Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

The Benefits of the CFO Obtaining the CCAK

Published 10/13/2021

The Benefits of the CFO Obtaining the CCAK
Written by Jeffrey Westcott, CPA, Chief Financial Officer, CSA.

What is the CCAK?

The Cloud Security Alliance (CSA), in conjunction with ISACA, released the CCAK (Certificate of Cloud Auditing Knowledge) earlier this year. As the CFO of CSA, I previously obtained my CCSK (Certificate of Cloud Security Knowledge), the predecessor to the CCAK, as did the rest of my accounting and finance team.

The CCSK allowed us to gain a fundamental understanding of the cloud in which CSA operates, as well as a working knowledge of the myriad components that make up our complex cloud-based IT infrastructure.

We discussed amongst ourselves whether we should invest the effort of pursuing the CCAK. Initially it appeared outside our scope of responsibilities. But upon further investigation, it made increasing sense for us to obtain the CCAK designation.

The CFO’s Role in Cybersecurity and Cloud Understanding

In one form or another, it falls upon the accounting department to possess a thorough understanding of its operations and the increasing components and related expenditures on the cloud infrastructure. The cloud infrastructure can be compared to a production facility, where it is the CFO’s duty to not only know the purpose and cost of the machinery on the factory floor, but the role of each, and whether or not it is safe and secure. Since the cloud has become an integral part of our organization, it makes sense to improve upon our cloud skill set by pursuing the CCAK.

When someone asks me what the cloud is, the simple response I give is it’s “someone else’s servers” where data is stored and processed. When data is stored off premises, the term “shared responsibility” is frequently used, indicating that the SaaS, PaaS, SecaaS or IaaS provider (Software-, Platform-, Security-, or Infrastructure-as-a-Service, respectively) has some responsibility for the safety of the client’s data, whether at rest or in transmission. However, this responsibility of the provider is also shared with you, the executive management of your organization, who must understand these duties and the many components that comprise your organization’s cloud infrastructure.

The Importance of Obtaining the CCAK

Obtaining the CCAK as a CFO will facilitate your assessment of the overall vulnerabilities of your organization and allow you to understand the various software and platform components within the company. At minimum, it will help you understand the reason and justification of the spend on these items. Studying for the CCAK reminds me of obtaining my CPA license: it did not make me an expert in all things accounting, but instead tested my broad understanding of the subject matter and raised flags if something in the study material warranted further scrutiny or investigation.

In the event of a data breach, the management of a company will need to be prepared to address the onslaught of questions from its shareholders, the media, and legal and public facets, which the CFO will invariably face. If the CFO is not on the front lines addressing and managing the organization’s cybersecurity framework, then they will minimally need to possess broad understanding of what makes up the cloud infrastructure. Furthermore, a recent statistic that I recall reading is that 39% of responding financial executives indicated that the IT and cloud duties fall under the CFO’s responsibilities.

Hopefully a data breach or hack will never occur under your watch, but if this potentially catastrophic event does occur, the CFO will inevitably be included in the impact mitigation and assessing the financial, legal and other monetary and non-monetary repercussions and damages.

Consequently, being proactive in the CFO’s role of gaining knowledge of the cloud infrastructure is not only a sound practice, but may prevent countless headaches and potentially irreparable harm to your organization’s reputation and financial wherewithal in the event of such misfortune. In the eyes of the media and the public, the data breach more frequently references the entity that was hacked versus the name of the malware or hack. The last thing that any CFO would want to carry through the remainder of your career would be that a hack, data breach or ransomware attack occurred under your management.

The CCAK Versus the CCSK

Regarding the CCSK, it has been in existence for many years and the CCAK is built upon it. The pursuit of the CCSK is a logical choice for those obtaining an understanding of the fundamentals of the cloud and its adoption within an organization; the CCAK is structured for those that already possess this foundational cloud knowledge and is the logical progression to increase proficiency in cloud practices and management. The details on both can be found here for the CCSK and here for the CCAK.

Taking the CCAK

The CCAK exam is a proctored exam offered by ISACA and CSA. Many options exist for students to study for the CCAK exam, including either virtual or in-person instructor-led training for groups of up to twenty-five students. For individuals pursuing the CCAK, there is also the option for self-paced training using either the LMS or physical study materials. Released this year, the CCAK is rapidly gaining widespread acceptance and recognition as a certificate of cybersecurity competence.


Jeffrey Westcott is the Chief Financial Officer of the Cloud Security Alliance and joined CSA in 2014. He can be reached at [email protected], or www.linkedin.com/in/jwestcott/.

Share this content on your favorite social network today!