By Evan Schuman, Contributing Columnist

Rise of the cyber CPA: What it means for CISOs

Feature | 27 Nov 2023 | 7 min read
Topics: Compliance, CSO and CISO

New accountant certification rules starting January 2024 could deliver many new cybersecurity-trained accountants. Is this good or bad news for CISOs?


New rules from the Association of International Certified Public Accountants require prospective CPAs to choose one of three disciplines “to demonstrate deeper skills and knowledge,” according to the association’s CEO, Susan Coffey. One of those disciplines is cybersecurity as part of its ISC1: Information Systems and Controls exam, which will become available on January 1, 2024.

What will these new cybersecurity-trained accountants mean for the typical enterprise CISO? Accounting and security specialists point to two possible impacts: giving CISOs another way to fill those long-empty entry-level security positions, and helping the CISO’s office better articulate ROI benefits to key lines of business and directly to the CFO.

Cyber accountants see security with “a different lens”

“A cybersecurity accountant brings a different lens, one that combines financial acumen with cyber knowledge. They are adept at spotting irregularities in financial transactions or patterns that may signal a cybersecurity threat, such as unusual financial flows that could indicate a breach or fraud,” Anurag Gurtu, chief product officer at security vendor StrikeReady, tells CSO. “This hybrid expertise allows them to detect subtle anomalies that might be overlooked in standard cybersecurity protocols. For instance, inconsistencies in financial reporting or unexplained deviations in financial trends could be early indicators of a cyber incident, which a cybersecurity professional might miss.”

Sharon Levin, an accounting professor at the University of Maryland, echoes Gurtu’s argument that cyber accountants might notice things that might escape the attention of a veteran SOC-trained cybersecurity analyst. “Often, accountants are the first to become aware of system vulnerabilities and data breaches,” she tells CSO. “If it’s corporate assets cyber criminals are after, it’s accountants who are responsible for protecting those assets with internal controls.”

An opportunity to better communicate cybersecurity ROI

The ROI issue is important because, historically, enterprise CISOs have struggled to convince line-of-business executives and the CFO of the value of cybersecurity to their businesses. In theory, an accountant’s spreadsheet-loving background might position them to address the business’s concerns more effectively, and more directly, when arguing for cybersecurity improvements.

“Cybersecurity-savvy accountants could better articulate the financial implications of cyber threats, aiding CISOs in making compelling ROI arguments to business leaders,” Gurtu says. “Their ability to translate cyber risks into financial terms can enhance understanding and support for cybersecurity investments across different business units.”

Cyber CPAs not likely to help with security staffing issues

A more controversial aspect of this new certification program is whether it will help CISOs fill open slots, especially entry-level roles. Umesh Yerram has held CISO or similar security titles at AmerisourceBergen, Comcast, and IBM. He sees the training the new CPA program provides as likely too little to make a difference to enterprise CISOs.

“I wouldn’t hire someone just because of this security certificate. I will still be looking at practitioners for this. [These cyber accountants] will likely not be as technical as we need them to be. That cert may not hold a lot of value,” Yerram tells CSO. “If it’s in the space of regular GRC, maybe a little bit, but it is not a slam dunk.”

Even though the second half of 2024 is likely to see a lot of cyber accountants looking for work, it’s not at all clear how many would be able to work in enterprise security operations, or how soon. “It’s going to take years for this change to deliver enough new CPAs with the education to make a difference on security teams. I’d say CISOs are better off poaching accountants and training them, assuming they want accountants on their teams,” Healy Jones, a VP at Kruze Consulting, tells CSO.

Jones adds that traditional accounting firms are quite likely to grab many of them for themselves. “The CPA profession itself is facing a serious pipeline shortage. CPAs are going to be in increasingly short supply. I don’t think this will solve staffing issues in security teams given that accounting firms are going to be fighting tooth and nail for them,” Jones says.

Biggest cyber-CPA value: Selling security to management

The biggest value-add these new talents are likely to deliver is in helping CISOs sell security programs more effectively. Yigal Rechtman, managing partner of Rechtman Consulting, a New Jersey-based compliance and forensic accounting firm, argues that CISOs do make compelling cybersecurity ROI arguments to CFOs, but CFOs are typically not persuaded. The CISO’s case is usually about making security investments of X to prevent attack losses of perhaps 10X. But the CFO is focused overwhelmingly on quarterly net income and is therefore obsessed with boosting revenue rather than saving money. Also, the money saved in this scenario is seen as theoretical: if the investment is made and the attack never materializes (because it was blocked), the board won’t perceive it as a savings.

Rechtman’s point is that cybersecurity-trained accountants might be more effective at persuading the CFO—as well as various LOB executives—because their core training is in money and accounting and not technology. That different perspective may prove more effective at persuading CFOs to invest more heavily in security.

Even if the new cyber accountants don’t immediately deliver better ROI arguments, argues Phil Neray, the VP of cyber defense security at Gem Security, their financial approach and different mindsets might prove quite valuable. “Fighting our cyber adversaries requires having different approaches and different viewpoints and different worldviews,” he tells CSO. “Therefore, having a diversity of perspectives on your security team is going to make your team stronger. And these cyber accountants might do just that.”

Will cyber accountants bring another level of checkbox compliance?

Not everyone agrees that cyber accountants will have a positive impact on the cybersecurity function. Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, has dealt with accounting groups for many years, and he is suspicious about whether they will help security executives or whether they are trying to undermine them.

“Yeah, CPAs and the AICPA. Boy, do I have opinions on that. I knew they were going to pull some stuff between the CMMC, SEC, and CISA. They see blood in the water and want to edge out cyber pros to be the only ones who can certify,” Brush said. “For example, I am starting to do a SOC 2 Type 2 prep for a customer, which is easily a year-long engagement, and we are going to do a lot of heavy lifting to get them there. Then an auditor will come in and charge as much as we do and only do one-tenth of the work. I am not a fan of governing bodies like AICPA that up-charge services that are subjective, but they push as binary, black and white. They see a land grab.”

Brush’s fear is “accountants and CPAs will bring in a bunch of low-paid people and they will do another set of checkbox compliance, just like we have with SOC 2 and PCI. The question is: How do we effectively measure risk? That’s not what these (accountants) do. They are compliance controls. They are gating decisions, and they are not likely to be aligned with the business.”
