One of the most costly, frequent, persistent and systemic of societal risks does not exist in the physical world, but rather in the virtual one.  Growing reliance on data and hyper-connected IT systems by individuals, businesses and governments makes information security an increasingly important tenet of sustainability.  The adversary—ranging from hackers and criminals motivated by fun or profit, to nation-state actors seeking competitive and political advantages—poses a more serious and sophisticated threat than ever before. Yet sustainability report issuers and users tend not to prioritize this understanding, and face a daunting task in fully capturing the economic and societal value at risk.

The number of devices connected to the Internet is expected to reach 31 billion in 2020[A1] —carrying more patient health records through cyberspace, linking electricity users to power grids, widening the reach of false information to potentially spread virally.  Companies in multiple sectors are charging towards highly-digitized processes to become more competitive and efficient. Gartner estimates spending related to big data and analytics surpassed $28 billion worldwide in 2012.

Little surprise, then, that this rush coincides with an exponential leap in cyber incidents.  According to the U.S. Computer Emergency Readiness Team (US CERT), nearly 50,000 cyber security incidents were reported in 2012 from federal agencies alone, up from only 5,500 incidents reported six years prior.  The “smarter” and “smaller” our world gets, the greater the value in accessing the critical data which powers it.   Information security breaches cost society $388 billion globally in financial losses and lost time in 2012, according to a study by Norton. That study estimated that 431 million adults fell victim to cyber-crime alone.  The U.S., U.K. and other governments have developed national security strategies related to cyber risks.

Despite clear linkages to society, information security was not among seven critical issues highlighted at the United Nations Conference on Sustainable Development Rio+20 Conference. Nor does information security rank among environmental and social issues with the highest disclosure rates by S&P Global 1200, based on 2013 research from Bloomberg and The Conference Board.  The next generation of Global Reporting Initiative guidelines, G4, includes one indicator on complaints from customer data losses and customer privacy breaches, but its glossary contains no entry for either “cyber” or “information security.”

Three factors may be influencing the ubiquitous absence of Information Security in formal and high-profile sustainability agendas.  First, the topic does not fit neatly into separate environmental, social or governance scorecards or frameworks.  Protecting infrastructure is an environmental risk prioritized by utilities and energy providers; privacy is a social risk strongly evident to financial institutions; online safety represents a growth opportunity for IT service providers.

Second, the difficulty in modeling the economic impact of a cyber incident make it harder for organizations to determine the appropriate amount of investment and resources needed to prevent or mitigate it.  The greater the accuracy in quantifying costs incurred by organizations, the greater the demand will come for disclosures and cyber deal-making, like the recent $1 billion acquisition of forensic cyber investigating firm Mandiant by a network security vendor.

Third, when you know you will be compromised, you can’t just build a taller wall to repel the adversary, you also need to snoop at how the intruder is snooping around your networks.  What you learn could prevent it from happening again.  This crafty cat-and-mouse routine is an effective and powerful mitigation strategy, but it contradicts the movement of increasing non-financial disclosures.  Thus organizations tread cautiously on a full-throated explanation of performance indicators for information security.

Those reporting institutions that prudently sort through these challenges and take actions to tie the information security-sustainability thread will assume leadership on a formidable global issue that can wreak environmental, social and economic havoc in a keystroke, not a decade.
[A1]The Internet of Things Backgrounder, Intel.