Industrial Cybersecurity: 3 Ways CISOs Win the Budget Conversation

Blog Post | By Yordan Yordanov

Published May 07, 2026

Key Highlights


  • Industrial cybersecurity belongs on the operations profit and loss (P&L) statement, alongside compliance and audit costs. Reframing where it sits is the budget argument a CISO can win.
  • Regulated industrial sites cut financial losses by roughly 50% in 2025, despite similar incident rates to unregulated peers.
  • From 11 September 2026, the EU Cyber Resilience Act requires manufacturers of products with digital elements to report severe cyber incidents within 24 hours.


Industrial Cybersecurity Has Become a Board-Level Conversation


The August 2025 ransomware attack on Jaguar Land Rover halted production at four plants for nearly five weeks and cost the British economy an estimated £1.9 billion. For CISOs at manufacturing companies, none of this was a surprise.


Yet the funding model for operational technology (OT) security has not changed. At Accedia, we work on manufacturing cybersecurity for companies building connected products, and the pattern we see across clients is consistent: the CFO accepts the threat data, then funds OT security as an IT cost, the same as last year.


Industrial cybersecurity is the practice of protecting OT, industrial control systems (ICS), and connected products. The difference from IT security is that when it fails, factories stop running, supply chains break, and the disruption lands on the shop floor. This article shows how to reframe that spend as a compliance investment that CFOs already know how to model.


The Current Threat Picture for Industrial Cybersecurity


Manufacturing has been the most-targeted industrial sector for ransomware throughout 2025 and into 2026 because production downtime gives attackers direct financial leverage over the victim. Jaguar Land Rover was the headline incident of 2025. Still, the Dragos 2026 OT Cybersecurity Year in Review confirms what most CISOs already see in their own threat intelligence: industrial organizations have moved firmly into the center of the ransomware target list. AI is now part of the picture too, accelerating reconnaissance and credential harvesting in ways that compress attacker timelines from weeks to hours.


The texture of failure in 2026 is different from 2020. A single ransomware incident at a major manufacturer now cascades within days into supplier furloughs, dealer disruption, and contract-penalty exposure across multiple tiers of the supply chain. For manufacturers, the damage extends past production restart. Compromised firmware sits in customers' devices for months afterward, creating recall obligations, regulatory exposure, and trust damage. Recovery timelines for industrial incidents commonly run nine to twelve months, well past the operational restart, because the audit, regulatory, and contractual fallout outlast the technical remediation.


Why OT Security Loses the Budget Argument


The funding model for OT security has a structural problem. It is funded in the wrong category, it competes against the wrong peers, and the consequences of underfunding show up in operations rather than in IT.


OT Security Competes on the Wrong Budget Line


Most factory and production-line security still gets funded as a sub-line of IT security. It competes for budget against email security, endpoint protection, identity management, and SaaS posture. Those are categories where business cases are easier to argue, where return on investment is faster to model, and where tools are mature. Protecting the production environment has none of those advantages until something breaks.


The result is predictable. OT receives the residual budget after the IT competition is settled, and when ransomware lands, the residual budget covers the breach response rather than the prevention. Other parts of the manufacturing budget have already corrected this kind of pattern by reframing technology investment around measurable cost outcomes. The same correction has not yet reached the factory floor.


The Cost Stays Hidden Until Something Breaks


What we see in practice tracks with the public data. IBM’s 2025 Cost of a Data Breach Report puts the industrial sector at $5 million per breach on average, with unplanned downtime in manufacturing reaching $125,000 per hour. The most common entry point is not a sophisticated exploit but a third-party remote maintenance connection that was never properly locked down. The audience that needs convincing is the CFO, who is reading a different P&L than the one industrial cybersecurity currently sits on.


The 2026 Regulatory Deadline Changes the Equation


What changes is the legal cost of getting industrial cybersecurity wrong. The EU Cyber Resilience Act requires manufacturers of products with digital elements to report severe cyber incidents to the European Union Agency for Cybersecurity (ENISA) within 24 hours, with penalties reaching €15 million or 2.5% of global turnover. NIS2, the EU directive on network and information security, already imposes parallel obligations, including personal liability for senior managers in some national implementations. In the US, the SEC’s cybersecurity disclosure rules already require publicly traded manufacturers to report material incidents within four business days, placing security events on the same line as financial reporting obligations.


Once incident reporting is a statutory obligation with a 24-hour clock, the spend has to move to a compliance, audit, and disclosure line. CFOs already know how to model that line. That is the reclassification.


How To Reclassify Industrial Cybersecurity at Board Level


The Industrial Cybersecurity Data That Wins the CFO Conversation


The line you take into the CFO meeting is this: regulated industrial sites suffer roughly 50% fewer financial losses than unregulated peers, despite similar incident rates. Compliance and financial posture turn out to be the same thing.


The CFO's objection takes a recognizable shape across the manufacturing clients Accedia works with. What the CFO actually disputes is the categorization of the spend, not the threat data behind it. From the engineering side, we see two patterns most often. The first is the CISO who has been making the same case to the same CFO for two or three budget cycles, getting incrementally more, never enough. The second is the CISO whose CFO asks the same return-on-prevention question every quarter. The work in both cases is the same. Move the spend off IT and into compliance. The numbers that matter are already in the CFO's spreadsheets.


How To Reframe Industrial Cybersecurity Costs For The CFO


The three reframes below change where industrial cybersecurity sits on the budget page.


  • From IT cost to compliance and disclosure cost: Open with: "From September, our incident-reporting exposure belongs with our audit and disclosure costs, not with the IT budget." That puts security in a category CFOs already model.


  • From return on prevention to non-compliance exposure: Start with: "I cannot model the return on prevention because the counterfactual is invisible, but I can model our non-compliance exposure to the dollar, and the numbers are sitting in the same risk register we use for audit findings." Penalty cap, average breach cost, reputational and audit consequences, supplier contract clauses. Each of those numbers already lives in someone's spreadsheet at the company. The work is to use them.


  • From risk avoidance to operating licence: Frame it like this: "From 11 September, cybersecurity becomes part of being licensed to sell into the EU market for any product with digital elements. That is the same investment category as ISO certification or product safety testing." An operating licence is the language CFOs hear without needing translation.


Where To Start with Industrial Cybersecurity


None of what follows is an 18-month programme. Each move below delivers measurable progress in a single quarter without disrupting production.


OT Asset Visibility Comes First


You cannot defend what you cannot see, and the first hour of any incident response depends on being able to answer the question of what was affected. The first-quarter version aims for partial coverage, not completeness. Scope the inventory to a single line or single facility, document what is there and what is not, and use the gap analysis to fund the second iteration.


For a premium electric vehicle manufacturer Accedia has been working with, continuous asset discovery on cloud-connected production environments is what keeps the inventory live as the environment changes. The technical work is integrating asset discovery into existing production and cloud monitoring stacks, then building exception workflows for unmanaged endpoints. The lesson from that engagement was about cadence rather than tooling. The inventory is never finished, so you stop trying to finish it and start trying to keep it current.
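The gap analysis described above, as an added example that is not Accedia's tooling or code from this post: it reconciles what passive discovery observed on one production line against the documented inventory, reports the three gaps a first-quarter inventory should surface (unmanaged endpoints, stale records, records with no owner) and opens an exception record for each unmanaged endpoint so it gets an owner and a review date. Every asset, MAC address and owner below is constructed for illustration; a real run would read the two lists from the discovery collector and the inventory system.

```python
"""Gap analysis for an OT asset inventory scoped to one production line.

Added example, not Accedia's tooling. Reconciles passive discovery output
against the documented inventory and opens exception records for unmanaged
endpoints. All asset data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2026, 5, 7)  # date of the analysis (constructed)


@dataclass(frozen=True)
class DiscoveredAsset:
    """One endpoint observed by passive discovery (e.g. a SPAN-port collector)."""
    mac: str
    ip: str
    vendor: str
    last_seen: date


@dataclass(frozen=True)
class InventoryRecord:
    """One row of the documented inventory for the line."""
    mac: str
    name: str
    line: str
    owner: Optional[str]  # None is itself a finding: nobody is accountable


@dataclass(frozen=True)
class ExceptionRecord:
    """Workflow item for an endpoint that is on the network but not managed."""
    mac: str
    ip: str
    owner: str
    review_by: date


@dataclass
class GapReport:
    unmanaged: list[DiscoveredAsset]   # seen on the wire, absent from inventory
    stale: list[InventoryRecord]       # documented, but discovery never saw it
    ownerless: list[InventoryRecord]   # documented, but no accountable owner
    coverage: float                    # share of observed endpoints that are documented


def norm_mac(mac: str) -> str:
    """Inventories record MACs inconsistently; compare on one canonical form."""
    return mac.strip().replace("-", ":").upper()


# Constructed sample: what discovery observed on Line 3 during the last week.
DISCOVERED = [
    DiscoveredAsset("00:1c:06:aa:00:01", "10.3.0.11", "Siemens", date(2026, 5, 7)),
    DiscoveredAsset("00:0f:73:aa:00:02", "10.3.0.12", "Rockwell", date(2026, 5, 7)),
    DiscoveredAsset("00:90:e8:aa:00:03", "10.3.0.40", "Moxa", date(2026, 5, 6)),
    DiscoveredAsset("b8:27:eb:aa:00:04", "10.3.0.41", "Unknown", date(2026, 5, 5)),
]

# Constructed sample: what the documented inventory says about Line 3.
INVENTORY = [
    InventoryRecord("00-1C-06-AA-00-01", "PLC-L3-01", "line-3", "ot-eng"),
    InventoryRecord("00-0F-73-AA-00-02", "HMI-L3-01", "line-3", None),
    InventoryRecord("00-50-56-AA-00-05", "HIST-L3-01", "line-3", "ot-eng"),
]


def reconcile(discovered: list[DiscoveredAsset], inventory: list[InventoryRecord]) -> GapReport:
    """Compare the observed and documented views and report the three gaps."""
    documented = {norm_mac(r.mac): r for r in inventory}
    observed = {norm_mac(a.mac): a for a in discovered}

    unmanaged = [a for m, a in observed.items() if m not in documented]
    stale = [r for m, r in documented.items() if m not in observed]
    ownerless = [r for r in inventory if not r.owner]
    matched = len(observed) - len(unmanaged)
    coverage = matched / len(observed) if observed else 0.0
    return GapReport(unmanaged, stale, ownerless, coverage)


def open_exceptions(report: GapReport, today: date, review_days: int = 30) -> list[ExceptionRecord]:
    """Exception workflow: every unmanaged endpoint gets a record that must be owned or removed."""
    return [
        ExceptionRecord(norm_mac(a.mac), a.ip, "UNASSIGNED", today + timedelta(days=review_days))
        for a in report.unmanaged
    ]


if __name__ == "__main__":
    report = reconcile(DISCOVERED, INVENTORY)
    print(f"coverage: {report.coverage:.0%}")
    for a in report.unmanaged:
        print(f"unmanaged: {a.ip} ({a.vendor}) last seen {a.last_seen}")
    for r in report.stale:
        print(f"stale record: {r.name}")
    for r in report.ownerless:
        print(f"no owner: {r.name}")
    for e in open_exceptions(report, AS_OF):
        print(f"exception opened: {e.mac} review by {e.review_by}")
```

The coverage figure is the number to take into the second-iteration funding request: on the constructed data it is 50%, and the two unmanaged endpoints plus the one stale record are the gap analysis. The MAC normalization matters more than it looks, because inventories kept by hand rarely match the collector's format, and a naive comparison reports every asset as unmanaged.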


Segmenting Third-party Remote Access Comes Second


Around half of OT incidents start with unauthorized external access, mostly through third-party remote maintenance. Yet only a small minority of organizations have remote access controls designed for OT. The first-quarter version is one remote-access path per third party, time-bounded, monitored, with a session recording trail and a clear policy of what gets revoked when an engagement ends. This is unglamorous work, and that is the point.


Working with a connected-product manufacturer, our team has run penetration tests and security assessments on connected-product software. The technical work in third-party access segmentation is identity-based access broker integration, session monitoring, and policy enforcement at the OT network boundary. Across this kind of engagement, the most common finding is a third-party access path with no clear owner. The work is to find these and assign one before the audit does it for you.
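The first-quarter rule set from the two paragraphs above (one path per third party, time-bounded, session-recorded, terminating on the access broker, with a named owner and revocation when the engagement ends), as an added example that is not Accedia's code: an audit over an export of remote-access paths that lists each path's rule violations, builds the revocation queue, and counts findings by type so the quarter's work can be prioritized. The vendors, owners, path identifiers and dates are constructed for illustration; a real run would read the paths from the broker or boundary firewall export.

```python
"""Audit of third-party remote access paths into an OT boundary.

Added example, not Accedia's tooling. Checks each access path against the
first-quarter rules: one path per third party, time-bounded, session
recording on, terminated on the identity-aware broker, owner assigned,
and revoked once the engagement ends. Access paths are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2026, 5, 7)  # date of the audit (constructed)


@dataclass(frozen=True)
class AccessPath:
    path_id: str
    vendor: str
    owner: Optional[str]            # internal person accountable for this path
    engagement_end: Optional[date]  # None means nobody set an end date
    session_recording: bool         # sessions are recorded end to end
    via_broker: bool                # terminates on the broker, not a direct tunnel


# Constructed sample: four paths as they might appear in a quarterly export.
ACCESS_PATHS = [
    AccessPath("rap-001", "PumpCo", "j.doe", date(2026, 6, 30), True, True),
    AccessPath("rap-002", "DriveTech", None, date(2026, 5, 31), True, True),
    AccessPath("rap-003", "DriveTech", "m.ali", date(2026, 3, 31), False, False),
    AccessPath("rap-004", "RoboServ", "m.ali", None, True, True),
]


def audit(paths: list[AccessPath], today: date) -> dict[str, list[str]]:
    """Return the rule violations per path; an empty list means the path is compliant."""
    paths_per_vendor = Counter(p.vendor for p in paths)
    findings: dict[str, list[str]] = {}
    for p in paths:
        issues: list[str] = []
        if not p.owner:
            issues.append("NO_OWNER")               # the most common finding in practice
        if p.engagement_end is None:
            issues.append("NOT_TIME_BOUNDED")
        elif p.engagement_end < today:
            issues.append("ENGAGEMENT_EXPIRED")     # should already have been revoked
        if not p.session_recording:
            issues.append("NO_SESSION_RECORDING")
        if not p.via_broker:
            issues.append("BYPASSES_BROKER")        # direct tunnel past the boundary control
        if paths_per_vendor[p.vendor] > 1:
            issues.append("DUPLICATE_VENDOR_PATH")  # rule is one path per third party
        findings[p.path_id] = issues
    return findings


def revocation_queue(paths: list[AccessPath], today: date) -> list[str]:
    """Paths whose engagement has ended: these are revoked, not re-reviewed."""
    return [p.path_id for p in paths
            if p.engagement_end is not None and p.engagement_end < today]


def summarize(findings: dict[str, list[str]]) -> Counter:
    """Count findings by code so the quarter's remediation can be prioritized."""
    return Counter(code for issues in findings.values() for code in issues)


if __name__ == "__main__":
    result = audit(ACCESS_PATHS, AS_OF)
    for path_id, issues in result.items():
        print(f"{path_id}: {', '.join(issues) or 'compliant'}")
    print("revoke now:", revocation_queue(ACCESS_PATHS, AS_OF))
    print("by finding:", dict(summarize(result)))
```

The ownerless path is deliberately not put on the revocation queue: with nobody accountable, there is nobody to confirm whether the vendor still needs it, so the first action is to assign an owner, which is exactly the finding the text says an audit will otherwise raise for you. Only paths with a passed end date are revoked without discussion.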


Tabletop the Reporting Obligation Comes Third


The first time you discover your incident response plan does not survive a 24-hour reporting clock should not be when the clock is running. The first-quarter version is a two-hour tabletop with security, legal, communications, and operations leadership in the same room. Run a hypothetical incident against the September 2026 reporting window. Document what your team could not do within 24 hours. That gap analysis is your next quarter’s roadmap. In our experience, the legal and communications gaps are usually larger than the technical ones, and the tabletop is the cheapest way to surface them.


The Bottom Line for Manufacturing CISOs


Manufacturing CISOs making real progress on industrial cybersecurity have reclassified the spend from an IT cost into a compliance and disclosure investment, where CFOs already know how to model the risk. They back that move with visible engineering work: an asset inventory scoped to a real production line, a session-recorded path for every active third-party connection, and a documented gap analysis from a tabletop exercise. The reframe earns the budget. The work earns credibility.


Accedia's cybersecurity team works with manufacturers on penetration testing, asset discovery integration and security assessments, with TISAX certification for automotive engagements. Talk to our cybersecurity team about industrial cybersecurity work in your environment.

FAQ

  • What Is Industrial Cybersecurity?

    Industrial cybersecurity is the practice of protecting operational technology (OT), industrial control systems (ICS) and the connected products that manufacturers build. It covers the production environment, the systems that run it and the products that leave the factory with embedded software. When industrial cybersecurity fails, the disruption lands on the shop floor rather than in the inbox.


  • Author

    Yordan Yordanov

    Yordan Yordanov is a Senior Engineering Manager & Cybersecurity Lead at Accedia, focused on practical, dependable security for high-impact projects. He aligns risk and ROI, protecting critical operations while businesses scale.
