How Cybersecurity Can Steer Organizations Toward Sustainability
COMMENTARY
Inadequate cybersecurity architecture can cause irreparable damage to an organization, which is why boards and C-suite executives are heeding recommendations to implement policies and procedures to mitigate risk. Boardrooms are also paying attention to other hot topics, including diversity, equity, and inclusion (DEI) and sustainability. So it's worth asking what cybersecurity personnel can do to support these initiatives.
Security leaders are in a unique position to not only protect the organization, but also to help direct it toward a more sustainable future. There are several ways they can support the three pillars of ESG: environmental initiatives, social responsibility, and corporate governance.
By "environmental initiatives," we're talking about how organizations affect the environment, such as carbon emissions, resource consumption, and waste output. Security personnel can make a palpable, positive impact on their organization's environmental initiatives with a few key implementations.
Endpoint management solutions. At the beginning of the hardware and software life cycle, cybersecurity personnel should make judicious purchases. Endpoint management software, for example, can be helpful, as such tools save energy by automatically installing patches and putting endpoints into sleep mode when devices are idle or threatened. [Editor's note: The author's company is one of many that sell endpoint management software.]
E-waste management. Cybersecurity teams already monitor corporate devices to maintain compliance and robust network security; they should collaborate with IT personnel to prolong these devices' lifespans via patching and software updates. By reusing and refurbishing hardware, security personnel and IT folks can work together to lower operational costs and reduce their company's environmental footprint.
Supply chain audits. To reduce greenhouse gas emissions effectively, it is also necessary to conduct supply chain audits. Security personnel should periodically orchestrate environmental audits of all the vendors within their supply chain. This entails an assessment of vendors' energy consumption and waste management, among other things.
Energy-efficient data storage and processing. Security personnel should make data center cybersecurity a priority. Data centers use a ton of energy and often contain sensitive information. A successful cyberattack on a data center would likely result in fines, loss of trust, and a rise in energy consumption to get operations back on track.
The social responsibility pillar is concerned with the relationships that one's company has with various people and communities. In addition to diversity and inclusion, we believe that companies should consider digital inclusion and the ability to contribute to economies in underdeveloped regions.
Eco-friendly product procurement. While procuring software and hardware, cybersecurity professionals are usually focused on robust security, compliance, and cost. However, they should also be cognizant of their potential vendors' sustainability practices. In addition to making sure that downstream vendors don't introduce any cyber-risks, security teams should assess the overall environmental and social impacts of their third-party products.
It's important to assess the average lifespan of third-party vendors' products, as well as any applicable energy efficiency ratings or environmental certifications. By choosing energy-efficient vendors that are committed to sustainable manufacturing practices, cyber personnel can bolster their own corporate reputation and attract environmentally conscious customers.
For organizations that sell cybersecurity tools, it's wise to consider digital inclusion. A component of social responsibility, digital inclusion is the idea that people of all socioeconomic backgrounds should have access to technologies. By keeping cybersecurity software prices affordable, security companies can provide more tools to more people.
Effective data management. Cybersecurity personnel are responsible for ensuring the confidentiality, integrity, and availability of their organization's data. Without adequate cybersecurity tools, such as endpoint management solutions, identity and access management tools, and security information and event management software, organizations cannot protect their customers' data, which, of course, they have a social responsibility to do.
Governance refers to an organization's internal procedures, its ability to comply with laws, and how well the company is managed. When it comes to governance, cybersecurity professionals' knowledge and guidance are indispensable.
Materiality assessments and regulatory compliance. Given that cybersecurity professionals are well-versed in dealing with compliance requirements, the executive branch should consult with them in their efforts to comply with regulations.
Besides helping establish cybersecurity compliance and data-handling protocols, security professionals can also ensure that the organization is in compliance with environmental legislation across the globe. To do so, they should help with their organization's ESG materiality assessments.
In addition to assessing sustainability from a financial angle, ESG assessments list how operations affect society and the environment. Organizations need to have cyber personnel on their steering committees to bring a risk management lens to the conversation. By sitting on these committees, cybersecurity team members remind upper management just how invaluable they are to the organization.
Adherence to data privacy laws. Again, organizations have a social — and legal — responsibility to adhere to all data privacy laws. By doing so, cybersecurity personnel help the organization properly manage customer data, while also mitigating threats from bad actors.
As the examples above show, corporate sustainability initiatives cannot be successful without the active participation of cybersecurity personnel. Whether we are talking about environmental initiatives, social responsibility issues, or governance, cybersecurity professionals need to take their seats at the table.