David Jones
David is an experienced Non-Executive, currently on the Board of Ofwat and Chair at DVLA.
Previously, he's been on the Board of Ofcom, amongst many other Non-Executive roles.
I help boards and regulators navigate cyber risk and fast-moving technology where regulation, governance and geopolitical realities intersect.
(NOTE: David is speaking in a personal capacity, not in his role at Ofwat.)
Session
Operational Technology (OT) cyber risk is one of the few topics where you can brief three audiences—engineers, the Board, and a regulator—and still feel like you’ve spoken three different languages.
This talk is about that translation problem. I’ll share a practical way to explain OT cyber risk at leadership level (without turning it into either a Hollywood script or “it’s just IT”), and how the complexity increases when you also need to provide confidence to an external overseer—without over-promising, name-dropping frameworks, or producing a one-off “assurance pack” that nobody maintains.
We’ll cover:
Why OT is different in ways that matter to governance: safety, availability, lifecycle, and constraints that are genuinely non-negotiable
The Board narrative vs the regulator narrative: what changes, what must stay consistent
What credible evidence looks like (and what looks like security theatre)
The small set of artefacts that do most of the work: ownership, asset visibility, remote access, segmentation, monitoring, incident readiness
Handling the awkward questions (“So are we safe?”, “Is it compliant?”, “What’s our worst day?”) with honesty and momentum
No war stories and no named organisations—just patterns, pitfalls, and a set of reusable structures you can take back to your own environment.