated the problem before it escalated. In a world where delays can be devastating, even if a user waits until the next day to report a mistake, it could be too late."

Ultimately, resilience begins with trusting people, Gernette concludes. Because humans are the primary interface with the outside world, they represent the largest attack surface. But they're also the greatest opportunity for out-of-band detection. "I challenge the notion that 'humans are the weakest link.' I firmly believe our people are our biggest allies. They catch the threats that slip through our standard email gateways and filters."

*The opinions, views, and comments expressed by Gernette Wright are their own and do not necessarily represent those of any former or current employers.
