The combination of what seems like a steady barrage of data breaches and greater understanding of their impact on an organization has led executives at many companies to increasingly view cyber security as a business challenge, rather than an IT concern. Interestingly, chief financial officers and certified public accountants are able to play a vital role in efforts to improve an organization’s cyber security due to their skills and experience.


One of the challenges for a company’s chief information security officer (CISO)—if the company has one—is to explain technical cyber security risk factors in business terms. CFOs are in a unique position to help CISOs work through these challenges: they have experience managing other forms of business risk, and they can help CISOs structure a cyber risk management program around business-appropriate metrics and an integrated data set, a recent CFO article notes.


There are several areas in particular where CFOs can help, the article continues. For instance, as companies address cyber-risk management as a business function, CFOs have the background and experience to help CISOs better understand where cyber defense dollars should be spent. CFOs are able to confirm that the organization’s current security plan addresses business development needs in a cost-effective way.


CFOs are also able to help CISOs understand cyber financial resilience by putting cyber risk in monetary terms, the article notes. Furthermore, CFOs can weigh the cost of cyber defenses against hedging techniques such as cyber insurance, and against an impact analysis of the current risks.


Finally, CFOs are able to help others better understand cyber defense resource optimization by helping evaluate what the company should do with existing investments in technology, policies and processes. That way, leaders can ensure the organization is following the best course of action by optimally leveraging existing resources, rather than simply following trends, explains the article.


I was also interested to recently read that, according to Barry C. Melancon, CPA, CGMA, President and CEO of the AICPA (American Institute of CPAs), the U.S. Securities and Exchange Commission has acknowledged that the accounting profession’s experience with integrating data, reporting and assurance puts CPAs in a unique position to assist organizations as they address their cyber security concerns. Consequently, the AICPA is taking a multifaceted approach to cyber security through the work of the Assurance Services Executive Committee and the Center for Audit Quality to enable CPAs to take a leadership role, he explains.


“The AICPA already sees explosive growth in the need for cyber security-related services that build on the foundation for Service Organization Control, or SOC, reports,” Melancon says. “This demand is driven by market forces—and the market is asking us to do more, from both the advisory and assurance perspectives.”


In response, the AICPA is taking action on many fronts, Melancon says. For example, various segments of the AICPA are working to help CPAs address cyber security concerns through services such as advisory, assurance, tax and management accounting. The AICPA is also looking at how the profession can address cyber security as a natural extension of the platform of services CPAs already perform.


“We see numerous roles for CPAs in the battle against cyber crime,” Melancon says. “CPAs must present their own front line against cyber attacks, implementing controls that help protect data and prevent service disruptions. CPAs in business can use their knowledge of the organization to advise their employers on administering a cyber security risk management program and provide the best cyber solutions. CPAs in public practice can assist their clients in an advisory capacity, as they grapple with cyber concerns and provide assurance when needed.”


What are your thoughts on having CFOs and CPAs help manage cyber security risk? Secondly, if you are a CFO or CPA, are you involved in your organization’s cyber security risk management program?