When a mid-tier accounting firm in Chicago suffered a ransomware attack last March, the fallout wasn't confined to encrypted files or a ransom demand. For two agonizing weeks, partners watched as client tax returns, audit papers, and Social Security numbers hung in the balance. The immediate cost? $400,000 in forensic remediation. The lasting toll? A tarnished reputation that sent three decades of client trust up in smoke. This is the nightmare scenario that a new vanguard of cybersecurity leaders is determined to prevent. Across the United States, chief information security officers (CISOs) at accounting firms are stepping into the spotlight, wielding Windows-based security architectures, identity governance frameworks, and a seat at the boardroom table to protect the lifeblood of their organizations: client trust.

The Bullseye on Accountants

Accounting firms, from Big Four giants to regional practices, have become preferred targets for criminals. An IRS bulletin in 2024 highlighted a 40% year-over-year spike in phishing attempts against tax preparers. The reason is simple: a single accounting firm holds the keys to dozens or hundreds of corporate treasuries. One compromised Windows workstation can yield an entire client roster. Attackers recognize that accountants are gatekeepers: they hold payroll data, bank credentials, merger secrets, and the personal details needed to file convincing fraudulent returns.

This reality has forced firms to rethink their security posture. It no longer suffices to run Windows Defender and call it a day. The new model demands a dedicated CISO who can stitch together Microsoft 365 Defender (now Microsoft Defender XDR), Azure Active Directory (now Microsoft Entra ID) Conditional Access, and endpoint detection and response into a unified defense. Jim Nagata, who leads security for a 2,000-person accounting firm, recalls the shift: “We realized that if a partner’s laptop got hit, we weren’t just losing one device. We were losing the trust of every client whose data passed through it.” Nagata now mandates that every Windows endpoint runs Microsoft Defender for Endpoint, with tamper protection locked down via Intune so that neither a local administrator nor malware running as one can switch it off, and that all privileged accounts use multi-factor authentication (MFA) enforced through Azure AD Conditional Access.

Profiles in Cyber Leadership

Industry discussions identify a handful of CISOs who epitomize this transformation: Jim Nagata, Amy Bogac, Steve Jackson, Thomas Walch, Mike Reterstorf, and Megan Shirey. Though their specific firm affiliations may not be public, the strategies they champion are reshaping the profession.

Amy Bogac has built her reputation on identity governance. In an environment where staff members routinely leave to join client organizations, “identity lifecycle management is my daily battle,” Bogac explains. Using Azure AD Identity Governance lifecycle workflows, her team automates joiner-mover-leaver processes to ensure that a departed senior auditor cannot access client emails even hours after resignation. Bogac also deploys Windows Hello for Business, with biometric or PIN sign-in bound to the device on all corporate laptops, which takes the password out of daily use and blunts password spray attacks against those accounts.
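The leaver step of that joiner-mover-leaver flow, written out as an added example against the Microsoft Graph PowerShell SDK rather than the lifecycle workflows Bogac's team uses (this is an illustration, not her firm's automation). It assumes the Microsoft.Graph modules are installed and that the operator holds the User.ReadWrite.All, GroupMember.ReadWrite.All and Directory.ReadWrite.All scopes; the user principal name is a placeholder.

```powershell
# Added example, not the firm's code. Assumes Microsoft.Graph modules and the
# scopes listed in the Connect-MgGraph call below; the UPN is a placeholder.

function Invoke-LeaverOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,AccountEnabled

    # Order matters. Disabling the account stops new sign-ins, but a refresh
    # token the departed auditor still holds can mint fresh access tokens until
    # it is revoked; that is the "hours after resignation" window.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable account')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke refresh tokens and sign-in sessions')) {
        $null = Revoke-MgUserSignInSession -UserId $user.Id
    }

    # Group membership is what grants access to client mailboxes, Teams and
    # SharePoint sites, so strip it rather than relying on the disable alone.
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    foreach ($g in $groups) {
        if ($PSCmdlet.ShouldProcess($g.AdditionalProperties['displayName'], 'Remove membership')) {
            # Dynamic or role-assignable groups may refuse; log and keep going.
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Continue
        }
    }

    # Evidence for the ticket and for the next client questionnaire.
    $after = Get-MgUser -UserId $user.Id -Property Id,AccountEnabled
    [pscustomobject]@{
        User           = $UserPrincipalName
        AccountEnabled = $after.AccountEnabled
        GroupsRemoved  = @($groups).Count
        Completed      = Get-Date
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.ReadWrite.All','Directory.ReadWrite.All'
# -WhatIf prints each step without changing the tenant; drop it to run for real.
Invoke-LeaverOffboarding -UserPrincipalName 'departed.auditor@firm.example' -WhatIf
```

One caveat the script cannot fix: revoking sign-in sessions invalidates refresh tokens, but access tokens already issued remain valid until they expire (about an hour by default) unless continuous access evaluation is enforcing the change on the resource side. Mailbox retention and litigation-hold handling are a separate, compliance-driven step and are deliberately left out here.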

Steve Jackson focuses on board risk reporting. “If I can’t quantify our exposure in dollars, I can’t get budget,” he says. Jackson implemented Microsoft Secure Score as a board-facing dashboard, translating technical metrics into the language of the board’s risk appetite. Using Power BI Report Server on Windows Server, he generates weekly heat maps that show exactly which client engagements carry the highest penalty risk under the FTC Safeguards Rule or IRS Publication 4557. The result: a board that understands cybersecurity not as an IT cost but as a trust-preserving investment.

Thomas Walch has championed zero-trust segmentation. His firm segregates client pods on its on-premises Windows Server clusters, ensuring that a breach in one department doesn’t cascade. He enforces just-in-time access on those Azure Arc-managed servers, requiring even partners to request temporary elevation before accessing sensitive folders, so standing admin rights do not exist for an attacker to inherit. Walch’s mantra: “Never trust a device because it’s inside the firewall. Trust it because it’s passing continuous health checks.”

Mike Reterstorf is a vocal advocate for incident response rehearsal. Twice a year, his firm simulates a ransomware attack on a live Windows domain controller. The drills involve restoring from Azure Backup, communicating with clients under attorney-client privilege, and invoking cyber insurance. The domain controller is the right thing to rehearse: a DC restored the wrong way, from a snapshot rather than a supported system-state backup, triggers USN rollback and quietly breaks replication. “The first time we did it, it took us 36 hours to restore. Now we’re at four hours,” Reterstorf notes. Those gains come from refining the restore runbook after each drill, running Microsoft 365 Attack Simulation Training against staff between drills, and leveraging Windows Autopilot for rapid redeployment of compromised laptops.

Megan Shirey brings a compliance-first mindset. She ensures that every document retention policy aligns with both AICPA standards and the 26-page security questionnaire that corporate clients now demand. Shirey’s team uses Microsoft Purview to auto-label spreadsheets containing personally identifiable information and to block their transmission outside the tenant. “Clients aren’t just asking if we have a firewall,” she says. “They’re asking if we can prove that their 10-K drafts never touched a personal device.”

The Windows Security Ecosystem at Work

What ties these CISOs together is a deep reliance on the Microsoft security stack. While firms also deploy third-party firewalls and SIEMs, the native integration between Windows 11, Microsoft 365, and Azure provides a completeness that appeals to resource-constrained IT teams. Consider the following table, which illustrates how each CISO’s specialty maps to a Windows-centric technology:

CISO              Specialty                      Windows/Microsoft technology
----------------  -----------------------------  -----------------------------------------------------
Jim Nagata        Endpoint defense               Microsoft Defender for Endpoint, Intune
Amy Bogac         Identity governance            Azure AD, Windows Hello for Business
Steve Jackson     Board risk reporting           Microsoft Secure Score, Power BI
Thomas Walch      Segmentation & JIT access      Windows Server, Azure Arc
Mike Reterstorf   Incident response rehearsal    Azure Backup, Microsoft 365 Attack Simulation Training
Megan Shirey      Compliance & data labeling     Microsoft Purview auto-labeling

This tight integration means that when a new ransomware variant surfaces, a CISO like Nagata doesn’t need to issue a frantic email. Defender’s cloud-delivered protection updates automatically, SmartScreen blocks the dropper, and Controlled Folder Access stops untrusted processes from writing to protected folders, which can include the firm’s shared client folders once those shares are added to the protected list (network shares are not covered by default). Should a user still get phished, Azure AD risk-based Conditional Access, backed by continuous access evaluation, can cut off the session in near real time rather than waiting for the access token to expire.
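What the baseline Nagata mandates, and the chain of controls in the paragraph above, look like when verified on a machine rather than assumed from the Intune console, as an added example. The script is this editor's illustration, not Nagata's firm's tooling. It assumes a Windows 10/11 host running Microsoft Defender Antivirus with the Defender for Endpoint sensor; the client share path, the signature-age threshold and the "advanced" cloud-protection expectation are assumptions of the example, and the registry locations it reads are the standard ones for the Defender for Endpoint onboarding state and the SmartScreen policy.

```powershell
# Added example, not the firm's code. Assumes Defender Antivirus plus the
# Defender for Endpoint sensor; $ProtectedShare and the thresholds are assumed.

function Test-EndpointBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeHours = 24,            # assumed threshold
        [string]$ProtectedShare = '\\fs01\clients'  # assumed client share path
    )
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender for Endpoint sensor onboarded and its service (Sense) running.
    $mdeKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state  = (Get-ItemProperty -Path $mdeKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    if ($state -ne 1) { $findings.Add("MDE sensor not onboarded (OnboardingState=$state)") }
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if (-not $sense -or $sense.Status -ne 'Running') { $findings.Add('Sense service not running') }

    # 2. Tamper protection. Without it anything running as local admin can turn
    #    the controls below off, so this is the finding that matters most.
    if (-not $status.IsTamperProtected) { $findings.Add('Tamper protection disabled') }

    # 3. Real-time and cloud-delivered protection (MAPSReporting: 0 off, 1 basic, 2 advanced).
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection disabled') }
    if ($pref.MAPSReporting -lt 2) { $findings.Add("Cloud-delivered protection below 'advanced' (MAPSReporting=$($pref.MAPSReporting))") }
    if ($pref.SubmitSamplesConsent -eq 2) { $findings.Add('Sample submission set to NeverSend') }

    # 4. Signature freshness; cloud protection only helps if the engine is current.
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($age.TotalHours -gt $MaxSignatureAgeHours) { $findings.Add("Signatures are $([int]$age.TotalHours)h old") }

    # 5. Controlled Folder Access in block mode (1); 2 is audit mode and stops nothing.
    #    Network shares are not protected by default, so the client share must be listed.
    if ($pref.EnableControlledFolderAccess -ne 1) { $findings.Add("Controlled Folder Access not in block mode (value=$($pref.EnableControlledFolderAccess))") }
    if ($pref.ControlledFolderAccessProtectedFolders -notcontains $ProtectedShare) { $findings.Add("Client share $ProtectedShare is not a protected folder") }

    # 6. SmartScreen for apps and files enforced by policy (EnableSmartScreen=1).
    $ssKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $ss = (Get-ItemProperty -Path $ssKey -Name EnableSmartScreen -ErrorAction SilentlyContinue).EnableSmartScreen
    if ($ss -ne 1) { $findings.Add('SmartScreen not enforced by policy') }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

Test-EndpointBaseline | Format-List
```

Run as an Intune remediation detection script, the Findings array becomes the evidence a board dashboard or client questionnaire can cite. Note that the script only reports: the reason tamper protection heads the list is that, with it off, a compliant-looking result can be undone by the next process that runs as administrator.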

The accounting industry’s seasonal workloads add another layer. During tax season, firms onboard scores of temporary staff. Windows Autopilot allows Shirey’s firm to hand a contractor a sealed laptop that provisions itself with policies scoped to the contractor role: access to the client data they work on, but not to the firm’s internal financials. At season’s end, the device is remotely wiped. No manual imaging, no lost weekend for IT.

Regulatory Pressures and Client Trust

The regulatory environment has become a catalyst for the CISO ascendancy. The SEC’s cybersecurity disclosure rules, effective since December 2023, require public companies to report a cybersecurity incident within four business days of determining that it is material. Those public companies, in turn, are tightening their vendor risk management. Their accountants, whether audit firms or outsourced CFO services, must now demonstrate SOC 2 Type II compliance, obtain annual penetration tests, and submit to ongoing security assessments. Failure to do so means losing the engagement.

These pressures fall squarely on the CISO. Amy Bogac spends a third of her time reviewing client security questionnaires with language crafted by Fortune 500 legal teams. “They ask if we use Microsoft Defender for Cloud to monitor our Azure VMs, if we have a 24/7 SOC, and whether our incident response plan has been tested in the last six months,” she says. The answers, thankfully, are yes—but only because her firm invested in the stack years before the regulations arrived.

Steve Jackson sees a direct line from security controls to revenue. After his firm achieved Microsoft’s advanced security benchmarks, the managing partner used Secure Score as a differentiator in a pitch for a tech startup’s audit business. The startup’s CTO, himself a security zealot, was sold. “We’re not just auditing their books; we’re aligning with their culture,” Jackson says.

Challenges on the Front Lines

For all the progress, the CISOs acknowledge daunting obstacles. Talent remains the top headache. Security engineers who understand both Windows internals and accounting workflows are scarce. Thomas Walch often poaches from banks rather than competing accounting firms. “We need people who can read a Scheduled Task log and a 1040 Schedule C,” he jokes, but the complexity is real.

Budget is a close second. Mid-tier firms generate tens of millions in revenue, not billions, so multimillion-dollar SIEMs are out of reach. Instead, Walch’s firm leans on Windows Event Forwarding, which is built into the operating system and needs no agent, to push security logs from every endpoint to a centralized collector, and uses PowerShell scripts over the collected events for custom detections. “Ingenuity over budget,” he calls it.
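Walch’s “ingenuity over budget” approach, as an added example: two detections in PowerShell over events that Windows Event Forwarding has delivered into the collector’s ForwardedEvents log, one for password spraying (the attack Bogac mentions) and one for scheduled-task creation, the persistence mechanism behind Walch’s joke. The code is this editor’s illustration, not the firm’s scripts. Event IDs 4625 (failed logon) and 4698 (scheduled task created) are standard Windows Security log IDs; the thresholds, the approved automation account names and the sample records at the bottom are constructed assumptions so the script runs offline.

```powershell
# Added example, not the firm's code. Assumes forwarded 4625 and 4698 events;
# thresholds, approved-account names and sample records are assumptions.

function ConvertTo-DetectionRecord {
    # Flatten a Get-WinEvent record into the fields the detections use, reading
    # EventData by name rather than by positional index (which shifts by OS build).
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            Id              = $Event.Id
            Computer        = $x.Event.System.Computer
            TargetUserName  = $d['TargetUserName']
            IpAddress       = $d['IpAddress']
            SubjectUserName = $d['SubjectUserName']
            TaskName        = $d['TaskName']
        }
    }
}

function Find-PasswordSpray {
    # One source address failing against many distinct accounts inside a short
    # window is the spray signature: one or two tries per account, so the
    # per-account lockout threshold never fires.
    param(
        [Parameter(Mandatory)] $Records,
        [int]$MinDistinctUsers = 10,   # assumed threshold
        [int]$WindowMinutes    = 30    # assumed window (whole span, not sliding)
    )
    $Records | Where-Object { $_.Id -eq 4625 -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress | ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $span   = New-TimeSpan -Start $sorted[0].TimeCreated -End $sorted[-1].TimeCreated
            $users  = @($sorted.TargetUserName | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers -and $span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Detection = 'PasswordSpray'; Source = $_.Name
                    DistinctUsers = $users.Count; Attempts = $sorted.Count
                    FirstSeen = $sorted[0].TimeCreated; LastSeen = $sorted[-1].TimeCreated
                }
            }
        }
}

function Find-UnexpectedScheduledTask {
    # Any 4698 whose creator is not an approved automation account gets surfaced.
    param(
        [Parameter(Mandatory)] $Records,
        [string[]]$ApprovedCreators = @('svc-intune', 'svc-backup')   # assumed names
    )
    $Records | Where-Object { $_.Id -eq 4698 -and $_.SubjectUserName -notin $ApprovedCreators } |
        ForEach-Object {
            [pscustomobject]@{ Detection = 'ScheduledTask'; Computer = $_.Computer
                               Creator = $_.SubjectUserName; Task = $_.TaskName; When = $_.TimeCreated }
        }
}

# Constructed sample records (not real logs). On the collector, replace with:
#   Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=4625,4698; StartTime=(Get-Date).AddHours(-1)} |
#       ConvertTo-DetectionRecord
$t0 = Get-Date '2025-03-03T09:00:00'
$sample = @()
0..11 | ForEach-Object {   # 12 accounts, one attempt each, same source: a spray
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes($_); Id = 4625; Computer = 'DC01'
        TargetUserName = "user$_"; IpAddress = '203.0.113.7'; SubjectUserName = $null; TaskName = $null }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); Id = 4625; Computer = 'DC01'   # a lone typo, not a spray
    TargetUserName = 'jsmith'; IpAddress = '10.1.2.3'; SubjectUserName = $null; TaskName = $null }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(20); Id = 4698; Computer = 'WS-PARTNER07'
    TargetUserName = $null; IpAddress = $null; SubjectUserName = 'jdoe'; TaskName = '\Updater' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(21); Id = 4698; Computer = 'WS-PARTNER07'
    TargetUserName = $null; IpAddress = $null; SubjectUserName = 'svc-intune'; TaskName = '\Microsoft\Intune\Sync' }

$alerts = @(Find-PasswordSpray -Records $sample) + @(Find-UnexpectedScheduledTask -Records $sample)
$alerts | Format-Table -AutoSize
```

On the constructed input the spray from 203.0.113.7 (12 accounts in 11 minutes) and the task created by jdoe are reported; the single failure from 10.1.2.3 and the Intune service account's task are not. The spray check uses the whole span of a source's attempts rather than a sliding window, which is good enough for a scheduled sweep over the last hour and is the kind of simplification a small team trades for having a detection at all.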

Legacy applications also persist. Many firms still run Windows 10 machines that won’t see security patches after October 2025, barring paid Extended Security Updates. Mike Reterstorf is racing to upgrade 2,300 endpoints before the deadline. “We’ll have to scrape the bottom of the refresh budget, but running an unsupported OS is professional malpractice at this point,” he says.

A New Seat at the Table

The most profound change is the CISO’s reporting line. A decade ago, the IT manager reported to the COO and begged for antivirus licenses. Today, CISOs like Megan Shirey present quarterly to the firm’s executive committee, with metrics that directly tie to client retention. After a phishing simulation that saw an 18% click rate among partners, Shirey showed the committee a video of a real-world spoofed email from a managing partner’s look-alike domain. The shock value triggered an immediate mandate for phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business, rather than push notifications or SMS codes that a proxy phishing site can relay) across all partners. “That was the moment cybersecurity became a partnership discussion, not an IT memo,” she says.

Client expectations have likewise evolved. Clients routinely demand to see a firm’s Microsoft Secure Score or its latest vulnerability scan before signing an engagement letter. Jim Nagata provides them with a client-facing portal built on Azure, showing real-time security health without revealing the underlying architecture. “Transparency fosters trust,” he says, “and trust is the product we’re actually selling.”

The Road Ahead

Looking forward, artificial intelligence promises to be both help and headache. Attackers are using generative AI to craft flawless invoice fraud emails. Defenders like Amy Bogac are countering with Microsoft’s AI-driven threat hunting in Sentinel. Her firm is piloting a system that correlates Windows Event Logs, network traffic, and user sentiment from Teams to flag insider threats before data exfiltration occurs.

Regulation will only intensify. The amended FTC Safeguards Rule, which took effect for accountants and tax preparers in 2023, now requires encryption at rest and in transit, MFA, and annual penetration testing. The IRS is ramping up enforcement of its written information security plan (WISP) requirement as well. For CISOs who have already built their defenses on Windows and Azure, however, these mandates are merely boxes to check. “We passed our FTC audit with flying colors because we’d already done the heavy lifting,” says Thomas Walch.

And then there is the generational shift. As younger partners ascend, they bring a digital-native sensibility. They expect to log into Windows with their face and share documents through OneDrive without a thought. They also expect that if they click something malicious, the firm’s security stack will catch it. That expectation shifts the CISO from being a scold to an enabler. “I’m not the person who says no,” says Mike Reterstorf. “I’m the person who says, ‘Here’s how we do that safely.’”

Ultimately, the story of these accounting firm CISOs mirrors the broader evolution of cybersecurity. It has moved from the server closet to the boardroom, from antivirus signatures to cloud-native compliance, and from a cost center to a trust multiplier. Jim Nagata, Amy Bogac, Steve Jackson, Thomas Walch, Mike Reterstorf, and Megan Shirey are not just protecting data; they are safeguarding livelihoods and trust that has been built over generations. And in a world where a single ransomware attack can erase that trust overnight, their role has never been more vital.