Your Cyber Defenses Are Driving CO2 Emissions

Within the sprawling digital fortresses built to safeguard corporate data, an unseen and unmeasured byproduct is steadily accumulating, contributing to an entirely different kind of global threat. The sophisticated systems designed to fend off cyberattacks are themselves powered by an energy-intensive infrastructure that leaves a significant carbon footprint, a reality that has remained largely outside the mainstream corporate sustainability conversation. This paradox places modern enterprises at a critical juncture where the tools of protection are inadvertently fueling environmental degradation, compelling a reevaluation of how security is implemented in an increasingly climate-conscious world.

What if the Very Systems Protecting Your Company’s Data Are Silently Contributing to the Climate Crisis?

The global push for corporate environmental responsibility has prompted industries from manufacturing to finance to scrutinize their operations for carbon inefficiencies. Yet, a glaring blind spot persists within these green initiatives: the information technology and cybersecurity departments. These critical functions, often viewed purely through the lens of risk mitigation and operational uptime, have been exempt from the environmental audits applied elsewhere. The perception of digital operations as ethereal or “in the cloud” has obscured their very real physical and environmental impact.

This oversight creates a significant challenge for today’s security leaders, particularly the Chief Information Security Officer (CISO). Tasked with building resilient defenses against an ever-evolving threat landscape, CISOs must now confront a dual mandate. They must not only protect the organization’s digital assets but also align their strategies with broader sustainability goals. Without concrete data on where cybersecurity’s environmental impact lies, these leaders have been ill-equipped to join the conversation, let alone drive meaningful change. The central question is no longer just whether a security posture is robust, but whether it is also responsible.

The Invisible Environmental Cost of Digital Security

Every security protocol, from real-time threat monitoring to data encryption, has a physical foundation that consumes resources. The digital shield protecting an enterprise is powered by vast arrays of servers housed in data centers, which require a constant and massive supply of electricity to operate. Furthermore, these facilities generate immense heat, necessitating energy-intensive cooling systems, often relying on water, to prevent hardware from overheating. This continuous cycle of power consumption forms the base of cybersecurity’s carbon footprint.

Beyond energy use, the lifecycle of security hardware contributes significantly to the environmental burden. The manufacturing of servers, firewalls, and authentication tokens involves the extraction of raw materials and complex industrial processes. When these devices reach the end of their life, they become electronic waste, or e-waste, a growing global problem laden with hazardous materials. The challenge for CISOs is to begin quantifying this entire chain of impact, shifting the perception of cybersecurity from a purely software-based discipline to one with a tangible, measurable physical footprint.

Pinpointing Cybersecurity’s Biggest Carbon Emitters: Findings from the Wavestone Study

To bring clarity to this issue, a landmark study from the consulting firm Wavestone embarked on a two-phase analysis to quantify the sources of CO2 emissions within corporate cybersecurity programs. The initial phase involved theoretical research to build a model, which was then validated through intensive, on-site evaluations at more than ten major public and private organizations. This methodology allowed researchers to move beyond assumptions and pinpoint the specific domains responsible for the heaviest environmental impact, yielding several counterintuitive results.

The study’s most striking discovery was the concentration of emissions within a narrow subset of security functions. A staggering 45% of the total carbon footprint generated by cybersecurity operations originated from just two domains, revealing that targeted interventions could produce disproportionately large sustainability gains. This finding refutes the notion that the environmental cost is evenly distributed and provides a clear starting point for organizations seeking to decarbonize their digital defenses.

Leading the list by a significant margin was the domain of resilience and backups, accounting for 29% of all cybersecurity-related emissions. The core of this impact lies in the foundational principles of business continuity and disaster recovery: redundancy. To ensure rapid recovery from a catastrophic event like a ransomware attack, organizations maintain complete, parallel infrastructures of duplicate servers and data storage. These backup systems are not dormant; they consume a continuous stream of electricity for power and cooling, effectively doubling the energy footprint of the primary systems they are designed to protect.

