Balancing Risk: The CISOs Securing America’s Accounting Firms

Accounting firms sit close to the systems that define trust: audits, tax records, advisory work, client data, financial reporting, compliance obligations, and the technology environments that support professional services at scale. The security leaders in this group bring experience from firm infrastructure, AI-enabled cyber strategy, incident response, M&A integration, regulated industries, vCISO services, and board-level risk reporting.

Jim Nagata – CISO, Cherry Bekaert

Jim Nagata brings more than 15 years of CISO experience to Cherry Bekaert, with a focus on strategic cybersecurity frameworks, enterprise IT solutions, cyber risk management, and AI-driven security strategy. His work sits at the intersection of cybersecurity and generative AI, with emphasis on using intelligent automation and predictive analytics to strengthen defenses, improve operational efficiency, and support innovation. Nagata’s background also includes compliance work tied to ISO 27001, PCI, SOX, HIPAA, and SOC 2, along with hybrid cloud transformation and governance frameworks such as ITIL and NIST. His profile reflects a security leader focused on building scalable infrastructure while keeping AI adoption, compliance, and business alignment in view.

Amy Bogac – CISO, Baker Tilly USA

Amy Bogac brings more than two decades of cybersecurity leadership experience to Baker Tilly USA, with a career shaped by security program development, stakeholder engagement, team building, and major incident response. She has guided organizations through complex cybersecurity challenges, including the implementation of global NIST-based security programs and the modernization of legacy systems. Her background spans manufacturing, textiles, consumer goods, and critical infrastructure, giving her current role a broader operating context than accounting alone. Bogac holds an MBA from Lake Forest Graduate School of Management and a CISSP certification from ISC2.

Steve Jackson – CISO, Stout

The move into the CISO role at Stout came after Steve Jackson had already spent years inside the firm’s technology organization. He became Chief Information Security Officer in October 2024 after serving as Director of IT for six years and Senior Manager of IT for more than four years. That internal progression matters in a professional services environment, where security depends on understanding systems, users, service delivery, and business priorities. Before Stout, Jackson worked as Product Support Manager at gloStream and held software and support roles at Compuware and Minacs. His earlier Compuware work included support for software development life cycle tools and test environment configuration using VMware, Windows Server 2003, IIS, Oracle 10g, and SQL Server 2005.

Thomas Walch – CISO, BDO USA

Large-firm cybersecurity often has to move in step with infrastructure, legal, compliance, management, and acquisition activity. Thomas Walch has served as CISO at BDO USA since September 2016, following nearly 20 years as Director of Infrastructure Services at the firm. His security leadership covers cybersecurity risk management, board reporting, interface with the Office of General Counsel, the Compliance Office, and firm management. Walch has also been part of a core team for mergers and acquisitions, evaluating and integrating technology into the BDO environment while managing different timelines and requirements for incoming employees. His earlier infrastructure role covered Microsoft Windows servers, Active Directory, VMware ESX servers, EMC storage, HP server hardware, FalconStor backup, Cisco data and voice networks, Juniper WAN acceleration, internal and external security management, data center facilities, and remote office support. His profile is a clear example of CISO leadership built from infrastructure depth and firm-wide integration work.

Mike Reterstorf – CISO, Plante Moran

Mike Reterstorf became CISO at Plante Moran in April 2022 after serving as Senior Manager Cyber Security, bringing prior experience in cyber and physical security, network and system infrastructure design, control development, and risk-based management. Before Plante Moran, he spent 14 years at DTE Energy in roles that included cyber security operations, NERC compliance, compliance and controls, innovation enablement, customer analytics, enterprise architecture, and solution architecture. His DTE work covered identity and access management, privileged access management, cloud access management, endpoint security, SOX, PCI, NERC CIP, patch management, intrusion detection, incident response, configuration and change management, and recovery planning. Reterstorf also contributed to SmartGrid architecture, AMI integration, PCI-compliant payment systems, and customer mobile platform delivery. That combination gives his accounting-firm CISO role an unusually broad base in regulated infrastructure, compliance, application integration, and operational cybersecurity.

Megan Shirey – Virtual CISO, Miller Kaplan

Client-facing security leadership defines Megan Shirey’s role at Miller Kaplan. As Senior Manager and Virtual Chief Information Security Officer, she leads the delivery of CISO-level governance, risk, and compliance programs for clients in multiple business sectors. Her work covers information-security operations for 3,000 employees and 4,000 endpoints, along with mentoring cross-functional teams and executive committees. Shirey has guided clients through ISO 27001, SOC 2 Type 2, PCI DSS, HIPAA, HITECH, and NIST CSF audits, and her responsibilities include executive and board-level reporting, risk metrics, business continuity program development, incident response planning, third-party risk management, and security-culture training. Before Miller Kaplan, she worked as an independent IT consultant for nonprofit, education, and small-business clients. Her earlier career also included federal IT audits and program evaluations at GAO under Secret clearance, with focus areas such as IT investment management, enterprise architecture, and records-management practices.

Trust in Accounting Runs Through Security

Accounting firms are built on confidence, but that confidence now depends on more than professional judgment. It also depends on secure systems, resilient infrastructure, reliable audit evidence, disciplined access controls, incident planning, third-party oversight, and credible reporting to leadership. These CISOs reflect different routes into that responsibility. Some came through infrastructure and firm operations. Others built careers around AI strategy, regulated industries, federal audits, critical infrastructure, or client-facing vCISO programs. Together, they show how cybersecurity has become part of the trust layer behind accounting and advisory work.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.