The Consulting Frustration Angle

The $75,000 Risk Assessment That Changed Nothing: Why OT Cybersecurity Consulting Is Broken

Recently I was talking with the risk manager for a mid-sized food processing facility. His company had completed an OT cybersecurity risk assessment engagement with a consulting firm. Their final deliverable, a lengthy PDF document, now sits untouched on a SharePoint site.

"We paid $75,000 to be told our systems are at risk," he told me. "But when I asked what to do first, where to actually start, they told me everything was 'high priority.' Their cheapest recommendation is over half my total annual budget."

This isn't an isolated incident. It's becoming the norm.

The Expensive Theater of Modern Risk Assessments

The OT cybersecurity consulting model is fundamentally broken for small and medium-sized organizations. Here's how it typically works:

A consulting team arrives on-site for a few days. They interview staff, photograph equipment, and run some network scans. Six to eight weeks later, you receive a beautifully formatted report that:

  • Maps your environment to NIST, ISA/IEC 62443, or another industry framework

  • Identifies dozens or hundreds of "findings"

  • Recommends solutions that exceed your annual IT budget

  • Provides generic remediation guidance that doesn't account for your operational constraints

The report looks impressive. It checks compliance boxes. And it's almost completely useless for actually improving security posture.

Why the Current Model Fails

They don't understand YOUR context.

That 1990s-era Allen-Bradley PLC controlling the mixing line? The consultant's report says it's "end-of-life" and recommends replacement. What it doesn't say is that replacement requires a three-week production shutdown you can't afford, recertification that takes six months, and finding technicians who understand systems your equipment vendor no longer supports.

Generic frameworks treat all risks equally. But in your world, some risks are theoretical while others could shut down production tomorrow. The difference matters enormously, yet most assessments fail to make these distinctions in ways that align with operational reality.

They're optimized for billable hours, not outcomes.

Traditional consulting engagements are structured around time and materials. More complexity means more hours. More hours means higher revenue. There's no incentive to make risk assessment simple, fast, or actionable.

I've reviewed assessments where consultants spent weeks documenting network architecture that the client already had mapped. Or writing 40 pages explaining what SCADA systems are to an audience of process engineers who've worked with them for 20 years.

The expertise gap is real.

Many cybersecurity consultants excel at IT security but struggle with OT realities. They don't understand why you can't "just patch" a critical system that requires 99.9% uptime. They don't grasp why network segmentation isn't as simple as adding a firewall when you have serial protocols and multicast traffic.

So their recommendations, while technically sound in an IT context, are operationally naive in an OT environment.

The Hidden Cost: Paralysis

The real downside to these expensive, unusable assessments is they create organizational paralysis.

After spending significant budget and political capital on an assessment that yields no actionable path forward, leaders become cynical about cybersecurity initiatives. "We already did that and got nothing useful" becomes the response to future proposals.

Meanwhile, the actual risks remain unaddressed. The vulnerabilities persist. The exposure grows.

What Actually Works

Effective OT risk assessment requires three things that traditional consulting rarely delivers:

1. Context-Specific Analysis

Risk must be evaluated in the context of YOUR specific environment, constraints, and priorities. A pharmaceutical manufacturer and a water treatment plant might have similar SCADA architectures, but completely different risk profiles, operational constraints, and regulatory requirements.

Assessment approaches must account for:

  • Your actual operational windows and maintenance schedules

  • Your existing technical capabilities and staff expertise

  • Your realistic budget and resource constraints

  • Your specific threat landscape and asset criticality

2. Prioritization That Reflects Reality

Not all risks are equal. Not all recommendations are feasible. Effective assessment separates:

  • Critical risks requiring immediate action vs. long-term architectural improvements

  • Quick wins that improve posture with minimal disruption vs. major initiatives

  • Controls you can implement with existing resources vs. those requiring external help

The goal isn't a comprehensive catalog of every possible security measure—it's a roadmap you can actually execute.
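As an added illustration of points 1 and 2 (not code from the original article), the following model scores each finding by operational risk and then buckets it by whether the site can actually afford the fix and fit it into a maintenance window. The site context and the findings are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    severity: int           # 1-5, technical severity as the assessment rated it
    production_impact: int  # 1-5, how badly the plant is hurt if this is exploited
    cost_usd: int           # estimated remediation cost
    downtime_hours: float   # production downtime the fix requires
    needs_external: bool    # needs expertise the site's own staff lacks

@dataclass
class SiteContext:
    annual_budget_usd: int           # realistic security budget for the year
    maintenance_window_hours: float  # longest planned outage the plant can take

def risk_score(f: Finding) -> int:
    # Operational risk: severity weighted by what an incident does to production (1..25).
    return f.severity * f.production_impact

def classify(f: Finding, ctx: SiteContext) -> str:
    # Bucket by risk AND by whether the fix is feasible for this site.
    affordable = f.cost_usd <= ctx.annual_budget_usd
    fits_window = f.downtime_hours <= ctx.maintenance_window_hours
    if not (affordable and fits_window):
        return "long-term"       # real risk, but needs a funded, scheduled project
    if risk_score(f) >= 15:
        return "immediate"       # high operational risk and feasible now
    if not f.needs_external:
        return "quick win"       # modest risk, fixable with in-house staff
    return "scheduled"           # modest risk, feasible but needs outside help

def build_roadmap(findings, ctx):
    # Group findings by bucket, highest operational risk first within each bucket.
    roadmap = {b: [] for b in ["immediate", "quick win", "scheduled", "long-term"]}
    for f in sorted(findings, key=risk_score, reverse=True):
        roadmap[classify(f, ctx)].append(f.name)
    return roadmap

# Constructed sample: a mid-sized food plant with a modest budget and a 24 h outage window.
SITE = SiteContext(annual_budget_usd=120_000, maintenance_window_hours=24)
FINDINGS = [
    Finding("Legacy PLC on mixing line is end-of-life", 4, 5, 250_000, 504, True),
    Finding("Vendor remote access uses a shared password", 4, 4, 2_000, 0, False),
    Finding("Flat network between office and plant floor", 5, 4, 60_000, 40, True),
    Finding("No offline backups of PLC programs", 3, 5, 1_500, 0, False),
    Finding("HMI workstation on an unsupported OS", 3, 3, 8_000, 4, False),
]

if __name__ == "__main__":
    for bucket, names in build_roadmap(FINDINGS, SITE).items():
        print(f"{bucket}: {names}")
```

Note that the end-of-life PLC scores as high a risk as the flat network, yet both land in the long-term bucket because neither fits the budget or the outage window, which is exactly the distinction a generic "everything is high priority" report fails to make.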

3. Continuous, Not Point-in-Time

Your OT environment changes. Equipment is added or decommissioned. Threats evolve. Treating risk assessment as a once-every-three-years compliance exercise misses the point entirely.

You need ongoing visibility into your risk posture that adapts as your environment changes—not a snapshot that's outdated before the ink dries.

Moving Forward

There's an uncomfortable truth that needs to be acknowledged: small and medium organizations are priced out of premium risk assessment services, while many so-called specialized services deliver questionable value even to those who can afford them.

SMBs face the same threats as enterprise organizations. Ransomware doesn't check revenue before attacking. Nation-state actors targeting industrial sectors don't discriminate based on company size.

Yet we've created a model where effective OT risk assessment requires enterprise budgets and enterprise resources.

There's a better way. Risk assessment can be accessible, actionable, and aligned with operational reality. It can focus on helping organizations improve rather than documenting everything they're doing wrong.

But it requires rethinking the fundamental approach: moving from expensive consulting theater to tools and frameworks that empower organizations to understand and address their risks in context.

Your operations deserve protection. Your budget deserves respect. And your risk assessment should deliver both.

