How is cybersecurity education changing — and what skills do tomorrow’s security leaders really need? In this episode of Security Sessions, host Joan Goodchild talks with Kevin Powers, Faculty Director and Lecturer at Boston College Law School, about how cybersecurity has evolved from a technical problem to a core business and legal function.
Hi, I'm Joan Goodchild. Thanks for joining us for another edition of Security Sessions, where we talk to security leaders who are shaping the trends and topics in the cybersecurity industry. Today, we're going to be joined by Kevin Powers. He is with Boston College.
He is the faculty director and lecturer in law for a Master's of Legal Studies in Cybersecurity, Risk and Governance.
And Kevin actually brings with him a, you know, wide amount of experience, 25 years in national security, law enforcement, military, as well as in the private sector. So we're excited to talk to him about what's shaping cybersecurity education today. So welcome, Kevin. Thank you for having me. Thanks.
So tell me a little bit about, you know, right there to you've worn a lot of hats over the years.
You're former Navy. Again, national security, private sector work. Tell us a little bit, if you can, about kind of where you've been and what brought you to what you're doing today.
Well, one thing you left out is, when I was in college, I drove a bus for the TI. Okay. So I can tell you where I was going.
It was in circles at that time. You really earned your stripes there then, too. Yeah. It's you. Yeah. So I began my career with the US Marshals Service as an analyst, and I moved over to the U.S. Attorney's office as a law clerk.
And then I went off in the Navy JAG Corps, and it was fantastic.
And how I got into education was, at that time, in 2002, I moved over to the U.S. Naval Academy and down in Annapolis, Maryland, where I became the deputy general counsel to the superintendent. And at that point, they allowed me to teach my first course.
It was a leadership course in the midshipmen, and then he allowed me to create my own course.
And then I got the bug where I really loved teaching, and I continue to do so.
When I worked as a lawyer down in DC and up here in Boston, I continued to teach at Boston University and over at Northeastern and down at the Naval Justice School in Newport.
And, you know, and then I found my way, you know, really practicing law, like how I got into cybersecurity and data privacy, like everyone in my age group, I fell into it.
You know, it began right around the 2007 timeframe. The firm I was at, we were taking in all the case files from one of our big clients, internally. So we started looking at privacy issues. We weren't talking to cybersecurity, but it was really data privacy.
In 2011, I was pulled out of civilian practice, and I was working down in DC where I was called in to be a legal advisor on the 9/11 co-conspirator trials, the USS Cole bomber.
This is all under the Obama administration when they were looking to move everything from DOJ over to the Department of Defense. And my role in it was to, you know, get these to arraignment, which we did.
And during that time, it was just you started seeing more it was national security, had data privacy, and cyber was popping up more and more.
And when I left there, I was in house and it was just cyber nonstop, you know, for a tech company I was working on. And during that time, that's how I started building this whole program. Yeah. Right. And now, okay, so let's talk about the program then.
It was originally launched in 2017. Was it? No. It's actually close, 2014, because in 2015 we officially launched the program, and at that time it was a Master's of Science in Cybersecurity Policy and Governance.
And, when we built that, I mean, if I plan this, this never happens. There's just no way, it was more, I got back up from DC. I reached out to the dean of the Woods College, Father Burns, and said, okay, I'm back up here.
I'd like to teach a course if you have one open.
I'm happy to help. If not, well, that's fine too. He said, sure, I get this course. One of the judges who usually teaches in the summer. Can you teach this course? I taught this course and then he said, like, hey, I know your background.
We're looking to do a cybersecurity or a forensic course. Do you mind being on this task force?
And this was in, November 2014. So I went to this meeting. Long story short, they were looking at like a grad type program, but they were really focused on technical aspects, and I was sitting there and I just, you know, piped up and said, oh, wait a minute.
I look at cybersecurity. It's not just a tech issue.
You hear that all the time now, back then you really did it. Yeah. And I just said we're Boston College, you know, we're interdisciplinary. We have like, you know, great liberal arts. We have one of the best business schools.
We have one of the great law schools. You know, we shouldn't be a tech program because that's not really what cybersecurity is about.
Let's if you're going to build something, let's build it this way and focus on what a CSO does and then build the courses accordingly and go backwards. To which we did.
And I thought that was going to be, you know, a 15 year process and maybe like I'll get a course in my retirement job or if it wasn't within, less than probably like ten months.
I got a call from the dean and I was actually down in Disney World with my four kids and my wife and I was getting ready to go on Space Mountain, and he just said, hey, we're going to launch this program and you're going to run it.
And I said, all right, great. I am all up for it.
I'll call you back in 30 seconds. Went on Space Mountain, came back, and, next thing you know, we're kicking off this program, the master's program. And then it was like a proof of concept.
