Accounting firms in the United States are elevating cybersecurity leaders such as Jim Nagata, Amy Bogac, Steve Jackson, Thomas Walch, Mike Reterstorf, and Megan Shirey as client trust increasingly depends on secure systems, resilient infrastructure, regulatory fluency, and credible risk governance. The job is no longer just to protect laptops, email, and file shares. It is to defend the machinery behind audit evidence, tax filings, advisory models, financial reporting, and the professional judgment clients pay firms to deliver. In accounting, cybersecurity has become part of the product.
The New Trust Layer Is Technical Before It Is Reputational
Accounting has always sold confidence. The profession’s public language is about independence, assurance, controls, evidence, and judgment; its private operating reality is increasingly about identity systems, endpoint telemetry, cloud access, third-party software, data retention, and board-ready risk reporting.
That shift matters because accounting firms occupy a peculiar place in the modern economy. They are not banks, but they hold bank-grade information. They are not hospitals, but they may touch protected health data. They are not software companies, but they run sprawling application estates, data pipelines, client portals, collaboration tools, and analytics platforms.
For attackers, that makes the sector attractive. A compromise at an accounting or advisory firm can open paths into tax records, payroll data, M&A materials, audit workpapers, business forecasts, and privileged correspondence. A firm does not need to be the ultimate target to be valuable; it can be the trusted intermediary that makes the next target easier to reach.
That is why the CISO role inside professional services has expanded. The best security leaders in this space are not just tool buyers or policy writers. They translate technical risk into operational reality, and they do it in businesses where client service, deadline pressure, partner economics, and regulatory obligations collide every day.
Accounting Firms Are Now Cyber Risk Aggregators
The accounting sector’s security problem is not simply that it has sensitive data. Plenty of industries do. The sharper issue is that accounting firms aggregate risk across many clients, industries, jurisdictions, and service lines while operating on unforgiving calendars.
Tax season, audit deadlines, transaction windows, regulatory reporting, and client deliverables do not pause because a patch cycle is awkward or an identity migration is incomplete. That gives security teams a brutal constraint: they must harden systems without interrupting the work that gives the firm its revenue and reputation.
This is where the careers of leaders like Thomas Walch at BDO USA and Steve Jackson at Stout become instructive. Both profiles reflect a path from deep infrastructure and internal technology operations into senior security leadership. In a professional services environment, that kind of institutional knowledge can be as valuable as any certification because it tells a CISO where the real pressure points sit.
Walch’s background at BDO reaches across Windows servers, Active Directory, VMware, storage, backup, Cisco networks, data centers, remote offices, and technology integration during mergers and acquisitions. That is not a résumé footnote; it is the operating map of a large accounting firm. A CISO with that history knows that security exceptions often emerge from business integration, legacy dependencies, regional offices, and acquisition timelines — not from a neat architecture diagram.
Jackson’s progression at Stout tells a similar story on a different scale. Moving from senior IT roles into the CISO seat suggests a security model rooted in knowledge of users, systems, service delivery, and firm culture. That matters because professional services firms run on trust internally as much as externally. Security controls that do not match how consultants, auditors, analysts, partners, and support teams actually work will be bypassed, resented, or quietly weakened.
The Infrastructure CISO Still Has the Advantage
Cybersecurity marketing often talks as if every risk is new. AI, cloud sprawl, identity attacks, ransomware, deepfakes, and software supply-chain exposure all matter, but the fundamentals still decide whether a firm bends or breaks. Asset visibility, access discipline, recovery planning, logging, segmentation, and patch governance remain the boring machinery underneath every modern security claim.
That is why infrastructure-heavy CISOs remain especially relevant in accounting. They understand that resilience is not a product category. It is the accumulated result of design choices, support habits, staffing decisions, vendor dependencies, and management willingness to fund unglamorous work.
In firms that have grown through mergers, acquisitions, and geographic expansion, the job becomes harder. Incoming teams may arrive with different endpoint builds, directory structures, cloud tenants, retention practices, VPN habits, and vendor contracts. The business wants integration quickly; the security team wants assurance carefully. The CISO has to turn that tension into a plan that neither stalls the deal nor imports unknown risk into the firm’s core environment.
Walch’s M&A-related work at BDO is a reminder that accounting-firm cybersecurity is often integration security. The danger is not always a dramatic zero-day exploit. Sometimes it is a newly acquired office with weak identity hygiene, an inherited application nobody has fully documented, or a migration timeline that treats security review as paperwork rather than engineering.
The infrastructure CISO’s advantage is practical skepticism. They know what breaks. They know which systems are critical only because a partner says they are, and which systems are critical because the firm cannot function without them. They also know that disaster recovery plans, incident response plans, and access reviews are only meaningful if they survive contact with the actual environment.
AI Has Entered the CISO’s Office, but Governance Got There First
Jim Nagata’s profile at Cherry Bekaert points to another force reshaping accounting-firm security: the collision of cybersecurity and generative AI. His emphasis on AI-driven security strategy, intelligent automation, predictive analytics, and scalable infrastructure reflects where the sector is heading. Firms want AI to improve productivity, accelerate analysis, and modernize service delivery, but they cannot afford to let experimentation outrun governance.
Accounting firms face a particularly delicate AI problem because their data has context. A spreadsheet is rarely just a spreadsheet. It may contain tax positions, audit evidence, transaction assumptions, compensation details, forecasts, legal exposure, or client strategy. Feeding that data into the wrong tool, storing prompts in the wrong place, or allowing unmanaged integrations can turn efficiency into disclosure risk.
The CISO’s role is therefore not to say no to AI. That posture will fail in organizations where partners and clients are already demanding faster, smarter, more automated work. The better role is to define safe lanes: which tools are approved, what data can be used, how prompts and outputs are logged, how model risk is reviewed, and how employees are trained to spot hallucinated authority.
Nagata’s intersection of AI and security is significant because it treats AI not merely as a threat source but as an operational lever. Automation can improve detection, triage, compliance mapping, and response speed. Predictive analytics can help security teams prioritize risk before a control gap becomes an incident. But the same logic cuts both ways: if defenders can automate, attackers can too.
That is the central paradox facing security leaders in accounting. AI can help firms defend complex environments, but it can also amplify phishing, social engineering, document fraud, malware development, and reconnaissance. The firms that manage this well will not be the ones with the loudest AI strategy. They will be the ones with disciplined identity controls, data classification, vendor review, logging, and executive oversight before the AI layer scales.
Compliance Is Not the Ceiling Anymore
The accounting sector is fluent in frameworks. ISO 27001, SOC 2, PCI DSS, SOX, HIPAA, NIST, HITRUST, and related control regimes appear throughout these leaders’ backgrounds. That is not surprising; accounting firms serve clients who live inside regulated environments and must often prove security posture to win or retain work.
But compliance is no longer enough as a strategic endpoint. A firm can pass an audit and still be brittle. It can document a control and still fail to enforce it consistently. It can produce impressive reports and still struggle with identity sprawl, shadow IT, weak recovery testing, or inconsistent third-party oversight.
Amy Bogac’s appointment as CISO at Baker Tilly illustrates the modern version of the compliance-plus-security mandate. Her background includes global security program development, incident response, ransomware recovery, NIST-based programs, and heavily regulated environments. That combination matters because firms need leaders who can satisfy auditors and survive attackers.
There is a difference between a security program that looks mature on paper and one that behaves maturely under stress. The latter requires practiced incident response, executive communication, technical containment, legal coordination, client messaging, and recovery discipline. In accounting, where client confidence can be damaged as quickly by confusion as by compromise, that operational maturity is decisive.
Bogac’s reporting line to senior risk and legal leadership also reflects a broader industry pattern. Cybersecurity is increasingly treated not as a technical silo but as an enterprise risk function. That is where it belongs. The CISO may manage tools and teams, but the consequences of security decisions belong to the whole firm.
Regulated-Industry Veterans Bring a Different Sense of Consequence
Mike Reterstorf’s path from DTE Energy into Plante Moran’s security leadership brings another useful lens. Energy-sector security experience carries a particular seriousness because operational reliability, compliance, and cyber risk are tightly coupled. The vocabulary of NERC CIP, identity and access management, privileged access management, endpoint security, patch management, intrusion detection, incident response, change management, and recovery planning is not abstract in critical infrastructure.
That experience maps well to accounting, even if the environments look different. A professional services firm may not run a power grid, but it does run business-critical processes for clients that expect accuracy, confidentiality, and availability. Downtime during a deadline window can become a client-service failure. A compromised privileged account can become a breach of trust. A weak recovery plan can turn a contained incident into a firmwide crisis.
Reterstorf’s background in SmartGrid architecture, AMI integration, payment systems, mobile platforms, and enterprise architecture also points to another reality: CISOs increasingly need to understand systems as business platforms. Security is not added after architecture; it is part of architecture. The firms that treat security as a review gate after technology decisions have already been made will always be negotiating from behind.
This is especially relevant as accounting firms expand advisory and digital services. The more firms build analytics, managed services, automation, client portals, and sector-specific platforms, the more they resemble technology operators. That does not erase the accounting mission, but it changes the security surface.
A CISO with regulated-industry experience brings a useful intolerance for wishful thinking. Controls need owners. Recovery needs testing. Identity needs governance. Exceptions need expiration dates. Risk acceptance needs executives who understand what they are accepting.
The vCISO Model Turns Security Into a Client Service
Megan Shirey’s role at Miller Kaplan introduces a different but increasingly important model: security leadership as a service delivered outward. As a virtual CISO, she helps clients build governance, risk, compliance, incident response, business continuity, third-party risk, executive reporting, and security-culture programs.
That is an important extension of the accounting-firm trust model. Firms are not only securing themselves; many are helping clients demonstrate, improve, and govern their own security. The line between professional services and cybersecurity advisory has blurred because clients need help translating frameworks into programs and programs into evidence.
The vCISO model is especially useful for small and mid-sized organizations that cannot justify or recruit a full-time security executive. They still face vendor questionnaires, insurance requirements, SOC 2 demands, HIPAA obligations, PCI responsibilities, board scrutiny, and real threats. A client-facing CISO can give those organizations structure without pretending that a few tools equal a security program.
Shirey’s background in federal IT audits and program evaluations adds another layer. Security governance is not merely about deploying safeguards; it is about proving that investments, architecture decisions, records practices, and controls hold up under examination. That mindset is familiar to accountants, but its application to cyber risk is still maturing across many organizations.
For accounting firms, offering vCISO services also raises the bar internally. It is difficult to credibly advise clients on governance, metrics, incident planning, and third-party risk if the firm’s own practices are loose. The advisory business and the internal security program reinforce each other — or expose each other.
The Boardroom Wants Risk, Not Tool Telemetry
One common thread across these CISO profiles is the move from technical control ownership to executive risk communication. Board reporting appears explicitly in several backgrounds, and it is not incidental. Accounting firms depend on leadership groups that need to understand cyber risk in terms of client impact, regulatory exposure, operational continuity, reputation, insurance, and growth.
That translation is difficult. Security teams often measure what their tools can count: alerts, vulnerabilities, blocked emails, endpoint events, patch percentages, phishing click rates, and ticket closure times. Boards and executive committees need something else: what could hurt the firm, how likely it is, what it would cost, what is being done, and where management must make a decision.
The best CISOs do not bury executives in dashboards. They produce decision-grade risk intelligence. They explain tradeoffs clearly enough that leadership cannot hide behind ambiguity. If a legacy system remains unpatched because a business unit refuses downtime, that is not a purely technical issue. It is a business risk with an owner.
Accounting firms should be better positioned than many industries to understand this because the profession already deals in evidence, materiality, controls, and assurance. But that familiarity can also create complacency. Cyber risk does not always behave like financial reporting risk. It moves faster, crosses organizational boundaries more easily, and can turn a minor technical weakness into a public crisis overnight.
The CISO’s task is to make that risk legible without sensationalizing it. Fear can win budget once. Credibility wins influence over time.
Identity Is the Quiet Center of the Profession’s Security Problem
If there is one technical theme that should dominate accounting-firm security, it is identity. Professional services environments are built around access: employees, partners, contractors, clients, vendors, auditors, advisors, acquired teams, temporary staff, and external collaborators all need to reach data and systems in controlled ways.
That makes identity governance the connective tissue of the modern firm. Privileged access, multifactor authentication, conditional access, lifecycle management, role design, third-party access, and access reviews are not back-office chores. They are the mechanism by which client confidentiality becomes enforceable.
The danger is that identity complexity accumulates quietly. A user changes roles but keeps old permissions. A client portal exception becomes permanent. A contractor account survives the engagement. An acquired team brings inherited access models. A privileged account is shared for convenience. None of these failures looks dramatic in isolation, but together they create the conditions attackers exploit.
This is where infrastructure experience, regulated-industry discipline, and compliance knowledge intersect. A mature security program does not treat identity as a one-time implementation. It treats identity as a living control system that requires continuous governance.
Accounting firms also have to contend with client expectations around convenience. Clients want easy portals, rapid document exchange, and frictionless collaboration. Security teams have to deliver that without creating open doors. The firms that get this right will make strong identity controls feel like part of professional service quality, not an obstacle to it.
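As an added illustration, not code from the article or from any firm it names, here is a small access-review check in Python that flags the four quiet failure modes the preceding paragraphs describe: permissions retained after a role change, a client-portal exception that never expires, a contractor account outliving its engagement, and a privileged account used by more than one person. The role baseline, the account records and the review date are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed: the entitlements each role is supposed to hold (the firm's role design).
ROLE_BASELINE = {
    "tax_associate": {"tax-workpapers"},
    "audit_manager": {"audit-workpapers", "audit-review"},
}

@dataclass
class Account:            # constructed view of a directory account joined to the HR feed
    name: str
    kind: str                                   # "employee" or "contractor"
    role: str                                   # current role from the HR feed
    entitlements: set                           # groups actually granted in the directory
    privileged: bool = False
    engagement_end: Optional[date] = None       # contractors only
    known_users: set = field(default_factory=set)  # distinct people seen signing in

@dataclass
class PortalException:    # constructed entry from a client-portal exception register
    client: str
    granted: date
    expires: Optional[date]                     # None: never given an end date

def review_access(accounts, exceptions, today):
    """Return (subject, finding, detail) tuples for the four failure modes."""
    findings = []
    for a in accounts:
        extra = a.entitlements - ROLE_BASELINE.get(a.role, set())
        if extra:   # role changed, old permissions were never removed
            findings.append((a.name, "excess-entitlement", sorted(extra)))
        if a.kind == "contractor" and a.engagement_end and a.engagement_end < today:
            findings.append((a.name, "contractor-past-engagement", a.engagement_end.isoformat()))
        if a.privileged and len(a.known_users) > 1:   # one admin account, several people
            findings.append((a.name, "shared-privileged", sorted(a.known_users)))
    for e in exceptions:
        if e.expires is None or e.expires < today:   # "temporary" exception that became permanent
            findings.append((e.client, "portal-exception-open-ended", e.granted.isoformat()))
    return findings

def run_sample(today=date(2026, 7, 1)):   # constructed review date and records
    accounts = [
        Account("mlee", "employee", "tax_associate", {"tax-workpapers", "audit-review"}),
        Account("ctr-vendor01", "contractor", "tax_associate", {"tax-workpapers"},
                engagement_end=date(2026, 3, 31)),
        Account("svc-backup-admin", "employee", "audit_manager", {"audit-workpapers", "audit-review"},
                privileged=True, known_users={"jdoe", "asmith"}),
    ]
    exceptions = [PortalException("ClientCo", date(2025, 11, 2), None),
                  PortalException("OtherCo", date(2026, 6, 20), date(2026, 7, 20))]
    return review_access(accounts, exceptions, today)
```

Each finding names an owner-facing subject rather than a raw directory object, which is the form a partner or engagement lead can act on in a review.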
The Accounting CISO Is Becoming a Business Architect
The most interesting thing about this group of leaders is not that they have security credentials. It is that their backgrounds span infrastructure, AI strategy, critical infrastructure, federal audit, incident response, compliance frameworks, M&A integration, and client-facing advisory. That breadth says something about the job itself.
The accounting-firm CISO is becoming a business architect. They help decide how the firm adopts technology, integrates acquisitions, serves regulated clients, uses AI, structures access, survives incidents, proves controls, and communicates risk. That is not merely a defensive posture. It shapes what the firm can safely do.
This evolution also changes the talent pipeline. The next generation of CISOs in accounting may come from security operations, but they may also come from enterprise architecture, IT infrastructure, risk advisory, audit, cloud governance, privacy, or incident response. What matters is not a single canonical route. What matters is the ability to connect technical reality to business consequence.
For WindowsForum’s audience, there is a familiar lesson here. The Microsoft-heavy enterprise stack — Windows Server, Active Directory, endpoint management, identity platforms, collaboration suites, cloud services, virtualization, storage, and backup — remains deeply embedded in the practical security life of professional services. The strategic conversation may happen in boardrooms, but the blast radius is often determined by configuration, identity hygiene, endpoint control, and recovery architecture.
That is why accounting-firm security deserves more attention than it usually gets. These firms sit close to the records that tell companies, regulators, investors, and individuals what is true. If their systems cannot be trusted, the damage extends beyond one breached organization.
Six Names Point to One Bigger Shift
The useful way to read these CISO profiles is not as a ranking or a personality roundup. It is as a snapshot of how professional-services security is maturing under pressure. The job is broadening because the risk is broadening.
- Accounting firms now defend not only internal data but also the trust relationships that connect clients, regulators, advisors, and financial reporting systems.
- Infrastructure experience remains a major advantage because many real security failures begin as operational complexity, legacy dependency, or integration debt.
- AI is becoming both a defensive tool and a governance challenge, especially where firms handle sensitive client data and high-context work product.
- Compliance frameworks are necessary, but they do not substitute for tested resilience, incident response, identity discipline, and executive accountability.
- vCISO services show that accounting firms are increasingly exporting cybersecurity leadership to clients that need governance but lack full-time security executives.
- The modern CISO’s most important audience may be the board or executive committee, where cyber risk must be translated into business decisions rather than technical noise.
References
- Primary source: Security Boulevard, "Balancing Risk: The CISOs Securing America's Accounting Firms" (securityboulevard.com). Published: 2026-06-23T16:40:08.178464
- Related coverage: Cherry Bekaert, "Cybersecurity Services" (www.cbh.com)
- Related coverage: "Cybersecurity Risks: What Keeps CISOs Up at Night" (www.ciso.inc)
- Related coverage: cooley.com
- Related coverage: pulseconferences.com