Has ESG Become a Wake-Up Call for Cybersecurity?

John P. Gormally, SR
4 min read · Aug 23, 2022

[Image: Thunderstorm in Southern California]

Even with ransomware costing billions of dollars in losses and cyber insurance claims, organizations are impacted beyond the checkbook. Damage to the brand, lawsuits, loss of respect in the industry, and mass departures of crucial personnel all stem from people’s perceptions of how the organization acted during a crisis.

Attacks on the rise

Cyber incidents happen every day. From email phishing and brute-force attacks to employees walking out with a host of USB sticks, organizations face countless and often unreported cyber attacks. Corporate data, employee information, and access to the global supply chain are frequent targets of hackers and cybercriminals.

These attacks have driven cyber insurance premiums higher. Many insurers now spend more time evaluating claims to confirm that the client exercised due diligence. At the same time, cyber insurance has become more critical to organizations as a way to offset risk to the company.

Access to global talent is still a challenge.

A critical part of ESG centers on how the organization’s strategy executes human capital management and complies with applicable labor practices.

Does the organization follow national and international hiring and compensation standards and invest in the welfare of its employees?

Another challenge for organizations seeking to maintain their ESG standing is the sustainability of qualified resources.

Highly experienced cybersecurity experts, experienced personnel with a cyber risk management background, and professional engineers who understand physical infrastructure are in huge demand. Maintaining these critical resources directly impacts the organization’s risk scoring.

So, how would environmental, social, and governance (ESG) scoring change the mindset from the boardroom down to the intern, so that cybersecurity governance finally lands at the top of the organizational priority list?

Are organizations taking ESG more seriously?

Well, that depends on the organization’s seriousness about its overall ESG and sustainability scoring. ESG is more than just cybersecurity threats and critical infrastructure management. The ESG scoring system is broken out into several areas of observation, including:

  • Social awareness — the culture of diversity within the organization
  • Sustainability of resources
  • Environmental impact issues with maintaining legacy critical infrastructure
  • How the organization interacts with the community
  • Ethical behavior of the organization and its leadership
  • Global trade governance and compliance
  • Global human resource management and labor practices

Each area contributes to a scoring system similar to Dun & Bradstreet. Organizations seeking to do business with other companies often ask for a D&B number, among other reference credentials.

If an organization is found to discharge raw sewage into a protected lake without initially claiming responsibility, this could directly impact its ESG score. Bringing cybersecurity risk into the fold for a moment: what if the organization suffered several breaches, including data exfiltration, ransomware extortion, and account takeover?

How would these events impact the ESG score?

ESG is gaining momentum globally where countries, multinational companies, and learning institutes have become aware of the importance of having a positive score. The global investment community also researches many perspectives on ESG scores as part of their due diligence.

Direct connection between risk management and ESG

ESG at every level correlates in some form back to organizational risk management. How an organization scores in the social, environmental, and governance areas will have a lasting impact on whether it is considered sustainable, friendly, and low risk.

Should cybersecurity events impact the sustainability score of an organization?

Absolutely.

Every security event and data loss directly erodes customer and business partner confidence in the organization. Who would want to do business with an organization with a high ESG risk score?

What is the role of the CIO and CISO in ESG?

Technology consumption has a massive role in the sustainability of the environment and corporate resources. The need for expensive commercial property will drop if an organization decides to standardize on the remote workforce. The land could be used for other purposes to serve the environment better.

Suppose the CIO moves all applications to an ESG-friendly data center and shuts down legacy data centers. In that case, this action could positively impact the environment along with better sustainability of corporate resources, including cost saving, risk reduction, and critical human capital management.

Suppose the CISO does move all security operations to remote managed services yet suffers several severe cybersecurity attacks. Did the organization jeopardize its ESG status by outsourcing every aspect of security protection?

Will ESG help move cybersecurity to the top of the list?

Acquiring and managing an ESG score takes continuous decision-making and evaluation of the corporate environment, resources, and technology consumption expectations.

Because cybersecurity risk and ESG risk are so closely aligned, as organizations continue to be impacted by hacking events that affect their ESG score, cybersecurity will rise to the top of the company’s sustainability list.

Suppose an organization decides to pursue a digital transformation strategy. This is an opportune time to implement an ESG culture. By phasing out legacy cybersecurity and infrastructure technologies, organizations can enable more sustainable capabilities to deliver their services to clients and employees.

Without cybersecurity in the organization, what will happen to the brand, the customers, the global supply chain, and most of all, the employees?

Cybersecurity sustainability is the company culture, not some cool logo.

All the best,

John

Written by John P. Gormally, SR

John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.
