Kitecast
Kevin Powers: From Academic to Practical Cybersecurity
Kevin Powers, Faculty Director of the Masters of Legal Studies in Cybersecurity Risk and Governance at Boston College Law School, began his professional and academic journey when he volunteered for a task force exploring cybersecurity education at Boston College. Rather than developing a purely technical curriculum, he advocated for an interdisciplinary approach that would integrate law, business, and risk management. "Cybersecurity is not just a technical issue," Powers explained during the podcast episode. Working with stakeholders from the White House, FBI, major financial institutions, and technology companies, the team built a curriculum designed to produce well-rounded cybersecurity professionals.
The program launched in 2015 and recently transitioned to BC Law School, offering 10 courses taught entirely by practitioners actively working in the field. Students include FBI agents, financial compliance officers, and executives from Fortune 50 companies, with an average age of 33.
A central theme of Powers' program is bridging the communication divide between technical teams and business leadership. With recent SEC regulations and requirements like New York's DFS Part 500 mandating board-level cybersecurity oversight, organizations need professionals who understand both technical controls and business implications.
"Boards are recognizing cybersecurity as a core business function," Powers noted, emphasizing that every company operating on networks faces operational risk when systems go down. The program prepares students to communicate cyber risk in business terms and develop governance frameworks aligned with regulatory requirements like CMMC 2.0, FedRAMP, and the NIST Cybersecurity Framework.
The program has evolved rapidly to address artificial intelligence governance. Powers redesigned his coursework after discovering AI tools could complete assignments in minutes, shifting 70% of grading to oral presentations that emphasize critical thinking over output.
Looking ahead, Powers identified cloud security and data sovereignty as critical concerns. Many organizations mistakenly believe SaaS platforms automatically back up their data, leaving them vulnerable during incidents. The CDK Global attack on car dealerships illustrated how unprepared businesses can be when cloud services fail.
Beyond academics, Powers emphasizes creating networks. Graduates maintain connections with government agencies, financial institutions, and technology companies, facilitating collaboration across sectors. The program hosts the annual Boston Conference on Cybersecurity, which draws hundreds of attendees including CISOs from major sports franchises and law enforcement leaders.
For organizations navigating increasingly complex regulatory landscapes, Powers' message is clear: cybersecurity expertise must extend beyond technical skills to encompass governance, compliance, and strategic business alignment. As cyber threats evolve, professionals need frameworks like NIST to demonstrate reasonable security practices to regulators while protecting operational continuity.
LinkedIn: https://www.linkedin.com/in/kevin-powers-54893a8/
Boston College School of Law: https://www.bc.edu/bc-web/schools/law.html
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
Patrick Spencer (00:02.446)
Hey everyone, welcome back to another Kitecast episode. I'm really excited about today's episode because we're going to be speaking with Kevin Powers, who has some great stories he can tell us. He, just to give you an introduction, is the Faculty Director and Lecturer in Law for the Masters of Legal Studies in Cybersecurity Risk and Governance Program, that's a mouthful, at Boston College Law School. He's an expert in cybersecurity, data privacy, and AI governance.
And he also serves as an assistant professor at BC's Carroll School of Management and MIT Sloan research affiliate and lecturer. And he's on the board. He's the chair actually at the BC high school. We're going to talk a bit about that and some of the things he's been doing there that are really cool. He holds a JD from Suffolk Law and a bachelor's from Salem State University. Looking forward to this conversation. Thanks for joining us today.
Kevin Powers (00:57.628)
Yeah, thanks for having me, Patrick. Pleasure to be here, for sure.
Patrick Spencer (01:01.25)
So beforehand we were, and you got my interest piqued, I think, we were talking about how you, you know, founded this program over at BC, and you said there's a really good story behind that. It wasn't intended. So how did you start off in the role that you have over there?
Kevin Powers (01:18.836)
Yeah, and this just goes to, if you don't plan something, good things happen. Sometimes you just have to be open to opportunities. So in 2013, I came back to Boston. I was working down in DC, actually commuting back and forth, working for the Department of Defense, where I was working
Kevin Powers (01:41.524)
with Vice-Chairwoman McDonald, who was the convening authority for the Military Commission. So my role was to come down there and help them get to arraignment, the 9-11 co-conspirator case and the USS Cole bomber case. So I went down there to work as a legal advisor. So I came home and I always taught as an adjunct. I started teaching as an adjunct faculty member at the U.S. Naval Academy, where I was the Deputy General Counsel for a few years in the early 2000s. Then I taught at BU and then I taught at Northeastern.
So I came back and I saw there was a new dean at Boston College. I have a great relationship with Boston College. And I reached out to the dean of the Woods College of Advancing Studies, Father James Byrne. He said, hey, I'm back from DC. If you have any class, I'm happy to help out. And lo and behold, I met with him and he said, hey, great credentials, but I don't have any opportunities, but I'll keep a file on you. Where I laughed and said, oh, I know what that means. He's like, no, I'll really keep one.
Patrick Spencer (02:35.438)
Thank
Kevin Powers (02:38.836)
And two weeks later, I ended up one of his faculty members, Judge Menno, who was a judge in the district courts here in Massachusetts, he needed to get a hip surgery or something like that. So I had to fill in for him. I talked to him. Of course, things went glowingly for that summer. And then father reached out to me. I was in house counsel for a company called ATS. We did security platforms for Army Intel, Navy Intel, the USN.
Patrick Spencer (02:50.414)
Yeah, we're in.
Kevin Powers (03:08.052)
Patent and Trademark Office. I was in-house there and he mentioned, we're looking to do a cyber course or a program. Would you mind being on this task force? I said, sure. That's right on my lane. I'll come over. So right around Thanksgiving time, it must have been 2014. So it's 2014. I go to one of these meetings. We have a nice group there. It was everything you can imagine from an academic meeting.
Patrick Spencer (03:18.602)
Hmm.
