When something is sustainable, it can grow and support itself for a long time rather than burning out quickly. An all-out sprint is powerful but short-lived, while a slower-paced run or jog can carry a person 26.2 miles to the finish line of a marathon. Environmental sustainability, for example, promotes choices -- such as water conservation and recycling -- that help keep our world healthy and productive for the long haul.
Sustainability principles can benefit cybersecurity programs too, making them both more effective in terms of long-term cyber-risk mitigation and more responsible in terms of community impact.
Although you may not have heard the term sustainable cybersecurity yet, it's going to be important for organizations going forward. With forethought and planning, organizations can incorporate sustainable security practices that will continue to mitigate risk for years and decades to come.
Why do sustainable cybersecurity practices matter?
By installing automatic light sensors in the office, a company might reduce its energy use and lower its electric bills, improving both environmental and financial sustainability outcomes. Similarly, sustainable cybersecurity practices carry technical, financial, regulatory, social and reputational drivers and benefits. These include the following:
1. Better cyber-outcomes
An unsustainable cybersecurity strategy will reach a point of diminishing returns when it becomes less and less effective at mitigating risk. For example, every organization needs security-aware users, yet too many have aging, static training programs that don't help people learn. Making employees watch the same 10-year-old phishing prevention video annually won't change their behavior or improve their understanding of today's threats.
In contrast, a dynamic security awareness training program that evolves to reflect emerging threats -- and continually addresses perennial ones in fresh ways -- can better sustain user interest and engagement. In turn, users become a sustainable part of the solution as active frontline responders.
On the tech side, sustainable cybersecurity practitioners think strategically and long term when making major architectural decisions:
- Unsustainable: taking on digital transformation and going to the cloud without a clear security plan.
- Sustainable: developing a long-term strategy for managing cross-cloud security activity and ensuring all new partners and providers fit into that strategy.
2. Cost control
Viewing cybersecurity as a sunk cost to appease auditors or as a reactive response to the latest attack inevitably leads to expensive and avoidable exposures. These add up to a financially unsustainable cyberstrategy.
Practitioners of sustainable cybersecurity, on the other hand, proactively set goals and priorities at the start of the year to address their biggest vulnerabilities. They see related expenses, which they build into budget planning, as important investments in the overall health of their organizations:
- Unsustainable: repeatedly paying ransomware fees to unlock files because no one made a business continuity plan.
- Sustainable: implementing endpoint detection and response, building a 3-2-1 backup strategy and establishing -- and practicing -- an incident response plan and other standard operating procedures.
3. ESG advancement
The business world is buzzing about the need to improve environmental, social and governance (ESG) practices. Investors and customers are becoming increasingly socially conscious and looking to entrust their money to companies that reflect their values and minimize ESG-related risk. Many want to see businesses implement net-zero energy approaches, for example, and prioritize social equity and employee well-being in their hiring and retention practices.
ESG is already on IT's radar, with CIOs paying closer attention to issues such as environmental sustainability in the supply chain and ethical data-handling practices. Now it's time to bring cybersecurity into the mix. J.P. Morgan Global Research recently said it considers cybersecurity a key metric under ESG's social pillar, calling it "so much more than a technology issue." Organizations have growing societal as well as legal obligations to respect consumer privacy, protect employee data and comply with government regulations, such as GDPR and CCPA. In some industries -- critical infrastructure and healthcare, for example -- community safety, economic stability and human lives could be at stake in the event of a significant cyber attack.
Security leaders can advance their ESG interests and help make their organizations more attractive to investors and consumers by taking the following actions:
- committing to effective and sustainable cybersecurity practices that strategically mitigate risk and improve cyber resilience over the long term;
- reviewing hardware and software supply chains to make sure they reflect high-level ESG goals -- environmental, sociopolitical, etc. -- and don't introduce undue third-party cyber-risk; and
- reporting key cyber-risk and resilience metrics to stakeholders to demonstrate transparency and build trust.