kras99 -


How to put cybersecurity sustainability into practice

Cybersecurity sustainability practices involve mitigating cyber-risk without burning out people -- or burning through resources. Explore what that looks like on the ground.

At its core, sustainability is about using resources in a way that avoids exhausting them and strategically meets today's needs, while also preparing for the needs of tomorrow. Environmental sustainability, for example, aims to conserve natural resources, such as water, forests and fertile land, so future generations can thrive.

Similarly, cybersecurity sustainability means investing time, attention and capital in a way that mitigates risk, minimizes cost and maximizes effectiveness both now and in the long term.

To put these ideals into practice, consider what sustainability looks like across the three pillars of security: people, process and technology. Here are some examples.

Sustainability and people

Most companies mandate annual security awareness training as part of their compliance and risk management programs. Too often, this means doing the bare minimum -- requiring employees to passively view short informational videos, for example. Such one-and-done, box-checking exercises are typically a poor use of time and resources and fail to engage people in any active or meaningful way.

A more sustainable approach to security awareness training continuously seeks to change the real-world outlook and behavior of employees to generate ongoing ROI. By offering substantive and interactive security awareness training, beyond an obligatory 30-minute video, organizations can impress upon users the seriousness of cyber-risk and the important role they play in mitigating it. By giving people the skills to recognize potential threats -- educating them on emerging phishing campaign tactics, for example -- and the tools to report them, security leaders can create a legion of on-the-ground first responders.

An engaged and educated workforce is the front line of sustainable cybersecurity.

As more people in the workforce become cyber-aware, the practice of identifying and reporting threat activity eventually becomes second nature and spreads to new and existing employees. An engaged and educated workforce is the front line of sustainable cybersecurity.

Sustainability and process

Organizations typically codify security processes via documented policies or, ideally, automation. But even automated processes often require an element of human intervention that can create cybersecurity sustainability problems.

Consider password policies, which affect almost everyone. A strict, cumbersome reset process that requires excessive overhead for users, whether employees or customers, quickly becomes expensive and hard to sustain. For example, imagine you're a business user who tries twice to log in to your account but fails, and the system automatically locks you out. You then must call a staffed help desk and wait 45 minutes for an agent to become available to reset your account. That's an inefficient and unsustainable process that burns time, energy and attention, arguably without proportionally lowering cyber-risk.

A better process can reduce friction and improve cybersecurity sustainability. Instead of locking out a user after two failed logins, for example, do the following:

  • increase the threshold to five;
  • implement user entity and behavior analytics on the back end to keep closer tabs on what the user is doing; and
  • lock the account if the user performs risky, atypical or unauthorized activity.

You could further ease the burden on the help desk by automating password resets for low-risk accounts. The end result: increased user productivity, shorter help desk waits and less agent burnout.

Sustainability and technology

Cybersecurity sustainability sometimes overlaps with environmental sustainability, especially when it comes to the technology we choose. Consider working with vendors that support environmental, social and governance missions, such as cloud providers that power their data centers with renewable energy or companies that responsibly recycle servers, laptops and other gear when they reach end of life.

Another important way to support sustainable technology is by working with vendors that support the right to repair, especially when it comes to batteries. For battery-driven devices, including laptops, tablets, phones and IoT devices, the battery is often the first thing to fail or wear out. If an entire device needs to be discarded just because of a worn-out battery, a huge amount of good, still-workable tech goes to waste. Vendors that allow organizations to replace worn-out batteries and repair small issues in their hardware support sustainability, leading to cost savings for your company. That's a win all around.

Next Steps

10 cybersecurity tips for business travelers

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing