Full Report
New data from Black & Veatch-Takepoint Research finds a persistent execution gap in the manner cybersecurity is integrated... The post Black & Veatch-Takepoint Research finds fragmented ownership slows secure-by-design adoption, pushing cyber risk appeared first on Industrial Cyber.
Analysis Summary
# Industry News: Fragmented Ownership Stifles "Secure-by-Design" in Critical Infrastructure
## Summary
A global study by Black & Veatch and Takepoint Research reveals a significant execution gap in industrial cybersecurity, where 72% of organizations fail to integrate security into the early stages of capital projects. Despite 95% of leaders acknowledging that "Secure-by-Design" improves resilience, fragmented ownership and governance misalignment continue to push cyber risk into the post-commissioning phase.
## Key Details
- **Date:** April 14, 2026
- **Companies Involved:** Black & Veatch (Infrastructure Advisory), Takepoint Research
- **Category:** Market Research / Industry Insight Report
## The Story
The report, titled *‘Secure by design: A Market-Informed Guide to Cybersecurity for new Critical Infrastructure,’* surveys over 450 global respondents to identify why cybersecurity remains a downstream consideration. The research finds that while the "awareness" phase of industrial cybersecurity has peaked, the "implementation" phase is stalling.
The core issue is a structural disconnect: 68% of respondents cite unclear accountability as the primary barrier, while 57% point to poor alignment between asset owners and engineering/construction contractors. Because cybersecurity is often omitted from the initial project scope or Front-End Engineering Design (FEED) stage, it is treated as a technical add-on rather than a fundamental engineering requirement. This results in "reactive security," where operational teams inherit vulnerable systems and are forced to implement costly, disruptive retrofits once the assets are already live.
## Business Impact
### For the Companies Involved
- **Black & Veatch:** Positions itself as a strategic advisor capable of bridging the gap between traditional engineering/construction and cybersecurity.
- **Takepoint Research:** Reinforces its status as a leading intelligence provider for the OT (Operational Technology) and ICS (Industrial Control Systems) sectors.
### For Competitors
- Professional services and engineering firms that fail to offer integrated cyber-physical design will likely see increased friction with clients who are tired of post-deployment "bolt-on" security costs.
- Pure-play cybersecurity firms may face more competition from traditional Engineering, Procurement, and Construction (EPC) firms moving into the security advisory space.
### For Customers
- **Asset Owners:** Faces higher Total Cost of Ownership (TCO) due to retrofitting costs; 61% of respondents believe early adoption would lower overall lifecycle costs.
- **Operational Teams:** Inherit "technical debt" and heightened cyber risk profiles from the moment of commissioning.
### For the Market
- Shifts the conversation from "why" we need security to "how" we govern it during infrastructure builds.
- Highlights a growing trend where cyber-resilience is becoming a prerequisite for national security and public safety compliance.
## Technical Implications
The report emphasizes that the most critical technical decisions—ICS architecture, network segmentation, and secure connectivity protocols—are made during the pre-FEED and design stages. When security is delayed, the "window of influence" closes, making it technically difficult to implement granular access controls or robust monitoring without disrupting the physical process.
## Strategic Analysis
- **Market Positioning:** Black & Veatch is advocating for a shift where cybersecurity is treated as a core engineering discipline, similar to structural or electrical safety.
- **Competitive Advantage:** Early integration is linked to 78% reduced downtime, providing a clear operational advantage to those who can execute.
- **Challenges:** Overcoming "siloed" budgeting where the capital expenditure (CapEx) team is incentivized to lower initial build costs, ignoring the long-term operational expenditure (OpEx) of poor security.
## Industry Reactions
- **Charlie Sanchez (Black & Veatch):** Explicitly states that "if it isn’t defined in the project scope, it won’t be delivered," placing the responsibility squarely on procurement and project definition.
- **General Consensus:** Experts agree that the "execution gap" is a governance failure, not a technical one.
## Future Outlook
- **Predictions:** Expect more stringent "Secure-by-Design" requirements in government contracts and critical infrastructure regulations.
- **What to watch for:** A rise in "Cyber-aware EPC" (Engineering, Procurement, and Construction) contracts where cybersecurity milestones are legally mandated in the build phase.
## For Security Professionals
Practitioners must move "upstream" in the business process. Influence needs to be exerted not just on the IT/OT network, but on the procurement officers and engineering leads who define the scope of new capital projects. If survival depends on resilience, security professionals must become stakeholders in the construction and design lifecycle.