Fit cybersecurity into your accounting courses

Many years ago, Scott Boss, Ph.D., associate professor of accountancy at Bentley University in Waltham, Mass., was conversing over Skype with his 6-year-old daughter, who was visiting her grandparents. “Why are you on Mommy’s computer?” he recalled his daughter saying. “Daddy, we don’t share passwords in our family.”

That moment was a proud one for Boss, who shared this story to reflect on something he’s passionate about: cybersecurity. The topic, he said, needs to be mentioned over and over again to accounting and other students so the very nature of it is ingrained into their psyches.

“The point is to bring up the topic from the very beginning,” said Boss, who teaches advanced Accounting Information Systems courses, both undergraduate and graduate.

Without question, cybersecurity is a hot topic. Data breaches make the news frequently; companies lose millions of dollars in what are accounting and reputational nightmares; and organizations, including public accounting firms, need internal controls to ensure their data and their clients’ data remains secure.

CPAs are at the forefront of this rapidly escalating wave. They must protect their firms and clients’ companies from hackers, assess cybersecurity risks during IT audits, and consult with clients regarding their own cybersecurity systems. Today, all Big Four firms have large cybersecurity consulting practices, and opportunities in the field abound for new college graduates in accounting, business, and computer science. “This isn’t a topic for IT people,” Boss summarized. “It’s a topic for everybody. And it’s cooler than debits and credits.”

Accounting faculty will likely soon feel the need to learn about cybersecurity and to integrate the topic into their courses, if they haven’t already, as knowledge of the subject can help students find jobs. The Bureau of Labor Statistics has estimated information security jobs will grow 31% through 2029. “People are very hungry for talent in this area, so students who have that knowledge are better poised to identify risks,” said Nancy Bagranoff, CPA, DBA, professor of accounting at the University of Richmond, in Virginia. She began teaching a stand-alone course, Cybersecurity for Business, in the fall of 2020.

Employers need graduates with cybersecurity acumen, said Tawei (David) Wang, Ph.D., an associate professor of accounting and management information systems at DePaul University in Chicago. Firms and companies are hard-pressed to hire graduates who not only understand accounting and auditing, “but also have a solid understanding of the risks and governance issues from the cybersecurity point of view,” he said.

Faculty may question where to fit cybersecurity into their already-packed classes, however. And, as Wang noted, cybersecurity is a broad topic, which requires different perspectives across disciplines.

Another hurdle is the fact that there’s no real consensus on how universities should teach cybersecurity: Some courses are offered through the computer science division; others, like Bagranoff’s, are taught in the business school; and others in accounting departments. But all too often, cybersecurity is not included in accounting programs at all.

“Historically, accounting has been reluctant to consider cybersecurity as an important part of the curriculum,” Boss said.

Despite these issues, accounting professors armed with some basic guidance can bring cybersecurity into their classrooms without too much difficulty. Experienced faculty offer the following six tips for teaching cybersecurity and getting up to speed on the topic:

Tell students why cybersecurity matters. Some accounting students may wonder why they need to learn about cybersecurity, viewing it as solely a matter for IT. So discuss the “why and how” with students. “The most important tip would be to get your students to understand how, as an information system, accounting relies on cybersecurity, as do all information systems,” said Lawrence A. Gordon, Ph.D., professor of managerial accounting and information assurance at the University of Maryland’s Smith School of Business, and co-author of Managing Cybersecurity Resources: A Cost-Benefit Analysis.

Explain how cybersecurity is a vital component of internal controls, and how disclosure issues and decisions must be addressed. “What’s the cost of a cybersecurity breach? That’s an accounting issue,” he said, as an example.

In addition, noted Boss, mention high-profile incidents like the Equifax Inc., and Target Corp., breaches, where data from millions of customers was compromised. Students like to hear about real-life events.

Tap resources. It doesn’t take long to get trained on the basics of cybersecurity. Bagranoff strongly advises taking the AICPA’s certificate course. “It’s a quick way for an accounting professor to get a good handle on [the subject],” she said. Or monitor websites such as the Cybersecurity & Infrastructure Security Agency (CISA) homepage.

YouTube can also be a source of information, Bagranoff said. There are “cybersecurity-related videos on any topic, and full-length courses and course modules on specific topics,” she said, including on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Harvard University also offers a podcast on teaching cybersecurity, and outlets like Coursera provide many courses on the topic. Bagranoff also receives “cybersecurity alerts” from a host of sources, including the Washington Post.

Don’t expect to be an expert. You don’t need to be a cybersecurity specialist to integrate the subject into your class. Talk about it here and there and continue to acknowledge cybersecurity as important. “You don’t have to go in-depth,” Boss said. You can incorporate, say, newspaper articles about someone being hacked into your classes, he said.

Bring in guest speakers. Many people, like Boss, love to talk about cybersecurity and can make interesting speakers in a classroom. Ask other faculty members, public accounting firm representatives, or alumni to speak to your students. “Don’t be afraid to reach out,” Boss advised. Fellow academics who already teach cybersecurity may also be a great resource for offering teaching advice.

Vary the assignments. Accounting faculty can offer a mix of assignments for students around the topic of cybersecurity. Gordon provides students with “problems and little scenarios” and asks them probing questions, such as “How much should a firm invest in cybersecurity?” and “What’s the impact of COVID-19 on cybersecurity?” He also asks students to read articles online that explain topics such as how to do a penetration test, a way of testing a computer network or application to find security holes.

Wang suggests covering topics such as risk management and governance policies and programs, and how to respond to a cybersecurity crisis should it occur. You can do so through a variety of methods, whether “an exercise, a bigger project, a case study, or a teaching simulation,” he said. Harvard University offers case materials to help in the teaching process.

Repeat. Repeat. Repeat. Cybersecurity can be woven throughout the accounting curriculum, from introductory accounting courses to graduate-level classes. Cybersecurity “should be covered in audit, financial accounting, managerial accounting, IT audit, and fraud and forensics” courses, said Boss. “One of the things we’ve learned from education is repetition makes the habit.”

— Cheryl Meyer is a freelance writer based in California. To comment on this article or to suggest an idea for another article, contact Courtney Vien, a JofA senior editor, at Courtney.Vien@aicpa-cima.com.