Kevin Powers (03:36.436)
where everyone was just sitting down and they were talking about cybersecurity, but they were really just looking at it from this whole technical front. And it was like, hey, we can do this tech program. And I just jumped in and said, hey, that's great, but cybersecurity is not just a technical issue. And we're here at Boston College and we're interdisciplinary. We have one of the best business schools in the Carroll School of Management. We have Boston College Law School. We have a great computer science program.
Patrick Spencer (03:53.954)
Yeah.
Kevin Powers (04:05.396)
and all we do with our liberal arts, we're all connected. So if we're going to do a program, we should look at something like that. And everyone's like, hey, that sounds great. And then the meeting ends. I just jump in and say, well, what are we gonna do next before the next meeting? What's our taskers? And they're like, well, what do you mean? And I'm like, well, what do you want us to do to go forward? And they're like, we're glad you asked. And they started handing out boxes of chocolate for the Happy Thanksgiving.
Patrick Spencer (04:13.422)
Yeah.
Patrick Spencer (04:33.974)
Ha ha ha.
Kevin Powers (04:34.344)
I'm like, well, this is great. And I said, well, what are we going to do next? Well, we'll type up the notes and we'll meet again in March. And I'm like, well, what do you want me to do between now and March? Other than someone typing up the notes. And Father Burns, what a great dean. And he's always just all action oriented. He's like, well, what do you want to do? I said, well, why don't I go out and speak to my friends in government? I'm in the space. I'll talk to my friends in government, in private practice, private industry.
And I want to get their thoughts. What are they looking for? How do we build a program really focused on the end game? Like, what do we need to be the future CISO? And then how do you build a curriculum towards that? And from that moment on, working with Father Burns and working with, honestly, you know, in the federal government side, we had the CISO from the White House involved. We had the Secretary of Homeland Security, Jay Johnson, FBI.
involved the Department of Navy, Department of Defense, like, you know, going down the chain there. We had State Street Bank, we had Fidelity involved, Bank of America, we had Lockheed, Raytheon, Microsoft, Kevin Mandia was super helpful for us. So we had this whole, like, you name it. Then locally in the city of Boston, we had the CISO from the city.
Patrick Spencer (05:40.833)
well.
Kevin Powers (05:53.18)
We had the state CSO and CIO involved. So everyone was just, it was a cool thing. And it was more like, hey, let's build this program. And we had all this buy-in from, you know, on the academic side, but we were working truly with private industry going back and forth. And instead of coming up like with a course, we built out this curriculum. And then we had this buy-in and with Father Burns, the next piece that came up is like, okay, let's talk to the provost office.
Patrick Spencer (05:59.042)
No.
Kevin Powers (06:20.468)
And all this time I'm working in, so I'm doing this as a nice Irish Catholic guy for nothing. And we're building out this program and it's just fun. We're all talking now, there's excitement around it. And in academia, it takes forever to get anything done. It's like the government, right? Like, hey, we have a great idea, so fantastic, in seven years, eight years. And that's how I'm thinking. I'm like, hey, this would be a nice retirement job for me. Maybe 15 years down the road, maybe we'll have a cyber course at BC finally.
That's not how it played out. We worked with then, you know, before it became Dell EMC, it was still EMC, we had a meeting with folks from the provost office, you know, the dean's office and administrators from Boston College over at EMC to see what like, hey, are we on the right track here? So we have business leaders and government leaders there. And it started off with retired Rear Admiral Mike Brown, who was a great advisor on the program too.
Patrick Spencer (07:09.283)
Yeah.
Kevin Powers (07:19.08)
He starts off the classic Navy, bottom line up front, we support this 100%. This is exactly what needs to be out there. What do you need from us? And from there, so you go from November, the meeting, to August, I'm literally down in Disney World with my family getting ready to go on Space Mountain. Father Burns calls me and says, hey, I just met with Father Leahy, the president of the university. We're launching this thing and you need to run it. And I say, well, I'll call you right back. 'Cause I'm literally, and jumped on Space Mountain, called him. And then we...
Patrick Spencer (07:44.974)
I'm
Kevin Powers (07:47.636)
came up and a year later we had our next meeting of the task force and it was like, we're launching this program, proof of concept and let's see where this thing goes. And once we launch it, we'll figure out, because we were in the school of continuing education and this was father's vision along with the current Dean, David Goodman, who's a great friend as well. Where do we take this? If this program works, what school does it go to? Does it go to arts and sciences? Does it go to the business school? Does it go to the law school?
So on November 9th, 2015, I joined Boston College full-time. We launched the program. And at that time, it was a Masters of Science in cybersecurity policy and governance. And we just launched the new program, the new iteration of the program where we transferred. That was the school proof of concept. Go to the law school, the Masters of Legal Studies in cybersecurity risk and governance.
and it's built for non-lawyers and lawyers alike. So currently, in the way we've been running it, we have five courses cross-listed with the law school. We have law students in the classes along with FBI agents, people from finance, people from government, the big four, lawyers in the program. So we have everyone, and the whole idea of the program is to build this cyber ecosystem with the recognition that cybersecurity is not just a tech issue.
It's a governance issue, it's a management issue, it's a business issue, it's a risk issue, it's a compliance issue, it's a data privacy issue. You have AI, which is a technology issue, but it's not just a that's a complete issue that harasses everything. So that's how we started the program. And if I planned it, it would never have happened. I was lucky and I don't know what I stepped in, but it all worked out for me.
Patrick Spencer (09:36.802)
Right place, right time in many ways, right?
Kevin Powers (09:38.736)
It really was. And it was the right leadership with Father Burns and David Goodman, who's now the dean. He was the academic dean at the time. And they were really, they pushed this. And BC, a credit to them, and now we're the leaders in the space.
Patrick Spencer (09:52.43)
Hmm. So well, and at the time they're probably, I mean, you couldn't go get a degree in cybersecurity back in 2016 that I know of.
