Progress Beats Perfection in OT Cybersecurity
Reflections from an OT Cybersecurity Practitioner
Across the previous parts of this series (Part 1, Part 2 & Part 3), I’ve reflected on recurring patterns that shape OT cybersecurity maturity far more than technology alone. Governance structures influence intent. Visibility determines the quality of decisions. Incentives quietly guide behaviour.
Taken together, these factors explain why many organisations genuinely want to improve their OT cybersecurity posture, invest time and effort, and still find progress slower than expected.
A final pattern often emerges at this point: waiting for perfection.
In OT environments, the idea of a “finished” or “fully mature” cybersecurity state is appealing but unrealistic. Systems are legacy by design. Operational constraints are real. Safety cases, certification requirements, vendor dependencies, and uptime expectations all limit how quickly and how far change can go.
Yet many programmes stall not because action is impossible, but because action is deferred until it can be done perfectly.
Perfect asset inventories.
Perfect segmentation models.
Perfect governance structures.
Perfect end states.
In practice, perfection becomes a moving target. The environment changes, priorities shift, and new constraints emerge before the previous ones are resolved. The result is analysis paralysis, where risk is understood, documented, and accepted repeatedly, but rarely reduced.
More mature organisations approach this differently. They recognise that OT cybersecurity maturity is directional, not binary. Progress is measured in momentum, not completion. Controls do not need to be perfect to be effective, but they do need to exist.
Establishing a realistic baseline is often the most important step. Not a theoretical baseline aligned to best-case assumptions, but one grounded in operational reality. What can be implemented safely today? What can be improved incrementally tomorrow? What decisions genuinely reduce risk rather than simply move it around on paper?
In these environments, “good enough” is not a compromise. It is a conscious choice that enables learning, adjustment, and improvement over time. Imperfect controls are refined. Early decisions are revisited. Assumptions are tested against reality. Progress compounds.
This approach also reduces friction. When teams are not asked to deliver perfection upfront, conversations become more honest. Trade-offs are discussed openly. Ownership becomes clearer. Action becomes easier.
Importantly, progress-led organisations do not abandon ambition. They simply sequence it. Long-term goals remain, but they are reached through deliberate, incremental steps rather than deferred until conditions are ideal.
At OTIFYD, we consistently see that organisations which prioritise progress over perfection move faster, encounter fewer surprises, and build more resilient cybersecurity postures over time. The difference is rarely dramatic. It is the accumulation of small, sensible decisions made early and revisited often.
OT cybersecurity does not fail because organisations aim too high. It stalls when action is delayed waiting for certainty that never fully arrives.
There is no such thing as perfect OT cybersecurity. There is, however, a pragmatic, resilient, and achievable position that every organisation can work towards.
The final question in this series is a simple one:
Are we waiting to be ready, or are we ready to begin?
By Serkan Yusuf (February 2026)