Aligning security strategy with ESG objectives: The next big issue for CISOs

Matthew Miller, a principal in Cyber Services at KPMG, had a first-of-its-kind request from a client CISO this past year:

The CISO wanted advice on responding to a board member’s question about his views on ESG and whether he was focused on it.

It was a first for the CISO as well, Miller says.

Miller says he soon realized that this CISO was one of a small, but growing, number of security leaders becoming involved in their organization’s ESG work.

“It’s early, but that conversation has started to evolve and it’s not going away,” Miller says.

ESG refers to a company’s policies and actions around environmental, social, and governance issues. Interest in ESG was once limited to investors deciding where to put their money. In those earlier days of interest in ESG, investors generally viewed ESG through an evaluation lens, studying a company’s work in those individual areas to determine whether they could help or hinder its potential future earnings.

But interest in ESG has expanded over the years. Yes, investors continue to consider how a company’s actions around environmental, social, and governance issues impact earnings. However, some now also evaluate an organization’s ESG policies to determine if they align with the investors’ own stated principles in the space. Some companies, too, now evaluate other companies—such as business partners and suppliers as well as acquisition targets—based on ESG metrics.

Interest in ESG has even spilled over into the general population. Consumers themselves increasingly look at organizational ESG policies when deciding where to spend their money, and employees are thinking about this when deciding where to work.

By the numbers

Statistics confirm the high level of attention from the various stakeholders.

According to the 2021 Global Investor ESG Survey from professional services firm PwC, 79% of investors polled considered the way a company manages ESG risks and opportunities an important factor in their investment decision-making.

Meanwhile, PwC’s 2021 Consumer Intelligence Series survey on ESG found that 83% of consumers say companies should be actively shaping ESG best practices and 86% of employees prefer to work for companies that care about the same issues they do.

All this has implications for the chief information security officer, as Miller can attest: As a result of the increasing interest in ESG, CISOs will see their role expand even further. They’ll need to shape their security and risk strategies to align with the organization’s governance objectives. They’ll have to articulate for stakeholders how their strategies support those ESG objectives. And they’ll have to help their organizations evaluate governance of other companies’ ESG stances when required.

“Governance, and cybersecurity, are big topics in the board room,” says Shane Goodwin, associate dean for Executive Education and Graduate Programs and a professor of practice in the Department of Finance at Southern Methodist University’s Cox School of Business.

Progression of the CISO role

The addition of ESG responsibilities to the CISO role is part of the ongoing evolution of the position itself, according to Goodwin, executive advisors, and enterprise security experts.

Boards and executives alike have been including security chiefs in more of the enterprise risk strategy conversations than they have in the past; this correlates to the ongoing shift from cybersecurity as a back-office function to cybersecurity as a strategic enabler.

“This is just another iteration of what the CISO role is, and another thing to add to our list,” says Brennan P. Baybeck, vice president and CISO of Customer Services at Oracle Corp. and a board member with the governance association ISACA.

For example, Baybeck says in a prior CISO post he assessed the governance programs at companies targeted for acquisition.

Such responsibilities reflect the significance of cybersecurity today, the importance of the CISO, and the expanding number of stakeholders who care about security, data privacy, regulatory compliance, and other related issues.

“The conversations around governance and ESG are happening with CISOs because no one wants to invest in a company that’s going to have a major breach or incident. And you don’t want a [corporate] partner who isn’t as buttoned up as they should be,” says Ahmed Jamil, leader of the CISO practice at Russell Reynolds Associates. “And even though some of these conversations that are happening are not under the auspices of ESG, the same types of questions are being asked of CISOs.”

Jamil sees the CISO’s primary role in ESG articulating for the C-suite and the board the company’s own cybersecurity posture, the strategy for improvement, and its resiliency capabilities as well as how all of that is managed and how it aligns with the other rules, policies and controls within corporate governance.

“CISOs are being asked to show that they have mature procedures in place to manage cyber incidents as well as reputational risks for them, customers, and partners. That’s not new, but it’s coming to the forefront with this interest in ESG,” Miller says.

He continues: “CISOs have built up in the past 20 years a capacity to understand risk, report on risk, to create transparency and talk about risks with the board. Where ESG comes in is with consumers and investors who are thinking about transparency around risk. That’s where there’s an opportunity for CISOs to start that dialogue on trust.”

Building customer trust

Miller offers a hypothetical example:

A CISO at a retailer is well-positioned to be the one to implement and then highlight how security systems can guard against fraudulent credit card, while eliminating the number of unnecessary transaction declines and simultaneously building trust with customers.

That CISO could deliver systems that, when a customer’s card is flagged for possible fraud at point-of-sale, would text the credit card’s owner and ask to confirm the sale.

If the owner is actually the customer, then the customer avoids the frustration of a declined sale, gets what he or she wants and feels well protected by the store—all at the same time.

If the card’s owner isn’t the customer, the owner will see that the store is safeguarding him or her.

That one example shows how today’s CISO is expected to work on the various facets that fall into governance—fraud detection, data privacy, business enablement, customer engagement, and trust. The CISO is expected not only to deliver the technical capabilities but to understand and articulate the risks of falling short and how all the pieces meet stakeholder expectations.

However, many CISOs are not there yet.

The CISOs who are involved in their organization’s ESG requirements are those with mature security practices, according to Miller and other experts.

These are CISOs already presenting information to their boards and showing how their security practices fit with governance so that those board members can then share that insight with investors and other interested stakeholders.

As Shane notes: “Companies with good governance will make sure the CISO has direct access to the board without the CEO or CIO acting as a filter.”

Defining new standards

Many expect ESG requirements to increase in coming years, with CISOs taking on more responsibilities in this area.

“I think we’ll eventually see rules and regulations that force CISOs and cyber and risk people to have a sustainable method for really understanding ESG as it relates to cyber,” Miller adds.

In its 2021 report, Cyber security: Don’t report on ESG without it, KPMG says mandates for ESG reporting “are intensifying across industries” and that there is a growing demand for transparency and trust on how companies manage, use, and protect people’s data.

Additionally, the KPMG report notes that corporate cyber, compliance, and risk policies also interact with the social and environmental aspects of ESG—a fact that further elevates the need for the CISO to be involved in ESG activities.

Indeed, Goodwin expects such ESG tasks—for companies as well as for the CISO—to increase in frequency and prominence. “This is not episodic. This is a paradigm shift,” says Goodwin, who also serves as a board leadership fellow at the National Association of Corporate Directors and leader of The Applied Corporate Governance Institute at The Center for Global Enterprise, a nonprofit, nonpartisan research institution.

Still, he and others say companies and their CISOs are on the early side of this shift. So while all CISOs are, of course, in charge of security, only a minority are working with their boards and others in the C-suite specifically on ESG tasks.

That makes them seem like the exceptions; in reality, however, they’re actually pace-setters.

“I don’t think they’re outliers, they’re leading edge,” Baybeck says, noting that “it’s the more progressive CISOs who are actively involved in identifying risks and in the enterprise-risk management programs. They’re the ones who will help define what it’s going to look like.  These CISOs help define new standards.”