How designing security for human behavior, not against it, builds resilience

During a recent cybersecurity assessment at a water utility, my team discovered something common across many operational environments: unmanaged hubs and personal devices quietly integrated into daily operations.

Over time, these additions helped operators stay productive during overnight shifts or fill gaps when IT policies felt too restrictive, too slow, or simply irrelevant to real-time operations.

None of it was malicious. It was pragmatic. But that pragmatism reveals everything wrong with how most organizations approach operational technology (OT) security — and why heavy-handed IT controls often make things worse, not better.

It’s a perfect example of the IT/OT security gap in action, and it matters more than you think.

Why IT and OT Teams Assess Risk Differently

We were touring one of the utility’s filter plants as part of a comprehensive cybersecurity and physical security assessment. During the walkthrough, we noticed unmanaged network hubs scattered throughout the building, added over time to extend the network as the facility expanded and evolved.

These weren’t intentional security breaches or sophisticated intrusions. They were operator-installed workarounds to facilitate convenience in an environment that runs 24/7, where continuous operations trump everything else, and downtime isn’t an option.

Here’s what most cybersecurity professionals miss: operators and IT teams assess risk fundamentally differently.

Your IT team worries about confidentiality, integrity, and availability—in that order.

For operators, safety and availability are non-negotiable. They’re not in the IT security business. They’re in the business of making water, manufacturing components, or keeping production lines running.

When an IT team walks into an operational environment with the same policies and controls they use for the corporate office network, they’re setting everyone up for failure.

IT says: “Here are the rules. Follow them.”

Operators say: “These rules slow me down, so I’ll work around them.”

This creates silos that plague critical infrastructure.

  • IT focuses on corporate systems, like finance, HR, and email.
  • The production floor operates in a separate world with physical equipment and a culture built around uptime, reliability, and the “if-it-ain’t-broke-don’t-fix-it” mentality.


The IT versus OT Security Gap

Let’s look at how these silos play out in the real world, with something as basic as password policies, where these cultural divides become painfully visible. Your IT team establishes requirements: minimum length, complexity, regular changes, unique IDs, no sharing.

All perfectly reasonable.

Now watch what actually happens on the production floor:

  • Passwords get shared – because operators need to respond quickly across multiple systems.
  • Sticky notes and simple patterns are used – because complex passwords aren’t practical under pressure.
  • Predictable rotations in password creation – because frequent password changes create cognitive fatigue.
  • Shared logins – because unique IDs can bottleneck urgent decisions.

You’ve created perfect security on paper. You’ve created a productivity nightmare in practice.

The operators aren't ignoring your controls because they're careless. They're ignoring them because you've built controls that fundamentally misunderstand how their work actually functions.

The Solution Isn’t More Control. It’s Better Architecture

When we discovered the use of unmanaged personal devices on the production network, we didn’t lecture the utility about policy violations. We didn’t “out” anyone. We recognized that the behavior revealed a gap between security architecture and operational reality.

Our recommendation? Implement secure, segmented guest Wi-Fi—a separate network with a direct path to the internet that’s completely isolated from production systems. Give operators a legitimate way to do what they’re going to do anyway, but do it safely.

This is the fundamental shift that’s required: security controls must work WITH human behavior, not against it.


The best security architecture recognizes that people will always find the path of least resistance.

Your goal isn’t to block the path of least resistance; it’s to make that path the secure one.

Breaking Down the IT/OT Wall

Network segmentation is just the start. The real challenge is cultural: breaking down the wall between IT and operations.

At Luminary ACE, our teams combine cybersecurity professionals with professional engineers specifically because both perspectives are essential.

  • The cybersecurity expert understands the threat landscape and control frameworks.
  • The professional engineer understands operational constraints and production realities.

When both sit at the table together, you get something neither could achieve alone: security solutions that acknowledge operational needs while actually reducing risk.

This means:

IT must become a partner, not a landlord.

Stop dictating solutions from the corporate office and start collaborating with the people running your production systems. They understand their environment better than you do.

Operations must have a voice in security decisions.

When operators feel heard and their constraints are understood, they become allies in security rather than obstacles to overcome.

Leadership must bridge the gap.

The most successful security transformations we’ve seen start with executive sponsorship that forces collaboration between IT and operations. When leadership treats security as an operational priority rather than an IT problem, culture shifts.

What Actually Works: The Practical Path Forward

If you’re responsible for security in an operational environment—utilities, manufacturing, critical infrastructure of any kind—here are some practical steps to bridging the IT/OT divide:

Understand how your people actually work

Not how your policies say they should work.

  • Tour your facilities.
  • Talk to operators during overnight shifts. Understand their shortcuts and why those shortcuts exist.
  • When you see workarounds, ask “why” before you say “no.”

Design for human behavior.

  • Every security control should account for how humans will respond. If your control creates friction that slows down critical operations, operators will find workarounds.
  • Design controls that make the secure path the convenient path. The goal is to eliminate the tension between security and productivity.

Segment thoughtfully.

  • Network segmentation isn’t about building walls everywhere. It’s about creating zones that match operational and business functions, with appropriate controls between zones.
  • Think about how information and people actually flow through your facility, then design your security architecture to support that reality.
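The isolated guest Wi-Fi described earlier and the zone-based segmentation above both come down to one question: which zone-to-zone flows are allowed, and does observed traffic actually respect that? The following is an added example, not part of the original article or any Luminary ACE tooling. It models three hypothetical zones (guest Wi-Fi, corporate, OT control) with assumed private address ranges, a small allow-list of zone pairs, and an audit that runs constructed flow-log lines through the policy so that a personal device or an unmanaged hub reaching into the control network shows up as a violation rather than going unnoticed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone addressing for a filter plant (assumed, not from the article).
ZONES = {
    "guest_wifi": ipaddress.ip_network("10.90.0.0/24"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ot_control": ipaddress.ip_network("192.168.50.0/24"),
}
INTERNET = "internet"
UNKNOWN = "unknown"  # private space that belongs to no designed zone (e.g. an unmanaged hub)

# Zone pairs that may talk to each other. Anything not listed is denied, so the
# guest network reaches the internet and nothing else, and OT stays isolated.
ALLOWED_FLOWS = {
    ("guest_wifi", INTERNET),
    ("guest_wifi", "guest_wifi"),
    ("corporate", INTERNET),
    ("corporate", "corporate"),
    ("ot_control", "ot_control"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; non-private space is treated as the internet."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:
        return INTERNET
    for name, net in ZONES.items():
        if addr in net:
            return name
    return UNKNOWN


def evaluate(flow: Flow):
    """Return (src_zone, dst_zone, allowed) for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    return src_zone, dst_zone, (src_zone, dst_zone) in ALLOWED_FLOWS


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'src=... dst=... dport=...' flow record."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def audit(lines):
    """Return the flows that violate the zone policy, with the zones involved."""
    violations = []
    for line in lines:
        flow = parse_flow_line(line)
        src_zone, dst_zone, allowed = evaluate(flow)
        if not allowed:
            violations.append((flow, src_zone, dst_zone))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=10.90.0.23 dst=142.250.72.14 dport=443",   # guest phone to the internet: fine
    "src=10.90.0.23 dst=192.168.50.10 dport=502",   # guest phone to a PLC: violation
    "src=10.10.4.8 dst=192.168.50.10 dport=502",    # corporate host to a PLC: violation
    "src=172.16.5.5 dst=192.168.50.20 dport=44818", # unmanaged-hub segment to OT: violation
    "src=192.168.50.10 dst=192.168.50.20 dport=502",# PLC to PLC inside OT: fine
]

if __name__ == "__main__":
    for flow, src_zone, dst_zone in audit(SAMPLE_FLOWS):
        print(f"DENY {src_zone} -> {dst_zone}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Running it lists the three flows the policy forbids. The point is the shape of the check, not the addresses: once zones and allowed pairs are written down, the same table drives both the firewall rules between zones and the audit of what is actually crossing them, so a workaround that punches through a zone boundary is detected instead of discovered on a walkthrough.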

Build collaboration into your structure.

  • If your IT and operations teams operate in separate silos, your security program will fail.
  • Create forums, joint projects, and shared objectives that force collaboration.

Get leadership buy-in.

  • Security transformation without executive sponsorship becomes an IT initiative that operations ignores.
  • With leadership support, it becomes an organizational priority that everyone owns.
  • The most successful engagements we’ve had started with leaders who understood that this isn’t just an IT problem, it’s a business risk.

The Human Element of Security

At its core, cybersecurity is a human problem masquerading as a technical challenge.

When we treat security as purely a technical discipline—firewalls, encryption, access controls—we miss the fact that every security control ultimately depends on human beings implementing, using, and maintaining it.

The organizations that get this right are the ones that understand their people, design for actual behavior, and build security into operations rather than bolting it on afterward.

If you’re struggling to bridge the IT/OT divide in your organization, let’s talk about what actually works. At Luminary A.C.E., we specialize in building security programs that work with your operational realities—not against them.