With new reporting requirements looming, information security leaders’ expertise positions them as key collaborators in improving their companies’ environmental, social, and governance (ESG) posture.
The fundamental principle behind ESG is that transparency is required to understand whether business partners are ethical and making a positive impact in the world, but ESG has become something of a catch-all term for the qualities that companies want to see in their business partners.
Security underpins key aspects of ESG. Companies want to do business with organizations that are either advancing the cause of security and privacy or are at least not doing harm. How transparent companies are before, during, and after a breach tells you a lot about their corporate character. A data breach may be called a privacy responsibility or a security responsibility, but, at the end of the day, it’s a social responsibility.
Security Incidents
There are two common information security practices that can help organizations rise to meet the challenges of ESG transparency.
The first is the sharing of information regarding security incidents.
When a breach occurs, ethical companies do more than just comply with regulations that require notification to affected individuals. They publicly share details about what happened, how they were able to recover, and the corrective measures they put in place. Companies going above and beyond publish relevant TTPs (tactics, techniques, and procedures) or IoCs (indicators of compromise) to help protect other organizations from falling victim to the same threats or threat actors.
An example of exemplary behavior in this space was the SolarWinds and FireEye incident. When FireEye (now known as Trellix) was breached, the organization shared information publicly. This enabled thousands of potential victims to identify threat indicators and respond in their own environments.
Vulnerability Disclosures
The second information security practice that can benefit ESG efforts relates to vulnerability disclosures. Organizations need to know if their business partners have been affected by zero-day vulnerabilities such as Log4j. A partner that proactively alerts the organizations it does business with that such a flaw exists in its systems, and then commits to addressing it, gets a high ESG grade. Partners that don’t respond to requests for information about a vulnerability or that say such information is proprietary should be avoided.
There is a tremendous opportunity for security leaders to highlight how the valuable work they’re doing also improves their organizations’ ESG profiles, and to help their teams understand and evaluate how well their business partners are doing along those same lines.
Consider developing baseline requirements or even a custom metric. Ask yourself and your business partners: What is your average time between identification and disclosure of incidents or breaches? How many disclosures have you made in a given timeframe?
Data points such as time to disclose and time to remediate can be rolled up into a kind of security-related “ESG credit score” to provide visibility. Once you’ve done this for your security requirements, it can be easily replicated across the other ESG domains.
A connected platform can be used to operationalize the assessment and monitoring of your supply chain ESG health. After you understand and can measure what’s most important in your business relationships, you can help identify where there is room for improvement and help steer your company toward more ethical partnerships.
Environmental, sustainability, social, and governance issues are among the most visible and popular ways to evaluate business ethics today — and it’s not hard to imagine that the scope of what people care about will expand to other areas. Take this opportunity to coach business leaders on the importance of creating a culture of transparency and model what good governance looks like around identifying, drafting, reviewing, and approving disclosure material. Consider these and additional ways you and your team can add value to their organizations as ESG continues to gain momentum.