And, you know, we're at the law school now, and the whole idea was, we're going to build this program, let's see where it goes, and we'll make a determination on where it should land within the university: should it go to the law school, should it go to the business school, should it stay at arts and sciences.
So with that, over the first five years, we really start and this is where everything's going to one. If you look at the compliance, the regulatory, the artificial intelligence, the governance, it really was the best option is to go to the law school.
And we started to move over there like we put our foot over there. We started cross listing classes.
So what that means is we had at one point, and now, five of our classes cross-listed with the law school, meaning there's law students in the classes as well as our grad students.
And we made the decision, and I say we, you know, at the university level, the dean of the law school, the provost office, that, hey, we're going to move this over here.
And I'm going to change it from a Master's of Science to a Master's of Legal Studies. And then over the last two years, we had a curriculum review. We had a curriculum committee work on it. We, I won't say we updated courses.
It was more we aligned courses and aligned the curriculum to be a master's of legal studies, which we just launched.
You know, the new program, this three weeks ago. Yeah, at Boston College Law School. So now that's where we're housed. So what do you think that says about the role of the security leader, of the CSO?
Now that, you know, this is kind of where, you know, it made more sense for the program to live and the kind of responsibilities that, you know, today's security leader needs to be mindful of. Yeah.
And I think the insecurity leaders understand that now, too. It's no longer you're just a, you know, a technologist, you know, it's a business position. Cybersecurity, if you look at all the regulations right now, is a core business function.
And as a core business function, you have to understand the board of directors, the C-suite, the business line, the risk, the operations tech.
It's a spoke there, you know, and then you have physical security. You have data privacy, artificial intelligence and governance and all that brings and then dealings with law enforcement and others. So it's you have to be a business person as well as a technologist.
So when you look at us coming here, it's the people in the classroom. We have technologists in there, we have business folks, we have lawyers in the classroom, we have law enforcement people, we have military.
They're all talking together. And that's what you want. So yeah, you look at the security professional of today and then tomorrow it's going to be someone who understands the technology they don't have to be a coder. Right? Okay. But they have to understand the technology, the architecture.
But then they have to understand their role within the organization, understand the business, and then really being an ambassador out there as well.
Well, and you've also pointed out the CSO role and, you know, again, other security leaders, whether it's the CSO or the VP of security, and, you know, a lot of these other titles that now exist really need to understand the legal and regulatory frameworks that they're working within, too.
And that's an important part. You think of education for, you know, people that are in the role now are looking for higher education.
Yet the framework itself, when you're building out your cyber program, is really almost like a legal document if you look at it from a regulatory standpoint. A good example is in New York, DFS Part 500, as amended: everything you do in there is a legal aspect.
You know, how you build your policy, how you build your program, what you do because they're going to come in and if something happens, that's how they're going to look at it with a legal eye.
Well, you say you're doing this. Why did you do that? You know, so you have to have the capabilities to understand, when you're building a cyber program, how does it match up with the different frameworks and what are the legal consequences.
But you shouldn't be building any program just fine. I tell my students all the time, you don't want to be just building something so you don't get in trouble.
The reason you're building your program is to protect your business operations and then your nonpublic customer data. That's what it's all about. Now, talk to me, too, about educating, you know, the workforce for a cybersecurity, you know, current needs, needs in the future.
This it's somewhat controversial, within the industry to say that there's a skills gap.
You know, a lot of people feel like this is more of a misunderstanding or it's about managing the expectations of employers, you know, that they're where they're hiring. They're not necessarily addressing what's out there in the market for a workforce.
And then those who are trying to get into the industry say that, you know, their expectations are, you know, different from what they actually have for an education and so forth.
Are you trying to square that at all in this program? We try to square that away, for our students. They're entering more mid-level or higher because it's how you come into the program.
And then I'll answer your question is, you know, if you look at our program, I think the average age is 33, but then like 20% of the students are fifth year.
So we have like a fifth year program with Boston College, with the students are coming in, and then you have the middle, and then you have people who are in their late 40s, early 50s, very senior. So depending on their experiences, that's where they go.
So if someone has, is a senior vice president doing risk at a bank, well, they're going to graduate from the program.
They're going to end up being whether a deputy CSO or a VP of Information security and the middle person to them moving in those roles. So a junior person, they're not going to end up as an analyst.
They're typically going to go in as an assistant information security officer or something like that. I think the issues that you're addressing, this is all human resources, and that goes to being siloed. Okay.
So if you have the CSO looking for a position. The problem is HR, and I'm not bagging on HR by any means, but this is just the problem. They look and say, okay, this is what we want.
And if they're looking for an analyst, like an entry level position, if you read the job description, it's for a CSO and you're not going to get anyone to fill those.
Oh, they'll say, like, we want 5 or 6 years of experience, or how is anyone graduating from college or someone going to a community college, you know, with an associate degree going to get seven years of experience? So then that cycle goes on.
