Oftentimes, three-letter acronyms trend and become buzzwords. At other times, they act as catalysts by influencing the business environment in which an organization operates. Such acronyms include CSR (corporate social responsibility), GRC (governance, risk, and compliance), and the most recent one, ESG (environmental, social, and governance). These are important business concepts that drive investment considerations and organizations’ cybersecurity commitments to customers. A common factor amongst CSR, GRC, and ESG is the role of governance in steering an organization’s vision, mission, and operations. Governance provides a structure to improve decision making and utilization of resources to achieve objectives.
Understanding ESG
Though ESG gained traction within the last 2 years and became a major investment consideration, it evolved from a 2004 initiative by the United Nations in cooperation with the International Finance Corporation (IFC) and the Swiss government to integrate environmental and social factors in corporate governance. The central idea of ESG as an investment framework is that by incorporating environmental and social policies in corporate decisions and processes, organizations are better positioned for a more sustainable and favorable market outcome. It is now mainstream for investors to assess environmental, social, and governance risks and opportunities in the selection of their investment portfolios.
There are three main pillars in the ESG framework: environmental, social, and governance.
Environmental: This pillar tasks organizations to consider the effect of their products, services, and actions on the environment and encourages the implementation of policies and processes to reduce adverse impact.
Social: This pillar focuses on an organization’s social responsibility to internal and external stakeholders, particularly its position on social issues such as diversity, equity, and inclusion, racial and gender justice, community involvement, and data protection.
Governance: This pillar is the foundation of the ESG framework as it focuses on the systems, policies, and processes organizations have in place to govern operations, influence corporate culture, identify and address risk, and align with compliance and regulatory requirements. For instance, investment in cybersecurity controls is an example of governance action to ensure that the organization implements adequate customer data protection.
ESG as a Risk Indicator
ESG is an approach to understanding internal and external factors that could pose risks to an organization’s opportunities to remain operational and sustainable. A fundamental focus of ESG is to identify such factors, assess their risks, and implement controls to mitigate the impact on the business.
During a conversation with a CRM vendor, I inquired about their business continuity and disaster recovery capabilities. I wanted to know if the vendor could quickly restore operations should a tornado or hurricane impact a location. This is not just an environmental challenge that organizations should consider, there is also a cybersecurity implication. For example, in the event of a ransomware attack, if the backup site is inaccessible because of hurricane or tornado damage, the business’ ability to recover from a disruption could be delayed.
Prior to the popular adoption of cloud infrastructure, a good practice was to ensure that a cold or warm site was far from the main company location. A major reason for such practice was to minimize the susceptibility of both locations to similar geographical vulnerabilities, especially inclement weather. It is even more crucial to understand how cloud services and web application providers protect against environmental factors such as a tornado or hurricane. Dependence on vendor applications puts customers at risk if adequate contingency capabilities are not in place, including data centers that are built to withstand environmental disruption.
Importance of Governance
Whether it is a decision to build a facility that can withstand structural damage caused by weather, or establish a socially responsible and cybersecurity-centric culture, governance is pivotal. As ransomware and other cyber threats continue to be successful, cybersecurity has become a governance responsibility. More than ever before, governance plays a principal role in protecting against cyber threats and other business risks. It is imperative that decision makers consider environmental, social, and governance challenges that could impact their ability to deliver critical mission objectives and remain profitable in an extremely competitive and saturated market.
Cybersecurity is Integral to Successful Implementation of ESG
Yes, cybersecurity is integral to all three pillars of ESG, playing a significant role in an organization’s successful ESG adoption. The relationship between cybersecurity and environmental factors transcends building environmentally sustainable facilities and ensuring alternate sites are unsusceptible to environmental disruption. With the proliferation of smart buildings and the Internet of Things (IoT), the integration of information systems and physical structures creates opportunities for cyber threat actors to disrupt critical infrastructure or transform IoTs into exploit bots that could amply a Distributed Denial of Service (DDoS) attack.
Just like weaponizing IoTs, successful unauthorized control of critical infrastructure components could also result in large-scale disruption and destruction. Such an attack is not imaginary, but very possible when cybersecurity controls are not properly implemented. In 2021, a Florida water treatment facility was successfully compromised due to outdated software and a weak password. The timely containment of the attack prevented potentially catastrophic results.
Social considerations are becoming mainstream cybersecurity conversations. Besides the importance of having a diverse cybersecurity workforce, there has been an increase in socially motivated hacktivism. Misinformation and phishing attacks leverage social media platforms, making it more challenging for cybersecurity professionals to prevent such attacks. Successful ransomware attacks against critical infrastructure directly impact society. From the cost of meat going up because of an attack on a major meat seller, to the disruption of a major US fuel distributor, which created artificial scarcity and subsequent disruption of social life, social and psychological effects of cyber threats are becoming critical to an organization’s sustainability. Businesses which fail to protect customer data are not only faced with compliance fines, but they also lose existing customers and new opportunities. More than ever, customer trust is closely entwined with adequate protection of customer data.
The social implication of cybersecurity has led to a new scientific investigation known as social cybersecurity. Social Cybersecurity is an emerging field of study which explores the relationship between cyber-mediated environments and human behavior, sociocultural structures, and political systems. The focus areas of this study are “social media and cyber-attacks, cyber team training, and threat prediction”.
An organization's commitment to cybersecurity is reflected in its governance and business operations. Appropriate funding as well as enabling a culture of compliance and cybersecurity are tangible evidence to show that such an organization is committed to the ESG framework.
GRC Helps Organizations to Achieve ESG
Although ESG is an emerging framework, implementing it may be exigent. However, organizations with an existing GRC process can quickly adapt and reap the benefit of implementing ESG controls. According to OCEG, GRC is the “integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”.
A well-established GRC effectuates the right risk management program to identify environmental, social, and compliance risks that could adversely impact the organization. Effectively mitigating ESG risks requires the implementation of appropriate controls. For instance, environmental risks which pose threats to critical infrastructure could be effectively managed with an intuitive industrial control system. Social cybersecurity risks could cause serious business disruption; hence, implementing a robust cybersecurity program enhances preventive and responsive controls.
Demonstrating compliance is an integral component of ESG and GRC. Non-compliance with regulations or sustainability expectations could cause financial, economic, and social repercussions. It is important for organizations to implement a compliance program that provides reassurance to internal and external stakeholders that a company can be trusted.
ESG has come to stay, and its influence will continue to grow. Beyond the buzzword, organizations that embrace the framework will reap the benefit of successful implementation. Organizations do not need to wait till they fully grasp the scope of the framework, they can leverage current GRC processes to align with their ESG objectives to achieve sustainability and profitability.
About the Author: Funso Richard is an Information Security Officer at a healthcare company and a GRC Thought Leader. He writes on business risk, cybersecurity strategy, and governance.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.