
Why cybersecurity is a social responsibility

Cybersecurity risks emerge from and impact stakeholders outside the organisation, calling for 'enlightened self-interest'.

By Tech Monitor Staff

The primary focus of cybersecurity is typically keeping an organisation’s digital assets safe from theft, leakage or destruction. But there is a growing realisation that securing these assets depends not just on the organisation itself but also on an external community of suppliers, researchers and open source software developers.

Similarly, it is not just organisations that suffer when cybersecurity breaches occur. In fact, they can be more damaging to customers, employees or other third parties.

For these reasons, cybersecurity should be seen as a dimension of social responsibility, as well as self-preservation. At Tech Monitor’s Digital Responsibility Symposium last month, Thomas Quinlan, director of solution architecture at event-sponsor Zscaler, made the case.

The case for cybersecurity as a social responsibility

The primary concern of every cybersecurity leader is protecting their own organisation’s digital assets. That’s unlikely to change but, Quinlan explained, the extent to which that task depends on external parties has become unavoidably clear in the last decade.

NotPetya, the encrypting malware that surfaced in 2014, was an extreme example. Originally targeting Ukrainian institutions, it caused billions of dollars in collateral damage for organisations around the world.

More recent examples include Log4Shell, the vulnerability discovered in open source log management tool Log4j late last year, which revealed the extent to which companies around the world depend on the security of open source tools, and the uptick in supply chain cyberattacks.

These developments require cybersecurity professionals to think beyond their organisational borders, Quinlan said.

This calls for more consideration of external stakeholders, including suppliers and customers, when assessing and mitigating cybersecurity risk, Quinlan argued. “We have to look at risk management overall, whereas previously we may have looked at risk management from just our immediate perspective.”

Viewing cybersecurity as a social responsibility can help leaders understand and manage this risk, he said. “First, it’s generally better for everybody. Second, it’s generally better for the organisation itself. And third, it leads to a more holistic picture of, not only the cybersecurity [risks] they’re directly concerned with, but what sorts of things they can look to mitigate that potentially come in from outside.”

All sessions from the Digital Responsibility Symposium are available to watch on demand. Register here.

Responsibility-driven cybersecurity

What would cybersecurity that is driven by social responsibility look like in practice?

Taking responsibility for customer data across an ecosystem of suppliers and other third parties dovetails with the need for ‘zero trust’ security architectures, Quinlan argued. “It’s important to pay attention to how you deal with the physical reality of third parties, supply chains, [and] external parties that need to interact with your data and services,” he explained. “You have to start pretending that you don’t trust anybody.”

Organisations that produce software must be more mindful of the security implications for users, Quinlan said. “We have to start looking at how our programming practices, the various things that we’re doing around software development, could have impact elsewhere,” he explained. “Because if I release a piece of software, I also have to keep in mind that that software may have bugs, that software may be co-opted to be used in ways I hadn’t considered.”

And, in light of Log4Shell, they should think about how they can support the open source projects on which they depend, Quinlan said. One way would be to support the Apache Software Foundation, a non-profit that funds a number of open source projects. “I think corporations also have [a] responsibility to be able to look at the things that they’re using and to move away from the traditional ‘This was not invented here’ syndrome and start to think about how they can give back”.

These are some of the ways in which organisations can move beyond an approach to cybersecurity in which self-preservation is the sole priority. Instead, a position of ‘enlightened self-interest’ can help them protect themselves, their stakeholders and the world at large.
