Cybersecurity is about more aspects of ESG than just governance

Security operations teams must increasingly do their bit to help their employers achieve environmental targets, which may require some system and strategic changes.

For several years now, annual sustainability reports by listed Australian companies have provided a window into cybersecurity strategies employed at these companies. But in spite of the report name, there is often no link between security and sustainability in the information presented.

As these reports cover environmental, social and governance (ESG) practices, addressing cyber risks comes under the governance piece. Yet, the security team — through its choices of hardware, software and services — has a contribution to make on the sustainability front as well.

It is commonly acknowledged that IT infrastructure and data centres are large energy users. Teams in these spaces have worked to become more efficient: rightsizing infrastructure provisioning to fit workloads, utilising more renewable energy sources, hosting equipment in data centres that are rated to be efficient with power and water consumption and the like.

That same level of investment and effort is yet to be brought to bear on the work of the security team and their technology stack. One reason for this is likely to be the intense pressure that security teams are under to protect ever-increasing attack surfaces and ward off a constantly evolving spectrum of cyber threats.

But this is likely to change.

Security teams need to be prepared to contribute to more than the governance aspect of ESG — they need to contribute to the environmental goals of the organisation as well.

This is starting to be seen in several initiatives. These include the adoption and implementation of more energy-efficient security systems, together with a greater emphasis on proactive and preventative security.

Energy-efficient systems

As with other types of information technology, it continues to be the case that the efficiency of security systems is improving over time with each iteration or update.

A key performance indicator is the energy consumption per gigabit of data throughput for a piece of equipment. Next-generation security gateways are a security-specific example of hardware that continues to get more efficient with each new generation of the technology.

As a case in point, a recent Check Point ESG report showed that a current-generation security gateway uses 73% less power consumption per throughput (Gbps) compared to the previous model. This reduction comes alongside a 112% improvement in threat prevention capabilities, meaning the newer version is more efficient than its predecessor in multiple contexts, not just in energy usage concerns. And, to be clear, this kind of improvement is seen consistently between versions of systems.

This illustrates that next-generation security technologies can simultaneously enhance protection and energy efficiency. By aligning to this cadence of technology upgrades, organisations can consistently reduce their environmental footprint while maintaining effective security controls.

Proactive detection and remediation

Another beneficial strategy when seeking to run security operations more efficiently is to focus more on preventative and proactive forms of security.

The logic here is that reactively dealing with security incidents is an intensive exercise. It is taxing on the individuals that have to perform this work, but also in financial terms. We know that the financial implications of a breach continue to increase over time. One aspect of financial implication is the energy-intensive processes such as restoring backups, along with rebooting, restoring and/or rebuilding entire systems.

Clearly, energy efficiency is not the primary goal of incident response. But from a broader ESG perspective, there is interest in organisations having strong cyber risk and security controls together with layered protections in place to mitigate against the risk of an attack, and/or to detect and isolate any infected infrastructure early on, such that any financial, productivity and bottom-line costs can be avoided. As energy is a considerable financial input to IT costs, it makes sense not to add to these costs due to a cyber incident taking place.

Preventative measures are also required because some existing and emerging types of attacks can run up big energy bills if they go undetected. Cryptomining malware, for example, remains a persistent threat despite its peak in 2018 when it affected 40% of analysed organisations. Even recently, malware such as XMRig has been detected targeting gaming engines. The collective energy consumption of cryptomining is estimated at a staggering 125 terawatt-hours annually — highlighting the need to quickly detect this kind of malicious payload before it can be used to run up a big bill.

Data poisoning in AI systems represents another emerging concern. These attacks compromise machine learning models, often requiring complete retraining to remediate — an extremely energy-intensive process. As organisations increasingly rely on AI-powered tools for decision-making, protecting these systems also means avoiding redundant and costly training cycles that consume substantial computational resources.

The combined benefit

Cybersecurity is more than a governance play — it also has a growing role in helping meet the environmental aspects of an organisation’s ESG strategy. By considering the energy implications of security operations, maintaining infrastructure that is both secure and sustainable, and prioritising a proactive security approach, organisations can protect both their business interests and environmental resources.

Les Williamson, Regional Director Australia and New Zealand, Check Point Software Technologies

Top image credit: iStock.com/Vertigo3d