Mark Burnette was recently interviewed for a feature in Accounting Today.

It is often suggested that accounting firms don’t follow the good advice they give their clients, but that is definitely not the case when it comes to the cybersecurity approach of Tennessee-based Top 100 Firm LBMC.

“Since I’ve been at the firm — a little over 10 years — one of the first things I started doing was to say, ‘I’d like to know if our firm is practicing what we preach,’” said Mark Burnette, the shareholder-in-charge of the LBMC Information Security unit. “Generally, of course, we were — we understood the importance of cybersecurity.”

To prove that, Burnette got the partners’ approval to conduct against the firm itself the same kind of security assessment and penetration testing that LBMC offers clients. “We were looking to see what kind of controls we have in place, or if it is easier or harder for our pen testers to get in here than at clients,” he said. “To the firm’s credit, when we would find issues, almost immediately the chief information officer would be commissioned to undertake a plan to address them, and that included buying technology where it was necessary, or investing in additional people or controls.”

LBMC later brought on a dedicated information security officer. Burnette’s team now advises him on policy updates and continues to provide annual assessments of the firm’s security posture. (The firm also commissions a SOC 2 assessment of its security controls, performed by an independent CPA firm.)

As Burnette said, the firm understands the importance of cybersecurity, an understanding bred from decades of experience. LBMC has offered IT assurance services since the mid-1990s. Its Information Security practice sits under the IT assurance services umbrella and dates back to roughly 2004, though it was “kicked into high gear,” according to Burnette, in 2007, with the addition of a former Big Four partner who brought on board the successful security practice he had built in the Nashville area.

LBMC Information Security has thrived since then, with three key teams: an IT assurance team, which provides IT audits such as SOC examinations, ISO 27001 audits, and the assessments required for the Cloud Security Alliance STAR certification, PCI DSS (the payment card industry’s data security standard), and the HITRUST security framework; a team of technical security experts who provide services such as penetration testing, web application testing, digital forensics analysis, and incident response; and a team of consultants who perform cybersecurity risk assessments, security program and policy development, and virtual CISO work.

“They all fall under the same umbrella, but there are different types of expertise that are needed for each of them,” Burnette noted. “For example, a penetration tester is typically very technical, and to do penetration testing well you need to be constantly honing and refreshing your skills. … The group that does the cybersecurity risk assessments typically are more of what I would call your traditional consultants — their strengths are that they’re very good communicators; they may have a little bit of a control background like an IT auditor might, but they’re focused much more broadly on the cybersecurity program elements, and being able to derive conclusions between a company’s cybersecurity and reasonableness.”

Apart from auditing, many of the skills needed to deliver LBMC Information Security’s offerings are not specific to accountants, which highlights an important factor to be aware of when looking at building a service around emerging technologies: the potential pool of competitors can be much larger than a firm is used to.

“If you look at traditional audit and tax services, in most cases, those groups are competing with other accounting firms, because they’re the only firms that are qualified and equipped and certified to provide those services,” Burnette said. “But in the cybersecurity world, we might be competing with other accounting firms, but we’re also competing with cybersecurity boutiques that aren’t accounting firms … as well as technology companies that might sell things like firewalls or servers, and then they bundle services with it, and they give the services away as kind of a freebie to get the deal on the technology.”

That depth of competition hasn’t kept the firm from becoming a top provider of IT security services, to the point that when the AICPA was looking to educate CPAs on how to provide these kinds of services, it turned to LBMC to provide a roadmap. The firm’s experts created a number of resources, including a white paper, a service implementation checklist, a client assessment template and a client communication template. (All are available to AICPA PCPS members on the Institute’s website.)