Exploring ESG through a GRC lens

Three-letter acronyms often become buzzwords. At other times they act as catalysts, reshaping the business environment in which an organization operates. Among them are CSR (corporate social responsibility), GRC (governance, risk and compliance) and, most recently, ESG (environmental, social and governance). These are important business concepts that guide an organization’s cybersecurity investment decisions and its commitments to customers. The common thread between CSR, GRC and ESG is the role of governance in driving an organization’s vision, mission and operations: governance provides the structure for better decision-making and for directing resources toward stated goals.

Understanding ESG

Although ESG has gained ground over the past two years and become a major investment consideration, it evolved from a 2004 initiative by the United Nations, in cooperation with the International Finance Corporation (IFC) and the Swiss government, to integrate environmental and social factors into corporate governance. The central idea of ESG as an investment framework is that organizations which incorporate environmental and social policies into their business decisions and processes are better positioned for sustainable and favorable market outcomes. It is now common for investors to assess environmental, social and governance risks and opportunities when selecting their investment portfolios.

The ESG framework is based on three main pillars: environmental, social and governance.

Environmental: This pillar directs organizations to consider the effect of their products, services and actions on the environment and encourages policies and processes that reduce negative impacts.

Social: This pillar focuses on an organization’s social accountability to internal and external stakeholders, particularly its stance on social issues such as diversity, equity and inclusion, racial and gender justice, community engagement and data protection.

Governance: This pillar is the foundation of the ESG framework. It covers the systems, policies and processes an organization uses to govern operations, shape corporate culture, identify and address risks, and align with compliance and regulatory requirements. Investing in cybersecurity controls, for example, is a governance action that ensures the organization adequately protects customer data.

ESG as a risk indicator

ESG is an approach to understanding the internal and external factors that could threaten an organization’s ability to remain operational and sustainable. One of its fundamental objectives is to identify these factors, assess the risks they pose and implement controls that mitigate their impact on the business.

During a conversation with a CRM vendor, I inquired about their business continuity and disaster recovery capabilities. I wanted to know whether the provider could quickly restore operations if a tornado or hurricane struck one of its locations. This is not only an environmental concern; it has a direct cybersecurity implication. In a ransomware incident, for example, if the backup site is also unavailable because of a hurricane or tornado, the company’s recovery from the outage could be delayed well beyond its recovery time objective.

Before cloud infrastructure became widespread, it was good practice to locate a cold, warm or hot site well away from the primary business site. A principal reason was to minimize the chance that both sites would be exposed to the same geographic hazards, particularly severe weather. With workloads now hosted by third parties, it is even more important to understand how cloud services and web application providers protect against environmental events such as tornadoes and hurricanes, for instance whether their regions and availability zones are far enough apart to avoid a shared weather event. Reliance on vendor applications puts customers at risk if adequate contingency capabilities, including data centers designed to withstand environmental disruption, are not in place.

Importance of governance

From constructing a facility that can withstand structural damage from severe weather to establishing a socially responsible, cybersecurity-centric culture, governance is key. As ransomware and other cyber threats continue to grow, cybersecurity has become a governance responsibility, and governance plays a greater role than ever in protecting against cyber threats and other business risks. Decision makers must consider the environmental, social and governance challenges that could impair their ability to achieve mission-critical objectives and remain profitable in a fiercely competitive and saturated marketplace.

Cybersecurity is an integral part of a successful ESG implementation

Cybersecurity is an integral part of all three ESG pillars and plays an important role in an organization’s successful adoption of ESG. The relationship between cybersecurity and the environmental pillar goes beyond building environmentally sustainable facilities and ensuring that alternate sites are not exposed to environmental disruption. With the proliferation of smart buildings and the Internet of Things (IoT), the integration of information systems with physical structures creates opportunities for threat actors to disrupt critical infrastructure or to conscript IoT devices into botnets that amplify Distributed Denial of Service (DDoS) attacks.

Much like IoT weaponization, unauthorized control of critical infrastructure components could lead to large-scale disruption and destruction. Such an attack is not hypothetical; it is entirely possible when cybersecurity controls are not properly implemented. In 2021, a water treatment facility in Florida was compromised through outdated software and a weak, shared remote-access password, and the intruder attempted to change the level of a treatment chemical. Timely detection and containment prevented potentially catastrophic results.

Social considerations are becoming a regular part of the cybersecurity conversation. Alongside the importance of a diverse cybersecurity workforce, there has been a rise in socially motivated hacktivism. Disinformation and phishing campaigns exploit social media platforms, making such attacks harder for cybersecurity professionals to prevent. Successful ransomware attacks against critical infrastructure have a direct impact on society: from the increase in meat prices after an attack on a major meat supplier, to the disruption of a major US fuel distributor that created an artificial shortage and upended daily life, the social and psychological effects of cyber threats have become critical to an organization’s sustainability. Companies that fail to protect their customers’ data not only face compliance fines; they also lose existing customers and new opportunities. More than ever, customer trust is closely tied to adequate protection of customer data.

The social implications of cybersecurity have given rise to a new field of scientific inquiry known as social cybersecurity. Social cybersecurity is an emerging discipline that explores the relationship between cyber-mediated environments and human behavior, socio-cultural structures and political systems. Its focus areas are “Social Media and Cyber Attacks, Cyber Team Training and Threat Prediction”.

An organization’s commitment to cybersecurity is reflected in its governance and business operations. Appropriate funding, together with an established culture of compliance and cybersecurity, is tangible evidence that the organization is committed to the ESG framework.

GRC helps organizations achieve ESG

ESG is an emerging framework, and implementing it can be challenging. Organizations with an existing GRC process, however, can adapt quickly and benefit from implementing ESG controls. According to the OCEG, GRC is “the integrated set of capabilities that enable an organization to reliably achieve its objectives, manage uncertainty, and act with integrity.”

A well-established GRC program includes a risk management process that identifies the environmental, social and compliance risks that could negatively impact the organization. Effectively mitigating ESG risks requires appropriate controls. For example, environmental risks to critical infrastructure can be managed with well-designed, resilient industrial control systems. Social cybersecurity risks can lead to severe business disruption; a robust cybersecurity program therefore strengthens both preventive and reactive controls.

Demonstrating compliance is integral to both ESG and GRC. Failure to meet sustainability regulations or expectations can have financial, economic and social repercussions. Organizations should implement a compliance program that reassures internal and external stakeholders that the company can be trusted.

ESG is here to stay, and its influence will continue to grow. Beyond the buzzword, organizations that adopt the framework will reap the benefits of a successful implementation. They need not wait to grasp the full scope of the framework; they can leverage their current GRC process to align with their ESG objectives and achieve both sustainability and profitability.


About the Author: Funso Richard is an information security manager at a healthcare company and a GRC thought leader. He writes on business risk, cybersecurity strategy and governance.

Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.
