Transcript

Patrick Spencer (00:02.446)
Hey everyone, welcome back to another Kitecast episode. I’m really excited about today’s episode because we’re going to be speaking with Kevin Powers, who has some great stories he can tell us. He, just to give you an introduction, is the Faculty Director and Lecturer in Law for the Masters of Legal Studies in Cybersecurity Risk and Governance Program at Boston College Law School. He’s an expert in cybersecurity, data privacy, and AI governance.

And he also serves as an assistant professor at BC’s Carroll School of Management and MIT Sloan research affiliate and lecturer. And he’s on the board—he’s the chair actually—at the BC High School. We’re going to talk a bit about that and some of the things he’s been doing there that are really cool. He holds a JD from Suffolk Law and a bachelor’s from Salem State University. Looking forward to this conversation. Thanks for joining us today.

Kevin Powers (00:57.628)
Yeah, thanks for having me, Patrick. Pleasure to be here, for sure.

Patrick Spencer (01:01.25)
So beforehand we were—you got my interest piqued—we were talking about how you found this program over at BC, and you said it’s a really good story. It wasn’t intended. How did you start off in the role that you have over there?

Kevin Powers (01:18.836)
Yeah, and this just goes to, if you don’t plan something, good things happen. Sometimes you just have to be open to opportunities. So in 2013, I came back to Boston. I was working down in DC, actually commuting back and forth, working for the Department of Defense.

Kevin Powers (01:41.524)
I worked with Vice Admiral McDonald, the convening authority for the Military Commission. My role was to help them get to arraignment in the 9/11 co-conspirator case and the USS Cole bomber case. I went down there to work as a legal advisor. I always taught as an adjunct—U.S. Naval Academy, then BU, then Northeastern.

Kevin Powers (02:38.836)
I came back and saw there was a new dean at Boston College. I have a great relationship with BC. I reached out to Father James Burns, dean of the Woods College of Advancing Studies: “Hey, I’m back from DC. If you have any class, I’m happy to help out.” He said great credentials, no opportunities, but he’d keep a file on me.

Patrick Spencer (02:50.414)
Yeah, we’re in.

Kevin Powers (03:08.052)
Two weeks later, one of his faculty members needed hip surgery, so I filled in. That went well. Then Father reached out—at the time I was in-house counsel at ATS (security platforms for Army Intel, Navy Intel, USPTO). He mentioned they were looking to do a cyber course or program and asked me to join a task force.

Patrick Spencer (03:18.602)
Hmm.

Kevin Powers (03:36.436)
Around Thanksgiving 2014, I attend a meeting. Everyone’s focused on a purely technical program. I said cybersecurity isn’t just technical—BC is interdisciplinary: business school, law school, computer science, liberal arts. If we do a program, it should reflect that. Meeting ends, and I ask, “What are our next steps?”

Patrick Spencer (03:53.954)
Yeah.

Kevin Powers (04:05.396)
They were handing out Thanksgiving chocolates and said, “We’ll type up notes and meet in March.” I asked what to do until then. Father Burns—action-oriented—asked what I wanted to do. I said I’d talk to friends in government and industry to define needs and build a curriculum toward the future CISO.

Patrick Spencer (04:13.422)
Yeah.

Patrick Spencer (04:33.974)
Ha ha ha.

Kevin Powers (04:34.344)
From then on, we engaged federal and private leaders: White House CISO, DHS Secretary Jeh Johnson, FBI, DoD, State Street, Fidelity, Bank of America, Lockheed, Raytheon, Microsoft—Kevin Mandia was super helpful—plus local city and state CISOs. Instead of a single course, we built a full curriculum.

Patrick Spencer (05:40.833)
Well.

Kevin Powers (05:53.180)
Next, we met with the provost office and EMC leadership. Retired Rear Admiral Mike Brown kicked off with “we support this 100%.” Fast-forward: I’m at Disney about to ride Space Mountain when Father Burns calls—he’d met with President Leahy: “We’re launching, and you need to run it.”

Patrick Spencer (07:44.974)
I’m—

Kevin Powers (07:47.636)
A year later, task force meets again: we’re launching as a proof of concept in the School of Continuing Education and will determine the long-term home later.

Kevin Powers (08:45.000)
On November 9, 2015, I joined BC full-time. We launched the M.S. in Cybersecurity Policy & Governance. We’ve since realigned to the Law School as the Master of Legal Studies in Cybersecurity Risk & Governance, for lawyers and non-lawyers. Cross-listed courses include law students and practitioners (FBI, finance, government, Big Four, attorneys).

Patrick Spencer (09:36.802)
Right place, right time in many ways, right?

Kevin Powers (09:38.736)
It really was—credit to BC leadership. Now we’re leaders in the space.

Patrick Spencer (09:52.430)
Back in 2016, few true cybersecurity degrees existed.

