Information Security & Cybersecurity are environmental, social and governance issues. Here's why!
Information Security breaches and cyber-attacks present a huge risk to the stability and value of companies. A standard framework for measuring risk would help organizations to manage it.
In recent months there has been an increasing number of cyber-attacks on critical infrastructure, financial networks, healthcare, and other networked systems. Information and cybersecurity risks are the most immediate and financially material sustainability risks that organizations face today. Those that fail to implement good governance, using appropriate tools and metrics, will be less resilient and less sustainable. This in turn has an impact on the other organizations they rely on, and ultimately on the stability of companies, communities, and governments.
Here are three reasons why information security and cyber risk need to be included in a sustainable strategy:
- It presents a threat to value: Intangible value – the value of assets that are not physical in nature – now represents 90% of the asset value in organizations, having more than tripled in the Standard and Poor’s 500 index (S&P 500) during the past 35 years. During the COVID-19 pandemic, organizations accelerated the shift to digitize their assets. Perhaps the most critical intangible asset in determining the value of a company today is data – be it personal data, financial information, security data or behavioral data. As companies grow, their intangible value grows too, which increases the potential impact of a cybersecurity breach. In this context, it is not surprising that cybercrime for economic profit is projected to increase. To manage their cybersecurity, companies need to shift their thinking. Rather than trying to protect every single computer or system from attack, they need to focus on protecting the critical assets – the ones without which the organization can't operate – so that, in the event of a breach, value is not lost, or the loss is minimized.
- It presents a threat to society: In the spirit of customer convenience, organizations across industries have rapidly adopted digital transactions. These are near-ubiquitous across government services, financial and insurance services, healthcare, and utilities, as well as consumer goods. This creates increased cybersecurity risks. In 2021, records were broken for identity theft, up 23% over the previous all-time high. Data breaches can have a huge impact on people. Hackers have increasingly targeted healthcare data and institutions, with an impact on the quality of care for the community as a whole. A disruption to the utility industry, such as the attack on Colonial Pipeline in the United States, can also lead to temporary income loss, further affecting the community.
- Insurance can't mitigate the risk indefinitely: Instead of implementing governance around information security and cybersecurity, organizations have heavily relied on insurance to manage the risk. But as courts rule in favor of policyholders, insurers will continue to narrow the scope of the cyber policy coverage, limiting the extent to which organizations can rely on it to mitigate the risk. In any case, an insurance claim can severely impact an organization’s ability to be insured; insurance alone is not a substitute for good governance. As demand for cyber insurance increases, there is a growing gap in coverage. This makes understanding and managing the risk more important than ever, especially as regulatory fines alone can bankrupt an organization.
A standard framework for measuring cyber risk would help organizations and regulators to understand it and manage it as part of their sustainable strategy. Companies including Apple, Amazon, Microsoft, and Netflix have a greater reach in numbers of engaged customers and yearly revenue than whole countries like Canada, Brazil, and Spain. Government regulations alone cannot realistically manage all companies, due to the complexity of continuously evolving new business models and the growing size of many technology companies. A standardized framework for analysis could set a precedent for effective governance.
There must now be a different approach to cybersecurity. Our current approach is unsustainable — Ken Xie, Founder, Chairman of the Board and Chief Executive Officer, Fortinet
What's the challenge?
The critical technology transformations on which future prosperity relies – ubiquitous connectivity, artificial intelligence, quantum computing and next-generation approaches to identity and access management – will not just be incremental challenges for the security community. Unless action is taken now, by 2025 next-generation technology, on which the world will increasingly rely, has the potential to overwhelm the defenses of the global security community. Next-generation technologies have the potential to generate new cybersecurity risks for the world, and at this stage, their full impact is not well understood. There is an urgent need for collective action, policy intervention and improved accountability for government and business. Without these interventions, it will be difficult to maintain integrity and trust in the emerging technology on which future global growth depends.
It is necessary to identify what approaches are required to manage cybersecurity risks in the face of the major technology trends taking place soon:
- Skills gap: There is already a global capacity shortage in cybersecurity (specialists and throughout the wider workforce) and as new technologies emerge, the skills gap in delivering cybersecurity will widen.
- Fragmented approaches: Emerging technologies are driving an increasing interdependence and entanglement between policy and technology at a time when the global governance of cyberspace is weak.
- New approaches: Existing operational-security capabilities and technologies will not be fit for purpose, so mitigating threats and responding to incidents individually and collaboratively will require new approaches.
- Underinvestment: Security is not being considered as an integral component of technology innovations and as such, proper investment is not being made into support (knowledge, guidance, research investment) and incentives (market forces, regulation) for developing emerging technologies securely.
- Ambiguous accountability: Shared dependence widens the pool of actors affected by the resilience of a part of the ecosystem, but can also create ambiguity in the accountability for ensuring this resilience.
Security must be more proactive and future-proof if we are to out-innovate the attackers — Nikesh Arora, Chief Executive Officer and Chairman, Palo Alto Networks, USA
A new approach to dealing with information security & cybersecurity risks is needed. The security and technology community, industry, business, government leadership and the international community must intervene to ensure that security issues are addressed in such a way that the benefits of emerging technology are inclusive.
Do you have an Information Security & Cybersecurity Framework?
Does your Security Framework protect your Customer & Employee Experience, leverage your Leadership & Strategy, and accelerate execution with Innovation & Agility?
Is your company ISO 27001 certified?
Are you interested in protecting the information of your company, customers, and personnel?
We are here to help!
- Written by: Innovation Team
- Posted on: September 13, 2022