Compliance Is Not Readiness: What Critical Infrastructure Leaders Get Wrong About Cyber Security

For many critical infrastructure organizations, compliance is the benchmark leaders focus on when evaluating Cyber Security performance. Policies are documented. Controls are referenced. Frameworks are reviewed. Checklists appear complete. On the surface, everything looks aligned with industry standards.

This confidence is understandable. Compliance frameworks such as NERC CIP, NIST CSF, ISO 27001, IEC 62443, and TSA Pipeline Security were created to guide organizations toward responsible Cyber Security practices. But these frameworks were never designed to guarantee security. They were created to establish minimum expectations.

This is where many leaders misunderstand the role compliance plays in Cyber Security readiness. They assume that because documentation exists, or because a previous audit was successful, their environment is secure. That assumption creates a significant and often costly gap between compliance and true readiness.

The Core Misconception: Documentation Is Not Execution

Compliance frameworks establish what should exist. They do not verify what actually happens inside your OT environment. Many organizations produce documentation that appears complete yet does not reflect day-to-day reality.

For instance, access control policies may specify that all accounts require MFA, but shared credentials may still exist within engineering teams. Backup policies may look strong on paper, yet the actual restore process has not been tested for years. Asset inventories may be included in compliance reports, but in practice, many organizations have never validated the full list of systems, network segments, or dependencies.

Auditors care about evidence. They look for proof that a control is not just documented but consistently followed. They examine whether processes operate as intended. They test whether governance structures reinforce security or simply describe it.

Documentation without execution is not readiness. It is a risk.

Why Compliance Is Not Enough for OT Environments

Critical infrastructure environments have unique challenges that compliance frameworks cannot fully address. OT systems are built for stability and safety. They rely on legacy components, vendor-managed equipment, and networks that were never designed for modern Cyber Security expectations.

Compliance frameworks assume a level of visibility and control that many organizations do not actually possess. For example:

  • Legacy PLCs cannot support modern identity requirements
  • Remote access for vendors may bypass centralized controls
  • Segmentation described in documents may not match real traffic paths
  • Systems may be managed through manual processes rather than automated enforcement
  • Maintenance windows may be limited, delaying security changes


Leaders often believe compliance is enough because these constraints make deeper Cyber Security maturity feel difficult. Compliance becomes the “achievable” outcome. Yet attackers do not follow compliance boundaries. They exploit what is real, not what is documented.

This gap between compliance expectations and operational reality creates a significant blind spot.

The Compliance Readiness Gap in Canada

The 2025 Canadian National OT Cyber Security Report highlights a clear pattern. Many critical infrastructure organizations believe they are compliant, but when asked to demonstrate control execution, they struggle.

Several findings stand out:

  • Asset inventories remain incomplete
  • Identity governance is inconsistent across OT and IT systems
  • Remote access control evidence is difficult to produce
  • Change management documentation does not match actual changes
  • Segmentation diagrams do not reflect true network pathways


The report does not show a lack of effort. It shows a lack of alignment between compliance documentation and operational practice.

This is the compliance readiness gap.
It is one of the most common, yet least discussed, challenges in critical infrastructure Cyber Security.

Why Passing an Audit Once Does Not Prove Security

Many organizations point to previous audit results as signs of strength. While audits are important, they do not always reveal deeper issues. They often focus on a defined subset of systems or controls. They evaluate specific timeframes. They rely on samples.

None of this guarantees that your environment remains compliant, or that security controls are functioning today the way they were months or years ago.

OT environments evolve constantly. New connections appear. Temporary changes become permanent. Vendor systems introduce new pathways. Teams shift roles. Processes that were followed during audit preparation may not be followed consistently once the audit concludes.

Readiness is not a snapshot.
Readiness is a continuous operational posture.

Compliance Without Maturity Creates a False Sense of Security

Compliance frameworks are not designed to measure:

  • process consistency,
  • governance strength,
  • cultural adoption,
  • organizational capability,
  • or operational reality.


This is where maturity assessments matter. They provide depth that compliance cannot. A maturity assessment might reveal that access control exists, but enforcement is inconsistent. It may show that change management is documented yet not followed. It may uncover that monitoring tools are present but not fully understood.

Without maturity, compliance becomes surface-level. Leaders believe they are secure because they can produce documents, not because their Cyber Security practices are strong.

Three Signals Your Organization Is Not Audit Ready

Critical infrastructure leaders should pay close attention to these signs:

1. Your documentation and your actual environment do not match.

If diagrams, inventories, or access lists feel outdated, they probably are.

2. Controls rely heavily on tribal knowledge.

If a few key individuals “know how things work,” auditors will find inconsistencies. 

3. Evidence is scattered across multiple teams or systems.

If you cannot easily prove control execution, you are not audit-ready. 

These signals do not indicate failure. They indicate opportunity. Recognizing them early helps organizations avoid nonconformities, delays, and unplanned remediation efforts.

The Path From Compliance to Readiness

Leaders can strengthen readiness by shifting focus from documentation to capability. This shift begins with asking deeper questions:

  • Can we demonstrate how our controls actually operate?
  • Do we know how identity is managed across all systems, not just some?
  • Can we explain every remote access pathway?
  • Do our inventories reflect reality or assumptions?
  • Does governance reinforce Cyber Security or merely describe it?


Organizations that challenge their own assumptions make faster progress. They move from minimum expectations toward true resilience.

Readiness Builds Trust and Reduces Risk

When organizations strengthen compliance readiness, they achieve more than audit success. They improve operational integrity. They reduce uncertainty. They build confidence among executives, regulators, and operational teams.

Compliance is a milestone.
Readiness is a mindset.
Maturity is a capability.

Each reinforces the other, but compliance alone is never enough.

A Logical Next Step

If this perspective resonates, the deeper dive is inside the full ebook, The Pathway to OT Cyber Resilience. It explains:

  • The compliance readiness gap
  • Why maturity assessments reveal real capability
  • The difference between posture, readiness, and risk assessments
  • How roadmaps convert insight into action
  • Lessons from real incidents affecting critical infrastructure


You can access the full guide through Dexcent’s resource library.
