Assessing the Environmental Impact of Cybersecurity Infrastructure

New research indicates that backup systems and identity management account for nearly half of the cybersecurity industry's carbon footprint. We examine how security leaders can optimize infrastructure to support sustainability goals without compromising risk management.

Triage Security Media Team

Digital security relies on physical resources. Security programs consume electricity, servers require cooling and water, and hardware relies on the extraction of natural materials. While these environmental costs are often overlooked in risk discussions, recent analysis suggests that cybersecurity infrastructure is a significant contributor to corporate carbon emissions.

Research indicates that two specific domains, resilience measures (such as backups) and identity and access management (IAM), generate approximately 45% of the industry’s total climate impact.

Gérôme Billois, a partner in cybersecurity and digital trust at Wavestone, initiated a study to understand why cybersecurity was frequently absent from corporate sustainability conversations. He notes that security leaders significantly influence sustainability outcomes depending on how they architect security rules and infrastructure. The study aims to integrate CISOs into the sustainability process, identifying practical methods to reduce CO2 consumption without introducing new risks.

Billois is scheduled to present the full findings at the RSAC Conference in San Francisco.

Analyzing the Carbon Footprint of Defense

The Wavestone team conducted the study in two phases: an initial theoretical model followed by an on-site evaluation of more than 10 large enterprises and public organizations. By assessing live cybersecurity systems, the researchers identified specific areas of high consumption and potential reduction.

The results challenged several initial hypotheses. The team anticipated that encryption and company-issued devices might be primary drivers of emissions. However, consultation with cryptographers revealed that decades of optimizing encryption algorithms for performance and speed has naturally resulted in high energy efficiency. Consequently, modern cryptography has a relatively low CO2 impact.

Instead, the study identified resilience as the single largest environmental factor, accounting for approximately 29% of the cyber climate impact in the studied organizations. This category includes backup servers, redundant hardware, and other measures designed to ensure data availability and continuity.

Identity and access management (IAM) followed as the second largest contributor at 16%. While IAM might appear to be a lightweight system of databases and authentication protocols, two factors drive its high consumption:

  1. System Complexity: Large organizations often operate multiple disjointed identity systems resulting from mergers, acquisitions, and legacy infrastructure.

  2. Hardware Dependencies: The manufacturing and distribution of physical tokens, which require plastics, electronics, and batteries, adds a substantial carbon cost.

Other activities with above-average environmental impact include event logging, security assessments, vulnerability scans, patch management, and contractor workstations. Notably, despite current industry attention, artificial intelligence (AI) did not register as a major contributor in this specific study. Billois observes that current AI deployments in security are typically low-impact tools, though this may change as adoption scales through 2026 and 2027.

Conversely, areas such as application security, email security, network segmentation, and data protection (including encryption) were found to have a lower carbon footprint.

Strategies for Sustainable Security

Organizations can implement targeted changes to reduce their carbon footprint while maintaining strong security postures.

Optimizing Contractor Access

One immediate policy adjustment involves the provisioning of hardware for third-party contractors. Rather than automatically issuing dedicated workstations, organizations can secure access by migrating to virtual desktop infrastructure (VDI), allowing contractors to use existing devices securely.

Refining Log Management

Logging practices often default to maximum retention, creating significant storage and energy costs. Billois suggests that teams revisit log collection strategies. By compressing data and adjusting retention periods to match actual legal and operational requirements, organizations can reduce infrastructure volume and emissions.

Consolidating Identity Systems

Addressing the fragmentation in IAM environments offers a dual benefit. Consolidating duplicate identity systems reduces the energy required to run them while simultaneously lowering costs and reducing the attack surface.

The Resilience Challenge

Reducing the impact of the primary contributor, resilience, remains the most complex challenge. While some organizations can shift from underutilized physical infrastructure to more efficient virtualized backups, the core principle of resilience is redundancy. Eliminating redundancy to save energy often directly increases risk.

"You can reduce CO2 very easily: you stop buying two servers, or you stop having a duplicate of all your data," Billois explains. "But regarding risk, it's not a good idea. So for this one, we don't have a lot to do."

For security leaders, the goal is not to dismantle defenses for the sake of sustainability, but to identify inefficiencies where protection and environmental responsibility can coexist.
