OT Remote Access Is an Efficiency Tool: Why Operational Friction Matters More Than Security Theater
Ian Schmertzler, Co-CEO, Dispel
Jan 8, 2026


It’s the first Wednesday since people got back from the holidays in Austin, which means the flowers are blooming, the sky is blue, and the entire defense industrial base is trying to get through the door to a low-slung chili shack on the north side of town at the exact… same… time… some people never learn.
It is also that time of year when boards and marketing departments ask for colorful but clear-eyed opinions on the state of the cyber market in operational technology. As someone who has spent the last eleven years working in this bizarre arena and is currently standing in line for the aforementioned chili parlor, I have some opinions. For this blog post, the ask was to talk about one topic: the relative importance of efficiency versus security for commercial industrial entities when looking specifically at remote access solutions. This post was not written with AI. The opinions are my own.
Why New OT Cybersecurity Firms Are Struggling
Secure, in its purest form, means audited alignment with all of the sub controls found within the NIST 800-53 High baseline and the NIST 800-82 overlay. That is a lot of controls and, more importantly, most of them cannot be provided by a product unless the company building that product implements strict internal operational controls. The combination of technical, operational, and audit requirements makes Secure next to impossible for a firm to achieve within the investment horizons of venture funds. Just getting there took us three more years than originally forecasted, and several tens of millions of dollars more than I care to think about.
The issue with selling a product that is less than truly Secure is someone will eventually roll down the NIST 800-53 set of controls like a checklist, find a weakness, and blow the proverbial door open. At that point, your business as a supplier of “secure” products is done. We can’t compete on cost with companies willing to skip over security controls in order to get sales.
The result of the barriers to achieving true product “Security” has been predictable – firms invest in reducing the scope that potential customers use to define Secure. In civilian OT cyber settings, the products we historically competed with were VPNs tied to an on-prem jump box. These days, the only thing that has changed is the on-prem box has a Guacamole server running on it with a prettified front end. Is it secure? No, absolutely not. Is it cheap? Yes.
What Drives OT Remote Access Buying Decisions
There are only two reasons why a remote access product marketed as “secure” makes its way into a non-government OT environment: (1) it makes the OT environment more efficient or (2) it checks a box on a Governance Risk and Compliance sheet. It is neither because the product itself really is secure nor because it makes the OT environment more secure. Security does matter if you are replacing a pre-existing system, but with 40% of industry participants in the 2025 SANS survey indicating this will be the first year they invest in “secure remote access,” brownfield is not where the money is at for established firms like ours.
The pitch for Dispel’s product that got us from 20 clients to 2,000 lasted under a minute. It was, roughly, if you want to remotely access a system securely, that process requires 6 products bolted together, takes 7 to 12 minutes of a user’s time per connection event, and requires 15 minutes of administrator overhead. Dispel built an end-to-end system. By stripping out all that inter-product friction, you can get to a high value asset with Dispel in under 30 seconds, securely, with less than 1 minute of administrator overhead.
That pitch broke a mold because it got cybersecurity professionals to talk about their systems in efficiency terms. In offshore drilling, to give one example, cyber teams realized they could justify rolling out Dispel to their colleagues in Operations and Finance by pointing to the time and dollar savings of the product. In their case, the payoff time for an annual license was 43 seconds of use. They didn’t have to try arguing our system aligned them with more of the 800-82 High baseline – something no one on the other teams either understood or cared to learn about.
The problem with that pitch is it only worked amongst firms that had already tried to secure how their systems were accessed by some other means. It wasn’t until recently that we realized just how few commercial entities had even bothered to throw a firewall up in front of their OT systems. With firms that have not yet worked the problem, we have an entirely different buyer mind state. Most don’t even use the industry standard definition of “Secure,” they just know it had better say “secure” in the marketing materials. So how do we adjust the pitch to compete for and win the business of firms that haven’t focused on OT cybersecurity before?
How OT Leaders Are Rethinking Remote Access for Operational Efficiency
The answer, I think, lies yet again in efficiency. Teams at firms that hadn’t invested a dime in OT cyber weren’t somehow living outside of the proverbial Vortex. It’s just they hadn’t realized they were in it and, now that they do, they hate everything—starting with your salesperson and whoever sent them. The things they care about, which are the things they are judged on, remain the same: uptime, availability, crew safety, and operating costs. You’ve just sent someone into their office with a presentation that offers a solution somewhere along the textbook timeline of asset inventory, risk assessment, governance model, and standardized secure remote access. It shows a 24-month timeline. It talks about advisors serving as “an extension of the team.” Unless you are bringing something more to the pitch than security, they are going to scroll to the end of that timeline, take the cheapest thing that claims to do whatever is there, and worry about the consequences of their actions later. Cheap decisions have expensive consequences, but like all of us in this chili house line: you can’t fix stupid.
Enter stage left OT DMZ Unification—now sold as “OT Fusion”—a patented means of spanning multiple secure enclaves in seconds so the resources in each enclave can selectively be allowed to reach and service those in the other attached environments. Standardized, controlled remote access is an ancillary outcome of that solution. OT Fusion, where deployed, has tended to reduce operating costs at client sites by 3%. That translates to tens of millions of dollars. The reason for those savings is you don’t have to do digital transformation at every facility by building a fresh stack—you just have to do it once and the OT Fusion system will let you port that transform to other facilities. When you are dealing with tens of millions of dollars of cost savings and a faster turn time on getting facilities online, no one cares about the few hundred thousand we insist on spending to make sure the system is by-the-book secure.
What This Means for the OT Remote Access Market
From a macro level, my guess is you are going to see a bifurcation between point solutions that can’t get out of the “sell security” mindset and platform solutions that expand their feature sets to increase the non-actuarial ROI of deployments. As with any split in a market, expect stuff to get messy. You are going to see a lot of efforts by firms that don’t have the capacity to invest in security trying to redefine “secure” away from the standards that are tough to meet. You are going to see more efforts to do multi-year lockups by said firms as a way to stave off the implications of not having a viable product. And you will probably see a price war in the commoditized domain of VPN services and jump hosts. But if you are smarter than the average bear, none of that is going to be hard to see. My advice: focus on the expected return on investment in efficiency terms, and be relentless in requiring audited standards alignment in the deployment configuration of the product in your environment.
Have a great year. If you want to talk efficiency gains, reach out to me on LinkedIn.


