Estimated Reading Time: 7 minutes
What is ESG?
Over the last five years or so, the term ESG has become a relatively common parlance in the corporate world. The term ESG stands for Environmental, Social, and Governance, and it relates to how corporations oversee each of these areas as part of their day-to-day business. Activist shareholders and board members are leveraging the ESG concept to push companies into being good ‘corporate citizens.’
At a high level, those terms are defined as:
- Environmental – How does the company manage its impact on the environment (carbon footprint, greenhouse gases, ground pollution) and its ability to manage business resiliency in light of a changing environment?
- Social – How does the company deal with social issues such as community involvement, equality in both treatment and pay,
- Governance – How does the company manage shareholder input, how are executives compensated, and have internal controls been developed to elicit transparency throughout all levels?
Corporate ESG Responsibility
The growth of ESG via ‘activist inventors’, shareholder pressure, and earnings drivers over the past 36 months has been nothing short of astounding. Some of the largest global companies, such as Apple, Google, Cadbury, and The Southern Company, along with many others, have all been under immense investor pressure to develop long-term ESG strategies.
Companies are now paying special attention to their impact on social and environmental issues more than ever before. From pay transparency and diversity to international labor laws; from solar-powered plants to carbon reclamation projects and minimizing e-waste, companies are now monitoring and reporting on how they are being good corporate citizens.
However, a key point to remember is that ESG practices do not begin and end at the corporate walls, but are extended to business partners, third-party vendors, and any other contractors engaged by the company. For example, if a company is using a third party to manufacture key parts for a device they’re manufacturing, it is its responsibility to ensure that the third party isn’t polluting the area, using forced (child) labor, or putting their workers in harm’s way. In fact, it’s not difficult to find news stories of electronics and textile manufacturers getting into trouble for ignoring what is occurring within their supply chains. All of these topics fall under the purview of the corporate ESG program.
Why Does ESG Matter to a CISO?
At first blush, your initial reaction may be… Oh.. hey… governance – I get that.., but there is substantially more a CISO can use to tie into the company’s ESG strategy that will not only justify more budget but enhance the reputation of the security program as being a business enabler rather than ‘The team of no!’.
It’s safe to say that, for the most part, the day-to-day activities of a security team have very little to do with the environment. Deforestation, Pollutive Emissions, and Carbon Sequestration are generally not terms you’ll hear the security team tossing around like they do SBOM, XDR, or SOAR.
That said, from a strategy perspective, the CISO can not only support the environmental initiatives within their enterprise, but they can build up some serious goodwill in the process.
More and more, CIOs have ESG-focused objectives (MBOs) driven by their boards. As such, those CIOs are pushing cloud-first initiatives for most new infrastructure projects and developing strategies to reduce overall power consumption and the environmental impact of their data centers by significant levels. From a pure IT perspective, the best way to reduce power usage is to reduce the physical footprint, resulting in more and more legacy infrastructure being moved to one of the leading cloud providers. (Note: For the purpose of this article, let’s leave the shifting of the impact from one place (the data center) to another (the cloud) for another time.)
From a security perspective, being in lockstep with the CIO and being able to support and drive cloud-first efforts is a critical success factor in today’s ESG world.
Unfortunately, cloud ownership and controls have gotten away from most security teams. Whether it is because they turned a blind eye to its occurrence or far more the case, they have treated it like just another piece of infrastructure, many enterprise security teams find themselves behind the curve when it comes to cloud oversight. Make no mistake – your development teams are actively using AWS, GCP, Azure, Salesforce, or others, whether you admit to it or not.
Security teams must be able to proactively engage and support the move to the cloud, which has significantly different risk profiles than our legacy infrastructure environments. Understanding how identity management, data management, and workload protection change in a cloud model is crucial to finding solutions to support the move to cloud services. Proactively having a cloud security solution in place to manage these fundamentally different controls is key to success going forward.
By enabling your CIO to strategically move to the cloud and satisfy their ESG goals, you not only support the direction of the security program but do so in a way that supports strategic corporate initiatives.
