ESG and cybersecurity go better together

Article | July 17, 2023

Companies don't normally think cybersecurity is connected to increasing diversity or reducing climate impact. They should.

Executives have heard the message loud and clear: taking environmental, social, and governance (ESG) matters seriously creates value for businesses. That’s why ESG is a top priority for many of their most important stakeholders, including regulators, shareholders, customers, and employees. The pandemic, climate crisis, social upheaval, and geopolitical unrest of the past few years have only underscored its importance.

Most executives polled rank cybersecurity as one of their top concerns, according to a recent survey from ServiceNow and research partner ThoughtLab – even as other issues, such as workforce diversity and the environmental impact of operations, compete for their attention. About half are currently working to improve data privacy and security, and six out of 10 plan to do so in the years to come. Regulatory bodies like the U.S. Securities and Exchange Commission are turning up the heat, mandating that organizations work harder to prevent—and to disclose—cyber events like data breaches.

Companies plan to increase investment in both ESG and cybersecurity, according to research from PwC, which also showed that cybersecurity is a top concern in the boardroom as well as the C-suite. To make real progress while saving time and money, executives should treat cybersecurity as an ESG issue, insists Drexel University adjunct law professor Leeza Garber, who also teaches a course on internet law, privacy, and security at the University of Pennsylvania’s Wharton School.

“There’s a clear relationship between the two,” she says. “Cyber and ESG issues can cause massive disruptions. But they can also be selling points for clients. We need to see a change in how companies handle them, and that’s going to require training, money, and openness.”

When asked if cybersecurity is an ESG issue, few executives say yes, according to Allison Pan, a senior vice president within Marsh McLennan’s Emerging Risks Group. However, that doesn’t mean they don’t treat it as such in practice. Executives might bring up the impact of cyber on equity, skills, and talent—all of which clearly fall under ESG, she says.

For example, more equitable hiring may mitigate the risk of creating software that discriminates against certain populations or communities or is prone to costly errors. Organizations like the World Economic Forum recommend hiring from a wide range of backgrounds to boost an organization’s cyber defenses, and companies are following this advice. “Many [companies] are thinking about cyber as an ESG issue already,” says Pan. “They just don’t know it yet.”

So why the disconnect? A large part of the issue is language, says Pan. ESG has become a catchall that means different things to different people. At the same time, however, some executives think it’s synonymous with environmental sustainability alone, she says. As a result, connecting cyber to ESG feels like an unnecessary leap.

Yet ESG covers a lot more than just sustainability. Many key ESG frameworks—CDP, the Climate Disclosure Standards Board, the Global Reporting Initiative, and the Science Based Targets initiative, to name a few—identify and measure risk factors that don’t appear on a standard balance sheet but nonetheless could impact a company’s core business and market cap.

“How well can you sustain your business in the face of danger? Cybersecurity is core to that,” she says.

Thus, explicitly linking cybersecurity to ESG isn’t a matter of semantics. “Cybersecurity is a crucial part of any ESG strategy,” insists Shaun McAlmont, CEO of cybersecurity training firm NINJIO. Organizations use ESG ratings to make decisions and get resources, he says. Without incorporating cyber into ESG scores, they could be leaving resources on the table that they need to build better cyber strategies.



Evan Ramzipoor is a writer based in California.
