How Cybersecurity and Sustainability Intersect

Enterprises are pouring dollars into cybersecurity and sustainability initiatives. While the latter might seem like a technical investment and the former a commitment to environmental, social, and governance (ESG), there is opportunity in the intersection of the two.  

Both cybersecurity and sustainability have a material impact on businesses. And for either initiative to succeed, leaders must instill an enterprise-wide commitment into their culture. Applying a cybersecurity lens to sustainability and vice versa can help strengthen enterprises, but how can leadership teams take advantage of these opportunities? 

Sustainability and the Cybersecurity Triad 

The confluence of cybersecurity and sustainability isn’t necessarily the same for every enterprise. “I think [it] is one of those things where it really sort of depends on who the client is, who the company is, and how they are looking at the world,” Anuj A. Shah, managing director at Stax Consulting, a business consulting services company, tells InformationWeek. 

But the CIA triad (confidentiality, integrity, and availability) gives all enterprises a starting point to think about their operations and sustainability. Without the three sides of this triangle, businesses cannot sustain operations.  

Related:Sustaining Future Workers and Consumers Moves Up in ESG Efforts

“Without those controls, then the confidentiality of systems [and] of data, the integrity of the data or the systems and … then critically the availability of those systems and the data and the infrastructure that supports … operations just wouldn't be there,” explains Conor Hogan, global practice director, data governance, digital trust, consulting services at BSI Group, a business improvement solutions company.  

Additionally, sustainability leaders need access to an enterprise’s safeguarded data. “Sustainability practitioners need to get really good at understanding and using data to do the job effectively. They want their impact to scale. They need to understand how to use, manage, get, interpret data,” Ryan Lynch, practice director, sustainability at BSI Group, adds. Questions of access and responsible use fall squarely into the realm of cybersecurity.  

Strong cybersecurity protocols can create a foundation for sustainability initiatives. Imagine an enterprise decides to adopt a new technology to improve its sustainability. While that technology could drive energy savings, it also adds to an enterprise’s attack surface.  

“If you think about things like renewable energy, smart grids and all of the modern technology that is more efficient … than it has been before, how [do] you actually run that and continue to make sure that it sustains itself against cyberthreats?” asks Hogan. The answer, of course, lies in an enterprise’s cybersecurity strategy.  

Related:AI, Data Centers, and Energy Use: The Path to Sustainability

Cybersecurity and ESG 

Sustainability has its own triad: ESG. How does an enterprise impact the environment and society, and how it is tracking and sharing that information?  

The environment -- the “E” of ESG -- is likely the first area that comes to mind when thinking about sustainability. How can cybersecurity have a positive impact on the environment? Cybersecurity is vital to protecting and managing data, which enterprises continue to amass and leverage in myriad ways.  

“It sits somewhere and … that means that it is drawing electricity from a grid,” says Hogan. “So, the more data we create the bigger the materiality of that impact to the world.” 

Where does an enterprise store its data? “Moving IT from on-prem to the cloud [is] a great way to drive energy savings,” Bala Krishnapillai, vice president and head of the IT group, Americas at Hitachi, an IT consulting and services firm, points out. Making that transition is not possible without considering cybersecurity. Enterprises are responsible for protecting their data in the cloud.   

Related:The Tug-of-War for Cyber Resilience to Guard Water Utilities

How much data does an enterprise need? Backups are an essential part of cyber resilience, but keeping all data that an enterprise collects indefinitely is not a sustainable practice.  

“Implement appropriate data retention schedules and actually put them into effect. So only retain data that you need, have appropriate schedules of data literally being wiped or getting overwritten in terms of backups … to minimize physical green footprint,” Hogan recommends.  

Today, society and the digital world are inextricably linked. People entrust their personal data to a multitude of organizations out of necessity. The critical infrastructure that sustains daily life relies on technology. That personal data and critical infrastructure are vulnerable to cyberthreats. Enterprises have a responsibility to individuals and society as a whole to recognize those threats and reduce risk.  