What I'm finding out there, I think there is a gap. You know, clearly there is.
But this is a problem too. And then it pushes people away from going into cybersecurity. Why would I want to even go there? I can't even get a job.
So going back to the education of the program itself, the where it is kind of more that mid-career professional, you know, in your observation or what you might be hearing from professionals that are coming into it is what kind of skills and understanding and education and so forth.
Were they perhaps not able to get at the beginning of their career that they're really craving now to take that next step? It's the whole idea of you start with cybersecurity.
I was a history major in college, so if you said cybersecurity to anyone who's liberal arts like, I don't know, tech, I don't want to touch it. You know, I'm lucky I can work the TV clicker.
That's the classic line, right? And now they understand. Or there's a recognition because they're hearing more of, hey, I don't need to be a technologist per se. I can be someone who has a communications background, political science, I can have a history background. I have a law background.
Whatever my background is, I can help because it's a position for you.
So knowing that, where can I get in this field because there's so many opportunities within the field right now, whether it's in the private sector or in the government, you know, these jobs are going to be there for a long time because there's always going to be someone trying to break in and get, you know, hurt your systems or steal your data or extort you for money.
What kind of, you know, trends, like, how are you adapting to what is being discussed in boardrooms and in organizations, you know, within security divisions, to ensure that you're really making sure that it's timely.
You know, of course, everybody is talking about what they're doing with AI, how they're getting ROI from their AI investments and so forth.
I mean, how do you kind of update the curriculum to make sure that you're hitting on those trends now? Well, like in cybersecurity, you have to update the curriculum every, right, every semester.
It's just like, look at the headline, there's some new law or a new issue out there. But with the artificial intelligence that has, like any organizations, overwhelmed our program, it is integral to everything we do in the program.
And the key to our program is the governance. Right? You start with that.
So when you're asking about AI governance, we're looking in that and talking to students too, like, yeah, you want to bring AI into your business, but when you do it, it's not just to do it like, hey, we're bringing it in, let's go run with it.
It has to be okay. Why are we going to bring it in here? How is this going to help our business, and how are we going to be strategic about bringing it in here? And I think that's what you see in boardrooms right now.
Some boards are very strategic. They're holding back. They're focused on the security, the privacy, the business operations.
And then others are, hey, you know, I see no nothing here. We're not going to use artificial intelligence. All you're on your own or you guys figure it out. Go use it, and then we'll see how it goes. And those other two right there, they're going to fail.
I mean, they're bringing in AI. And then our actually it's not a closed environment.
It's an open environment. All the trade secrets are going out into the internet, and they're bringing all sorts of code into their systems that, you know, it's just going to hurt them.
So in terms of, you know, we talked about the role of the CSO in the security leader earlier, too.
But, you know, going back to that as well, I mean, it's definitely evolved, as you said, you know, it's not a technical role, you know, that's part of it.
But it goes much broader than that. As part of executive education, which is, you know, what your program speaks to. Do you hear more about the CSO having more audience with the board or having, you know, a seat at the table?
We've been talking about this now for two decades about whether or not that's an executive that reports into the CEO or is still up to the CIO.
And those conversations, it seems like, still continue. Yeah, those conversations will still continue. But the CSO is getting in front of the board. You know, they're in their quarterly, they're at the finance committee or audit committees. You might have a committee that's, you know, emerging technologies or whatever.
They're there.
And if you look at the 10-K that's coming out, you'll see from the different boards, you know, the Fortune 50, where they're saying is like, oh, how does the board fulfill its oversight responsibilities? Well, we get briefings, you know, quarterly by our CISO, we get trainings by the, talking about the CSO.
So the CSO is elevated. Are they going to get into that C-suite? I don't know, but they're definitely getting in front of the board, and they're definitely getting in front of the CEO a lot as well.
I think what you might see, and, you know, I could be wrong on this, but it just seems like you've seen before was the breakup of the CIO and the CSO position.
I think you're going to see that coming back together, because the CIO is already up there. Right. So like, how do you get the CSO up there? So it might be a combination of both. So also on, you know, the topic of trends.
Again, you know, something that a lot of CISOs are talking about now, investing in, trying to figure out how to demonstrate the ROI on those investments too, from your vantage point and, you know, what you hear.
And working with the program and hearing about what these people who are looking for executive education in cybersecurity are focused on, what do you think the next big thing is? You know, if we're looking three, four years out, you know, are things changing?
Is AI still a primary part of the conversation or, as that becomes widely adopted, is it on to something else?
Wow, that's so very topical. I was at a retreat out in Vail, Colorado last week, and it was with a private equity firm host, and you had all these investment bankers there. And that question came up like, you know, where AI is going.
And there was just this whole talk of it's going to really like impact business impact the profession.