Unexpectedly, Identity and Access Management (IAM) emerged as the second-largest contributor, responsible for 16% of the carbon impact. Researchers traced this to two primary factors. First is the systemic inefficiency common in large enterprises, often described as a “big mess” of overlapping legacy IAM platforms accumulated through mergers and acquisitions. Running three or four separate identity systems in parallel creates redundant infrastructure and wasted energy. The second factor is the hidden environmental toll of physical hardware tokens used for authentication, whose lifecycle—from raw material extraction and manufacturing to international shipping—carries a heavy carbon cost.

Interestingly, the study debunked several common assumptions about high-energy security processes. Encryption, long suspected of being computationally intensive, was found to have a negligible carbon footprint. For the past fifty years, the field’s primary focus on performance and efficiency has resulted in highly optimized algorithms that consume minimal energy. Likewise, despite industry buzz, artificial intelligence in its current form made no discernible impact, as its usage in security remains low. Other areas noted for their contributions included extensive event logging, resource-heavy penetration testing, and the practice of issuing dedicated physical workstations to contractors.

From Theory to Reality: Expert Insights on the Security-Sustainability Nexus

The driving force behind this research is Gérôme Billois, a partner at Wavestone specializing in cybersecurity and digital trust. The study was born from his observation that CISOs were conspicuously absent from high-level corporate discussions about sustainability. He recognized that this was not due to a lack of interest but a lack of actionable data. Without a clear understanding of their own department’s carbon footprint, security leaders were unable to contribute meaningfully or identify areas for improvement.

The primary motivation for the study was to empower CISOs by translating the abstract concept of digital pollution into a concrete, quantitative framework. By identifying the specific systems and practices that are the worst offenders, the research provides a data-driven foundation for building a business case for greener security initiatives. The goal is to equip security leaders with the evidence they need to integrate environmental metrics into their strategic planning without being seen as compromising the organization’s security posture.

The significance of this work is underscored by its presentation at the prestigious RSAC Conference, one of the world’s leading cybersecurity events. This platform signifies a pivotal moment, introducing the first-of-its-kind quantitative analysis of cybersecurity’s climate impact to a global audience of industry leaders. It marks the beginning of a crucial dialogue, shifting the industry’s focus to include not only digital resilience but also environmental responsibility.

Charting a Course Toward Greener Security: Actionable Strategies

Armed with this data, organizations can now adopt specific, actionable strategies to reduce their cybersecurity carbon footprint without introducing new risks. One of the most impactful changes involves streamlining the identity landscape. Consolidating multiple, overlapping IAM systems onto a single, modern platform eliminates redundant hardware and energy consumption. This move offers powerful co-benefits, including lower operational costs, a stronger and more unified security posture, and a vastly improved user experience for employees.

Another effective and relatively simple policy shift concerns hardware provisioning for external contractors. The common practice of issuing a dedicated physical laptop to every contractor generates significant emissions through manufacturing and logistics. A more sustainable alternative is to implement a secure Virtual Desktop Infrastructure (VDI), allowing contractors to use their own devices to access a controlled corporate environment. This approach maintains security while drastically reducing the need for additional hardware.

Organizations should also revisit their approach to log management. Many enterprises collect and retain vast quantities of event logs for extended periods without a clear purpose, consuming enormous amounts of storage and the energy required to power it. By reviewing log collection and retention policies, security teams can often eliminate unnecessary data streams. Where legally permissible, reducing retention periods and utilizing compression can significantly shrink the storage footprint, leading to lower infrastructure demands and CO2 emissions.

Confronting the immense footprint of resilience and backups, however, remains the most formidable challenge. The most direct path to emissions reduction—eliminating redundant hardware—is not a viable option, as it would critically undermine an organization’s ability to recover from a major incident. While a complete solution remains elusive, some progress can be made. For instance, migrating underutilized physical backup systems to more energy-efficient virtualized infrastructure can offer incremental gains, representing a small but important step toward mitigating the impact of cybersecurity’s largest carbon emitter.

The research conducted by Wavestone illuminated a previously hidden connection between digital protection and environmental impact. It was found that specific areas, namely data resilience and identity management, were disproportionate contributors to carbon emissions. These findings offered security leaders a new lens through which they could view their operations, presenting a clear mandate to integrate sustainability into their strategic planning. By adopting targeted strategies such as system consolidation and policy changes, organizations demonstrated that it was possible to pursue a greener security posture without compromising defense, marking a pivotal evolution in the definition of responsible cybersecurity.
