Episode 28 — Balance Security Versus Operations: Governance Structures and Decision Authorities

In this episode, we’re going to tackle a tension that shows up in almost every real industrial environment: the push and pull between protecting systems and keeping the process running smoothly. For brand-new learners, it can seem like security and operations should always want the same thing, because both want the organization to succeed. In practice, they often experience the world differently. Operations lives in the reality of uptime, safety, and production commitments, where even small disruptions can create big ripple effects. Security lives in the reality of threats, vulnerabilities, and the uncomfortable truth that many damaging events begin with small cracks that were ignored because they were inconvenient. When these worlds collide without a clear way to decide, people either fight, stall, or work around each other, and none of those outcomes are good for safety or resilience. The solution is not to declare one side the winner, but to build governance structures and decision authorities that make tradeoffs explicit and consistent. By the end, you should understand what good governance looks like in O T, who should have authority over different kinds of decisions, and how those structures help security support operations without being swallowed by operational pressure.

Before we continue, a quick note: this audio course is a companion to our course books. The first book is about the exam and provides detailed information on how best to pass it. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

To build a strong foundation, it helps to define governance in plain language as the system for how decisions are made and who has the right to make them. Governance is not a single committee meeting, and it is not only documentation. It includes roles, escalation paths, approval rules, and how conflicts are resolved when priorities compete. In O T, governance matters more than many people expect because decisions often involve safety, production, and specialized equipment, and the wrong decision can create physical consequences. Governance also helps reduce the risk of decisions being made in panic, because it creates an agreed framework before an incident occurs. If teams only discuss authority during a crisis, the crisis will usually win, and the result may be risky shortcuts that become permanent. A well-governed environment can move faster under stress because people know who decides, what evidence is needed, and what the boundaries are. Beginners should understand that governance is not about adding delay; it is about preventing chaos and reducing the long-term cost of ad hoc choices.

The phrase balance security versus operations can be misleading if it sounds like a zero-sum game, because in healthy environments security and operations actually reinforce each other. Security reduces the likelihood of disruptive events that operations hates, while operations discipline, like good maintenance routines and change control, reduces the chaos that attackers exploit. The conflict often comes from different time horizons. Operations is pressured by today’s production and today’s safety concerns, while security is pressured by the future risk of compromise that could disrupt many days or many plants. Governance helps because it creates ways to compare those time horizons using shared criteria, like the impact of downtime, the risk of unsafe conditions, and the probability of a disruptive incident. It also creates clear rules for exceptions, because exceptions will happen, and the danger is not the exception itself but the untracked, unowned exception that never gets revisited. When governance is strong, both sides can compromise without feeling like they are surrendering, because the compromise is structured and accountable.

Decision authority is the heart of this topic, and it begins with recognizing that not all decisions should be made by the same group. Some decisions are primarily operational, like when to run a process changeover, how to schedule maintenance, or how to adjust production rates to meet demand. Some decisions are primarily security, like how to manage identities, how to monitor for suspicious activity, or how to set standards for remote access. Many decisions are shared, like when to patch a critical system, how to segment networks, or how to accept a vendor’s risk. Shared decisions need a mechanism for resolving disagreement without endless debate. This is where defined authorities matter, because someone must have the power to decide after consultation, and that power must be accepted as legitimate by both sides. In O T, legitimacy often comes from being anchored in safety and business objectives, not from organizational charts alone. Beginners should take away that unclear authority is itself a risk, because it leads to inconsistent and delayed decisions, which can be more dangerous than making an imperfect decision quickly.

One useful way to think about governance structures is that they create “lanes” for decisions, with rules for when a decision stays in a lane and when it must escalate. Routine decisions should be handled at the lowest level that has enough knowledge and accountability, because pushing every choice to senior leadership slows everything down. For example, routine access requests for a well-defined role can be handled by a standard process. Routine system updates in noncritical zones might follow a standard maintenance schedule and approval process. But certain decisions should automatically escalate, such as changes that affect safety-related systems, changes that could stop production, or changes that open new connectivity paths into sensitive zones. Escalation triggers should be clear, because ambiguity creates arguments, and arguments waste time. Good governance makes it easy to do the safe, normal thing and harder to do the risky, exceptional thing, without making it impossible when there is a genuine operational need. Beginners should see governance as a design for decision flow, not as a pile of meetings.

