“Just Migrate to the Cloud” and Other Bad Advice for OT Security Leaders

The Audacity of Demanding Change

If you’re a security leader working with operational technology (OT) and cyber-physical systems (CPS), there’s one piece of advice that’s likely raised your eyebrows – and your blood pressure:

“Just migrate everything to the cloud.” 

Or perhaps: 

“You just need to update your legacy systems.” 

Or even: 

“Change your entire infrastructure – and then our solution will work.” 

If you’ve been on the receiving end of pitches like these, you’re not alone. It’s actually quite common for vendors to expect customers to implement large-scale changes to accommodate their security solutions. 

But for the practitioners tasked with providing secure remote access to OT systems and protecting industrial operations, advice like this isn’t just tone-deaf – it’s fundamentally unworkable. 

When your systems are safety-critical, always-on, and often decades in the making, changing them isn’t a quick fix. It’s a calculated risk – and one you might not actually need to take. 

Because here’s the truth: the best security solution is the one that works with what you already have. Not the one that needs you to rebuild everything before it can even be deployed.

Now, let’s look more closely at the real cost of rebuilding your infrastructure for a new security tool and why security should fit your existing environment (not the other way around). 

Why “Just Change Everything” Doesn’t Work in OT 

Security vendors love to recommend infrastructure changes as a starting point. But for OT teams, these changes come at a high cost. 

After all, industrial environments aren’t blank slates. They’re built on decades of optimization, with systems that are tuned, trusted, and, yes, sometimes a little out of date.  

But here’s the thing: they work. 

And ripping them out to meet a security vendor’s expectations isn’t just an enormous hassle. It’s also a huge risk. 

CISOs and other security leaders in industrial organizations understand that change – especially the kind that touches infrastructure – is never “just” anything. 

In information technology (IT) environments, cloud migrations, frequent updates, and patching exercises are routine. But OT and CPS are different: 

• Operational availability is king. Disruption too often leads to downtime. In some sectors, even a few seconds offline could spell danger, rippling through production lines, energy grids, or supply chains. 

• The cloud isn’t always an option. From compliance constraints to air-gapped networks, many OT environments can’t (or won’t) adopt cloud-first solutions, limiting the effectiveness of solutions that require cloud connectivity.

• Legacy systems still run the show. They’re essential, not optional – and for good reason. They’re stable. They’re critical. And they’re not going anywhere. 

When a security vendor overlooks these realities and suggests changing your entire setup to make their own lives easier, they’re not solving your problem – they’re creating a new one. 

Security Solutions Shouldn’t Ask You to Change – They Should Adapt to You 

Too often, secure access tools are still built with IT environments in mind. Then, when those tools fall short in OT settings, the burden is placed on the organization to adapt. 

But let’s flip the question: Why should your systems bend to fit someone else’s solution? 

Wouldn’t it make more sense for a solution you're buying to fit the infrastructure?  

Indeed, security should fit around your reality – not demand a different one. 

The last thing OT security leaders need is another vendor telling them to modernize. Instead, they need a secure remote access solution that: 

• Deploys quickly, quietly, and without disruption – without needing to overhaul existing infrastructure.  

• Integrates with what already works – so users don’t have to learn new systems or alter existing workflows, making adoption easier and faster. 

• Seamlessly adds modern security protections to legacy systems – closing off a common access point for attackers without introducing instability through unnecessary change. 

• Supports secure remote access without requiring a cloud migration – so you get to keep your systems where you want them and see results without spending months (and millions) just getting set up.

Because at the end of the day, good security doesn’t force transformation – it supports it. 

A Shift in the Industry (Finally!) 

Let’s be clear: OT environments will continue to evolve. Modernization, digitalization, and connectivity demands are part of today’s landscape. 

But there’s a difference between strategic process and reactive change. Replacing your systems to fit a vendor’s tool isn’t progress - it’s a workaround. And in safety-critical environments, workarounds don’t cut it. 

Thankfully, the tide is beginning to turn.  

Some secure access vendors are beginning to recognize the need for a different approach – one that doesn’t treat OT like an afterthought. These vendors offer tools that are infrastructure-agnostic, modular, and built to deploy seamlessly in even the most sensitive environments. 

Cyolo is one example. 

Founded by a former CISO who experienced the challenges of OT access firsthand, Cyolo was created to solve two core problems:  

1. Security shouldn’t force change management. 

2. Security should boost (not inhibit) both productivity and operational agility. 

Cyolo’s approach is refreshingly simple – provide secure remote access that doesn’t require cloud connectivity, doesn’t demand downtime, and doesn’t treat legacy systems like liabilities. 

Whether or not you’re currently in the market for a new access solution, this shift in mindset – toward solutions that adapt instead of disrupt – is one worth watching. 

Want To Go Deeper? We’ve Got a Guide for That 

If you’re exploring your next secure remote access move, it pays to ask the right questions upfront – before committing to a solution that demands more than it delivers. 

Need help navigating the process of choosing the right SRA solution for your OT environment? Get your copy of The Manufacturers’ Guide to Secure Remote Access for OT.

Inside, you’ll find 8 questions every security leader should ask before selecting an SRA tool.

Don't work in manufacturing? Don’t let the guide’s name fool you. Whether you’re in energy, oil & gas, or any other industrial sector, this guide will help you ask the right questions, spot the wrong answers, and choose a solution that fits your needs and your tech stack.