
By Alain Sanchez, EMEA Field CISO at Fortinet
Executive Summary:
The role of the Chief Information Security Officer (CISO) has transcended the traditional boundaries of IT security. With the rapid convergence of Information Technology (IT) and Operational Technology (OT), critical infrastructures are subject to more and more legal requirements. From national logistics to massive retail ecosystems, critical infrastructures are now digitized and under siege. Driven by stringent new legal mandates across EMEA and a surge in real-world disruptions, boardrooms are recognizing that cyber resilience is no longer an IT spending line item but a fundamental pillar of national security and business continuity. This article explores why a unified, high-performance architectural approach is the only way to secure and protect the critical infrastructures of our modern society.
The role of the CISO is undergoing a profound and irreversible mutation. Historically, our mandate was relatively confined: secure the data, protect the intellectual property, and ensure the enterprise network remains uncompromised. Over the last five years, new dimensions have emerged in our job description; the perimeter we are tasked with defending has exploded outward. We are no longer merely custodians of digital information; we are the guardians of the physical world.
The critical infrastructures that sustain our societies, from logistics and energy to healthcare, finance, and even sprawling retail ecosystems, have now reached such levels of digitalization, and are so interconnected, that they have become a single fabric of interdependent value. That very value is the ultimate target of attacks aimed at destabilizing our societies.
The Shifting Legal Framework: From Recommendations to Strict Mandates
Over the last six months, spanning late 2025 into the first quarter of 2026, during my regular discussions with cyber officers across EMEA, I witnessed the shift first hand. Lawmakers under the direct leadership of governments have scrutinized the role of Operational Technology as part of the value chain. The legal framework they have created is designed to counter the impact of cyber-attacks on national stability.
This extended mandate, together with the role critical infrastructure has been assigned in relation to national defense, has changed the tone of the regulatory environment. Regulatory bodies have moved from issuing “suggestions” to enforcing “strict mandates.” Specific laws have been enacted to shift the burden of proof and the legal fallout directly onto the Board of Directors. For example, the SARB & FSCA Joint Standard 2 of 2024, which officially commenced in June 2025, explicitly mandates cyber resilience for the financial sector. Under these frameworks, the board is ultimately responsible for cybersecurity.
Critical infrastructure regulation is no longer a localized compliance exercise. It is accompanied by severe ramifications, including personal liability, penalties, demotions, and even potential jail time for gross negligence. Furthermore, modern directives like POPIA Section 19 and the Cybercrimes Act Section 54 dictate stringent, rapid-response reporting, often requiring organizations to report breaches within 72 hours and to adhere to a strict 2-hour recovery rule.
When a cyberattack can trigger a ‘force majeure,’ effectively stopping national logistics and causing a catastrophic loss of trade volume that no IT patch can ever recover, the paradigm has shifted.
A Surge in Real-World Disruption
This sweeping legislative reform did not occur in a vacuum; I saw it catalyzed by a surge in debilitating cyberattacks on critical infrastructure over the same timeline. Cyber adversaries have realized that crippling physical operations yields far more leverage than stealing data alone.
A breach is now universally recognized as a “material event,” forcing boards to manage the immediate dip in investor confidence and shareholder value. However, when leadership steps up, the outcome changes. I saw exemplary board-level transparency during a prominent insurance company’s massive data breach, when it took immediate ownership through a CEO-led response and refused to pay the ransom. This meant the company protected its reputational trust, and its stock recovered quickly.
The IT/OT Convergence: Why Silos Must Fall
The rapid expansion of the threat perimeter is intrinsically tied to the convergence of Information Technology (IT) and Operational Technology (OT). In the past, industrial control systems, manufacturing floors, and logistics networks operated in air-gapped isolation. Today, technology acts as the primary enabler for innovation, turning these once-isolated systems into integrated, accessible networks.
To protect converged IT/OT environments, CISOs are aware that they must adopt a holistic view. As I emphasized during a recent executive briefing, “There is no way compliance can be achieved in silos.” Strategic assessment integration is absolutely key. In the Financial Services Industry (FSI), for example, customers do not leave a bank simply because of a slow app; they leave because they no longer trust the institution to protect their life savings.
A Unified Architecture for the Modern Threat Landscape
How do we operationalize this holistic vision? Addressing these complex requirements demands a framework that seamlessly bridges compliance, operations, and networking without stifling business agility. It requires an architectural philosophy grounded in integration.
- Unified Secure Access Service Edge (SASE): This provides the necessary compliance edge by utilizing local enforcement Points of Presence (PoPs) to ensure that highly sensitive data never leaves its legal jurisdiction.
- Intelligent Automation via SecOps: Modern SecOps platforms correlate events, assess incidents, and act on responses automatically. This is critical to slashing the time required to detect, contain, investigate, and remediate threats, shrinking response windows from weeks (in some cases 21 days) down to less than a single hour.
- Dynamic Secure Networking: CISOs need granular network data to dynamically prove segmentation. You must be able to demonstrate to a regulator that a virus originating in a retail bookstore’s point-of-sale system cannot laterally reach a core banking database, while simultaneously measuring and proving a 2-hour recovery time objective. These new legal requirements call for a unified platform.
- Purpose-Built Performance: None of this visibility matters if it introduces latency into critical environments. In OT, the millisecond is the unit of time that matters. Security must offload resource-intensive tasks to deliver low-latency, real-time network security functions without compromising operational speed.
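The segmentation evidence the second bullet asks for (proving that a point-of-sale zone cannot reach a core banking database) can be checked mechanically against a zone-level allow policy, and the 2-hour recovery objective can be checked against an incident timeline. The following is an added example written for this article, not Fortinet product code; the zone names, allow rules, and incident timestamps are constructed sample data. It deliberately treats any allowed flow as a potential pivot, so a transitive path through an over-broad "shared-services" rule is reported even when no direct POS-to-database rule exists.

```python
"""Segmentation and recovery-time evidence checks (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    src: str      # source zone name
    dst: str      # destination zone name
    service: str  # "any" or a named service such as "tcp/443"


def build_graph(rules):
    """Adjacency list: zones reachable in one hop under the allow rules.

    Conservative by design: any permitted service counts as a possible pivot,
    because proving segmentation means showing that no allow-chain exists."""
    graph = {}
    for r in rules:
        graph.setdefault(r.src, set()).add(r.dst)
    return graph


def find_path(rules, src, dst):
    """Breadth-first search; returns the zone chain src -> ... -> dst, or None."""
    graph = build_graph(rules)
    parent = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return list(reversed(path))
        for nxt in graph.get(zone, ()):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def segmentation_report(rules, forbidden_pairs):
    """Evidence dictionary: each forbidden (src, dst) pair maps to the offending
    path if one exists, plus an overall 'compliant' flag for the regulator."""
    findings = {pair: find_path(rules, *pair) for pair in forbidden_pairs}
    return {"findings": findings,
            "compliant": all(p is None for p in findings.values())}


def recovery_within_objective(detected_at, restored_at, objective=timedelta(hours=2)):
    """True when restoration completed within the recovery time objective."""
    return (restored_at - detected_at) <= objective


# Constructed policies. The weak one has no direct POS -> core DB rule, yet the
# over-broad "any" rule from shared-services creates a two-hop path.
WEAK_POLICY = [
    Rule("pos", "shared-services", "tcp/443"),          # POS reaches inventory API
    Rule("shared-services", "core-banking-db", "any"),  # over-broad: pivot point
    Rule("branch-apps", "core-banking-db", "tcp/1433"),
]
HARDENED_POLICY = [
    Rule("pos", "shared-services", "tcp/443"),
    Rule("shared-services", "log-collector", "tcp/514"),  # narrowed outbound flow
    Rule("branch-apps", "core-banking-db", "tcp/1433"),
]
FORBIDDEN = [("pos", "core-banking-db")]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, segmentation_report(policy, FORBIDDEN))
    # Constructed incident timeline: detected 09:00, restored 10:45 (within 2h).
    print("RTO met:", recovery_within_objective(
        datetime(2026, 1, 15, 9, 0), datetime(2026, 1, 15, 10, 45)))
```

Running the block prints a path `pos -> shared-services -> core-banking-db` for the weak policy and `None` for the hardened one; the `compliant` flag is what a regulator-facing report would cite, and the offending path is what the network team needs to fix.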
Digital trust is the absolute foundation of modern business success. Proactively leveraging security is no longer just about defense; it is a strategic differentiator designed to drive consumer trust.
The days of viewing cybersecurity as a purely technical discipline are behind us. Whether we are securing a national railway logistics hub, protecting a financial institution’s core assets, or safeguarding a retailer’s omnichannel network, the mandate for the modern CISO is clear.
Cyber resilience is an operational mandate, compliance demands deep integration, and the board is ultimately accountable. By adopting a unified, high-performance approach to IT and OT security, we can keep cyberattacks at bay and ensure that critical infrastructures remain resilient.