Prasanna Govindankutty, Americas cybersecurity leader at professional services firm KPMG, offers cities today as an example of how cybersecurity and the “S” of ESG connect. “A lot of them are actually modernizing to be smart cities, and smart cities rely on digital infrastructure. And compromising that digital infrastructure will have an at-scale impact on the societies that depend on it,” he says.  

Finally, enterprises are responsible for governance. How is an enterprise operating, and how transparent are those operations? Regulations, reporting, and standards frameworks exist around both cybersecurity and ESG. “When we bring cybersecurity to that table, they provide us the governance, the risk management, the data privacy framework,” says Krishnapillai.  

Sustainability and cybersecurity work alongside one another to drive responsible corporate governance. “Sustainability and trust are two sides of corporate governance. Then …cybersecurity and data privacy could be viewed as key enablers. I think that is the way organizations should look at it,” Govindankutty expands.  

All Hands on Deck 

Cybersecurity and sustainability are discrete functions in many enterprises, yet they could benefit greatly from being de-siloed. Sustainability and cybersecurity initiatives need C-suite awareness and resources to permeate an enterprise’s culture and actually achieve their goals.  

“It's not a one-person show anymore. It's really an ownership in that responsibility and a stewardship that cuts across functional leadership across … the entire organization,” says Lynch. 

In more mature organizations, cybersecurity already has board-level involvement, which can make it easier to see and act on its intersection with sustainability. But for many organizations, cybersecurity and sustainability are separate and even back-office functions. “The cybersecurity leader should not wait for someone to come [and] invite them into these conversations,” says Govindankutty.  

The stakeholders who need to be involved in cybersecurity and sustainability extend beyond an enterprise’s four walls. Third-party vendors are a vital part of an enterprise’s ecosystem.  

“When we're doing work with clients to account [for] their Scope 3 emissions or to try to reduce the greenhouse gas emissions, we have to work across function. We have to work across their value chain with their suppliers and even the downstream stakeholders,” Lynch shares.  

Transparency into an enterprise’s supply chain not only helps enterprises from an ESG perspective, it also gives enterprise leaders visibility into their cybersecurity vulnerabilities. What are vendors doing to be more sustainable, and how are they implementing security controls to protect their customers? 

“Secure IoT devices and supply chains can help you enhance transparency and traceability in that supply chain but also then align with the sustainably goals and mitigate cybersecurity risks,” says Hogan.  

A Secure and Sustainable Future 

The confluence of cybersecurity and sustainability may not yet be fully understood, but companies will be increasingly reporting on both areas. “What we're seeing is greater regulation around disclosures of sustainability and ESG data,” says Shah. “It's going to be quite interesting to see … how cybersecurity, sustainability, ESG, [and] more standardized data, more disclosures … come together within the next couple of years.”  

As that data pours into the market, artificial intelligence will be put to work understanding it. And AI systems are only as good as the data fed to them. Once again cybersecurity will come into play, and AI use should be supported by data integrity and privacy programs.  

While AI undoubtedly opens the door for greater cybersecurity capabilities and for navigating the growing complexity of sustainability, it also comes with an environmental cost. “The explosion of various AI services, new capabilities, it drives more computer power, higher energy consumption,” says Krishnapillai.  

Enterprise leaders will likely need to find a balance between the environmental costs and benefits of AI.  

Finding that balance and understanding the impact of all sustainability and cybersecurity initiatives requires leaders to track their enterprises’ efforts. “You need to have a plan around it, an execution plan. You need to track it. You need to have budget. You need to have coordination across the organization,” says Shah.  

Enterprise leaders in cybersecurity and sustainability can identify areas of common interest and drive investment in them. Like any other strategic investment, the return can be tracked.  

“Boldly [market] some of the security and safety measures that [you] put in place, so you have the ability to measure customer interaction with your organization, third-party interaction with your organization and see if it is going up or down and map it back to those investments that you put in place,” Govindankutty recommends.  

It may take time for enterprise leaders to find the potential integrations between cybersecurity and sustainability, but they are there. “Sustainability by design and secure by design, privacy by design … adopting that ‘by design’ proactive approach [embeds] the different way of thinking in the organization,” says Hogan.