Eliminating Silos in IT/OT Cybersecurity Is a Funding Challenge, Not a Technical One

By: Tom Guarente, vice president of external and government affairs, Armis

In light of ever-increasing cyber threats from nation-state adversaries, including major spying campaigns like Salt Typhoon, the need for strong cybersecurity protection has never been more urgent. Given the reported deployment of offensive cyber measures in U.S. military operations, we should expect adversaries to counter with their own deployments.

Noting that the recently released White House “Cyber Strategy for America” appropriately focuses on securing critical infrastructure, our current reality of converged technologies necessitates a more holistic and proactive security model. While this has been an elusive goal because the federal government often lacks the mechanisms needed to fund and deploy effective security tools across both IT and operational technology (OT), the strategy appears to take a much-needed approach. While the government has traditionally focused most of its cyber operations on IT, it has begun to recognize the need to address OT, which has not been nearly as well protected.

Agencies are often stymied in their attempts to broadly apply cybersecurity across both IT and OT due to funding silos and other bureaucratic hurdles. Organizational silos often prevent government security leaders from acquiring the same cybersecurity tools as Fortune 500 enterprises. Not only are agencies siloed from one another, but organizations that manage their own cyber initiatives often find it difficult to share lessons with peers in other branches of the same department.

For example, we have seen one organization with a very mature Facilities Related Control System (an OT system used for building management, controlling electricity operations, etc.) that had been broken in half and organized by geography, each part with its own funding lines, initiatives, contract vehicles and products. This somewhat random division has made it difficult for leadership to apply the necessary tools and controls across the organization to protect systems and users from cyber threats.

Within organizations, divisions also exist between components responsible for IT (often the CIO’s team) and those responsible for OT (often the CSO’s team). These silos prevent organizations from procuring common tools for cybersecurity protection across the entire enterprise. Even when the need for such tools has been identified, organizations often cannot identify the funding mechanisms to justify a procurement. OT is segregated from the IT side with different funding lines, preventing buyers with access to IT-related funding from using it to buy an OT security tool – at least not without navigating a drastic amount of red tape to get that procurement across the finish line. And if they do, purchasing multiple point solutions introduces more complexity into an environment.

Policy decrees and executive orders mandating OT security improvements are essential catalysts, yet they frequently falter at the implementation level due to an “unfunded mandate” gap. While higher-level directives establish necessary requirements, they rarely provide the financial or structural frameworks required by lower-level offices to execute them. To be effective, these orders must evolve beyond compliance checklists to include comprehensive frameworks for longevity and continuity. This requires a dual-track funding model that covers initial capital for acquisition as well as dedicated, multi-year budgetary support for operational and expert staffing.

To bolster at-scale deployment, the plan should also include support structures, such as mobile “tiger teams” or shared-service models that provide specialized technical expertise to under-resourced offices, ensuring that OT security solutions are not only deployed but sustained throughout their lifecycle.

Bridging the gap between policy and protection means that agencies need to establish a standardized baseline for assessing converged technologies well before deployment. However, these baseline requirements will remain toothless without a radical overhaul of the procurement and authorization pipeline. Currently, processes like FedRAMP and DoD-specific cybersecurity authorizations are often opaque and sluggish, offering little transparency into optimization or timelines.

This state of gridlock suggests that these authorization bodies are understaffed and under-resourced – themselves victims of the broader funding crisis, rendering high-level security talking points irrelevant if the administrative machinery cannot process the solutions at the speed of the threat. If these authorizations are to remain a mandatory prerequisite, the FedRAMP process should adopt a model defined by clear milestones and predictable iterative outputs.

To secure critical infrastructure at scale, agency leaders must transition from ad-hoc procurement to programmatic, congressionally-funded initiatives. An effective catalyst for modernization could be the establishment of new enterprise-wide contract vehicles similar to the Global Enterprise Modernization Software and Support (GEMSS) contract, awarded in 2022. That contract gave a broad range of military organizations unlimited access to software licenses, technical support and network modernization services. By pre-negotiating pricing and centralizing funding at the department level, these types of agreements can lower the barrier to entry for individual agencies and offices.

When solution sets are structured, priced and funded for “too good to miss” enterprise adoption, they give mission owners the leverage they need to bypass traditional silos. Ultimately, these large-scale programs do more than cut costs. They promote a standardized security posture that becomes an indispensable utility, ensuring that OT defense is treated as a permanent capability.

Talking points are not enough. Agency leaders have to put money behind what they say their priorities are and increase efficiencies in delivering on those priorities when it comes to securing both IT and OT environments. We should all work together to operationalize the Cyber Strategy for America and create a new approach to protecting our nation.