Two Ways to Add Cybersecurity Services to Your CPA Firm Without Starting from Scratch

A recent Count Managing Partners’ Roundtable featured Mark Burnette, Chief Growth Officer at LBMC and one of the architects of the AICPA’s cybersecurity standards. The conversation focused on a question managing partners raise consistently: how to add cybersecurity services without overextending the practice.

Security advisory services are valued at $19.4 billion globally in 2025 and are projected to reach $62.2 billion by 2033, growing at roughly 15% annually. Most businesses handle sensitive data, face real cyber risk, and do not have a dedicated security team to manage it. Many of them are also already clients of a CPA firm they trust. Cybersecurity advisory is a logical extension of that relationship.

Burnette outlined two entry paths that have worked in practice. They differ in speed, risk, and what they require from firm leadership.

Path 1: Bring In an Experienced Cybersecurity Practitioner

Look for cybersecurity entrepreneurs who have built a strong practice but hit a personal capacity ceiling. They have client relationships and credibility. They cannot grow further without firm infrastructure behind them: staff, billing systems, brand, and cross-referral access to an established client base.

Mark Burnette, who built LBMC’s cybersecurity practice before being named to lead LBMC’s unified Advisory Services Group, described the exchange clearly. The practitioner gains access to partner relationships built over years. The firm gains a credentialed practitioner with a live client roster and a credible track record.

What this path requires:

  • A deliberate search. These individuals are often not posting their availability. You find them through peer networks, regional professional associations, and industry conferences.
  • A cultural fit assessment beyond technical skill. The right person understands how a professional services firm operates, can build relationships with existing partners, and can translate cyber risk into language that resonates with a CFO or board.
  • Clear economics and expectations. Revenue share, client ownership, and growth path need to be defined before the conversation goes far.

What this path delivers:

  • Immediate credibility with clients, grounded in the practitioner’s existing track record.
  • Near-term revenue from partner introductions to an established client base.
  • A practice that generates work without a multi-year training ramp.

Path 2: Develop an Internal Champion

This path takes longer but carries less integration risk. It works best for firms building cybersecurity capability from within, embedded in the firm’s culture rather than brought in from outside.

The AICPA’s Cybersecurity Advisory Services Certificate is the clearest starting point. It is designed for accounting professionals without a technical background and builds the foundation to advise clients on cybersecurity risk from a business and compliance perspective. The SOC for Cybersecurity framework gives firms a structured attestation model that connects naturally to existing audit and assurance work.

From there, the development path combines conference participation, targeted coursework, and progressively scoped client engagements. Start with risk assessments and compliance-framed advisory. Build competency through real work at appropriate scope before expanding into more complex technical engagements.

What this path requires:

  • A designated person with clear ownership of the practice. When responsibility is shared across a team, it tends to fall through the cracks.
  • Protected time on that person’s schedule. Building cybersecurity competency alongside a full compliance workload is difficult in practice.
  • A realistic timeline of two to three years. Firms that treat this as a faster path tend to underinvest and stall before the practice gains traction.

What this path delivers:

  • A practice deeply integrated with the firm’s existing culture and client relationships
  • Lower integration risk than bringing in an outside practitioner
  • A clearer internal succession path as the practice matures

Choosing Between the Two Paths

| | Path 1: Bring In a Practitioner | Path 2: Develop Internally |
|---|---|---|
| Speed to revenue | 3 to 6 months | 18 to 36 months |
| Upfront investment | Higher (compensation, onboarding) | Lower (training, CPE) |
| Integration risk | Cultural fit is the main variable | Lower, grows from within |
| Credibility with clients | Immediate, from practitioner’s track record | Builds over time |
| Best for | Firms with access to the right individual and a near-term growth target | Firms building for long-term practice depth |

Firms that commit to one of these paths in the next twelve months will be better positioned as cybersecurity demand continues to grow. The AICPA has built the standards, certificate programs, and attestation frameworks that make this accessible without a legacy security practice. The market demand is real and growing. For firm leaders who have decided this is the right direction, the two paths above offer a practical starting point.

Count partners with accounting firm leaders to build stronger, more scalable practices through capital, AI integration, and advisory expansion. If this conversation is relevant to where your firm is headed, reach out or follow along for future roundtable insights at withcount.com.