Kevin Powers (10:01.976)
Yeah, they were out there and you had different programs, but they weren't built the way we did it. You know, they were more like, hey, they would come in with a consulting firm or it was just done internally from academia without understanding. And that's a problem still today. Yeah, so it was all compute what you need out there, but there was no idea. It was so siloed. Or even if they did a policy, it wasn't related. So when we, it was purpose built and with the move to law school,
Patrick Spencer (10:16.0)
and add on with a computer science degree or department probably,
Kevin Powers (10:30.6)
that took place over time and that we worked on the last two years working with our faculty. It wasn't like we updated anything. We realigned everything to be this master's degree with a recognition of, if you're not an attorney, that's great, but you need to understand the business. You need to be able to work with the lawyers. You understand the law and the regulatory requirements. That's who the future CISO is. In the current CISOs, you see more and more, it's not that they're less tech.
they're more business oriented in the law and the data privacy and the compliance requirements is something you have to understand and it can't be just a passing understanding.
Patrick Spencer (11:06.894)
Yeah. Well, you designed it from the get-go as an interdisciplinary program, which differentiated you. Now there's obviously a lot of others out there now that take that approach, but out of the gate, you were probably really early. What different departments are involved in the program in general? Is it like 24 credits? How many credits do you need? Is it a year program?
Kevin Powers (11:30.788)
Yes, so it's 10 courses, 10 classes. I think we have a total of like 18 classes. So there's five core, then we have two required electives that are law classes, and then three you can pick from. And out of the two required law, there's like six classes you can pick out of there too that you wanna do, whether it's cyber crime, national security, international cyber, data privacy, cyber litigation, and things along those
Patrick Spencer (11:58.174)
And in terms of students you have, sounds like a wide range of backgrounds, which must make it interesting to teach the classes.
Kevin Powers (12:07.188)
Yeah, the average age in the class, I think last we looked is right around 33. So the oldest student at one time was 61. And it wasn't like, oh, I'm just trying to learn. It was an executive vice president from MITRE, PureTech, who's retiring, who wanted to open a consulting firm. So that was her goal. So we have, and it's great, we have fifth year students too. So from Boston College, we have a program where if you're a senior and you get approval by me, you have to have certain standards.
Patrick Spencer (12:24.91)
interesting.
Kevin Powers (12:35.666)
you can take two of our courses as an undergrad and then you go into our program and those two courses count. So all you need is eight courses. So we have a lot of folks coming in that way. But mostly when you look at it, we have like the FBI has been a great partner. We've probably graduated 23 FBI agents in the program. You know, many who are starting off moving into the cyber division or more senior getting ready for retirement and needing this background.
Patrick Spencer (12:43.79)
But.
Kevin Powers (13:04.967)
and they become CISOs or CIOs because of this degree and their experience with the FBI. We have a lot more coming from, it's not just the tech side, but the finance side, really coming in from information security. Yeah, the finance side, they're looking at like, hey, I have compliance, that's great. But if I get this cyber degree and I understand cyber security, data privacy, and the advent of like AI over the last couple of years, I leapfrog.
Patrick Spencer (13:19.438)
I'm sorry.
Kevin Powers (13:31.892)
from like a mid-level, I'm going up to a VP level. If I'm either junior analyst level, I'm going right into that mid-level slot. Again, with AI, I explained to the students, it used to be this whole pyramid scheme at the bottom. Hey, that's where entry-level positions are. You're an analyst and you're gonna do all of this. And it's just reading the articles and seeing how it's playing out. It's turning into a diamond. At the bottom now, there's not many analysts.
but there's a big need for those in the middle. And I said, that's where you'd get this degree, that's where you're going anyways. So you're gonna be protected and you're not gonna be running around worrying about those analyst positions to start anyways.
Patrick Spencer (14:12.62)
Yeah, interesting. Now, how many CISOs do you have in the program? Are you seeing that when you launched the program, do you have a lot of CISOs signing up or are they people from other parts of the world?
Kevin Powers (14:22.516)
It was more information security officers. We've had like senior vice presidents who ran risk from banking or senior vice presidents who were doing compliance who were coming in and they wanted that cyber speed piece to keep that career going. We've had several chief operating officers, chief financial officers coming in as well. CISOs, last night in my class, we had one CISO for a Fortune 50 company in there. And her goal was, and it is,
Hey, I understand the tech. I need to understand a lot of the business side of these regulatory requirements. I get it, but how do I work with the lawyers? How do we work with compliance to build out these programs? So I have an understanding so that I'm protecting the company the way I need to, you know, which is great to hear that. And what makes our program really unique too, it's all adjunct faculty. It's not the university. So anyone who's teaching a course,
Patrick Spencer (15:15.47)
Hmm.
real world practitioners teaching.
Kevin Powers (15:20.966)
It's their expertise too. And they've been doing it here in the program for 10 years. So they were all here. So some of them grew up in the program. So a good example is one of our professors, Doug Doman, his day job, he's a supervisory special agent overseeing cyber crime for FBI Boston. He came in the program. He was one of our students who graduated. Another is Tom Scholler. He is currently the chief risk officer for First Citizens Bank.
and he came through the program as well and now he's teaching incident response. Yeah.
Patrick Spencer (15:54.126)
That's great. Interesting. Have you seen the demographics change since you launched the program or they stay about the same?
Kevin Powers (16:01.396)
They're getting younger. So when we first launched, it was probably, the average age was probably 40. And I think that's where, yeah, it was more like senior people looking like, I don't understand this at all. So they needed to get it. And now you see it's getting younger. And I think what's gonna happen with our program, instead of being like 30, you'll still have those groups coming in. I think it's gonna be more of, hey, this is my career path.
Patrick Spencer (16:06.926)
That's actually good news.
Kevin Powers (16:27.316)
especially more and more people are realizing cyber security is not like, they freak out when they see the word cyber security. They think it's tech. And I'm like, hey, I was a history major, I'm a lawyer. I'm lucky I can work my iPhone, but I understand who needs to do the technology, who needs to do the risk and I can build the program.
Patrick Spencer (16:49.902)
That's interesting. On the front of policy management, cyber policy, are you finding that organizations are realizing that they need to have folks who are experts in this area more so, particularly the last few years you've seen an explosion and all the different regulations are coming out that are global. Certainly Europe has their fair share, right? You have the new EU Data Act, you have the EU AI Act.
