Analysis · June 15, 2026 · 3 min read

Why your CIO needs to own operational technology

Gartner advises IT leaders to take control of OT infrastructure. Here's what the shift means for security, budgets, and your org chart.

Our Take

OT is no longer the plant manager's problem—but treating it as purely an IT checkbox will fail.

Why it matters

As factories, utilities, and critical infrastructure become targets for cyberattacks, the IT/OT boundary is collapsing. CIOs who don't move now will be scrambling when the breach happens.

Do this week

CIO: Map your organization's OT assets and ownership (who owns it today, who's liable if it fails) by end of month so you know what rework your security model needs.

The OT responsibility gap is widening

Gartner is advising chief information officers to take direct ownership of operational technology (OT) environments rather than treating them as separate infrastructure managed by plant or facilities teams. The recommendation reflects a structural shift in how organizations should govern industrial control systems, HVAC, power distribution, and other physical-layer technology that historically sat outside IT's purview.

The business case is straightforward: OT systems now face the same attack surface as IT networks. A compromised HVAC system can be a pivot point into corporate servers. Ransomware operators target industrial control systems directly. Yet many organizations still split accountability between IT (responsible for data security) and operations (responsible for uptime), leaving gaps in threat detection, patch management, and incident response.

Gartner's guidance suggests that CIOs must either own OT directly or establish binding accountability frameworks with whoever does. The alternative is a security perimeter with a visible seam.

Your incident response plan breaks if OT and IT speak different languages

The real problem isn't technology. It's governance. OT teams operate on mean time to repair (MTTR). IT teams operate on mean time to detect (MTTD). They use different tools, different vendors, different change-control windows. A ransomware attack that hits both at once finds neither team equipped to respond to the other's reality.

Moving OT under the CIO's control doesn't necessarily mean replacing all the switches and sensors. It means owning the security policy, the backup and recovery procedures, and the incident escalation path. It means knowing what you have. Most organizations don't.

The financial and reputational stakes are real. A manufacturing outage caused by a breach in OT infrastructure is still an outage. Regulators in critical infrastructure sectors (energy, water, chemicals) are already writing compliance rules that assume IT/OT integration.

Start by getting visibility

If you're a CIO or security leader, your first move is inventory. Work with operations and facilities to document every OT system: what it does, who manages it, how it connects to corporate networks, and what would happen if it went down for a day. You don't need to own it yet. You need to know it exists.

Second, audit your current security controls against OT realities. Endpoint detection tools designed for laptops often fail on industrial control systems. Password policies that work for office staff don't work for machines that run for years without restart. The controls are different, but the risk is the same.

Third, build a bridge with your operations leader. CIO ownership of OT doesn't mean IT makes all the calls. It means the two functions plan together, share threat intelligence, and align on recovery time objectives. Gartner's point isn't about power. It's about sealing the gap.
