I just wrapped my session at the SANS ICS Security Summit 2026 — "From Dwell Time to Dollars: Quantifying the Financial Value of Faster OT Incident Recovery." Here's the short version, and where you can download the full slides and technical paper.
The problem I keep running into: OT cybersecurity teams know their incident response needs investment, but the funding argument is weak. "The risk is red. The mitigation is $2M." That works for prioritising. It does not hold up in a budget review.
The 2025 SANS State of ICS/OT Security survey gave me a starting point. It breaks the incident timeline into three stages — compromise-to-detection, detection-to-containment, and containment-to-remediation. When I looked at the year-over-year data, cumulative mean response time increased by 27 days from 2024 to 2025. Every one of those days is business exposure: lost production, scrap, restart costs, contractual penalties, and executive scrutiny.
So I asked a simple question: if we improve a stage of incident response, what does that mean in dollars?
Using DeNexus DeRISK CRQ, I modelled a representative $400M manufacturing facility with very low response maturity. The baseline exposure was material — roughly $27M expected loss (6.7% of revenue), $69M at VaR95, and $807M at the extreme tail. I then ran 15 what-if projects: three response stages across five maturity levels. Each one answers a single question — if this stage moves up a maturity level, how does the loss distribution change?
The pattern was clear. Detection-to-containment delivered the strongest early-stage financial benefit. But recovery doesn't disappear — as a program matures, restoring and validating trusted operations becomes a larger share of the remaining loss.
The point isn't the exact numbers; your facility will differ. The point is that incident response maturity can be converted into a financial risk discussion. Instead of "the risk is red," the conversation becomes "expected loss drops by $6M, the mitigation is $2M." That's a language finance, risk committees, and boards actually use.
The technical paper includes the full model, the maturity-to-time mapping, a step-by-step method for applying the percentages to your own facility, and a funding-request worksheet.
Dwell time is a cyber metric. Recovery time is a business metric. The slides and paper show how to connect the two.
→ Download the slides and technical paper: https://www.denexus.io/sans-ics-security-summit-2026
The model behind this session runs on DeRISK CRQ — part of the DeRISK platform, DeNexus's system for quantifying, reducing, and transferring OT cyber risk. See how it works: https://www.denexus.io/derisk-platform