Here you have the Cloud Act that's had data sovereignty issues in Europe. How is all of that playing out in terms of how the program's being shaped and the questions that many of your students may have?
Kevin Powers (17:27.22)
Yes, so that's a great question. And with us, when we're doing the program, like when we launched it, it used to be like, oh, boards need to be more active. And then you saw nothing happening. They would do like EY or PwC. They would do all these surveys. It would come back that only 20% of the board understands cybersecurity or that it's talked about at the board level because they just don't. And it came down to that
hey, the only way we're gonna get this done is if we make this something they have to do. So that's when you started seeing over the last few years with the SEC regulations, New York DFS with Part 500, they were actually the lead on all of this. The FTC with their safeguard rules and then under Rule 5 too, where they want the directors more involved in senior management. Over in the EU, you're exactly right with DORA, NIS2, there's all focus on the boards.
So once that came out it's like, you know, there's no interest like self-interest. So if you're a board member, it's like, well, I have to understand this. And that's what's the recognition that cybersecurity is a core business function. You know, the whole idea that every company is a tech company. You know, everything you do is tied to a network. And if the network goes down, you cannot conduct business. So I always say that the business of cybersecurity is business. If you don't, if you're not secure and you go down, you're not making money. And that's what it comes down to. So.
Patrick Spencer (18:50.434)
Yep.
Kevin Powers (18:55.408)
Our program has always been pushing that governance. That was like the key in the name of our program when we launched. And that's what our focus is now. And that's the whole idea how we built it. It's that recognition of oversight. So you can't just focus on the siloed tech piece, which is the most important piece we're all talking about like tech, but it's the business way. Because if you look at, there have been studies that come out all the time. Like there was one.
from Stanford where they talked about it was almost like 80 to 90% of data breaches caused by human error. And then there was something else that came in. And also like 10% are caused by misconfigurations of how you're setting it. Like, well, you just do the math. That's 100% human error. So we're the problem. Yeah, it really is.
Patrick Spencer (19:27.714)
Yeah.
Patrick Spencer (19:40.505)
Always. Not with AI. We'll talk about that in a minute. It's not AI's fault. I guess we'll blame it on AI. That's my stance anyway. So are you finding on that note, you know, as there's more and more emphasis on cyber policy and compliance and liabilities now that, you know, companies are liable for failure to protect
Kevin Powers (19:50.707)
Yeah.
Patrick Spencer (20:06.094)
private data, they're liable for cybersecurity incidents, and it's down to the level of the CSO even in some, we've seen that happen already, right? Are you getting students coming in the program who are worried about that? And that's one of the reasons they're going back and working on this degree because they're concerned about the liability that their organization or maybe even themselves may face.
Kevin Powers (20:07.369)
Thank
Kevin Powers (20:15.132)
Yeah, even the soloing.
Kevin Powers (20:29.256)
Yeah, so I can speak to like the CISO community. I've been capital of ventures. They do a great job of hosting some of the top CISOs in the country and they do it in fall and they do it in the spring. Mark Sutton, who's a CISO over there, he hosts it. And they have me come in and I talk about this. It's almost like the scared straight for CISOs. And I walked through a lot of the misinformation out there because they're worried like, hey, what do I need to do?
First off, it's like, make sure you get insurance from the company. You should be part of that. You know, the director and officer liability insurance, because right now they're going after you. The reason they're going after you is they're going after the senior management and they're going after the board. You know, they want you to flip and say like, I told them this and they didn't do it. So make sure you have that type of insurance, because you're going to need it. You know, that's first. And then, you know, second, you know, when they're going after you personally, you got to protect yourself.
You know, so then I walk them through it and that's why, you know, and it actually elevates the CISOs and what they're doing and understanding instead of being worried and then like quitting their job, going and becoming 1099 somewhere else as well. It's, you got to work with the company and make sure they're taking care of you and you're taking care of them. But the whole piece is going to the senior management, into the board. And when you're talking about what you're doing in your cyber program and your needs are and what they're supposed to be doing,
it has to be a give and take. You know, it can't just be where you're telling them one thing and they're not doing it or they're, they're agreeing to it and they're not helping you out. So yeah. And the people coming in the field, yeah, those questions come up, but that's a risk with anything. You know, it's like, hey, if you're doing your job, you know, anyone can bring an action against you. Make sure you have that. Do you know, really, insurance and you're proud of that. And then be happy. 'Cause if you document everything you win.
Patrick Spencer (22:02.296)
Hmm.
Kevin Powers (22:25.34)
And I see this, I work with the Analysis Group as an expert witness every now and then. They'll call you if there's a data breach and if you get picked up. And that's what you'll see. Things are changing on this too, is like before with the FTC or other regulators, if there's a data breach, they're coming after you as though you're a criminal. That's the approach. You're hit with a cyber attack, you're a victim of a crime. And right away you become a defendant in a case.
And then you become a plaintiff as well because now you're suing your insurance provider because they're like, hey, you don't have best practices and you're like, okay, yeah, we did. And you have to fight it. And the way the regulator looks at it is like, hey, you did something wrong here. We don't care. We're not looking at your overall program. Well, that's the whole idea. It's like you build a cyber program out. It's based on your unique risks. And they have this whole thing of reasonableness. What does that mean? Well, if you look at a whole program and one thing happened that was off,
Okay, that's a mistake. That doesn't mean your program's unreasonable. So you have to have these punishments equal the negligent act. It shouldn't be like, hey, you did this one thing wrong and now, hey, we're gonna make you pay billions of dollars or we're gonna make you enter into this consent decree that lasts for 20 years and we can do whatever we want to from a government standpoint. So yeah, and that's where the regulators were.
Patrick Spencer (23:45.303)
No.
Kevin Powers (23:49.574)
And now it seems like it's going like this other direction right now. I think there's gonna be less enforcement actions. And what I'm worried about from like a cyber professional is that I don't wanna see the pullback of, you know, there's talk about the SEC regulations are pulling them off. I don't think that's good at all. There's a lot of misinformation going out on that too, when they talk about the four day notice requirement, you know, that's for material breach. Well,
Patrick Spencer (24:12.654)
No.
