Illustration by iStock; Security Management

An Environmental, Social, and Governance (ESG) Primer for Security Practitioners

The ESG train is running fast down the tracks, but not everyone is onboard. The conductors driving this locomotive are BlackRock, State Street, and Vanguard—global investment firms that set the tone for raising capital across the world. When the big three tried to make ESG (environmental, social, governance) initiatives table stakes to get funding, it sparked some hot debate among CEOs and politicians. Many CEOs publicly rebuked BlackRock’s statements, and U.S. politicians in Florida and Texas passed resolutions prohibiting state fund managers from considering ESG factors for investments.

But despite all the cultural and political drama playing out in the news, security professionals have a unique opportunity to play a key role in supporting their organizations’ ESG efforts.

Why is ESG such a hot topic? Consider the risks inherent in just one part of the acronym: E, for environment. NASA reports that human emissions have warmed the planet by 2 degrees Fahrenheit (1.1 degrees Celsius) since pre-industrial times (circa 1750). If nothing changes, we are on a path to raise the global temperature by 3℉ (1.5℃) in the next 100 years. NASA warns this will result in rising sea levels, more intense hurricanes, more droughts, more heat waves, longer wildfire seasons, and an ice-free Arctic. All of these effects could devastate companies and communities worldwide.

This article will introduce the ESG framework pillars to improve your ESG literacy, provide recommendations to align your security mission with your organization’s ESG strategy, cover predictable landmines to avoid, and offer opportunities to enhance your security posture. 

What is ESG?

Morality-driven financial decisions are not new. Religion, moral norms, and cultural values have influenced investments and operations for centuries. In the 1700s, Quakers and Methodists only invested in companies that excluded slave labor. In the 1960s, the corporate world divested from South Africa in a way that has been credited with helping end apartheid.

Today, activism-minded investors have a collective goal of keeping the average global temperature rise to below 2 degrees Celsius to prevent the worst effects of warming. Activist investors and the United Nations are also pushing companies to improve in 17 areas to transform the world, including zero hunger, gender equality, clean water, sustainable cities, and saving the oceans. While investors’ activist and political agendas vary widely, the majority are aligned on ESG, and they insist companies have an ESG strategy and set realistic targets.   

The three pillars of ESG are environmental, social, and governance, and this model was first used in 2004 in a United Nations report cleverly titled “Who Cares Wins.” A comprehensive ESG strategy provides a framework that companies can build into their overall strategy to benefit all stakeholders. In other words, instead of focusing solely on profits at all costs, a company that factors in ESG will achieve profits and make the world a better place.

To truly embrace ESG initiatives, security practitioners may need to adjust their own thinking. Why? Because a common misconception is that any investment a company makes in an ESG initiative is a purely morally driven sacrifice that will have detrimental effects on the organization and its stakeholders. This is often negatively referred to as “woke capital.” But the reality is that highly rated ESG companies have higher profitability, lower tail risk, and lower systematic risk, according to a report from Elsevier.

Assuming a negative or ignorant view of ESG’s role in modern business could have very real consequences—both for the organization and for security professionals themselves.

Focusing on ESG in Your Organization

Each organization’s priorities around ESG will be different. Before security directors get involved, they should gain further understanding of their company’s goals.

Step One: Ask the Right Questions to Understand ESG in Your Organization

  1. Who at your company or organization is accountable for ESG?
  2. Who is handling ESG oversight: the board, an auditor, or a third party?
  3. Has the company developed a comprehensive ESG strategy?
  4. Are ESG metrics reported, forecasted, and analyzed?
  5. Is any part of the CEO’s or your compensation tied to ESG goals?

Hopefully, the answers to these questions will confirm how your company prioritizes ESG; whether its strategy responds to stakeholders’ expectations; how it intends to achieve its commitments in a reasonable time frame; and whether it is keeping pace with peers. Security leaders are encouraged to set up meetings with the leaders in their company who own a piece of the ESG strategy. This signals security’s interest in helping, and it confirms where the company is headed in this space.

Step Two: Understand the Three Pillars Overall

The environmental pillar is all about preservation of our natural world. While no one expects any one company to save the world, every company can be part of the solution. The social pillar focuses on considerations of humans and our interdependencies. This pillar arguably has the most opportunity for the security function. The governance pillar refers to the logistics and defined processes for running your business or organization. They are three very different pillars with very different challenges and opportunities.

Step Three: Align Your Security Practice with the Three Pillars

Environmental. The top areas of environmental concern are climate change, carbon emissions, air and water pollution, and greenhouse gas emissions. Security professionals have direct and indirect roles in this area, and the level of contribution will depend on your company’s products and services.

