
OT Is Not an Island
Why Isolation No Longer Delivers Security and Resilience


The saying “no man is an island” originates from the English poet and cleric John Donne, who wrote it in 1624 in Devotions Upon Emergent Occasions. Donne’s idea is simple but enduring: no individual thrives alone. We are part of one another and part of a wider whole. The phrase has since become shorthand for cooperation, interdependence, and shared responsibility.

At first glance, applying this idea to operational technology (OT) may seem counterintuitive. OT environments have been treated as islands by design, and for good reason. They control physical processes whose disruption can cause real harm to people, businesses, and society at large.

Why OT Was Designed as an Island

OT systems are often old, rely on specialized protocols, and do not support modern security mechanisms. Production environments cannot be stopped casually for updates, and in many cases patches do not exist at all. Isolation therefore became the primary way to manage risk. Connectivity was limited, change was minimized, and OT was kept as far away as possible from the internet and IT-related threats.

From the perspective of physical safety and operational reliability, this approach has been both rational and effective. Isolation reduced exposure and supported predictable operation in environments where failure carries serious consequences.

Where the Island Analogy Breaks Down

The island analogy still holds from a technical standpoint. From the perspective of security governance and risk management, however, it no longer applies.

Even when technically isolated, OT does not function as a detached outpost. It operates within a broader organizational, contractual, and societal system. OT has its own rules, its own language, and often its own autonomous governance. At the same time, it is deeply interconnected. Vendors access it. IT systems exchange data with it. Business continuity depends on it. National infrastructure relies on it.

In this context, OT resilience is never the result of a single technical control. It emerges from coordination across teams, functions, and organizations. A weakness in one place, whether internal or external, can compromise the operational capability of the entire production chain.

What We See in Practice

In Nordic industrial environments, this reality appears in a familiar pattern. OT teams prioritize uptime and safety. IT teams focus on compliance, identity, and data protection. Leadership often assumes that isolation equals control.

The outcome is fragmented ownership. Visibility remains partial. Responsibilities overlap or disappear altogether. When incidents occur, escalation is slow, not because people are incompetent, but because coordination across organizational and technical boundaries was never designed.

This is not primarily a tooling problem. It is a governance problem.

What the Data Tells Us

A report by the Finnish National Emergency Supply Agency (Huoltovarmuuskeskus), Kyberkypsyys toimialoilla 2025, identifies fragmented OT management as a significant risk to Finland’s national cyber maturity. The report notes that cyber operations targeting critical infrastructure in Europe have increased and become more deliberate. As part of Europe’s interconnected energy, telecommunications, and logistics systems, Finland is directly exposed to these developments.

EU-level initiatives such as NIS2, CER, and DORA have initiated progress. Overall maturity, however, remains insufficient. In many organizations, cybersecurity development is still project-driven and operating models remain unchanged. Too many companies aim to meet minimum requirements rather than build resilience.

One finding in the report stands out. The single most important factor separating high-maturity organizations from the rest is leadership.

In organizations that perform well, cybersecurity is a standing item on the executive agenda. Risks and investments are handled from a business perspective. Leadership understands that cybersecurity is not a technical issue. It is continuity, competitiveness, and national preparedness.

Unified Security Governance

The same report highlights the persistent separation of OT and IT as one of the most significant risk factors. Common symptoms include:
- limited visibility into OT assets
- unclear responsibilities
- insufficient segmentation
- unsystematic vulnerability management

Building on these findings, we consistently see additional gaps in practice. These include secure vendor and subcontractor access, documented and rehearsed crisis response plans, and continuous training, including at the leadership level. Many of these practices are already routine in IT environments. Too often, they do not extend to production.

In today’s threat landscape, fragmented situational awareness and unclear ownership are no longer acceptable.

What is needed instead is unified security governance.
This includes shared:
- risk management model
- monitoring and alerting
- processes and responsibilities
- architecture and segmentation across networks, identities, and access rights designed as one whole
- exercises

Unified security governance is the ability to see, lead, and protect the organization’s entire digital and physical operating environment as a single entity where information, responsibilities, and response flow seamlessly across boundaries.

From Islands to Networks

OT has long relied on isolation as its primary defense. That design choice was once necessary.

Today, resilience depends on unified security governance. When IT and OT operate under shared leadership, shared visibility, and shared responsibility, isolation is no longer the control mechanism. Governance is.

OT is no longer an island.
Treating it as one is no longer a viable strategy.

Technical Team, ESFABRIK