A Cyber Sustainability Pledge

When I am not running our cybersecurity practice, I volunteer to lead a major plank in our organization’s sustainability / corporate social responsibility program.

I work on influencing the credit union industry – other institutions, suppliers and regulators – to become THE sustainability leaders in the financial services sector. (If your business is interested in learning more about corporate sustainability, visit the UN Global Compact: https://www.unglobalcompact.org/what-is-gc)

Being uncomfortably transparent plays a major role in achieving our goals – which means executive management publicly committing to sustainability, setting environmental, social and governance (ESG) goals and regularly reporting on our progress toward those goals (e.g., impact reports, etc.).

We have long known that effective cybersecurity starts at the top – but while senior leaders seek to avoid the negative outcomes of a breach – does that top-level commitment permeate the organization?  How can we make sure cybersecurity is reflected in all day-to-day decision making?

In the ESG space we know that public commitments are an important step for organizations who truly seek to adopt and integrate sustainability into their operations.  After setting highly visible goals and targets – organizations can’t easily back down in the face of headwinds – and sustainability starts influencing decisions throughout the organization.

While this is admirable in its own right – sustainability is ultimately about long-term performance and risk reduction.  Notably, these are the same goals of most cybersecurity strategies.

It is cliché to say that hygiene is the root of cybersecurity – but it is really about setting cybersecurity citizenship as an organizational value first.

Data privacy legislation has forced organizations to reconsider their handling of personal information – but we owe each other more than just safeguarding data.  We can’t “pollute the internet” by leaving systems unpatched, not always requiring MFA or by paying extortions and ransoms. We are all negatively impacted if adversaries can leverage any compromised system or hijacked identity to target their next victims.

To avoid these shared risks, it is critical to authentically embed cybersecurity into our organization’s decision-making processes at every level.

To help achieve that end – and modeled on the sustainability movement – we could ask organizations to publicly adopt a Cyber Sustainability Pledge – something like:

We commit to:

• making the protection of data and systems from unauthorized access or misuse THE primary priority in our digital or technology strategies

• ensuring all business decisions consider cybersecurity and privacy controls as non-negotiable requirements to be validated before release or implementation

• making no exceptions in applying standard cybersecurity controls to all staff members or agents of the organization, regardless of role or function – including senior executive leadership

• taking full ownership, being transparent and not seeking to minimize a cybersecurity breach at the expense of impacted stakeholders

• not paying ransoms or cyber extortion demands, or otherwise incentivizing criminal activity, in an attempt to avoid negative business impacts (where life or public safety is not at risk)

• maintaining systems hygiene throughout the organization as a priority in business and funding plans

• not abandoning publicly accessible systems or digital artifacts – whether sold or operated – in an unmaintained state, without either decommissioning them or providing consumers a reasonable take-back or upgrade path

In our natural environment, from the industrial revolution to nearly the current day – the impacts of irresponsible corporate activity were not fully considered until a crisis point was reached.

Historically poor cybersecurity citizenship has caused negative impacts of its own – both financial and in a fundamental loss of trust in organizations as good stewards of digital assets. And like the natural world – these negative impacts do not respect our artificial borders (i.e., our gateways, firewalls, brands, etc.).

To this day, we are paying the price for an Internet littered with unpatched devices and unprotected systems and data. Only through an intentional and shared commitment now will the Internet remain a trusted, usable and safe resource – a sustainable resource – into the future.