Faced with the climate emergency, digital players are exploring ways to reduce their environmental footprint. Cybersecurity teams face a double challenge: strengthening the security of information systems, while adopting more sustainable practices.
Wavestone and Campus Cyber set out to answer this question as part of the “Cyber4Tomorrow” working group. Together, we developed an initial methodology for calculating greenhouse gas (GHG) emissions linked to cybersecurity, identifying the controls with the highest emissions, and suggesting reduction strategies. We also designed a self-assessment tool to measure and reduce the carbon impact of your security controls, presented below. We were recently joined by the French Environment and Energy Management Agency (ADEME), which has also identified cybersecurity as a key area for action.
This article details the methodology used. It provides an initial framework for quantifying your environmental impact and finding ways to reduce it.
1. Identify the highest emitting security controls
To ensure an exhaustive and universal analysis, our study is based on international standards, in particular the NIST framework (National Institute of Standards and Technology). From 700 recommendations based on the NIST, we selected the 50 most carbon-intensive security controls, according to their “emission score”.
Three questions were used to calculate this emission score for each security control, taking into account the breakdown of the digital sector’s carbon footprint established by the ADEME/Arcep study on the environmental impact of digital technology.
- Does this control require the use of a large number of endpoints?
- Does this control require the use of a large number of servers?
- Does this measure require a large amount of network equipment and bandwidth?
If a security control meets one of these three criteria, an in-depth analysis is needed to assess its environmental impact.
2. Calculate the emissions of each security control
Once you’ve identified the security controls with the highest emissions, you need to estimate the actual greenhouse gas (GHG) emissions. This estimate is based on the ISO 14069 standard and focuses on emissions generated by manufacturing and the use of devices, servers and data center equipment, data center use, Cloud services, as well as air and rail travel by the cybersecurity team.
The study excludes other environmental impacts (biodiversity, depletion of natural resources, air pollution, etc.) because the indicators used to measure them are less reliable. Greenhouse gas emissions provide a sufficiently representative overview of the environmental footprint.
To estimate emissions, 2 areas must be examined in parallel:
- Information system data collection: number of servers hosting security solutions, number of firewalls, number of kilometers traveled by plane and train by cyber teams,
- The collection of emission factors: average values of GHG emitted for the production or use of a good or For example, the manufacture of a workstation is estimated at 232 kg of CO2eq, using Boavizta‘s 2022 statistical study as a reference.
Naturally, this will vary according to your environment and the maturity of your organization. This is the most complex stage to carry out, so do get in touch with your Green IT teams for help with this evaluation phase.
Companies with predominantly on-premise infrastructure will have more direct access to the data they need.
This information is often available in-house – once the right contacts have been found. This proximity offers a relatively good granularity in the evaluation of equipment and infrastructure: server characteristics, workstation models and power, etc. To obtain relevant emission factors, you can use as a reference base the standards established by bodies such as ADEME (France’s Agency for Ecological Transition) or Boavizta (an inter-organizational working group dedicated to assessing the environmental impact of digital activities).
Companies with most of their infrastructure in the cloud face different challenges.
Access to accurate and reliable data can be complex, especially for public Cloud, as suppliers are not always transparent about the environmental impact of using their solutions. As a first step, contact your Cloud provider to obtain details of the infrastructure underpinning your business (such as the number of physical or virtual servers, or the number of network devices).
If you are unable to obtain this information, you may wish to consider using a monetary ratio such as that provided by the Carbon Disclosure Project. It allows you to estimate the average emissions associated with investing €1,000 in Cloud services.
3. Reduce the environmental impact of your cyber practices
You now have a global view of the emissions linked to cybersecurity within your company. Now let’s take a look at how to reduce them!
Among the pre-selected security controls, start by identifying the ten with the highest total greenhouse gas emissions. Then, map them according to emission level and risk coverage. This approach allows you to identify actions with a high carbon footprint, but a relatively low level of risk coverage.
Once this mapping has been completed, organize workshops to explore ways of reducing GHG emissions without impacting security. List the actions selected and calculate their reduction potential. You’ll then have a list of priority actions to implement.
If you’re looking to get started with a few key measures, refer to our list of four actions that can reduce your environmental impact while maintaining an equivalent level of risk.
4. Take action and share results
With our self-assessment tool, we’d like to contribute to discussions on the environmental impact of cybersecurity. This approach, initiated within the Cyber Campus, is aimed at all organizations wishing to imagine new, more responsible and sustainable practices.
Have you followed the methodology and achieved an impact? If you’d like to share what you’ve learned to help us further develop the approach, please get in touch.
The ambition of the Cyber Campus, Wavestone and the ADEME is for this methodology to be a first step towards taking account of sustainability in cybersecurity. If you’d like to get involved in the Campus working group to help cybersecurity practices evolve towards greater sufficiency, join the Campus Cyber working group.