Kevin Powers (24:15.796)
That doesn't mean you have an attack go on and then four days later you had four business days you put forth a notice. That could take a month. It could take two months before you make that determination. But the way you would read it in the Wall Street Journal, the New York Times, or wherever you're reading it, whatever business journal, you would think that, like, this is just over the top. Yeah, and the same with the board and senior management. This is what their responsibilities are anyway.
Patrick Spencer (24:35.03)
At four days.
Kevin Powers (24:41.748)
If you're a board director, your oversight does include cybersecurity. This is like a major risk for your corporation. So you need to do it, whether you're in a private company, you're in an educational institution or wherever you are, it's the same there and the same with senior management. Anything you do on the cyber front aligns perfectly to what you need to do on your business strategy. It's all tech. Everything we do, we tie it to a network.
Patrick Spencer (25:06.828)
I assume part of the program is focused on how do you equip the students in the program to build the tools, the reports, the rapport, maybe even the strategic approach with their boards and senior management to articulate from a business standpoint what the risk looks like and how do we go about measuring it. It's just not a technology play. It's much, much broader, as you well know. But I assume that's part of what the program attempts to accomplish.
Kevin Powers (25:19.464)
Yeah.
Kevin Powers (25:32.564)
That's the whole point of the program. It's bridging that communication gap. It's getting people to talk and understand. And you see that in the classroom. Then you see it outside of the classroom. That was like the whole idea. It's like build this ecosystem in Boston, but then go national with it. So you have people graduate from the program who have direct contact with the attorney's office, with the attorney general's office, with the FBI, right? Like on that side. But then they have their contacts who they're talking to.
at the different banks, at the technology companies, or the municipalities. So everyone's talking and everyone's in a different role, but it's all touching on cyber because they all need to work together on this.
Patrick Spencer (26:14.542)
Your background in the military and the DOD and the government side, now you're working with some in the program who are from that background, that demographic, but you're working with a lot of private sector. How would you take that and parlay that over into how you constructed the program and how you teach? Driven by regulations, as you all know, is the government.
Kevin Powers (26:34.022)
Yeah, so.
Kevin Powers (26:38.612)
Yeah, so I started my career in '96 with the government, working with the US Marshals Service and with the US Attorneys. Then I was a JAG officer for five years. But from 2005 up until 2011, I was in private practice. So I worked at Steptoe & Johnson down in DC and then with a mid-size firm up here in Boston after I had my fourth child. My wife's like, we're going home. So we did, at Citrullo & Capone in Boston. So I was in private practice
there, and then in 2011 I went down and worked on the military commissions with Vice Admiral McDonald, and then I came back and I was back in private practice, but I always had that government piece with me through the Navy Reserves. So I always had that tie back to the government, but I was really more focused and bit, so it really, I had those two things tied together. So I was working in both and going back and forth, and the same with academia. So I kind of had, when I look at the program, you see the stool, it's
Patrick Spencer (27:27.416)
Yeah.
Kevin Powers (27:36.454)
academia, government, and private industry working together, and I just happened to touch upon all of those throughout my whole career. Again, not planning to do that, it just happened.
Patrick Spencer (27:44.13)
Interesting.
You know, the DOD, you know, we have CMMC that's gone into effect or, you know, it's sequential, you know, and Katie Arrington, the new CISO over there, who we actually did a podcast with, it's been a couple of years ago. It was before she got her new role. She's been a proponent of CMMC. What do you, we drive a lot of business as a result of those in the defense industrial base who
Kevin Powers (28:02.098)
great.
Patrick Spencer (28:14.604)
realize that their business is going to go away, they're going to lose large revenue streams if they don't achieve CMMC compliance. Do you see that it's, is it going to help us minimize the number of data breaches that we have in that space? You know, can we regulate better practices from your perspective?
Kevin Powers (28:33.606)
Yes, I mean, you can't, you know, like, here's the thing. So, you know, and I sympathize with the small businesses that they're working with, because that's where it's going to go down. Like Raytheon is going to be able to do this. It's going to be all their small businesses that they're working with. Can they do it? I think when you look at the CMMC 2.0, yeah, it's all this, like you have the teaming agreements and, one person does one widget. That's all they do. And you need that widget. Well, we're still going to use them, you know, like they're going to figure it out.
Patrick Spencer (28:50.912)
of contractors.
Kevin Powers (29:02.674)
I think that's where it's, you know, they have this shared responsibility model, you know, in the cloud, but this is different. I think this is where the big contractors have to work with the small contractors to lift them up. Because if you're to rely on them, that's the weakest link. And if you really need that widget, well, you better get in there and help them out to do so, or give them the capabilities to do it, to work with you. But the CMMC 2.0, and then you have FedRAMP and all of that.
That's something we have like a whole course on. You know, we teach on that to get them ready, because this is really important, because a lot of people go work with those government contractors, whether it's the DOD or who or other. So, but I do think it's important. And, you know, this is not like a surprise, like, my God, this, I think it's been like six years going on, you know, with the DFARS and whatnot. And a lot of it is very basic hygiene. It's not like it's, you know, punitive.
Patrick Spencer (29:49.806)
No.
Kevin Powers (29:57.972)
Yeah, you can do this and you should be doing this. And there's easy steps, and they have the NIST framework for the benefit. NIST is the one chosen by all the regulators. I mean, you see that with CMMC 2.0 and all of that. They added governance in there too. Everything's all coming together. So they're using that and then you build it to unique risk, but there's some things that are prescriptive, and I think...
If you look at New York DFS part 500, they do a great job. They codified in this framework and then even updated with governance. That's a great model to use no matter where you are because it gives you like the prescriptions and then you can build out accordingly based on where you are as a company.
Patrick Spencer (30:40.142)
You find if organizations, we find as well, you know, we have a lot of certifications, and once you get the right one, then the others are much easier and it's much faster to go through that certification process. If you comply with this 800-171, then you have the groundwork not only for CMMC, but, you know, if you need to do FedRAMP stuff or you need to do ISO certification, they're all much easier, I suspect.
