Editor's note: The following, originally published by the NACD, was co-authored by Bill Choi, senior vice president, strategic finance and investor relations at Zscaler.
While the connection between cybersecurity, environmental, social, and governance (ESG) issues, and private companies may not be immediately obvious, they influence one another in significant if sometimes subtle ways. Much like how awareness of carbon emissions and climate change has become mainstream, cybersecurity has risen to the top of the ESG agenda and is often included in how companies are evaluated as business partners, suppliers, and as targets for acquisition.
Cybersecurity risk can be as harmful to a company’s reputation as other ESG risks for companies across all sectors. Regardless of your stance on ESG, the practice of managing risk across a set of priority factors that matter to your stakeholders is here to stay.
Establishing and demonstrating a mature cybersecurity posture helps private companies manage and mitigate risk, an effort that their publicly listed counterparts are now required to report on under the recently released US Securities and Exchange Commission (SEC) cybersecurity regulations. This is especially true following recent, high-profile supply chain attacks enabled by compromised vendors.
As a result, cybersecurity is often included in ESG evaluations and robust, well-documented practices can indicate strong risk management. Furthermore, with the right tools, shoring up your cybersecurity can effectively demonstrate ESG progress.
Cybersecurity impacts extend beyond your own operations
In the same way that geopolitical, macroeconomic, environmental, and governance risks threaten business success, adverse cyber events such as breaches and data loss can result in significant financial impact, reputational damage, loss of customer trust, intellectual property theft, and more.
In today’s digital world, cybersecurity breaches and data loss can impact not only individual businesses but also business partners and customers. Cybersecurity issues can potentially impact broader business ecosystems by allowing reconnaissance, intellectual property theft, and extortion against high-value partners in the supply chain.
Private companies’ vulnerabilities can also be weaponized to endanger their customers and partners. For instance, by stealthily compromising the software vendor SolarWinds, a Russian hacking group was able to insert itself into a software update and remain undetected while surveilling thousands of the vendor’s customers. These types of attacks present a significant threat because they exploit third-party vulnerabilities outside of an organization’s direct control, and both public and private companies are susceptible to them.
Just as companies are cascading environmental and social requirements to their suppliers and business partners, we should expect cyber-related requirements to funnel down to prospective partners in the same way. Demonstrating strong cybersecurity practices, including explicit disclosure of the cybersecurity controls that protect partner data, will become the expected norm.
All companies, public and private, must be wary of doing business with companies that don’t take cybersecurity seriously in their supply chains. Due diligence is required for data governance, risk assessment, cyber certifications, and the auditing of controls.
Why businesses insist on zero trust
How can privately held organizations best satisfy the cybersecurity criteria of would-be public partners? By staying on top of advancing cybersecurity best practices.
Research suggests that 90 percent of organizations are concerned that network access provided to third parties could unknowingly serve as a backdoor for attackers. While you cannot control another organization's cyber risk posture, you can limit the access vendors have to your infrastructure. By controlling vendors’ access to your information and systems, you can prevent bad actors from infiltrating your organization through third parties. This concept is a foundational aspect of a zero trust strategy.
Zero trust as a strategy rejects the “implicitly trusting” model advanced by previous cybersecurity practices in favor of a “never trust, always verify” approach. In addition to verifying the user's identity, it considers what information they are trying to access and allows this access based on the principle of least privilege (giving access only to what is necessary).
This approach is far better suited to achieving positive cybersecurity outcomes, including preventing breaches, limiting their damage should one occur, providing secure access to private or public third-party partners, and more. It is also gaining significant traction among both public and private companies.
According to one Zscaler study, more than 90 percent of organizations migrating to the cloud have implemented or are in the process of implementing a zero trust security strategy within the year. The federal government has endorsed the strategy by mandating that agencies adopt zero trust by 2024.
This is because zero trust security represents the most mature approach to cyber risk oversight available today. Rather than a single solution or solution set, zero trust is an approach to security focused on addressing the most common steps in a security breach: target discovery, initial compromise, lateral movement, and data theft.
Private boards, regardless of their strategic aims—whether preparing for a merger, an acquisition, or an initial public offering; seeking partnerships with public companies; or shoring up their own security—would do well to align their cybersecurity oversight regimens with this significant overhaul of cybersecurity best practices. In doing so, they can achieve the twin benefits of enhancing their ESG profiles and better managing cyber risk.