“Cybersecurity Is Never Boring”: A Conversation with Lisa Traina
Lisa is a nationally recognized speaker and author. Throughout her career, she has served as president of the Society of Louisiana CPAs and a member of the AICPA’s Cybersecurity Task Force. She also has been honored with numerous awards, including being named one of CPA Practice Advisor magazine’s “Most Powerful Women in Accounting” and receiving the Society of Louisiana CPAs Women to Watch Experienced Leader Award and Outstanding Discussion Leader Award (twice).
Lisa is retiring from the firm on December 31, 2021, after an incredible career that has had a positive and far-reaching impact. We recently spoke with her about what has — and hasn’t — changed in cybersecurity over the years, insight gained as an early adopter of remote work, and what lies ahead.
CapinCrouse: How did you get started in a career combining technology and accounting?
Lisa: My interest in technology started when I was in elementary school and became fascinated with learning how a calculator works. In college, I took one programming class and was hooked.
As a computer science major, I was required to take 30 credit hours in another area, and I selected accounting because it looked interesting. I quickly discovered that I loved accounting, too, and saw that there was a big need for people who could turn “tech speak” into business language. I became a CPA and combined my skills to become a “tech person in accounting” before that was even a thing. Today CPA firms actively recruit employees with technical skills, but it was unheard of then.
CapinCrouse: What led you to start a CPA firm focusing on IT audits at a time when other firms didn’t have this focus?
Lisa: I was doing technology-related consulting in the late 1990s when a CPA friend with a local firm asked me to do an IT audit for one of his bank clients. I decided to give it a try since it combined my skills in auditing, banking, and technology.
At the time, IT audits were brand-new and very few firms were doing them. There were no road maps, so I did extensive research. That first IT audit led to more, and the business grew from there.
What was referred to as an “IT audit” then involved checking controls such as the physical security in the server room and how often the lock on the door was changed. But it’s the root of cybersecurity as we know it today.
CapinCrouse: What contributed to the growth of Traina & Associates (now CapinTech) over the years?
Lisa: I attribute it to two factors. First, we provided a service at a time when it was a growing need and not many other firms were offering it. Second, we focused on providing more than just an IT audit. Technology was changing quickly and regulators were continually issuing new guidance. We focused on breaking the regulatory guidance down into language our clients could understand. We also provided sample policies and best practices for controls to address the evolving technology. As a result, clients viewed us as a resource, not just the source of an annual audit report.
CapinCrouse has a similar philosophy as a firm, with a focus on being a resource that clients can turn to for help navigating new standards, regulations, and more.
CapinCrouse: What have you enjoyed most about working in this field?
Lisa: The fact that it changes so often — and has been doing so for over 20 years. Cybersecurity is never boring because there is always something new to research and learn. It’s fascinating to watch where the industry is heading and determine what controls clients will need to reduce their risks as technology continues to evolve.
I’ve also enjoyed working with our terrific team and clients. As I mentioned, our roots are in community banking and we’ve made wonderful connections through the years. And since merging with CapinCrouse in 2017, we’ve enjoyed the opportunity to serve nonprofit clients who are working hard to change lives every day.
CapinCrouse: We all know cybersecurity changes rapidly, but has anything remained the same?
Lisa: It’s amazing how technology and cybersecurity are continually evolving, yet many things remain the same. Phishing and ransomware remain big threats, for example.
I recently looked back at a presentation I gave eight years ago on the top five steps to reduce cybersecurity risks. They remain the same today:
- Understand the risk and accept that it needs to be addressed.
- Create and maintain an inventory of hardware, software, applications, and data. You can’t manage and protect what you can’t measure.
- Update and patch systems consistently.
- Maintain good virus protection on all systems and devices and keep it current.
- Provide cybersecurity training for employees.
Today we add a sixth important step: use multi-factor authentication, which is a relatively new tool. But the other steps haven’t changed.
While there are sophisticated cyberattacks today, the majority occur because a system wasn’t updated and it was easy to target. You can truly prevent the vast majority of attacks with some basic controls.
CapinCrouse: What are the most challenging aspects of cybersecurity right now?
Lisa: One challenge is breach fatigue. When small and mid-size organizations see big corporations and pipeline companies getting shut down by cyberattacks, they may think there’s not much they can do to stop bad actors from targeting their own organizations. Or they get cyber insurance and hope for the best. We went from no one being aware of cybersecurity risks to organizations becoming overwhelmed by the sheer volume of attacks and not realizing that there are still steps they can, and should, take to protect themselves.
The rapid switch to remote work during the pandemic has also led to challenges. During the initial push to get employees equipped for remote work, cybersecurity became secondary at many organizations, and proper controls may not have been put into place. Remote work is here to stay for many organizations, and now is the time to ensure the right controls are in place to mitigate the cyber risks associated with remote working.
CapinCrouse: What other steps should organizations consider for their remote work environments now?
Lisa: In addition to the cybersecurity component, it’s also important to consider the leadership and management challenges remote working can pose. Managing remote workers is different from managing people down the hall from you, and organizations should make sure their managers are trained and equipped to lead remote teams.
Our firm was an early adopter of remote work, and one thing we learned was the importance of setting clear expectations. Now is also a good time for organizations to regroup and determine how they want to define progress and the metrics they should use to measure it.
CapinCrouse: What achievement are you most proud of?
Lisa: Watching the growth and accomplishments of people I’ve mentored over the years, particularly young people who have gone on to achieve great things. It’s been very rewarding.
CapinCrouse: You’ve been instrumental in forging a path for women to be leaders in public accounting. What advice do you have for women in the profession today?
Lisa: I think many women need to build confidence in their abilities and what they can accomplish. Also, parents facing the challenge of balancing family and career should recognize that it’s a series of choices. Many times, young professionals want to get out there and do everything right now, but the timing may not be right. There were times as a working mother that I had to turn down great volunteer opportunities, but I asked them to check back later, and I’m glad I did.
One day you may choose the soccer game and another day you may choose the business meeting. Technology has made some things easier, though. I wish I’d had an iPad when my kids were young and I was sitting through soccer practice!
But it’s important to find the flexibility. CapinCrouse allows employees to have flexible schedules if needed, and that has led to great opportunities for working mothers on our team.
CapinCrouse: What are you looking forward to most about retirement?
Lisa: While I love working, I’m looking forward to a relaxed schedule, with more time for family, friends, and volunteer and fitness activities. I’ve also found that accountants and technology people are in high demand as nonprofit volunteers, and I’ve joined the finance committee for a new local nonprofit. I know I’ll be keeping busy!