"Would you be willing to pay for outside help to address your cybersecurity issues?" Walt, here are my two cents, based on some bizarre experiences.
As with so many other things in life, industrial control system (ICS) security is mostly about the money. As anybody can guess, I'm getting several requests these days for consulting and for giving talks. Funnily enough, it is especially the requests that look more serious that often turn out to be blunt attempts to exploit our hard work on Stuxnet for free. (I spent over $100,000 on our Stuxnet research.)
So, for example, the World Institute for Nuclear Security (an organization associated with the IAEA) invited me to speak at their conference without an honorarium and even expected me to cover travel and accommodation myself. A vendor consortium consisting of the big names in automation rejects my request for an honorarium because they "are a non-profit organization." A European government invites me to talk at its annual CERT conference with no compensation "because they are a government." (We still laugh about that one.) A defense contractor inquires about "collaboration" on cybersecurity issues in its weapon system, indicating that its staff doesn't have a clue, and is never heard from again after receiving a moderate quote for consulting services. The list could go on.
Anybody may forgive me if I have come to think that so many players in the ICS security game really don't belong there, as they're just looking for a free lunch to pimp up their marketing collateral. I'm afraid that some day society may have a price to pay for this ignorance. Anyway, to close somewhat more optimistically, there are a few others who treat the subject more seriously, as evidenced by how they open their pocketbooks. And, as the saying goes, you get what you pay for.