CPAs: Cybersecurity Talent Gaps, FTC Compliance


February 10, 2023

CPAs that wish to overcome cybersecurity talent gaps and FTC compliance risk should partner with a SOC 2 Type II-certified MSP.

While this partnership is not a silver bullet for all operational problems and FTC liabilities, a SOC 2 Type II managed IT services provider invests up to $100K per year in comprehensive auditing services exclusively offered by certified CPAs.

This distinction is not a trivial detail.

According to Jaclyn Finney, Partner and Certified Information Systems Auditor (CISA) with Linford & Co., LLP, “If a firm is not a certified CPA firm, then they cannot complete a SOC 1 or SOC 2 audit that will be acceptable in the eyes of the AICPA and users of the report cannot rely on the contents provided within.”

The benefits of a SOC 2 Report are three-fold:

  • CPAs know the quantitative and qualitative value of the attestation.
  • Accounting firms can eliminate MSPs that don’t meet this foundational criterion.
  • MSPs that invest in this audit every year will keep you compliant with changes to FTC-mandated Safeguards.

The following four factors create a perfect storm of compliance chaos, especially when you’re immersed in a perpetual cycle of tax deadlines and extensions.


#1 – There’s a Growing Shortage of Cybersecurity Talent

Citing the growing cybersecurity talent shortage, the FTC recently extended the deadline for compliance with the GLBA Safeguards Rule by six months.

As you know, this announcement gives financial institutions until June 9, 2023, to update critical policies and technologies mandated by changes to the Financial Data Security Rule.

The (ISC)² 2022 Cybersecurity Workforce Study notes that the global cybersecurity workforce gap grew 26.2% from 2021. What does this mean? Businesses need 3.4 million more security professionals to effectively protect their assets.

Respondents believe additional security personnel can mitigate the following problems:

  • Not enough time for proper risk assessment and management
  • Oversights in process and procedure
  • Delays in patching critical systems
  • Not enough time to train each cybersecurity team member
  • Misconfigured systems
  • Not enough resources to train our staff


#2 – Cybersecurity Talent Turnover

Cybersecurity talent turnover risk affects CPAs with in-house IT and MSPs with teams of cybersecurity specialists.

LinkedIn data ranks the professional services industry number one for turnover. This category covers the “Big Four” accounting firms, businesses, and IT consulting organizations.

Cybersecurity professionals and experienced CPAs can always make a move for more pay, responsibility, and new career challenges.

Change is disruptive when turnover affects non-technical personnel at accounting firms who oversee IT functions – internally and externally with your MSP.

Do any of these scenarios sound familiar?

  • The Director of IT leaves, and a help desk specialist improvises until you find a replacement.
  • A tech-savvy senior partner and IT thought leader exits, and the other partners can’t confidently manage in-house IT and your MSP.
  • Your MSP experiences a lot of turnover, and its new hires don’t meet your exacting standards.
  • Critical information security recommendations aren’t approved by senior-level stakeholders and implemented on time.


#3 – Securing Reliable Cybersecurity Talent is a Journey

While an MSP is the obvious choice for outsourced cybersecurity talent, the managed services industry is growing, crowded, and undergoing consolidation.

Private equity firms are actively investing in roll-ups of smaller MSPs into larger entities to create national platforms with deeper cybersecurity benches, more efficient service delivery, longer-term career opportunities, higher wages, greater procurement leverage, and insurance coverage smaller MSPs cannot afford.

Scale matters in the managed IT services market, and many smaller providers struggle.

According to estimates from ChannelE2E, “There are fewer than 20,000 truly successful (i.e., very healthy and very profitable) small business MSPs in the North American market.”

To complicate matters, ransomware attacks against MSPs are increasing in frequency. In 2021, the ConnectWise Cyber Research Unit analyzed data from 500 MSP partners and noted 40% of the incidents were related to ransomware.

Even more alarming, ransomware incidents are rising by 10-15% per quarter.

The number one reason MSPs are teaming up is to strengthen security. Is your MSP strong enough for you? It wouldn’t hurt to have the conversation.


#4 – Cybersecurity Talent Cost

Infosecurity Magazine cites five cost-related factors that affect a business’s ability to retain cybersecurity staff. Businesses can’t keep stellar talent amid a host of obstacles:

  • 33% struggle to keep up with turnover/attrition.
  • 31% can’t pay a competitive wage.
  • 28% don’t have the budget.
  • 24% don’t offer opportunities for growth/promotion for security staff.
  • 23% don’t put enough resources into training non-security IT staff to become security staff.

How much does a full-time cybersecurity employee cost? “As of February 3, 2023,” ZipRecruiter reports, “the average annual pay for a Cyber Security Professional in the United States is $97,625 a year.”

Here’s where the complications multiply. Even if you can afford a $100K salary, a genuine cybersecurity superstar won’t stay very long. They can quickly jump ship for a $25,000 salary bump, a larger budget for cloud-based management tools, and the chance to partner with a higher-end MSP.

Average players will likely stick around, where their skill sets quickly stagnate.


Let Someone Else Manage Your Talent Challenges

As we mentioned at the very beginning, SOC 2 Type II MSPs are part of an elite group. After all, fewer than 1% of MSPs have SOC 2 Type II certification.

While MSPs in this category aren’t immune to turnover, their outsourcing model reduces client risk more efficiently than in-house IT teams and local mom-and-pop IT providers.

They also offer cost benefits by amortizing their talent costs across thousands of clients.

CompTIA, Cyber Seek, and the U.S. Bureau of Labor Statistics provide a detailed list of the top nine jobs in cybersecurity:

  • Cybersecurity analyst: $107,500
  • Software developer/engineer: $110,140
  • Cybersecurity consultant: $92,504
  • Vulnerability analyst/penetration tester: $101,091
  • Cybersecurity manager/administrator: $130,000
  • Network engineer/architect: $83,510
  • Systems engineer: $90,920
  • Senior software developer: $151,960
  • Systems administrator: $80,600

A SOC 2 Type II MSP gives you all this firepower under one roof. And they worry about career development, compensation, recruiting, and maintaining certifications, so you don’t have to.

Did your firm miss the first Safeguards deadline last December? Are you ready for the June 9, 2023, deadline?

Schedule a free consultation to ensure you’re on the right track.

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