Kevin Powers (30:52.34)
Yeah.
Kevin Powers (31:06.964)
They're all, I, you know, I'll talk to boards and whatnot. They'll call me in to give like, and I'll talk about this, and I'll talk with, and sometimes I'll talk to the CISOs beforehand, and I'll say like, yeah, you gotta get this alternate, and they're like, well no, we use the ISO, we use this. I'm like, I know you do. That's fantastic, and it works great, but you gotta take this framework and show and demonstrate, you know, one, because your board's gonna ask about this, and most importantly, the regulator's gonna come after you, and you might already,
fit into everything with NIST, but if you don't have that slide that's showing what you're doing, the red, green, orange, or however you wanna do it, they're gonna pound you for that. That's just how they operate. So everything you're doing, great. Whatever standards you are, you're able to use that, and that's what makes NIST easy, because it's pulling from all these other frameworks out there to build it.
Patrick Spencer (31:56.91)
Yeah, I agree with you. I think if you follow that one, then that makes it much easier. It streamlines the process for all the other certifications.
Kevin Powers (32:04.34)
Yeah, and they get you out of the regulator wrath when they talk about reasonable security, which they really never defined.
Patrick Spencer (32:12.27)
Well, here's a, this will be an interesting answer because you're coming at it from the business side, from the legal side. Are you finding that technology still has a long way to go? That we have all these technology silos when it comes to the different tools organizations use to govern, to secure their data in particular, to secure their network in general. Those don't all talk to each other. Is that an impediment when it comes to managing risk?
Kevin Powers (32:39.34)
Yes. I'll take yes on that one. And that's just because you're dealing with, you know, many startups, all different companies. And again, if you look at it, their job is to make money for themselves. Right. So like, yeah, you might patch in here and everyone, you're configuring everything, but everything's coming from different angles, and you add in AI now, you know, like you're supposed to have like a, you know, hey, I'm going to have a governance program. I'm going to make sure we move slowly here, deliberately. Well, any
software as a service platform you're bringing in is using AI and you're throwing that on your network as well. So yeah, how do you secure in? You know, now I'm being kind of jaded, but it's true. It's like a lot of small companies though, you'll send them a form like, hey, click all of this, tell us where you are in your cyber maturity. They'll click every box there, but you don't know. And like, how do you do your due diligence?
Patrick Spencer (33:30.081)
Yeah. Well, see, the self-assessment on CMMC is, you know, 80% or whatever it is. I forgot the exact number. They say, we're fully compliant or we're 90% compliant. And then you actually have a third party come in and they, oh, they're, it's like 20%, 15%.
Kevin Powers (33:46.908)
Yeah, because it's one of those things. It's like the business of business is business. And, you know, I'm a lawyer. You know, no one in business wants to talk to you until you get sued, and then everyone loves you. How do we get us out of trouble? And it's like, well, you got to come to us first and we'll keep you out of trouble before you even get there. And it's the same with cybersecurity and how you handle data privacy and artificial intelligence. You know, if you start and you're proactive,
security first, privacy first, or now I guess AI first, AI security and governance, yeah, you won't get there. So yeah, that's really important.
Patrick Spencer (34:23.214)
So what AI really became a thing back in November, 2022, I guess it was, and we've been AI first with our organization, particularly from a marketing standpoint, but then across the company. But we're finding that most organizations, they want to be AI first, but the issue of risk management when it comes to AI, and particularly the private data that employees can ingest,
those public LLMs or even just the use of ones they build in-house, from a prompting standpoint, security with those tools is questionable. When did the AI stuff begin to percolate in your program? Probably in November 2022, I suspect. And has it evolved?
Kevin Powers (34:59.977)
Yeah.
Kevin Powers (35:09.364)
Yeah, November 2nd. Yeah, it was really, you know, it was in there on machine learning, you know, of course, in the tech courses. So you talked about like, and where's this going? And once they came out, like ChatGPT, you know, like, that just pushed everything. And that became our focus. And it's in every class that we talked about, you know, especially, you know, I'll go back to like the students in the learning piece, you know, like my class now
that I teach is called the Intersection of Cybersecurity Law, Artificial Intelligence and Privacy. Okay, so that all comes together. A year ago when we taught that class, you would have your written work, it's like 10 memos you're writing to an executive, we had this whole formulation, that was your main grade, okay, like pretty much, and then you would have a final exam. I hacked my course and it took me five minutes to do an 80s worth of work using Copilot, right? Like, okay, how are we gonna change that?
So now 70% of their grade is oral. You know, they still have to do those, right. But like now you're presenting it, you're talking, you're on call, because it's all about critical thinking. We want them to use AI as much as you want. You pick the one, because it's a tool. But if you don't have that critical thinking, you can't recognize what's right or wrong with it. And they talk about like, oh, it's only going to get better. Yeah, it will. But still, if you're just relying on the machine and you don't understand
Patrick Spencer (36:11.608)
Yeah. Right for the world,
Kevin Powers (36:35.604)
what you're talking about, you're useless, because you can get anyone to do that. So that's one in the classroom. And then the next piece is the policy side that we're seeing. So on the federal government side, there's been a huge shift. It went from, hey, we're going to move very slow. We're going to be concerned. We saw what happened in cybersecurity. So we're going to move slow. And now it's back to the Silicon Valley idea of, don't worry. Be crappy. First to market. Let's get out there. We're going to be number one.
Hey, if anything happens, well, we'll fix it as we move along, which is different, and it's problematic, I think. But they're looking at ways from the federal side, we're just gonna buckle on, you know, like NIST on that, and we'll just use what we're using in the security space, because it's kind of a tech issue. But what you see now is like the states, they're coming out with all this, it's almost like the data privacy piece with like CMMC, not CMMC, the California Consumer Privacy Act.
Patrick Spencer (37:09.987)
Yeah.
