Date: 2023-11-27

New rules from the Association of International Certified Public Accountants require prospective CPAs to choose one of three disciplines "to demonstrate deeper skills and knowledge," according to the association's CEO, Susan Coffey. One of those disciplines is cybersecurity as part of its ISC1: Information Systems and Controls exam, which will become available on January 1, 2024.

What will these new cybersecurity-trained accountants mean for the typical enterprise CISO? Accounting and security specialists point to two possible impacts: giving CISOs another way to fill those long-empty entry-level security positions, and helping the CISO's office better articulate ROI benefits for key lines of business as well as for the CFO directly.

Cyber accountants see security with "a different lens"

"A cybersecurity accountant brings a different lens, one that combines financial acumen with cyber knowledge. They are adept at spotting irregularities in financial transactions or patterns that may signal a cybersecurity threat, such as unusual financial flows that could indicate a breach or fraud," Anurag Gurtu, chief product officer at security vendor StrikeReady, tells CSO. "This hybrid expertise allows them to detect subtle anomalies that might be overlooked in standard cybersecurity protocols. For instance, inconsistencies in financial reporting or unexplained deviations in financial trends could be early indicators of a cyber incident, which a cybersecurity professional might miss."

Sharon Levin, an accounting professor at the University of Maryland, echoes Gurtu's argument that cyber accountants might notice things that might escape the attention of a veteran SOC-trained cybersecurity analyst. "Often, accountants are the first to become aware of system vulnerabilities and data breaches," she tells CSO. "If it's corporate assets cyber criminals are after, it's accountants who are responsible for protecting those assets with internal controls."

An opportunity to better communicate cybersecurity ROI

The ROI issue is important because, historically, enterprise CISOs have struggled to convince line-of-business executives and the CFO of the value of cybersecurity to their businesses. In theory, an accountant's spreadsheet-loving background might position them to more effectively, and more directly, address the business's concerns when arguing for cybersecurity improvements.

"Cybersecurity-savvy accountants could better articulate the financial implications of cyber threats, aiding CISOs in making compelling ROI arguments to business leaders," Gurtu says. "Their ability to translate cyber risks into financial terms can enhance understanding and support for cybersecurity investments across different business units."