Introduction
As enterprises across the globe have been aggressively digitizing their businesses, the CISO's role in safeguarding the new digital enterprise is unarguably at one of its most challenging and exciting points. The attack surface is growing with multi-cloud, edge computing, IoT, and 5G adoption, and geopolitical unrest has further stimulated malicious activity on the internet. However, cybersecurity is no longer just a question of digital safety - it is also one of the organization's financial standing, trustworthiness, and reputation. As a result, cybersecurity is becoming another aspect of the organization's Environmental, Social, and Governance (ESG) imperatives. All these factors point to an inevitable truth that must land on the CISO's checklist in 2022: the cyber regulatory compliance function must be digitized.
The Geopolitics of Cyber Regulations in 2022
While media reports have incessantly covered the ongoing Russia-Ukraine conflict, parallel and equally intense unrest has followed over the internet. Cyber attacks are growing, and several cyber groups are carrying out federated cyber attacks. Moreover, the growing number of sanctions imposed by various nations on Russia, and the resulting polarization, means that businesses are likely to get caught in cyber-warfare crossfire. As a result, the cybersecurity authorities of the US, Australia, Canada, New Zealand, and the UK have jointly issued an alert and a cybersecurity advisory in the wake of the Russia-Ukraine crisis.
The advisory warns enterprises of the possibility of distributed denial-of-service (DDoS) attacks, brute-force attacks on consumer-facing digital infrastructure, advanced ransomware distribution mechanisms, and other attacks from multiple threat actors. In addition, the advisory identifies the networks of financial, e-commerce, healthcare, academic, government, and technology organizations as being at risk and issues directives to harden cyber defense mechanisms and due diligence procedures. Some of the key recommendations of this joint advisory include:
- Use of virtualization to secure IT credentials
- Use of endpoint detection and response (EDR) tools
- Firewalls configured to zero-trust principles
- Ensuring OT assets are not externally accessible
Cybersecurity and ESG: Two Sides of the Same Coin?
ESG strategies have increasingly attracted investor interest over the last few years - so much so that the European Confederation of Directors Associations (ecoDa) has noted how essential a role ESG factors play for investors in societal and business interests. While cybersecurity has rarely been mentioned in ESG audits and reports, this is changing rapidly.
Cybersecurity compliance is now an integral part of the organization's ESG strategy, especially since cyber incident response procedures and compliance with regulations such as the GDPR, HIPAA, PCI-DSS, and other industry-specific mandates are a strong indicator of the social behavior at play within the enterprise. In addition, international bodies such as the World Economic Forum agree that cybersecurity and compliance with cyber regulations should figure into ESG ratings.
Moreover, compliance with cyber regulations also affects customers in significant ways. For example, a data breach can compromise their digital identities and put them at risk, while assurance that their data is handled fairly and legally, in alignment with regulations, is a critical step in building trust amongst all stakeholders. Lastly, the interconnected nature of digital services means that cybersecurity concerns are not mutually exclusive from environmental ones, which makes cyber-regulatory compliance a holistic, central aspect of an ESG strategy going forward.