At first glance, cybersecurity and environmental, social and governance (ESG) initiatives seem a bit distant from one another. Several sources (e.g., KPMG and ISACA) have published on their linkages, yet cybersecurity remains tied much more closely to the governance aspect of ESG than to the environmental and social aspects. But cybersecurity is a function of trust, not just of risk, and trust requires a longer-term view, not a shorter-term one.
Jack Freund points out in his ISACA Journal article “Cyber ESG Synergy: Protecting the 4th Industrial Revolution” the extent to which cybersecurity is linked to broader ESG concerns. While Jack takes the view that the governance aspect of the ESG triad is the one most related to cybersecurity, I would like to offer a different one – I argue that thinking about the social elements of cybersecurity can produce far better ecosystem outcomes than a primarily governance-driven approach.
Can Risk Management Frameworks Address Trust?
Risk management frameworks typically struggle with questions such as, “Would our customers believe our infrastructure is safe?” Customer trust is often taken as a given rather than treated as a risk, and that blind spot results in a market failure.
It is indeed not a top priority for an enterprise to consider the social elements of cyber risk. But the financial sector offers an important counter-example in the PCI DSS standard, which suggests that a longer-term view of cyber risk, framed in the context of trust, is highly beneficial to a sector as a whole.
Cybersecurity as a Social Good
Cybersecurity falls under the classic definition of a “social good.” In short, social goods are goods that benefit broad groups of people in many ways. Given that almost every system today is built on some sort of digital system, almost every system requires cybersecurity controls to ensure we can continue building a future we can all trust.
Academics agree. In the article “Is Cybersecurity a Social Responsibility,” the authors argue that a lack of cybersecurity reflects a breach of stakeholder trust in areas such as data privacy and security. To that effect, enterprises maintain cyber defenses as a means of preserving this trust, which can be embodied in corporate social responsibility (CSR) objectives. For example, Singpost, Singapore’s postal service, spells out cyber risk, data privacy and technology risk as key tenets of its CSR mandate.
However, our existing frameworks offer no meaningful way to incorporate social risk today. Moreover, even if enterprises wanted to fulfil CSR objectives in this area, they might not know how.
The Social Dynamics of ‘Fear’ and ‘Hope’
Perhaps one of our failings as a cybersecurity community is to over-emphasize the governance angle. The usual narrative goes like this:
“If your firm does not comply with X, a fine of up to $Y will be imposed on your firm.”
This is a fear-based statement, and the cybersecurity industry responds in kind with fear-based marketing campaigns.
But we have established that the foundational underpinning of cybersecurity is trust. Trust takes time to build; it is not a short-term objective.
Fear-based marketing works for short-term objectives, and compliance is one such example. Building social goodwill, however, is not a short-term endeavor. It requires a different type of marketing strategy: hope-based.
And the “social” element of the ESG triad offers opportunities to sell hope.
Stakeholders Step Up
The social aspects of cybersecurity have certainly been noticed by those who look carefully.
One example is the rise of non-profit stakeholders such as MITRE and sector-based information sharing and analysis centers (ISACs) to reinforce specific domains of cybersecurity. MITRE has produced frameworks and knowledge bases used today, such as MITRE ATT&CK and CAPEC, which underpin threat modeling practice and a plethora of red and blue team functions. ISACs, meanwhile, have been instrumental in bringing member organizations together to share cyber intelligence even when those members are commercial rivals.
Governance alone created no such need to share information; these bodies exist because their members recognize a shared stake in the ecosystem.
Let’s View Cybersecurity from a Social Lens
The communication surrounding the key issues in cybersecurity has long been focused on governance. A governance framework that informs the enterprise of its risk and compliance activities is indeed a key means of fulfilling cybersecurity objectives. But cybersecurity is more foundational than governance. Cybersecurity in a digital world is the means by which we establish trust, and trust is what keeps societies together.
We can all clearly do better in the cybersecurity domain by viewing cybersecurity through a social lens – as something every member of society cares about, even when that is not obvious to them.