On 18 October I was in Bergamo for NoHat 2025, and I found myself thinking about how easy it is to live in a bubble when you work with technology. We think we understand cybersecurity because we know how firewalls work, how to configure an authentication system, how to handle vulnerabilities in a web app. Then you hear from someone who works with critical infrastructure or with AI systems, and you realise your mental model maybe covers 20% of the picture.
It isn’t that what we know is wrong. It’s that the world is wider and more complicated than we tend to admit when we’re immersed in our own specific patch.
Key takeaways
Industrial systems run on legacy equipment that cannot be replaced, with patching windows measured in quarters or years and protocols that date from the 1990s: the rules of application security don't transfer.
Before judging how industrial companies “should be doing it”, it’s worth listening to the people actually running those systems—the gap is epistemic, not motivational.
The professional bubble often mistakes a subset for the whole: recognising that is the first form of cross-domain competence.
Questions & answers
What is NoHat 2025 and why does it matter?
A cybersecurity conference held in Bergamo on 18 October 2025, with a particular focus on OT (Operational Technology) and critical infrastructure. It’s one of the few venues where the classic IT-security world (web applications, cloud, SaaS) actually talks with the people protecting industrial plants, SCADA systems, power grids.
Why does someone working in web security see only 20% of real cybersecurity?
Because industrial and critical scenarios operate with different threats, constraints, and consequences: ransomware against a SaaS product causes days of downtime; an attack on a chemical plant can cause physical casualties. The systems are often legacy that cannot be replaced, patching windows are quarterly or yearly, and the protocols are the same ones used in the 1990s. The web-security mental model covers a narrow subset of the problem.
What should a generalist technologist take from this difference?
Epistemic humility. What we know about security in our own domain isn't wrong; it's partial. Before pronouncing on "what industrial companies should do", it's worth having spoken with the people who actually run those systems. The context gap is wider than the technical one.