The new equation for sustainable IT and cyber resilience

For years, sustainability and cyber security have occupied opposite ends of the boardroom agenda. One has been framed as a moral and long-term obligation while the other, an urgent operational necessity. Businesses have often treated them as competing priorities - a choice between doing what is responsible and doing what is immediately necessary.

But that framing no longer reflects today’s reality. UK organisations have been battling economic uncertainty, rising software costs, mounting ESG expectations and an increasingly volatile cyber threat landscape. Technology leaders are being asked to do more with less, while simultaneously proving value, resilience and accountability - plagued by the question of how to build organisations that can withstand disruption while achieving both.

Encouragingly, many UK businesses appear to be shifting their thinking. Based on responses from more than 1,200 IT decision-makers across Northern Europe, a recent independent research has found that 38% of UK organisations are now using environmentally friendly or refurbished IT equipment as part of their sustainability strategies, placing the UK ahead of its Northern European counterparts.

Paired with further research on the consumer side with the UK leading the way with refurbished PC sales, it signals a rethink of the relationship between efficiency, longevity and resilience. Yet it also raises an important question: in the pursuit of smarter spending and greener operations, are businesses inadvertently exposing themselves elsewhere?

Green thinking gets practical

Not long ago, sustainable IT sat neatly inside CSR reports and carbon reduction targets - important, certainly, and great if it can deliver actual savings - but often peripheral to core business strategy.

Today, sustainability has moved much closer to the centre of business decision-making. Economic pressure along with government mandated targets and reporting have forced organisations to challenge long-standing assumptions about technology investment, particularly around hardware refresh cycles.

For years, replacing devices every three or four years was treated almost as doctrine, regardless of whether those devices remained fit for purpose. Not unusual when replacing your phone every year was equally expected, but in an era of tighter budgets and sharper scrutiny, leaders are asking a more pragmatic question: if technology still performs securely and effectively, why replace it prematurely?

There is also a broader imperative at play. The United Nations’ Global E-Waste Monitor estimates the world generated more than 60 million tonnes of electronic waste in recent years, while only around one-fifth was formally recycled. Against that backdrop, extending the lifespan of devices responsibly carries additional CSR kudos.

And if you wonder how that translates in today’s reality, when device refurbishment is carried out by authorised providers in line with the manufacturer’s standards, original warranties are often maintained or extended - effectively turning refurbished IT into a lifeline for sustainability and operational continuity rather than a compromise on assurance or support.

The cybersecurity blind spot

The key word in sustainable IT is “responsibly”. There is a meaningful difference between extending the life of technology and simply delaying investment to the detriment of operationability and security.

Done well, sustainable IT strengthens resilience. Done poorly, however, it risks creating what I would describe as resilience debt, otherwise, short-term efficiencies that quietly accumulate long-term vulnerabilities. While updating devices every couple of years generates new vulnerabilities and attack vectors, holding onto old (often unpatchable) devices for too long has the same effect. Balance is required.

While 44% of UK IT leaders cite emerging cyber threats as their biggest concern, patching frequency has declined - an uncomfortable contradiction. At precisely the moment organisations recognise heightened cyber risk, some appear to be loosening their grip on one of the most fundamental disciplines in cyber hygiene.

The UK government’s Cyber Security Breaches Survey found that 43% of UK businesses experienced a cyber breach or attack in the past year. That shows that cyber threats are becoming more sophisticated, frequent and disruptive to day-to-day operations.

This is why poorly managed lifecycle extension becomes problematic. Refurbished technology itself is not the issue - professionally refurbished devices are tested, secured and validated before redeployment. The greater risk lies with organisations independently stretching hardware lifespans without ensuring devices remain capable of supporting modern endpoint protection, patching standards and management tools.

A laptop that struggles to run contemporary security software may appear economical on paper, but the hidden cost of vulnerability can quickly outweigh any savings.

The great software reset

This balancing act between efficiency and resilience is playing out elsewhere too. Cloud investment appears to be entering a period of recalibration. Nearly half (49%) of UK IT leaders in our research report say they overspend on software licensing, prompting many organisations to reassess sprawling technology estates and consolidate vendors.

This reflects a broader shift happening across the market. Businesses are becoming more selective and sceptical about unchecked software expansion. The era of accumulating SaaS platforms without scrutiny appears to be giving way to something more intentional: optimisation over excess.

However, there is a danger that cost control becomes indiscriminate. Not every technology expense carries equal weight. Scrutinising inefficiency is sensible, while weakening resilience is not. Cyber preparedness cannot simply become another budget line to trim when financial pressure intensifies.

Smarter spending, stronger defences

The organisations navigating this moment most successfully are integrating sustainability and security as dual priorities.

I would describe this approach as secure efficiency: using smarter lifecycle management, refurbished technology and software consolidation to unlock savings, while reinvesting a portion of those efficiencies into cyber preparedness. That means maintaining robust patching practices, investing in modern endpoint security and stepping up vulnerability management efforts so organisations bring more rigour to how they scan, prioritise and remediate risk - in other words, directing resilience effort more intentionally.

The reality is that organisations no longer have the luxury of treating environmental responsibility and digital security as separate conversations. Customers, regulators and shareholders increasingly expect businesses to demonstrate both.

UK organisations are already showing that sustainability and cost discipline can coexist. The next challenge is keeping resilience in step with that evolution. In an environment of constant cyber pressure, the lowest-cost choice upfront is rarely the one that proves cheapest in the long run.