Two specific areas of cybersecurity — backups and identity and access management (IAM) — are responsible for nearly half (45%) of the cybersecurity industry’s climate impact.
Though it is rarely discussed, cybersecurity protections, like any other technology, carry their own costs to the planet. Programs run on electricity. Servers demand water. Devices are built from natural resources and eventually get thrown out.
Gérôme Billois, cybersecurity and digital trust partner at Wavestone, recalls seeing all kinds of sustainability movements in corporate settings and wondering why cybersecurity was never part of the conversation.
“CISOs can help or make the situation worse [when it comes to] sustainability, depending on the way they write security rules,” he says. “And that’s why we started a study: to enable the CISO to be part of the sustainability process of his or her company, and to find actionable ways to reduce CO2 consumption while at the same time not adding more risks.”
At RSAC Conference in San Francisco next month, Billois is going to share the results of Wavestone’s study into the relative climate impact of cybersecurity measures. Some of those results came as a surprise.
The Climate Impact of Cybersecurity Protections
In performing the study, Billois says, “We did a first phase theoretically, and then we did a second phase on-site within more than 10 very large companies and public organizations. We evaluated their cybersecurity systems to identify where there were the most climate consumptions, and then how to reduce them, very concretely.”
Going into the experiment, he and his colleagues had some guesses as to what might rank high on the list of climate impacts. Maybe company-issued devices would be a big contributor, especially those issued to contractors who probably don’t need them. Encryption was another one of their hypotheses but, he recalls, “We discovered after speaking with cryptographers that the main [driver] for the last 50 years of cryptography has been to make encryption systems very efficient, very fast, very lightweight, mainly for performance reasons. And that has co-benefits that led to encryption finally having a low impact on CO2 emissions. Because if it’s very lightweight, it will not produce a lot of CO2.”
In fact, the No. 1 most environmentally harmful category of cybersecurity technology is resilience, by some distance. That means backup servers and computers, and other measures taken to ensure redundancy of data, which together contributed approximately 29% of the studied organizations’ cyber climate impact.
The next closest category was IAM, at 16%. “It was quite a surprise, because we thought, it’s a simple system: you have a simple database with all the identity of your users, then you have authentication, passwords, and things like that,” Billois says. It turned out to be much bigger than they realized, for two main reasons.
First, he says, “If you look at the IAM landscape within large organizations, often there are three, four, five identity systems. Why? Because there have been mergers and acquisitions, old systems, duplicate systems, and at the end it’s a big mess.”
The second reason IAM stuck out in the data was hardware tokens, Billois says: “That causes huge consumption of CO2, because you have to build them, you have to have plastics, electronics, batteries.”
Other cybersecurity activities that contribute more than the average to climate change include event logging, penetration tests, vulnerability scans, patch management, and contractor workstations. Interestingly, despite all of the industry hubbub and vendor marketing gimmicks, ultra-power-consuming artificial intelligence (AI) made no discernible imprint on the study.
“I think it will be very interesting to look at what is going to happen in the end of ’26, maybe mid-’27,” Billois says, but, he notes, “I do not see many AI systems in cyber. So far, what I have seen deployed are quite low-impact, low-usage tools.”
Cybersecurity categories that incur less of a carbon footprint include application security; email security; network technologies like segmentation, mapping, and anti-distributed denial of service (DDoS) tools; and data protections, covering data in transit and at rest, including cryptography.
How to Make Cybersecurity Greener
There are plenty of ways organizations can at least modestly reduce their carbon footprints, without having to compromise on cyber preparedness.
For instance, the quickest policy shift organizations can implement tomorrow is not automatically giving third-party contractors dedicated workstations. CISOs can let contractors use their own machines, but still ensure their security by migrating to virtual desktop infrastructure (VDI).
Logs, meanwhile, are an area where there’s often room to cut back.
“We collect a lot of logs, not exactly always knowing why, and the retention period is a huge cost in terms of infrastructure, and also CO2,” Billois says. “So at some point, you can revisit your log collection, and log retention, and if there are no legal issues, you can think about compressing them to reduce their volume. It’s something that is, I would say, quite easy to do.”
Even better: By consolidating IAM systems, some organizations might find they can cut back on emissions, costs, risks, and employee frustrations all at the same time.
All of that said, unfortunately, the biggest cyber polluter, by far, is also the most difficult to scale back without incurring risk. Some companies can swap underutilized physical infrastructure for virtualized backups, which eat less power, if they’re not already doing that; but there are few other great ways to make cyber resilience more efficient.
“You can reduce CO2 [from backups] very easily: you stop buying two servers, or you stop having a duplicate of all your data,” Billois says. “But regarding risk, it’s not a good idea [to eliminate redundancy]. So for this one, we don’t have a lot to do.”
