2023-11-27

New rules from the Association of International Certified Public Accountants require prospective CPAs to choose one of three disciplines “to demonstrate deeper skills and knowledge,” according to the association’s CEO, Susan Coffey. One of those disciplines is cybersecurity as part of its ISC1: Information Systems and Controls exam, which will become available on January 1, 2024.

What will these new cybersecurity-trained accountants mean for the typical enterprise CISO? Accounting and security specialists point to two possible impacts: giving CISOs another way to fill those long-empty entry-level security positions, and helping the CISO’s office better articulate ROI benefits for key lines of business as well as for the CFO directly.

Cyber accountants see security with “a different lens”

“A cybersecurity accountant brings a different lens, one that combines financial acumen with cyber knowledge. They are adept at spotting irregularities in financial transactions or patterns that may signal a cybersecurity threat, such as unusual financial flows that could indicate a breach or fraud,” Anurag Gurtu, chief product officer at security vendor StrikeReady, tells CSO. “This hybrid expertise allows them to detect subtle anomalies that might be overlooked in standard cybersecurity protocols. For instance, inconsistencies in financial reporting or unexplained deviations in financial trends could be early indicators of a cyber incident, which a cybersecurity professional might miss.”

Sharon Levin, an accounting professor at the University of Maryland, echoes Gurtu’s argument that cyber accountants might notice things that could escape the attention of a veteran SOC-trained cybersecurity analyst. “Often, accountants are the first to become aware of system vulnerabilities and data breaches,” she tells CSO. “If it’s corporate assets cyber criminals are after, it’s accountants who are responsible for protecting those assets with internal controls.”

An opportunity to better communicate cybersecurity ROI

The ROI issue is important because, historically, enterprise CISOs have struggled to convince line-of-business executives and the CFO of the value of cybersecurity to their businesses. In theory, an accountant’s spreadsheet-loving background might position them to address the business’s concerns more effectively–and more directly–when arguing for cybersecurity improvements.

“Cybersecurity-savvy accountants could better articulate the financial implications of cyber threats, aiding CISOs in making compelling ROI arguments to business leaders,” Gurtu says. “Their ability to translate cyber risks into financial terms can enhance understanding and support for cybersecurity investments across different business units.”

Cyber CPAs not likely to help with security staffing issues

A more controversial aspect of this new certification program is whether it will help CISOs fill open slots, especially entry-level roles. Umesh Yerram has held CISO or similar security titles at AmerisourceBergen, Comcast, and IBM. He sees the training the new CPA program provides as likely too little to make a difference to enterprise CISOs.

“I wouldn’t hire someone just because of this security certificate. I will still be looking at practitioners for this. [These cyber accountants] will likely not be as technical as we need them to be. That cert may not hold a lot of value,” Yerram tells CSO. “If it’s in the space of regular GRC, maybe a little bit, but it is not a slam dunk.”

Even though the second half of 2024 is likely to see a lot of cyber accountants looking for work, it’s not at all clear how many would be able to work in enterprise security operations, or how soon. “It’s going to take years for this change to deliver enough new CPAs with the education to make a difference on security teams. I’d say CISOs are better off poaching accountants and training them, assuming they want accountants on their teams,” Healy Jones, a VP at Kruze Consulting, tells CSO.

Jones adds that traditional accounting firms are quite likely to grab many of them for themselves. “The CPA profession itself is facing a serious pipeline shortage. CPAs are going to be in increasingly short supply. I don’t think this will solve staffing issues in security teams given that accounting firms are going to be fighting tooth and nail for them,” Jones says.

Biggest cyber-CPA value: Selling security to management

The biggest value-add these new talents are likely to deliver is in helping CISOs sell security programs more effectively. Yigal Rechtman, managing partner of Rechtman Consulting, a New Jersey-based compliance and forensic accounting firm, argues that CISOs make compelling cybersecurity ROI arguments to CFOs but CFOs are typically not persuaded. The CISO’s case is usually that a security investment of X prevents attack losses of perhaps 10X. But the CFO is focused overwhelmingly on quarterly net income and is therefore far more concerned with boosting revenue than with saving money. Also, the money saved in this scenario is seen as theoretical: if the investment is made and the attack never materializes (because it was blocked), the board won’t perceive it as a savings.

Rechtman’s point is that cybersecurity-trained accountants might be more effective at persuading the CFO—as well as various LOB executives—because their core training is in money and accounting and not technology. That different perspective may prove more effective at persuading CFOs to invest more heavily in security.

Even if the new cyber accountants don’t immediately deliver better ROI arguments, argues Phil Neray, the VP of cyber defense security at Gem Security, their financial approach and different mindsets might prove quite valuable. “Fighting our cyber adversaries requires having different approaches and different viewpoints and different worldviews,” he tells CSO. “Therefore, having a diversity of perspectives on your security team is going to make your team stronger. And these cyber accountants might do just that.”

Will cyber accountants bring another level of checkbox compliance?

Not everyone agrees that cyber accountants will have a positive impact on the cybersecurity function. Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, has dealt with accounting groups for many years, and he is suspicious about whether they will help security executives or are trying to undermine them.

“Yeah, CPAs and the AICPA. Boy, do I have opinions on that. I knew they were going to pull some stuff between the CMMC, SEC, and CISA. They see blood in the water and want to edge out cyber pros to be the only ones who can certify,” Brush said. “For example, I am starting to do a SOC 2 Type 2 prep for a customer, which is easily a year-long engagement, and we are going to do a lot of heavy lifting to get them there. Then an auditor will come in and charge as much as we do and only do one-tenth of the work. I am not a fan of governing bodies like AICPA that up-charge services that are subjective, but they push as binary, black and white. They see a land grab.”

Brush’s fear is that “accountants and CPAs will bring in a bunch of low-paid people and they will do another set of checkbox compliance, just like we have with SOC 2 and PCI. The question is: How do we effectively measure risk? That’s not what these (accountants) do. They are compliance controls. They are gating decisions, and they are not likely to be aligned with the business.”