Don’t boil the ocean: A technologist’s take on prioritisation in sustainability

Even if manufacturing isn’t close to your heart, you’d have to be pretty cold* not to care about sustainability in 2023. Whether you call it climate change, ecological impact, or our global future, more and more of us are wondering what we can do about it - especially in manufacturing, which accounts for 22% of Europe’s carbon emissions. Manufacturers are leading the way for many other sectors in their pledges and initiatives for sustainability.

For the rest, calculating a carbon footprint is a worthwhile exercise, but a hard one. (Bluntly: if it was easy and valuable, you’d have already done it.) There’s always more data to add into the calculation or more components to consider, and significant time can be spent just working out the approach, e.g. deciding how frequently to do a capture, what counts as a meaningful average, and how to prioritise what’s reported. Worse, measurement is just the first (difficult) step: you need it so that you can gauge the impact of reduction efforts, but afterwards things get even harder, as you have to instil policies and make changes.

It’s always greener on the other side

Once described as the “essential but impossible” calculation, finding a carbon footprint is made harder by the ecosystem effect of the supply chain (also called scope 3 emissions), which account for an average of three quarters of a company’s emissions.

I see a real parallel between this difficulty and the wrangling that goes into forming a view of an organisation’s supply chain risk. In security, we ask: how many links upstream do I go, and how useful is the whole exercise if my suppliers don’t know their own supply chain risk? If I have dozens of suppliers, do I analyse them all first a little bit, or go deep on a couple?

The answer is the same for both sustainability and security: prioritise, and just start. For supply chain risk, focus on your most critical systems, apply an approach to new suppliers first, and refine it over time. In sustainability, capture a carbon footprint from your electricity bills if you have to, and mature it with more data and suppliers. In both cases, it’ll quickly become “good enough” to prioritise interventions and measure impact - and that’s the important thing, not creating a perfect calculation. 

If you want to do something concrete**, then the most obvious place to start is to look at your data centres and clouds, and see the sustainability impact of switching workloads around, using our Sustainability Toolkit. It’s not everything, but it’s a start. If you’re further along the journey, it’s time to dive deeper into your supply chain and iteratively improve your visibility, and act based on new insights.

Eat your greens

Analytical efforts often fall foul of the streetlight effect, also known as the “drunkard’s search”:

“A police officer sees a drunkard looking for something under a streetlight; she asks what’s happening, and the drunkard replies “I’ve lost my keys”. The police officer kindly helps him to look, but after a few minutes - they have found nothing. So the police officer asks, “are you sure that you lost the keys here?” And the drunkard replies, “no, I lost them in the park.” Frustrated, the police officer demands, “so why on earth are we searching here?!” And the drunkard says, "because this is where the light is!”

This joke neatly captures observational bias, specifically the kind when people only search for something where it is easiest to look. Calculating CO2 emissions of data centres is a solid start, but you can’t ignore supply chain emissions forever, just because they’re hard to find. It’s something we’re guilty of in security too - detections that use the data we have, rather than asking for the data we need (like OT data), because it’s harder to get it.

The security parallels don’t stop with supply chains. Security has been a board-level priority for some time now, and we’re seeing sustainability take the same trajectory. For a while, security teams asked if intruders were getting better at attacks, or if we were just improving our detections. In sustainability, it’s likely we’ll see a similar question: are we doing worse on CO2 emissions, or are we just improving our measurement?

In security, we often say folks should “eat their cyber vegetables”. In sustainability, we’re surely going to hear about how you should “eat your greens”****, i.e. do your sustainability good practices. Measure, prioritise, act, and adjust. It’s a constant cycle that doesn’t stop with a single snapshot or capture of your CO2 footprint - but you really don’t need it to be real-time either (and that would be quite the carbon burden in itself).

