Cybersecurity is clearly a companywide concern, but there are few areas as critical—and vulnerable—to attack as finance.
Michael Annessa, CFO of GuidePoint Security in Reston, Virginia, works on that concern both for his own organization and on behalf of clients. He spoke with CFO Leadership about how the scope and breadth of cybersecurity are getting more complicated, particularly for small businesses and mid-market companies, why finance executives should pay particular attention to the issue, and how to prepare talent for today’s challenges.
How has demand for cybersecurity consulting changed across mid-market and SMB segments?
Mid-market companies are showing the steepest increase in year-over-year demand, largely driven by the increased velocity and complexity around change in technologies, alongside a talent gap of in-house expertise and budgets compared to Fortune 500 peers. They’re turning to cybersecurity experts for incident response readiness, managed detection support, ransomware resilience and help rationalizing multiple tools after years of “tech stack sprawl.” This segment is increasingly moving toward hybrid models: lighter internal teams supplemented by outside experts.
SMBs have the largest need but the thinnest resources. According to the U.S. Small Business Administration, in 2023, 41 percent of small businesses were victims of cyberattacks. Demand is climbing sharply, but instead of large consulting engagements, SMBs are opting for fully managed security services. They want simplicity, predictable costs and help meeting the security requirements of customers and partners. Many don’t have an in-house security team at all, so consulting often fills the entire function.
A few years ago, demand was driven by compliance; today it’s driven by risk, revenue protection and business continuity. AI-related threats and cloud complexity have widened the expertise gap, pushing all segments toward more sustained advisory support from implementation through ongoing services, not just one-off projects.
Are you seeing growth for cybersecurity consulting accelerate in specific sectors such as healthcare, finance or government?
Security and risk management will remain central to digital business initiatives, reinforcing the need to treat data and IT systems as critical infrastructure. At the same time, the growing complexity of corporate technology environments—driven by enterprise scaling, multi-cloud adoption, agile development and expanding vendor ecosystems—will further elevate the importance of robust, integrated security frameworks.
Healthcare providers, hospital systems and medical manufacturers confront an unprecedented surge in cyber risk. Healthcare organizations are also investing heavily in risk management, cloud security and incident response to protect patient data and meet stringent requirements under HIPAA and other regulations. With tighter compliance standards and rising threat activity, the sector is turning to partners who can help secure complex environments and respond quickly when attacks occur.
The financial services industry will always sit at the forefront of investment and focus on cybersecurity because it operates at the center of the world’s most targeted asset: money. Banks, lenders and payment platforms manage massive volumes of sensitive customer data and real-time transactions, making them prime targets for highly organized and increasingly sophisticated threat actors.
As a result, financial institutions have long been early adopters of advanced security technologies, rigorous risk frameworks and rapid incident response capabilities, focused on a best-of-breed solution suite across tools and capabilities. Their business model simply doesn’t allow for anything less than constant vigilance and continuous innovation in cybersecurity.
Within your own company, what efficiencies have you implemented to sustain growth while improving margins?
As CFOs, we continually explore new technology and automation to modernize our finance functions, replacing manual, time-consuming tasks with AI-driven tools that free our teams to focus on higher-value, strategic work. We’re leveraging AI to enhance—not replace—core capabilities like forecasting, risk modeling and real-time analytics, giving us deeper visibility and enabling faster, more confident decision-making.
We’re also transforming outdated workflows by eliminating redundancies, expanding automation opportunities and improving information-sharing across departments. The result is a leaner, more agile finance organization that can operate at the speed today’s business environment demands.
How are you attracting and retaining financial and technical talent in such a competitive market?
Finance departments must evolve to keep pace with today’s rapidly changing business environment, and that starts with creating clearer career paths and equipping teams with the skills needed for a more modern, tech-driven function. At GuidePoint Security, we prioritize continuous learning in areas like data analytics and automation, supported by mentorship and rotational programs that give employees broader exposure across the organization.
Most recently, several of our employees completed an executive education program at Columbia Business School, where they deepened their understanding of AI in business and its applications within the finance and other back-office functions. At the same time, we’re modernizing roles through automation to reduce low-value, manual tasks and enable our teams to focus on more strategic work.
We’re also identifying opportunities to further integrate AI and machine learning into our back-office functions to drive greater efficiency. Together, these efforts are transforming finance from a traditionally compliance-heavy function into one centered on business partnership, analysis and long-term value creation.