A common governance problem in O T is the emergency exception that becomes the new normal. Imagine a vendor needs urgent remote access to troubleshoot a failure, so a path is opened quickly to restore service. That may be the right operational choice, but if there is no rule for closing the path, logging what happened, and reviewing the access afterward, the temporary door stays open forever. Over time, many temporary doors accumulate, and the environment becomes porous in ways no one can fully explain. Good governance treats emergency actions as legitimate but bounded. It defines who can approve emergency access, what minimum controls must still be in place, what must be recorded, and when a review must occur. This supports operations by enabling rapid response while still protecting the environment from long-term drift. Beginners should remember that security does not lose because an emergency happens; security loses when emergencies become a habit and no one cleans up afterward.

Another source of conflict is the difference between safety authority and security authority, and how those authorities interact. In many industrial contexts, safety has special weight because safety decisions can prevent harm to people and the environment. Security decisions may also support safety, but they can sometimes be perceived as competing, especially if a security control affects the availability of a safety-related function. Good governance recognizes safety as a primary constraint and ensures security controls are designed to respect safety requirements. This does not mean security is secondary in importance, but it means security must be implemented in a way that does not create unsafe conditions. For example, if a security control could block necessary communication, governance should require an operational safety review and testing before it is deployed. In return, safety governance should also respect that insecure systems can create unsafe outcomes, because attackers can disrupt or manipulate processes. Beginners should learn that safety and security are not separate worlds; they are connected, and governance is how you manage that connection responsibly.

Decision authorities also need clear information inputs, because you cannot balance tradeoffs if you are guessing. Governance should define what evidence is required for certain decisions, such as asset criticality, known vulnerabilities, observed threats, and operational constraints like maintenance windows. For example, a decision about delaying a patch might require understanding how exposed the system is, what compensating controls exist, and what the operational impact of patching would be. A decision about segmenting a network might require understanding data flows and process dependencies so segmentation does not accidentally break operations. When inputs are defined, decisions become less personal and more systematic. This reduces conflict because people argue less about opinions and more about facts that can be verified. Beginners should understand that governance is not only who decides, but what information is used to decide, and good governance improves the quality of that information over time.

There is also an important cultural aspect: governance should create a habit of collaboration rather than blame. In many environments, security teams fear being blamed for downtime, while operations teams fear being blamed for risk acceptance. If blame drives decisions, people hide problems, avoid documentation, and bypass controls to protect themselves, which increases risk. Good governance creates shared accountability by making risk decisions transparent, documented, and approved by the right authorities. That way, accepting risk is not a secret; it is a deliberate choice with an owner and a review plan. Similarly, implementing controls is not an ambush; it is a planned change with testing and operational input. Beginners should see that governance structures are partly about psychology: people cooperate more when they feel decisions are fair and when their expertise is respected.

Incident decision-making is where governance is tested the most, because stress can push teams toward extremes. One extreme is to shut everything down to be safe, which can cause unnecessary operational harm. Another extreme is to ignore security concerns to keep running, which can allow a problem to spread and become worse. Governance provides a middle path by defining who leads, who advises, what thresholds trigger containment actions, and what steps are required before returning systems to service. In O T, incident governance often includes decisions about isolating zones, switching to local-only operations modes, and prioritizing restoration of certain functions before others. These decisions should not be invented during the incident, because the cost of improvisation can be high. Beginners should learn that governance is a form of preparedness, and preparedness is a form of resilience.

As we wrap up, balancing security versus operations is not about choosing one over the other, but about building decision structures that make tradeoffs consistent, accountable, and aligned with safety and business objectives. Governance defines how decisions are made, while decision authorities define who has the right to decide in routine and exceptional situations. Strong governance creates clear lanes, escalation triggers, and bounded exception processes that enable fast operational response without creating long-term security drift. It respects safety constraints while recognizing that insecure systems can create unsafe outcomes, and it improves decision quality by defining what evidence and context are needed for high-impact choices. Most importantly, it builds trust by making risk acceptance and control implementation transparent and fair, which reduces the urge to bypass or fight. If you can explain how governance structures prevent chaos, how authority prevents endless conflict, and how both support stable operations and safer security outcomes, you will have the mindset needed to evaluate real-world O T security programs.
