FOCUS
Security Assessment between IT and OT: an integrated approach to Corporate Security
Why companies must assess their security posture; how the scenario changes between information and industrial systems; two real-world examples.
During the European Cybersecurity Awareness Month 2025, we focus on the topic: Cybersecurity Assessment – From Risk to Remediation.
In the first half of 2025, over 1.2 million alerts of exposed data were recorded in Italy (source: CRIF Cyber Observatory, La Repubblica). This figure paints a clear picture: no sector is immune from cyber threats.
Banks, insurance companies, public institutions, manufacturing industries—all organizations today face a risk that is not only IT-related but also strategic and operational.
In this context, the Security Assessment is a fundamental tool to understand one’s exposure, map vulnerabilities and gaps, and build a concrete improvement plan. Its strength lies in its ability to embrace both the IT (Information Technology) and OT (Operational Technology) domains, highlighting differences and priorities while maintaining a consistent methodological approach.
IT and OT: different priorities, same goal
The principles of security—Confidentiality, Integrity, and Availability—apply to both domains, but operational priorities differ.
- In IT, the focus is often on Confidentiality (protection of sensitive data): networks, servers, cloud, and information assets.
- In OT, the top priority is operational continuity and physical safety: a plant shutdown caused by malware or an attack on control systems can lead to major economic losses, production stoppages, or even risks to human safety.
“It’s precisely the difference in priorities that makes an integrated IT/OT approach essential: only by seeing both ecosystems as parts of the same puzzle can companies build truly effective security,”
says Simone Ogadri, Cybersecurity Engineering Manager at Italtel.
Security Assessment: the tool to build your security
A Security Assessment is a comprehensive analysis that evaluates a company’s security level across three main dimensions:
- Technological → not only perimeter defense but deep analysis of systems, networks, and applications.
- Organizational → processes, procedures, roles, and policies affecting security.
- Regulatory → compliance with standards and regulations such as NIS2, ISO 27001, IEC 62443, NIST CSF, and the Machinery Directive.
The NIS2 Directive requires organizations to adopt a structured approach to cyber risk management, demonstrating awareness of their exposure and implementing appropriate, proportional, and documented security measures. In this context, the Security Assessment becomes the key tool for compliance—it enables organizations to evaluate their current security state, identify vulnerabilities, compliance gaps, and operational continuity risks across both IT and OT.
The process begins with field data collection: interviews with IT and OT teams, network architecture analysis, and vulnerability assessment campaigns. This reveals hidden issues and turns analysis into measurable actions. Duration ranges from a few weeks (for medium-sized enterprises) to several months (for multinationals with complex IT/OT infrastructures).
“A crucial phase is identifying gaps—not only technical (insufficient hardening, lack of segmentation, missing access controls, exposed applications) but also procedural and organizational misalignments that may pose risks. Here the analysis becomes deeper, reaching the core of corporate governance,”
adds Simone Ogadri.
Once the assessment base is established, a risk analysis follows, applying standards such as ISO 27005, ISO 31000, and IEC 62443, supported by risk matrices and existing or custom threat catalogs. Risks are classified by probability and impact, and best-practice countermeasures are defined to prepare a remediation plan.
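The probability-by-impact classification described above, as an added example that is not taken from the article or from Italtel: a small Python risk matrix in which the weighting of the C/I/A impact dimensions shifts by domain, so the same finding scores higher when the affected asset is OT (availability and safety first) than when it is IT (confidentiality first). The domain weights, the score thresholds and the sample findings are constructed assumptions, not figures from ISO 27005, ISO 31000 or IEC 62443.

```python
import math
from dataclasses import dataclass

# Assumed domain weighting of the CIA dimensions (constructed for this example,
# not taken from any standard): IT weights confidentiality highest, OT weights
# availability highest, because an OT outage means production loss or a safety risk.
DOMAIN_WEIGHTS = {
    "IT": {"C": 1.0, "I": 0.8, "A": 0.6},
    "OT": {"C": 0.4, "I": 0.8, "A": 1.0},
}

# Assumed score bands for a 5x5 matrix (probability 1..5 times impact 1..5 = 1..25).
RISK_LEVELS = (
    (20, "Critical"),
    (12, "High"),
    (6, "Medium"),
    (1, "Low"),
)


@dataclass
class Risk:
    name: str
    domain: str        # "IT" or "OT"
    probability: int   # 1 (rare) .. 5 (almost certain)
    impact: dict       # per-dimension impact, keys "C", "I", "A", values 1..5


def weighted_impact(risk: Risk) -> int:
    """Collapse the C/I/A impact vector into a single 1..5 value using the domain weights."""
    weights = DOMAIN_WEIGHTS[risk.domain]
    worst = max(weights[dim] * value for dim, value in risk.impact.items())
    return min(5, max(1, math.ceil(worst)))


def risk_score(risk: Risk) -> int:
    """Classic matrix cell: probability times (domain-weighted) impact."""
    return risk.probability * weighted_impact(risk)


def classify(score: int) -> str:
    """Map a 1..25 score onto the qualitative band used in the remediation plan."""
    for threshold, label in RISK_LEVELS:
        if score >= threshold:
            return label
    return "Low"


def prioritize(risks):
    """Return (name, domain, score, level) tuples, highest score first."""
    rows = [(r.name, r.domain, risk_score(r), classify(risk_score(r))) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample findings of the kind a gap analysis produces.
# The first two share one impact vector; only the domain differs.
SAMPLE_RISKS = [
    Risk("HMI reachable from corporate LAN (no segmentation)", "OT", 4, {"C": 2, "I": 4, "A": 5}),
    Risk("Same finding, if the asset were an IT workstation", "IT", 4, {"C": 2, "I": 4, "A": 5}),
    Risk("Customer database without encryption at rest", "IT", 3, {"C": 5, "I": 3, "A": 2}),
    Risk("Shared maintenance account on PLC engineering station", "OT", 3, {"C": 3, "I": 5, "A": 4}),
]

if __name__ == "__main__":
    for name, domain, score, level in prioritize(SAMPLE_RISKS):
        print(f"{level:8} {score:2}  [{domain}] {name}")
```

Running the block orders the findings Critical (20), High (16), High (15), High (12): the unsegmented HMI lands in the Critical band only because it sits in OT, while the identical impact vector on an IT asset stays High. In a real assessment the weights and bands are agreed with the customer up front and documented, because they decide what reaches the top of the remediation roadmap.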
The risk analysis results lead to an updated Gap Analysis document, enriched with elements needed to implement the security measures defined by the NIS2 Directive.
Next comes the remediation roadmap—a structured plan of concrete, progressive actions. This goes beyond fixing single vulnerabilities: it defines an evolutionary path, which may include adopting Zero Trust Architecture, strengthening access control systems, and introducing continuous monitoring.
“A Security Assessment is a journey—from awareness to risk analysis to an operational plan that makes the organization safer, more resilient, and ready for future challenges. The result is not just a list of issues, but a clear, actionable vision that guides the company in targeted and sustainable decisions.”
continues Simone Ogadri.
Choosing the right partner
An effective Security Assessment requires a partner with cross-disciplinary expertise—combining regulatory knowledge (NIS2, ISO, IEC), technical know-how (IT, OT, cloud, networking), and organizational vision (processes, governance, risk management).
“The key is to rely on a specialized consultant who ensures a structured methodology and tangible results. Our field experience demonstrates this value: we’ve supported companies in various sectors with complete Security Assessments. In the insurance sector, we strengthened the security and aligned policies of a major European group. In the industrial sector, a NIS2-oriented assessment for a leading scanner manufacturer improved incident management, OT resilience, and operational continuity,”
concludes Simone Ogadri.
In a world of exponentially growing threats, the Security Assessment is not a formality but a strategic investment. It helps organizations protect their value, ensure operational continuity, and safeguard their reputation.
Above all, it proves that IT and OT can no longer be treated as separate worlds—only an integrated approach can build tomorrow’s security today.