Kevin Powers (37:29.812)
and then different states coming out, or the GDPR, with, like you mentioned, the AI Act that's coming out too. So we're not gonna have like this big fair, but you're gonna have the states now doing a lot of the regulatory requirements when it comes to AI, which makes it tough because they're gonna be all over the map as usual. But that's where we stand. And that's what we're trying to do with the students. So we're doing it from like more of the governance approach. Like, hey, if you're gonna bring it in, how do you do this?
depending on the size of your company, and who do you bring in to actually make sure you're doing it right? Because a lot of companies started right out of the gate with, hey, okay, ChatGPT, and they were just pulling the public one and they're pumping in all sorts of personally identifiable information, trade secrets, and like, this is great, you know, like, and it's like, no, no, no. Now, like, now you have the closed versions, whether it's Copilot or whatever you're using, because they're closed and it's encrypted,
Patrick Spencer (38:12.27)
All sorts of stuff.
Kevin Powers (38:27.892)
Okay, you're protected there, okay? But then you have to be careful with that too, because a lot of folks will, like, hey, we have the whole company, and then you get to really see how your security is, because there's gonna be access management issues of like, who has access to what file, and then you notice with, you know, the closed Copilot, whatever you use, I'm just using Copilot because that's on my head. And then all of a sudden, the receptionist has access to some of the top files in a law firm or wherever, like, how did that happen?
Patrick Spencer (38:51.896)
Yeah, going long country.
Kevin Powers (38:56.436)
It's like, well, we had no lock on that. We didn't have any password protections. OK, so that ups your security.
Patrick Spencer (39:04.78)
You see more and more emphasis on data governance happening versus just the other compliance stuff and the technical stuff, but you got to govern to your point who actually can see the data, what levels of access can they edit it? They said view access, can they send it? What countries can it be sent to? What countries it can't be sent to? And then you need to have an audit for all that as well.
Kevin Powers (39:26.26)
I feel a lot of great talk on data governance, but then when you lift up the hood, there's not much going on. And it's kind of like artificial intelligence. I feel like cybersecurity, I thought 10 years ago, would be well past where we are today. It feels like Groundhog Day. There's more talk about it, but less of it happening. Yeah, it's like, as we mature, as a field of not only study, but it's a discipline as well.
There's great people, practitioners out there, but most companies don't have a CISO. They don't have an IT firm. They might be using managed services, but managed services means someone has to manage them, and they don't have anyone managing them. So they don't know what's going on. I recall one time I asked someone what the law firm is they're using. If they're using a law firm, they were like, Rapid7. Rapid7 is not a law firm.
Patrick Spencer (40:21.201)
HAHAHAHA
That's not quite right.
Kevin Powers (40:26.022)
Yeah, we're still in our infancy, sadly. That's where we are really. And people know about it. And then there's this numbness now too of like, yeah, you get hit with data breach, who cares? It just happens all the time. We'll pay a nuisance fee. That's where it looks like it's going.
Patrick Spencer (40:41.262)
It's going to take public shaming with some actual fines and penalties before people start to pay attention to data governance in general, but specifically the AI risk that we alluded to, because people are loading stuff into those public LLMs and their compliance violations, they just don't realize it.
Kevin Powers (40:57.598)
They don't realize it until it starts popping out on someone else's, right? And things not happening. And I think it's gonna be, I think it's now like, if we keep it at that board level, you're gonna see this get really taken care of over the next three to five years. Honestly, that's where I see it. Because boards are recognizing this as, the data breach. And I think that's like one of the worst things that can happen, okay? But from a company standpoint, like, it's a lawsuit, right?
Patrick Spencer (41:00.962)
nicely.
Kevin Powers (41:25.524)
You know, it's almost like, this happened here. Okay, there was, you know, and if someone broke into one of our banking issues or our files, okay, what do we do about that? That's almost how it's looked upon. When they shut down your business, you know, your operations and you can't act and your company goes out, that's when businesses take it seriously. That's when anyone takes it seriously, right? So that's like the little difference, like the data breach, awful as they may seem, that's almost like, well, that's the cost of doing business. We have insurance, that's where we're going.
I wish they didn't think that way, but that's how businesses do think, and governments too. You know, like the entities, like, okay. When you're shut down, like the city of Oakland was down for like six weeks. That changes everything, because if you can't perform services for your citizens or your customers, your customers are going to go somewhere else. Your shareholders are going to be sit like, and then you're out of business. So the more idea of like, hey, they're going to take us down. That's when you're going to see, okay, we have to really be cyber secure, take care of this data as well,
which is not just the person identifiable information, it's the sensitive, confidential information you have to run your business, intellectual property. That changes the game, it really does.
Patrick Spencer (42:30.272)
M&A activity, financials, your IP.
Patrick Spencer (42:37.625)
So we're about out of time. This has been a fascinating conversation. Kevin, you know, if you were to look out, say, a year, and the market moves so darn quickly, what are some of the new things that you see on the horizon when it comes to cyber policy, governance, cybersecurity that you think we should be paying attention to?
Kevin Powers (42:46.398)
Yeah.
Kevin Powers (42:56.456)
I think,
Kevin Powers (43:00.894)
Well, I'm going to talk about, I'll talk about like the cloud. That's my favorite thing here. And I just think, software as a service, no matter what, like you'll say to people like, hey, any platform you have, they actually don't back up your data. So you're going to be using a CRM, you think of CDK, what happened with all the car dealerships? That went down and no one had their data backed up. They thought it was backed up by the platform, which...
Patrick Spencer (43:04.749)
Right.
Patrick Spencer (43:29.516)
Yep.
Kevin Powers (43:30.298)
It's on the cloud, but what that means is you're going to get it when they figure it out on their end. And when you get it, could be three weeks, six weeks, whatever. And whatever you get is going to be corrupted and useless anyways. So I think a lot of
Patrick Spencer (43:42.262)
And who knows what retention policies are as well, right?
