Rise of the cyber CPA: What it means for CISOs

Cyber CPAs not likely to help with security staffing issues

A more controversial aspect of this new certification program is whether it will help CISOs fill open slots, especially entry-level roles. Umesh Yerram has held CISO or similar security titles at AmerisourceBergen, Comcast, and IBM. He sees the training in the new CPA program as likely too little to make a difference to enterprise CISOs.

“I wouldn’t hire someone just because of this security certificate. I will still be looking at practitioners for this. [These cyber accountants] will likely not be as technical as we need them to be. That cert may not hold a lot of value,” Yerram tells CSO. “If it’s in the space of regular GRC, maybe a little bit, but it is not a slam dunk.”

Even though the second half of 2024 is likely to see a lot of cyber accountants looking for work, it’s not at all clear how many would be able to work for enterprise security operations, or even how soon. “It’s going to take years for this change to deliver enough new CPAs with the education to make a difference on security teams. I’d say CISOs are better off poaching accountants and training them, assuming they want accountants on their teams,” Healy Jones, a VP at Kruze Consulting, tells CSO.

Jones adds that traditional accounting firms are quite likely to grab many of them for themselves. “The CPA profession itself is facing a serious pipeline shortage. CPAs are going to be in increasingly short supply. I don’t think this will solve staffing issues in security teams given that accounting firms are going to be fighting tooth and nail for them,” Jones says. 

Biggest cyber-CPA value: Selling security to management

The biggest value-add these new talents are likely to deliver is in helping CISOs sell security programs more effectively. “CISOs are not known to speak in [terms of] ROI effectively, at least not in the practical ROI issues lines of business executives care about. And after hearing these ineffective arguments for years, many CFOs are eventually not listening,” Yigal Rechtman, managing partner of Rechtman Consulting, a New Jersey-based compliance and forensic accounting firm, tells CSO. 

Even if the new cyber accountants don’t immediately deliver better ROI arguments, argues Phil Neray, the VP of cyber defense security at Gem Security, their financial approach and different mindsets might prove quite valuable. “Fighting our cyber adversaries requires having different approaches and different viewpoints and different worldviews,” he tells CSO. “Therefore, having a diversity of perspectives on your security team is going to make your team stronger. And these cyber accountants might do just that.”
