This two-part series examines the broader implications of the changes to the CPA (certified public accountant) exam going into effect in the new year. Part 2 considers how finance teams with a deeper knowledge of technology, security and data can provide tremendous value to the security strategy of a business.
In a recent post, we outlined some of the upcoming changes to the CPA (certified public accountant) exam and how these will help foster a stronger relationship between security teams and finance teams. We decided to go a step further and delve into the mind of security leaders, or CISOs (Chief Information Security Officers), to understand how technologically fluent finance teams can support the CISO as they plan and implement a highly effective security strategy that supports the overall business.
No two CISO jobs are the same; however, there are several common aspects of the role that every security leader must tackle. CISOs are business leaders at their core, and their number one job at any organization is to understand how the business operates so that they can build an effective strategy for company-wide security. Just as a security leader works to develop a holistic understanding of the business, it is equally important for finance leaders to invest time into understanding the technological foundation that supports the business operations in which they play a part. In today’s world, both teams are broadening their view of the business to contribute effectively to the shared company goals.
In a recent conversation with Emily Heath, General Partner at our investor Cyberstarts, she shared with us her experience as a CISO. In that conversation, we discussed the upcoming changes to the CPA exam, and she provided an interesting perspective on the security leader’s role and how tech-savvy finance counterparts will be able to better support them.
Emily noted that in her experience, there are five important questions that she, as a CISO, always asked whenever she arrived at a new organization. Keeping in mind the modifications to the CPA exam, let’s examine how a deeper understanding of tech and security will enable future finance teams to take a more active role in supporting the CISO with the technology, security and data strategy at the organization.
In the first few months at a new organization, CISOs will spend time meeting with all the functions within the company, including the CFO. The answers the CISO receives in these meetings always provide broader insight into the business goals of each area within the organization. By understanding each department’s needs, even if they aren’t directly related to systems and data, the CISO will be able to start crafting their strategy and planning their priorities as they settle into the new job.
Like all teams, Finance has aggressive goals they are looking to achieve, and they will have a list of what matters most to them as well as the challenges they are faced with. If the Finance team has a strong working knowledge of the systems and security processes they employ, they will be able to give comprehensive answers to this question that cover all aspects of their business, including their tech stack and tech-enabled processes. Furthermore, if the finance leader has a solid grasp of their technical setup, he or she will also have a better understanding of where there might be challenges in those areas and articulate what really matters most to them through that lens.
If a CISO’s finance counterpart understands what’s in their tech stack and how their systems work, they will be able to speak the CISO’s language and help them to understand what exactly their systems do, or what they are supposed to do if they're not doing it properly. Moreover, they will be able to help the CISO understand where these systems “live”, which in turn will allow the CISO to properly map out the overall company tech stack. This, in turn, will shape the CISO’s understanding of the finance team’s operations. The CISO can then move faster in identifying, prioritizing and addressing finance challenges related to their tech, data, and overall security.
The finance team’s technical knowledge is clear in this case. Not all finance leaders understand how their systems are used, who uses them, how they are monitored and protected, and which security protocols are enforced. However, having a strong foundational knowledge of the way in which the financial tech stack is structured and protected will allow finance professionals to help the CISO assess the protocols and controls currently in place. In other words, they can give their CISO a better lay of the land, so the CISO knows exactly what he or she is walking into. Also, this depth of insight from the finance team can show the CISO early on where there are glaring security gaps, which can help the CISO find quick wins out of the gate while planning out the long-term security strategy.
Each department has vulnerabilities and carries potential risk, and the stakes are very high for finance because that’s where the money is. In some organizations, Finance is responsible for the company’s risk, and to assess the entire range, the finance team must understand the risks associated with their tech stack. If finance understands their own systems and the potential risks therein, they can work more easily with the CISO to uncover the vulnerabilities and manage them. And once these vulnerabilities are exposed, the CISO can be proactive in addressing those attack surfaces and in helping the finance team avoid future cyberattacks.
Additionally, knowledge of technology means that finance teams will be better equipped to buy tools that can automate manual, antiquated, and vulnerable processes. There are many manual processes still employed by finance teams. Business payments, for example, involve a lot of manual work and human intervention, which offers opportunities for threat actors to infiltrate and exploit the process and steal company funds. By understanding how to buy and properly implement automation tools, AI platforms, and cybersecurity technologies, finance teams will set themselves up to better manage and reduce their risk exposure to fraud and cyberattacks. It goes without saying, this will definitely make a CISO’s life a lot easier!
Calamity happens. But a company can mitigate the impact and the losses by having contingency plans in place and by planning for as many doomsday scenarios as possible. But being prepared is a shared responsibility. A finance team with knowledge of security best practices and processes will know the importance of looping in the CISO immediately if an incident occurs. They can also help identify security gaps and be more proactive in preventing future incidents. Furthermore, finance professionals can also better evaluate and assess the best technologies for the finance business and put preventative measures in place for their function. While something might go wrong, minimizing the risk of that occurrence is something the finance team can work on with the CISO by employing better security protocols in their processes and conducting better evaluations of tech solutions. They can only do this, however, if they are equipped with technical knowledge.
Without technology partners in Finance, the security team is faced with numerous challenges that can impact the business. These days, technology is no longer “the future”; it is a basic reality. No business function can abstain from using tech tools and digital systems in their day-to-day activities. And if finance teams are fluent in technology, they will be much more effective in their role within the wider business.
The modifications to the CPA exam might seem scary to current CPA candidates. However, this change has advantages on all sides, especially as the risks of cyberattacks and fraud continue to grow. By becoming more tech-savvy, the finance leaders of the future will be able to better evaluate tools and improve their tech stack to reduce manual work and the associated challenges. They will also better understand the role of security as a business unit and be able to adopt security best practices faster. Last, they will be able to partner more closely with the security team and CISO to ensure a proactive approach to protecting the financial assets of the company instead of retroactively reacting to losses.
At Trustmi, we were intrigued when we found out about these changes to the CPA exam because they will have a positive impact on business payments. For example, we know there will be more B2B payment fraud in the future and that it’ll only get worse, which is why businesses must address it now. An interesting aspect of business payments is that they sit squarely at the intersection of security and finance, and so for this reason, anything that can bring those teams closer together to protect their business payments is a good thing. This is a big step in the right direction.