Green with envy, and proportionate responsiveness

I’ve literally never said “real-time data” without either me or the listener indulging in a wry smile. Usually, that’s for two reasons: 1) real-time means different things to different people, and 2) even if it’s possible, it’s just plainly not desirable in most cases (and expensive). Unless you’re also able to act on that data in actual real-time, there’s no point having it. 

Real-time is almost never right-time; the cost exceeds the benefits fast, and the responsiveness can be pointless. For example, if your home thermostat is set to a balmy 23°C, the thermostat switches on when the temperature gets to 22.5°C, and it heats until it reaches 23.5°C, switches off and repeats. Anything more responsive, like only acting between 22.9 and 23, would be a) frankly irritating, b) largely useless and c) economically dire.

We have much to learn from the humble thermostat regarding “real-time” utility. Prioritising the outcome rather than the method often results in periodic or near real-time captures, rather than real-time data; these captures are often enough to measure the impact of interventions, but without bringing their own futile carbon burdens.

Nature’s first green is… Bitcoin?

Sure. While a mention of Bitcoin is always good for web traffic, my point here is to choose your sustainability metrics wisely. For a long time, whenever folks discussed the eco-impact of technology, it wasn’t long before someone said something like, “Bitcoin consumes more electricity than [insert country here]”. But that’s not very helpful as a metric - it sounds like a lot, but some cities consume more electricity than entire countries. It’s more helpful to look at how that figure compares to the mining of other valued stores, such as gold. The Cambridge Bitcoin Electricity Consumption Index currently states that Bitcoin comes in at 117.26 TWh per year, whilst gold mining remains at 131 TWh. This framing makes Bitcoin look almost ecological, even as it simultaneously uses more electricity than the Netherlands - statistics that showcase the importance of being deliberate about what metrics we use in sustainability discussions.

Don’t just green and bear it

I often say “a regulatory initiative is a terrible thing to waste”. Yes, I’m weird, but what I mean is: don’t waste the opportunity to leverage sustainability initiatives and regulation as a springboard for other things, like redoubling your cloud migration efforts or getting that OT data source into your SOC. Take the chance to ask questions like:

  • What is a good enough capture of your carbon footprint to take action? What is the gold standard, and what’s your data journey to get there?
  • What metrics would be meaningful? Consider controllability, context, and comparisons.
  • What’s the green viewpoint on our digital transformation? Can you bring your developers along with you on the journey, and think about the carbon burden of workloads? (Can I use this blog to coin the term GreenDevSecOps, or even DevSecSustOps!?)

Got the green light?

If this blog has convinced you to advance your sustainability, then don’t delay. Remember:

  • It’s hard to measure your carbon footprint, and it will always be an iterative process.
  • Whilst on the journey, make your metrics meaningful.
  • Learn from the parallels of security where you can.
  • Don’t avoid trying because it’s hard; prioritise, and get started ASAP with our Sustainability Toolkit and evolve from there.

Don’t boil the ocean and just get started: measure, prioritise, act, and adjust. We can’t wait.

* No pun intended, seriously.

** These manufacturing puns are flowing*** today.

*** Or, not, since concrete is usually pretty solid.

**** OK, that one was intentional.

Posted by Kirsty Paine

Kirsty Paine (she/her) is a Strategic Advisor in Technology and Innovation for Splunk’s EMEA region, where she provides technical thought leadership for strategic accounts. As an experienced technologist, strategist and security specialist, she thrives on understanding difficult problems and finding creative solutions. Her long-standing mantra, after nearly a decade working in cyber security, is simple and straightforward: "Make Good Choices".

Kirsty's background in cyber security stems from her mathematical roots, built on by her time working for the UK National Cyber Security Centre, where she spent years specialising in security, privacy and internet technologies. There, she often joked that her job was to look after two simple things: the security of 1) the internet and 2) all of its things. This role required a lot of technical strategy, coupled with international engagement across industry, and quite a lot of patience.

When not finding or fixing problems, Kirsty can usually be found in the gym or surrounded by sushi (making it, eating it, or both).