The article presents an empirical study of critical infrastructure service providers in consulting, energy, and mining. The study aims to investigate how such service providers perceive and explain information security and challenges in the context of an information technology-operational technology (IT-OT) interconnected environment, that is, Industry 4.0. The study is based on qualitative data from semi-structured interviews with informants holding three different types of positions at the organizations, that is, OT security advisor, business developer, and information security coordinator. The study indicatively concludes that role and responsibility significantly impact practitioners’ reasoning and standpoints. Similarly, security focuses, or prioritization, differs between IT and OT. In line with the literature, the findings indicate that mindsets or mental models need further attention. The article, thus, suggests three research directions to develop insight for expanding information security practices to encompass human and organizational challenges based on behaviors, roles, norms, and attitudes.