What's driving the need for cybersecurity in ESG [Q&A]
Environmental social and governance (ESG) policy sees businesses seek to implement ethical practices to safeguard, not just the business, but its ecosystem of partners and customers and the wider world.
We spoke to Tim Wallen, regional director for the UK, US and emerging markets at Logpoint, to discuss the reasons why cybersecurity needs to be incorporated into ESG reporting, and how this can be achieved.
BN: What exactly is ESG?
TW: ESG seeks to measure how responsible a company is.
Short for environmental, social and governance, it comprises standards that determine a business's overall impact on the society and the environment, while also looking at how robust and transparent its governance is in categories such as leadership, audits, internal controls, and shareholder rights.
An example of a responsible organization might be one that looks after employees and partners, has a credible net-zero carbon-emissions strategy, and demonstrates sound management practices.
BN: Why is ESG so important?
TW: ESG is important for several reasons. According to Capital Group, almost nine in 10 investors (89 percent) consider ESG issues as part of their investment approach.
However, even for those business that aren't looking for investment, adopting an ESG framework has many other benefits. Not only can it build customer loyalty and improve financial performance, but it also has the potential to make operations more sustainable and enable firms to gain a competitive edge.
BN: Where does cybersecurity stand in relation to ESG at present?
TW: Cybersecurity has traditionally been viewed as a relatively isolated technology issue. However, there's a strong argument that it should be regarded as a key ESG concern.
If we look at the United Nations Sustainable Development Goals (SDGs), which are applicable across industry globally, cybersecurity forms part of both SDG 9 by supporting a resilient infrastructure, and SDG 16 by supporting effective, accountable and transparent institutions, and public access to information.
Increasingly, companies have a responsibility to protect their data and their systems on behalf of users and to ensure economic stability. However, at the present time, cybersecurity tends to be treated as a separate governance issue outside the scope of ESG.
Going against the traditional grain and considering cybersecurity as an ESG metric is still a relatively new stance. However, it's one that looks set to expand moving forward. Simply put, there's growing impetus to include cybersecurity within ESG.
BN: Why should cybersecurity be incorporated into ESG reporting?
TW: Like other ESG issues, cybersecurity is emerging as a major consideration for investors, owing to its connection with both financial and investment risk, growing regulatory scrutiny, and potential for real-world impact.
Spikes in cyberattacks due to the commercialization of malware through RaaS (Ransomware as a Service), the vulnerability of organizations in the light of supply chain attacks, and the volatility of global relations which is driving heightened risks from nation state actors, have all bolstered awareness. And investors are now increasingly demanding the establishment of effective and efficient models that enable them to integrate cybersecurity into their investment decisions.
Alongside climate change and geopolitical conflict, cybersecurity is undoubtedly a leading global risk.
BN: How can organizations govern cybersecurity responsibly?
TW: Moving forward, the C-suite should look to report on cybersecurity as part of ESG. However, there's still an over-reliance on compliance regulations with cyber insurance used as a safety net.
This simply isn't enough. To govern cybersecurity responsibly, organizations need to focus on establishing more effective means of threat detection, response and reporting.
Here, technologies can help. With Security Orchestration and Response (SOAR), for example, organizations can automate the investigation of security incidents, as well as provide case management tools to help analysts automate response to incidents, all with a detailed and recorded audit trail.
With that said, organizations should prioritize the big picture over any individual tool, working to develop a seamless converged security setup.
It's a case of combining technologies to improve outcomes. Collecting event data produced by any device, application or endpoint within your infrastructure helps you visualize the data and put it into context, enabling you to make decisions and act quickly.
Given that organizations have a growing responsibility to protect their data and their systems on behalf of users, particularly within the growing context of ESG, such solutions have never been more important.