Bruce Sussman, CPA
‘We must adapt our defensive tools …’
Facing new cybersecurity challenges: The increasing ubiquity and sophistication of malware is an enormous challenge. Anti-virus software as we knew it from five years ago is dead. CPas in public practice and those in risk management positions need to work with clients to understand the latest generation in fraud and intrusion detection tools and explain their benefit in nontechnical terms to the C-suite. If most malware is designed to pass through a conventional firewall or anti-virus solution, we must adapt our defensive tools and use them in a more analytic, predictive mode. That is where a technology-savvy CPA has an advantage, because we are trained in the succinct presentation of complex ideas.
Cybersecurity and opportunities for CPas: CPas can bring professional rigor, independence, and reporting to technical risk assessment and to problem-solving. Each time we apply our technical and soft skills to finding exposures in software and infrastructure used by the public, we are serving the public interest. So it’s more than simply doing an audit and delivering the report. These opportunities exist not just in an IT audit, but also in risk advisory assignments, working with public, municipal, and small to medium-size clients who are outgunned when faced with malware, ransomware, and insider risks. The path exists for CPas to develop skills in cybersecurity and provide services to clients. It can be found through IT assurance services offered by public firms and internal audit departments. The natural progression is from public to private audit, to information security. Acquiring IT-related credentials is a prerequisite. Usually, it takes five to eight years of solid experience. It’s also vital to network with other CPA security practitioners and security engineers, and learn from them.
Presenting information in the right way: We constantly strive to acquire and present the facts about risk management in a way that is compelling and crisp. To be successful, however, requires the right tone at the top. In each job I’ve had, there’s been the challenge of presenting the facts about risk—its magnitude, probability, mitigating factors, and business constraints. Once you show these factors are presented equally and without bias, it’s usually easier to gain acceptance for any risk treatment that you propose. Sometimes, it’s as simple as identifying the worst-case loss scenario or regulatory consequence, and presenting third-party data to back up your assertion.
Cautionary tales: CPA firms need to be very careful in dealing with clients whose fIRSt instinct when challenged is to escalate or parry a valid request for information. CPA firms should exercise extreme caution when management or their proxies limit scope, impede access to artifacts, or attempt to intimidate an auditor with threats to bring in their attorneys.