Regarding social responsibility, security teams are again faced with a ‘what’s that have to do with us?‘ question. The truth is, many of us feel that being part of this profession has a ‘higher calling’ aspect to it, and how better to have an impact on others’ lives than to contribute to society and the social responsibility of our companies?
Diversity, Equity, and Inclusion
When it comes to the intersection of social responsibility and security, Diversity is probably top of mind for most executives. I’ve written repeatedly about the benefits of a diverse team, as well as being a focal point for addressing the significant talent gap we continue to face, so tying your diversity program to the corporate ESG program makes a lot of sense.
If you look at many ESG programs, diversity, inclusion, and compensation equity efforts have been leading initiatives for many HR teams. Developing hiring practices within your security team which aligns with your HR’s diversity program reflects your willingness to support corporate initiatives while simultaneously aligning with the higher calling we all strive for.
As a security executive, you have a unique opportunity to not only align with corporate directives, but also address one of the most significant challenges faced by the industry, so why not step up and be an active participant in the enterprise DEI program?
Privacy is an interesting conundrum for security executives. Without an adequate security program, an enterprise simply can not ensure the privacy of their customer (or patient) data, yet, many organizations look at privacy as a legal issue to be negotiated, rather than managed.
With the release of the NIST Privacy Framework, as well as the inclusion of privacy requirements in the latest NIST Cybersecurity Framework, security teams are becoming more focused on the intersection of security and privacy than ever before.
While the vast majority of security incidents have a direct impact on revenue (due to outages, recovery costs, ransom payments, etc), experiencing a privacy breach (versus a security incident) causes wide-ranging damage to the trustworthiness of your brands and how your company is viewed by the public for the long term. Considering that a recent study showed that 46% of shoppers willingly pay more for brands they trust is a key indicator of how consumers expect companies to manage their private data appropriately.
Positioning the security program as an enabler for privacy initiatives goes a long way in supporting the socioeconomic position of an organization and is in direct alignment with most ESG activities.
While it’s often easy to get wrapped up in national or global movements, don’t overlook your own backyard when it comes to being socially active. Consider developing an internship program with your local community college, or help your local high school start a coding or robotics club. A large part of the ‘social’ in ESG is the hours employees volunteer for non-profit causes, so any effort the security teams put towards assisting local STEM programs counts towards the corporate ESG goals. Additionally, programs like mentoring, hack-a-thons and other various activities focused on education are not only beneficial for the company but are incredibly fulfilling for your employees.
In light of the recent FTX debacle, Corporate Governance has not been under a spotlight like this since the days of the Enron meltdown. However, when it comes to ESG, corporate governance is looked at through a different lens than just ensuring sound financial practices.
Let’s consider the Colonial Pipeline cyberattack for a moment. Colonial spent millions on ransomware payments and recovery, but the downstream effects of long gas lines and an increase in gas prices made news around the world. And, while the frozen Texas power grid or the raging fires in southern California were not cyber-related, it’s easy to see what kind of impact a cyber breach in key locations of critical infrastructure could cause. It’s not hard to imagine the devastation that could be caused. Welcome to the intersection of governance and social responsibility.
The reality is that cybersecurity is rapidly becoming a key element of boardroom discussions specifically within the ESG conversation. Regulators are continually increasing pressure on companies to elevate the security discussion to a board level. In fact, more than half of all corporate directors interviewed by PwC last year stated that ESG is a standing agenda item at their meetings.
While most enterprises do not deal directly with critical infrastructure such as Colonial does, I would venture to guess that the vast majority of those reading this have SOX, GDPR, GLBA, HIPAA, or PCI requirements they deal with regularly. The convergence of legacy governance controls and new ESG expectations will undoubtedly continue over the next few years, resulting in a vastly different governance landscape than we have today.
Call To Action
Security executives have a unique opportunity to move their program forward by aligning with the corporate ESG direction. Invest time in understanding the drivers behind the ESG goals, and who is responsible for which activities. As a corporate leader, you need to find ways to facilitate the company’s ESG direction rather than ignoring it – or worse – standing in its way.
Copyright © 2002-2023 John Masserini. All rights reserved.