Cyber security | 21 January 2025

ESG+C: Connecting Sustainability and Cybersecurity Resilience

Published by Stephanie Calder

ESG+C integrates cybersecurity into sustainability practices, ensuring business resilience, transparency, and trust in today’s digital world.

ESG+C: Bridging the Gap Between Sustainable Practices and Cybersecurity Resilience

The current emphasis on ESG (Environmental, Social, and Governance) standards reflects a growing recognition of the importance of sustainable and ethical business practices. ESG+C builds on this foundation by incorporating cybersecurity resilience, acknowledging its critical role in safeguarding digital assets, ensuring trust, and maintaining operational stability in today’s interconnected world. This evolution towards comprehensive and responsible management practices deserves recognition.

However, amidst discussions of ESG, there is an often overlooked but critical aspect: cybersecurity visibility. In today's digital age, where businesses and societies are increasingly reliant on interconnected systems and data, cybersecurity plays a critical role in safeguarding assets, ensuring trust, and maintaining operational resilience.

Cybersecurity visibility refers to the ability of organisations to understand and monitor their digital environments comprehensively. This includes identifying potential vulnerabilities, monitoring for threats, and promptly responding to incidents if and when they arise. Just as environmental and social impacts are monitored and reported under ESG guidelines, cybersecurity visibility should be integrated into this framework with equal rigour.

Challenges of Cybersecurity in ESG+C Frameworks

Advocates argue that cybersecurity is not just an IT issue but a fundamental aspect of corporate responsibility and risk management. By including cybersecurity under the ESG umbrella, companies would be encouraged to prioritise investments in robust cybersecurity measures, disclose their cybersecurity practices, and be held accountable for breaches or failures. For instance, companies could report on their cybersecurity measures in their annual ESG reports, similar to how they report on their environmental and social impacts. They could also set specific cybersecurity targets and disclose their progress towards these targets, aligning their cybersecurity goals with their broader corporate sustainability objectives.

Currently, cybersecurity is often addressed through separate regulations like NIS2, which can be complex and misunderstood outside of IT and cybersecurity departments. Integrating cybersecurity into ESG would streamline reporting requirements and align cybersecurity goals with broader corporate sustainability objectives. Moreover, as cyber threats evolve and digital transformation accelerates, stakeholders—from investors to customers—are increasingly scrutinising companies' cybersecurity practices. Including cybersecurity in ESG would promote a culture of proactive risk management, strengthen trust among stakeholders, and improve overall organisational resilience.

Aligning IT and OT Cybersecurity Strategies in ESG+C Frameworks

Such a framework would cover both IT and OT (Operational Technology) domains, but it is crucial to emphasise the importance of addressing cybersecurity from the OT perspective. A recent statistic revealed a troubling disparity: OT cybersecurity accounts for only 5% of the budget compared to 95% allocated to IT. This imbalance is particularly concerning given that OT systems are responsible for generating 100% of the revenue in many industries. The protection of these systems is not just an IT issue but a fundamental component of business continuity and operational integrity.

Operational Technology includes the hardware and software that detect or control physical processes in industries such as manufacturing, energy, and utilities. These systems are integral to the daily operations of industrial facilities and critical infrastructure. Their security is critical because any compromise can lead to severe disruptions, financial losses, or even safety hazards. Unlike IT systems, which typically handle data and administrative functions, OT systems manage the very processes that drive revenue and maintain operational efficiency.

The current focus on cybersecurity often prioritises IT systems, leaving OT systems underfunded and undervalued. This misalignment can result in inadequate protection for systems that are vital to the organisation's core functions. It's essential that OT cybersecurity receives the same level of attention and investment as IT cybersecurity. This includes adopting advanced security measures, conducting regular risk assessments, and ensuring robust incident response plans are in place.

System Engineers and other technical staff who work with OT systems are well aware of the need for proper backups, regular updates, and strong security practices. However, this technical understanding does not always translate into higher-level corporate strategies or budget allocations. Decision-makers and senior executives must recognise the critical nature of OT cybersecurity and integrate it into the broader corporate risk management strategy.

A comprehensive approach to cybersecurity should include both IT and OT environments, ensuring that both are adequately protected and aligned with the company's overall risk management objectives. This means developing a unified strategy that addresses the unique challenges and requirements of OT systems while also integrating them into the organisation's cybersecurity framework. The benefits of this alignment are significant, including improved operational resilience, better protection of critical infrastructure, and a more efficient use of cybersecurity resources.

The importance of this integration cannot be overstated. A coordinated strategy that includes OT cybersecurity will not only enhance the protection of critical infrastructure but also improve overall organisational resilience. By aligning budgetary priorities and strategic planning with the realities of both IT and OT cybersecurity needs, companies can better safeguard their operations, maintain revenue streams, and ultimately secure long-term success.

Embracing ESG+C for a Sustainable Future

The current emphasis on ESG standards highlights a commendable shift towards sustainable and ethical business practices, but it must evolve to address the full spectrum of modern risks, including cybersecurity. Incorporating cybersecurity into the ESG framework—forming what could be termed ESG+C—would acknowledge its role not just as a technical concern but as a cornerstone of corporate governance and operational integrity.

A unified ESG+C approach would bring cybersecurity visibility and accountability to the forefront of corporate strategies, ensuring that both IT and OT environments receive equitable attention and resources. This approach would encourage businesses to invest in robust cybersecurity measures, align their risk management strategies with broader corporate sustainability objectives, and most importantly, promote a culture of proactive risk mitigation, which is crucial in today's rapidly evolving digital landscape.

As cyber threats continue to advance and digital transformation accelerates, integrating cybersecurity into ESG is not just a strategic enhancement but a necessary evolution. It's a step that needs to be taken now to align stakeholders' expectations with the realities of a digitally interconnected world, promoting transparency, trust, and resilience across all aspects of business operations. By adopting ESG+C, companies can better protect their critical assets, support their operational goals, and secure their place in a sustainable future.