If you’re a technologist, especially if you’re coming from IT into OT, you probably already know your way around networks, endpoints, patching cycles, and incident response playbooks.
But what’s not in your runbooks, and what’s crucial when it comes to your ultimate success within OT, are your soft skills. Specifically, how well you work with people, processes, and environments.
Even if you have plenty of rizz and people generally like you, this can still be trickier than it seems when the definition of “secure” looks very different from your tech (or even workplace) roots. A manufacturing facility or dam is a long way from a cubicle.
1. Humility: You’re (hopefully) not the smartest person in the room
Operators, engineers, and plant managers have decades of experience keeping systems running under constraints most tech and IT professionals have never encountered. They understand the physical process (and consequences of mistakes) in a way no vulnerability scanner ever will.
Your co-workers have gotten to know some of these legacy devices better than they know their own neighbors. Most operators understand highly specific quirks and idiosyncrasies of their respective environments, none of which are included in any onboarding or orientation session. That knowledge helps them make important determinations about alerts, repair/patch schedules (if and when those are even an option), and how to maintain safety and uptime. Your first job is to listen and learn from them.
If you walk in talking about “critical patches” without understanding operational impact, you’re not going to be seen as helpful… you’ll be seen as dangerous.
What humility looks like in practice:
- Asking before telling
- Listening more than you speak
- Admitting when you don’t understand a process
You’ll gain a lot more respect from your colleagues if you admit what you don’t know than if you act as though you know everything.
2. Relationship-Building: Security runs on trust
OT environments run on relationships, not just tech. The people running OT or ICS campuses often rely on archival knowledge, long-standing workflows (sometimes based on specific people and preferences), and occasionally informal communication channels.
If you’re not part of that ecosystem, you’re outside the security perimeter in a very real way.
Pro tip (yes, really): bring food. Well, good food.
Showing up with coffee or lunch isn’t manipulation; it’s signaling that you respect people’s time and want to build rapport. It helps alleviate stress in a high-pressure environment and offers a small excuse to chat and get to know your co-workers. It also makes you an actual part of the team and helps chip away at that “new guy/gal” veneer you’ll have at first.
What relationship-building looks like in practice:
- Spending time on-site, not just remote
- Learning names, roles, and responsibilities
- Being present before there’s a problem
3. Translation: Speak both “IT” and “Operations”
One of the biggest failure points for IT-to-OT transitions, though this can be true for someone entering OT for the first time as well, is language.
Telling an operator that a system is “vulnerable to remote code execution” doesn’t mean much if they’re thinking in terms of throughput, safety interlocks, and production schedules.
You need to translate risk into operational impact (see point one).
This can be more about vocabulary than framing.
Instead of:
“We need to patch this immediately.”
Try:
“There’s a risk this system could be remotely disrupted, which could halt production or affect safety systems.”
Now you’re speaking their language.
What this “translation” looks like in practice:
- Framing cybersecurity in terms of uptime, safety, and reliability
- Avoiding jargon when it doesn’t serve the audience, though there may be some site-specific slang you’ll want to brush up on
- Bridging gaps between engineering, operations, and IT teams
4. Patience: “Right Now” isn’t always an option
Many technologists operate with urgency as the default setting.
But in OT, urgency can be reckless.
You can’t just reboot a system controlling a live industrial process. You can’t always patch during production. And sometimes, the safest thing to do… is wait.
This is one of the hardest adjustments for IT professionals.
What patience looks like in practice:
- Working within maintenance windows (even if they’re weeks or months away)
- Accepting compensating controls instead of immediate fixes
- Understanding that “secure enough” may be the right answer for now
Patience in OT isn’t delaying fixing or securing; it’s risk management.
5. Curiosity: Learn the process, not just the network
If you don’t understand what the system does, you can’t effectively protect it.
OT environments are deeply tied to physical processes, regardless of what sector you’re in. Manufacturing, energy, water, and transportation all have their own logic, constraints, and failure modes. Each specific site for these will have its own workplace culture and vibe. Take the time to get to know both.
What curiosity looks like in practice:
- Asking operators to walk you through workflows
- Learning how systems behave under normal conditions
- Understanding what “failure” actually looks like in the real world (and to the operators)
The more you understand the process and the people making decisions behind those processes, the better your security decisions will be.
6. Negotiation: Security is a series of tradeoffs
In OT, there is no such thing as “perfect” security. Every control has a cost: performance, availability, safety, or operational complexity. Your job is not to eliminate risk entirely; it’s to reduce it without breaking the system.
That requires negotiation.
What negotiation looks like in practice:
- Collaborating on risk acceptance decisions
- Finding middle-ground solutions (e.g., segmentation instead of shutdown)
- Respecting operational priorities while advocating for security
Because in OT, “safety” and “security” don’t just mean there’s a lack of intrusion or malicious penetration into the system. They can also mean that the water flowing from people’s taps is still clean, that power transformers won’t overload, that automated train systems are running on time, and that shipping systems continue to operate.
7. Accountability: Own the outcome, not just the recommendation
In IT, it’s often easy to recommend a fix and move on.
In OT, your recommendations have real-world consequences. If something goes wrong, it won’t just be a ticket; it could be downtime, financial loss, or safety incidents.
That means you need to think beyond the recommendation. The process is partly yours, not just the solution.
What accountability looks like in practice:
- Following through on implementation
- Validating that controls work in the real environment
- Being present when changes are made
Tech Skills Get You In, But Soft Skills Let You Stay
The transition from IT to OT is more than just a change in technology… It’s a shift in mindset. Success in OT cybersecurity isn’t about how many CVEs you can enumerate or how quickly you can deploy patches. It’s about how effectively you can operate in an environment where availability and safety are just as critical as security.