Like, okay, so that's very general. But they really talked about like the SaaS platforms that like what the coding that it's capable to do. And I'm not a coder, I'm not a technologist.
But what they talked about is that you'd be able to build your own CRM, you know, like in minutes, you know, you. So you would have someone who's working there was like, okay, we want to do this.
So instead of buying your own CRM, you're buying a software as a service. You're going to be able to do that, and you're going to be able to do that with other elements that you're already purchasing.
You're building your own individualized, unique to your business, which is amazing to me. And then my thought, and then they also talked about, like, everyone having their own personal Jarvis from like Iron Man, which sounds fantastic until you go like, okay, great.
So what happens if that gets hacked into every like dark secret you may have? Every personal thing you even do is now in someone else's hands and think of how they could extort you or cause trouble for you, or just raid all your bank accounts.
So it sounds great in theory. I think the problem, like everything is, you know, has where humans as we move without thinking, we always say we're going to we're going to move slowly.
If you remember with AI, there was an executive order. We're going to move slowly, and now it's let's move as fast as we can. We're going to be the best at this. And it's the old Silicon Valley of don't worry, be crappy, get first to market. Right? Right.
And also the issue of the more convenient and connected things become, the larger the attack surface grows. Right?
It is. And I think everyone forgets that artificial intelligence is a technology, and any technology can be hacked. Right. You know, so it's not going to cure everything. Yeah. Great. It's going to make things faster.
I think there's going to be a lot of displacement in different positions, but there's going to be other positions that open up as well.
You're going to have a lot of people who are managing artificial intelligence. Good point. Okay. Unpopular opinion.
The thing we ask everybody tell us, you know, you know, what's a controversial viewpoint that you might have specific to, you know, this career or the executive in this position that, you know, tell us what something that you think that others might disagree with, but you'll die on that hill.
I don't know if I'll die on this bike. So. So one for me is, there's been a lot of talk, and this is more on, like, the government in running cybersecurity.
There's been a lot of talk recently where now there's going to be these block grants to states to secure different municipalities.
The different agencies within. And, there's a lot of folks who are against that. For me, I look at it, well, if they're going to do this, why, this could be a good thing as long as it's uniform.
Meaning that it's not like you give $1 billion to one state, and they get to build out that program one way and someone builds.
No, we're going to give the money out, and we're going to have, these different requirements in place, and it's going to be uniform across the board. And I'm going to have one federal person or two or a team managing this.
I think this is a great program for the states in general, because now you're going to have this money and you're going to be able to secure municipalities, the different police departments, different agencies, right before you couldn't have CSO do that.
You know, you can have different federal agencies do that instead. Now you're giving the money to the states to build out their program. They have certain requirements like, oh, you have to do a cyber assessment.
Once you have that, this is what you know you need to do and you get the money that way, but you're building it out.
If you look at the towns and the different the smaller cities or even the city of Boston, they're not spending the money on cybersecurity or data privacy that they need to if they're getting this funding, okay, from the states.
And then you have people who work there and live in this. They're going to build out good programs.
They're going to have the playbook to do that, and they're going to have the money to support it.
So I look at it as a good thing because it's coming back to the states, and the states are going to secure it, and it's really in municipalities, you know, you can go to any one of them. They'll tell you they're secure.
But I'm not bashing anyone in particular, but they're not going to be where they need to be on the cyber front. They're where they are with the technology to run a town, not to secure it. They might have things in place, but they're very highly reachable. Yeah.
And that's a conversation I feel like, too, that we've had about, you know, there is a significant gap.
You know, from my lens as a cybersecurity journalist, between what other municipalities are doing or even government, you know, it's always kind of considered to be somewhat behind. And there's so much discussion now about critical infrastructure, too, you know, which sometimes rolls into those budgets.
And, you know, kind of how, how you come up with the dollars to be able to really cover that. Right.
And then just look at New England, you look at Massachusetts, we have all these schools here. You have a lot of cyber programs, and you could use students to help build that out.
And I think it's just best let the states, you know, understand it's going to be uniform across the board what you need to do. But now that they have the money, they can best utilize it to secure municipalities, our agencies and our citizens. Great.
Well, Kevin Powers, I really appreciated having you on here today and for this discussion. Sure. My pleasure. And we are recording this right now in September. So we're at the start of football season. I hope the Eagles have an excellent season this year. Yeah. UCLA.
We've been playing them for parents weekend this upcoming Saturday.
All right, well go Eagles. My dad's a BCC alum. So I feel a little bit akin to that football team. Still, even though I didn't go there myself so. Oh there you go. Eagles is right. All right Kevin, thanks so much for you.
Thank you, Joan, and thanks to you for listening. If you enjoyed the conversation, we encourage you to like and comment and subscribe.
And we'll see you next time for another episode of Security Sessions. For now, have a great day.