Kevin Powers (43:45.414)
Yeah, so you have to make sure that you're backing up those platforms. And a lot of companies aren't, like, you know, they just, they don't know. They're like, yeah, it's up there. That's fine. And that's like, hey, that's all your business information. And if you get hit with a cyber attack and you can't run your business, you're out of business. And people aren't thinking that way when they're all up there on those different platforms. And then I think also for businesses, when you look at like the real big corporate ones and the government as well.
What type of platforms are you bringing in there? How are you tying them into your systems? And what type of policies do you have to make sure that anything that's coming in, it gets vetted accordingly? You actually do due diligence, and then you make sure it's secure and make sure you have access to your data and it's immutable. If something happens, disaster recovery. So my fear is there's gonna be a reckoning on that coming down.
Patrick Spencer (44:41.442)
Interesting. One final question for you, because you got me thinking data sovereignty and all of the stuff that's going on with the SaaS providers and so forth. You see that with all those EU regulations we alluded to. Is that becoming more of a concern? You know what was the result of that?
Kevin Powers (44:56.123)
I think so. It's really interesting because I'll go like not talk political, but it seems like everyone's kind of like ran and hid back in their tents for a bit because you had the tariffs and things like that. And then there's talks from the current administration talking about like, hey, if you're going after our tech companies, we're going to like add 200 % tariffs on you. So the question is, are they negotiating that right now?
What's gonna be the change in the game? I feel in the policies and the regulations right now, there's, I don't wanna say, it feels like in limbo right now. Like where are we on this? We have them here, but how are they gonna be enforced? Are they gonna be enforced? Are they going away? So yeah, your question is, I don't know.
Patrick Spencer (45:34.742)
skirt.
Patrick Spencer (45:42.998)
Hopefully in the next year we find out.
Kevin Powers (45:46.42)
That's the thing I was telling the students on that too, when we were talking last night about the FTC and enforcement, you know, like the question is like, you know, where are things going now? Because we talked about LabMD and how things were shifting, and we said, your guess is as good as mine. You know, right now we're looking like, okay, where's the FTC going to go with this? They'll probably keep everything in place, but are they going to enforce, or is it going to be more, you know, to use that term, a reasonable approach? Like, hey, something happens. We're going to work with you, see how you went. And then for every,
you know, data resets out there, we're gonna look and say like, okay, well, you had your program, it's not a matter of if, it's a matter of when, you did everything right here, so there's a harm, but no foul against you, might be a reprimand to fix your program.
Patrick Spencer (46:28.984)
Hmm. Interesting. Well, Kevin, I appreciate your time. For the audience members who want to learn more about the program over at BC, what URLs should they check?
Kevin Powers (46:40.548)
That's a great one. I don't have that off the top of my head. But if you type in Boston College, cybersecurity, you're gonna come right to our web page at Boston College Law School. And one plug for us too, is we host every year with the FBI. We call it the Boston Conference on Cybersecurity. So we're having the ninth conference this year. It's on October 15th. It's already sold out. We have like a wait list of 500 people trying to get in. But we have it available on Zoom. So if you go to our web page, you'll see it there. We have the assistant director
Patrick Spencer (46:48.022)
department.
Kevin Powers (47:10.046)
Brett Leatherman, he's gonna come and speak. And then I'm moderating a panel for you Boston fans out there with the CISO for the Celtics, the CISO for the Red Sox, the Senior Vice President General Counsel for the Bruins, and then the CISO for the Kraft Group, which includes the Wimbledon and of course, New England Patriots. And then we have Billy Evans, who's the Chief of Police for Boston College. And Billy was the Superintendent of Boston Police and then the Commissioner
during the Boston Marathon bombing. So it's gonna be a very interesting panel where we're focusing on like all the data they're collecting, how they manage all that, all the information they have on you, and then the national security concerns, and then just protecting everyone as their fans coming to the game.
Patrick Spencer (47:52.248)
So no one should show up wearing pinstripes, it sounds like. That's some cool stuff. We'll include the link at the bottom of the podcast so you can check
Kevin Powers (47:55.622)
Yeah, none of that. Yeah.
Patrick Spencer (48:09.142)
And Kevin, for someone who wants to contact you, I LinkedIn's probably the best route.
Kevin Powers (48:14.78)
LinkedIn's the best route. I'm pretty active on there. Just reach out and happy to talk to anyone, especially on the cyber stuff. It's not only just like a passion for me, it's like a hobby. So I'm really lucky to be in this space. It's fun. I'd be doing it anyways if I wasn't getting paid from BC. You can edit that part out.
Patrick Spencer (48:33.042)
Well, if you go there, the latest post is a picture of him and Gronk we met with last week over at the BC High School.
Kevin Powers (48:39.987)
Yes!
Yeah, and we were with Robert and Kousy yesterday over at Boston College High School, again, where I graduated, my son graduated from there, and I'm the chair of the board of trustees, and we're opening a new wellness center over there. We had it from the Patrick Katigan Foundation. Pat Katigan was a BC high grad in Boston College, and he actually gifted us $55 million to build this wellness center. We have a new pool, gym.
nutrition center in the weight room, we worked with Gronk's family and his brothers. It's called Gronk Fitness, and, you know, they helped us build up this beautiful weight room facility, and Rob Gronk cut, like, you know, they just, like, such great people. Hey, we'll stop by, we'll meet, like, you know, with the students, we'll do a ribbon cutting. And so Rob came by with his brothers and his dad, who they referred to as Papa Gronk, so all the kids are going, Papa Gronk.
It was a blast. It was really something else. And we really appreciate Gronk and his family for all they've done for us, and especially the Pat Katigan Foundation. Fantastic.
Patrick Spencer (49:49.058)
That's great. Yeah, we didn't have time to talk as much about your philanthropic work. That's for the next podcast.
Kevin Powers (49:55.804)
Yeah, anytime. We'll have to get you over at the law school. You'll love it.
Patrick Spencer (49:59.96)
Well, make sure you check all that out. If you're listening to podcasts, you can find other podcasts at kiteworks.com slash kitecast. Thanks for joining us today. Look forward to having you on our next episode. Thanks, Kevin.
Kevin Powers (50:14.036)
Thank you, Patrick. Awesome.