A few good starting points are to understand your company's exposure to environmental concerns, what your company's ESG strategy is in terms of investment and timing, and how your company stacks up against peers. Security professionals who work for public companies should know this is the most scrutinized area right now because reporting requirements provide environmental activists with a lot of data. A good example of how the security team can support this is promoting a robust “see something, say something” culture and providing training so that your team serves as eyes and ears for any employee or third party not complying with the company’s ESG values.

Social. This pillar offers the most opportunity for security professionals to directly and indirectly improve the effect of their company’s ESG actions. Even if other support departments are not embracing social opportunities, the security department can mature in many areas, including employment equality and gender diversity, employee health and safety, training and development, privacy issues, and physical and mental health issues. Other areas where your leadership may influence a positive outcome are customer success, data hygiene, human rights, animal testing, and supply chain transparency. Some proactive research and discussions with peers may unlock more opportunities.

Four well-known industries with higher risk in the social category are fossil fuels, financial services, healthcare, and software and IT services. Fossil fuel investors are concerned about strained community relations and shifting consumer attitudes. Financial investors are concerned about aggressive or deceptive selling practices and client relations. Healthcare considers social risk a top priority, especially in product safety, recalls, and misleading marketing. The software and IT sector may not be known as polluters, but their risk exposure is high because they regularly manage user privacy and data security.

Governance. The governance pillar concerns many areas typically outside the corporate security function, such as the makeup of the board, executive compensation, and political contributions. However, there are areas that security does influence. These include bribery and corruption, fraud, ethics and values, and transparency.

Landmines and Opportunities

Every company’s ESG strategy is a work in progress, and that means the security department’s support needs will ebb and flow. Every quarter, at minimum, the security leader is encouraged to revisit step one above and re-ask those essential questions to understand the current state of ESG in your organization. If the answer to any of the five questions changed, it is likely you will need to update your corporate security ESG support strategy.

Before implementing or deploying any support to the company’s ESG strategy, make sure to filter the plan through these five critical considerations:

Politics. ESG is political dynamite, so it must be handled with care. Critics argue that ESG goes against a company’s duty to earn the best returns for its shareholders and reflects political agendas, and that the benefits of ESG are overstated. Regardless, security leaders are cautioned not to participate in the ESG politics and instead strive to ensure their department aligns with the company’s ESG strategy.

Contradictions. ESG gets confusing fast. Why? Because ESG combines three pillars that are developing their own support and reporting frameworks and—at times—contradict each other. For example, closing a mine may reduce emissions (and mitigate climate change), but the same decision can undermine the social pillar by harming workers and suppliers who relied on the mine for their livelihoods. Thus, it is very important to understand which of the pillars apply to your company and focus your security practice to align to those specific goals. Check back regularly with the stakeholders in case priorities evolve.

Metrics. As we all know, “what gets measured gets managed,” so it is critical to track the right metrics. A good starting point is to hunt down any “materiality assessments” to confirm where the company’s efforts are focused. Many companies will use law firms, consultants, and a steering committee to identify relevant stakeholders, compile a list of material issues, analyze those issues, and create a strategy. That strategic work trickles down to the tactical level, creating, for instance, an opportunity for the security team to capture how all of your outside vendors are addressing ESG in terms of codes of conduct, whistleblowing policies, diversity, and sustainability reports.

Cultural changes. To truly be effective, ESG has to be part of a company’s overall culture. Many companies reference ESG in their corporate responsibility statements, but there is an inherent opportunity for security leaders to upgrade department governance to provide clarity, establish measurable goals, and build key performance indicators (KPIs) that align with the company’s ESG reporting standards.

Ignoring processes. Work processes may need to be replaced to meet new standards. Start by identifying one win here, and don’t try to boil the proverbial ocean. Examples include assessing a reliable tracking system that automates data collection, setting a regular cadence to review KPIs with a focus on process improvement and outcome, or meeting with peers to learn new ideas and speak as one voice.

Leveraging ESG to Advance Security

The security department is often the last one fully funded due to budget constraints, so understanding the current and future state of ESG can empower your business case for resources. ESG is fast becoming table stakes for many companies to get funding, and knowing why will help make your input relevant.

Social media often dominates the media narrative today, and your company is always one misdeed, whistleblower, or tweet away from being on investors' radar, and that misstep—especially if it contradicts your organization’s public stance on an ESG issue—can spark outrage, backlash, or boycotts. Younger generations are taking over Baby Boomers’ leadership roles, and large swaths of young professionals—more than two-thirds of them—have an interest in “sustainable investing,” according to NASDAQ.

The good news is that there are real positive links between ESG achievements and a company’s purpose and values, and security leaders can help their organizations achieve those goals.


Thomas R. Stutler, JD, CPP, ICD.D, is vice president of national security operations for Cadillac Fairview Corporation, Ltd., which is based in Toronto, Canada.