Kevin Powers (10:01.976)
There were programs, but not built like ours. Many were siloed—technical only or policy without integration. We purpose-built interdisciplinary and moved it to the Law School.

Patrick Spencer (11:06.894)
What departments are involved? Credits? Length?

Kevin Powers (11:30.788)
Ten courses total. Five core, two required law electives, and three open electives. Required law offerings include cyber crime, national security, international cyber, data privacy, and cyber litigation.

Patrick Spencer (11:58.174)
And student backgrounds?

Kevin Powers (12:07.188)
Average age ~33; we’ve had students from 5th-year BC undergrads to executives (e.g., MITRE). The FBI has been a strong partner—~23 graduates. Many from finance/compliance upskilling into cyber; AI awareness is shifting roles from entry-level pyramids to a “diamond” with more mid-level demand.

Patrick Spencer (14:12.620)
How many CISOs vs other leaders?

Kevin Powers (14:22.516)
More info-sec officers, risk/compliance SVPs, COOs/CFOs. We do have sitting CISOs seeking deeper business, legal, and regulatory understanding. Uniquely, all faculty are adjunct practitioners—real-world experts, many alumni.

Patrick Spencer (15:54.126)
Have demographics changed?

Kevin Powers (16:01.396)
Getting younger. Early cohorts skewed senior; now more building a career path in cyber that isn’t purely technical.

Patrick Spencer (16:49.902)
On policy management, are orgs recognizing the need for experts given exploding global regulations?

Kevin Powers (17:27.220)
Yes. Boards used to be disengaged; now SEC rules, NY DFS Part 500, and FTC safeguards push oversight. EU’s DORA and NIS2 echo that. Cybersecurity is a core business function—downtime kills revenue.

Patrick Spencer (19:40.505)
Liability pressures—are students motivated by personal/org risk?

Kevin Powers (20:29.256)
CISOs worry. We advise on D&O coverage, documentation, and working with boards. Regulators historically treated victims like defendants; “reasonableness” should consider whole programs, not single missteps.

Patrick Spencer (24:35.030)
Four-day SEC notice confusion, board responsibilities?

Kevin Powers (24:41.748)
Disclosure is for material breaches and may take weeks to determine. Board oversight should include cyber—align security to business strategy.

Patrick Spencer (25:06.828)
Do you train students to brief boards and senior management?

Kevin Powers (25:32.564)
That’s the point—bridge the communication gap and build a practical ecosystem across regulators, industry, and academia.

Patrick Spencer (26:14.542)
How did your gov/private background shape the program?

Kevin Powers (26:38.612)
Career across DOJ, JAG, private practice, military commissions, and academia gave me the three-leg stool: government, industry, academia working together.

Patrick Spencer (27:44.130)
CMMC impact on the DIB?

Kevin Powers (28:33.606)
Important and feasible, but primes must help small subs—the weakest link. We cover CMMC/FedRAMP extensively; much is basic hygiene aligned to NIST.

Patrick Spencer (30:40.142)
Once you do NIST 800-171, others get easier?

Kevin Powers (31:06.964)
Yes—map standards to NIST and show regulators your posture. Presentation matters to boards and regulators.

Patrick Spencer (32:12.270)
Do tech silos impede risk management?

Kevin Powers (32:39.340)
Yes. Many tools, configurations, and now AI in every SaaS increase complexity. Vendor due diligence is uneven; self-assessments can be unreliable.

Patrick Spencer (34:23.214)
AI risk and November 2022 inflection?

Kevin Powers (35:09.364)
We pivoted fast. My “Intersection of Cyber Law, AI, and Privacy” course now weights oral work heavily to emphasize critical thinking. Use AI as a tool, but think. Policy is evolving: federal pace vs. state AI rules (like privacy before).

Patrick Spencer (39:04.780)
Data governance rising?

Kevin Powers (39:26.260)
Lots of talk; execution lags. Many SMEs lack CISOs and even basic managed oversight. We’re still early as a field.

Patrick Spencer (40:41.262)
Penalties will drive change—especially around AI data risks.

Kevin Powers (40:57.598)
Board-level focus over the next 3–5 years should improve things. Outages that halt operations—not just data breaches—are what truly change behavior.

Patrick Spencer (42:37.625)
Looking a year out—what should we watch?

Kevin Powers (43:00.894)
Cloud/SaaS data backups. Many assume platforms back up customer data—they often don’t (see CDK/dealerships). Ensure backups, immutability, and disaster recovery. Vet platforms, integrations, and access rigorously.

Patrick Spencer (44:41.442)
Data sovereignty—more concern?

Kevin Powers (44:56.123)
Feels in limbo with broader policy/geo-economic tensions. Enforcement approach remains a question.

Patrick Spencer (46:28.984)
Where can listeners learn more about the BC program?

Kevin Powers (46:40.548)
Search for “Boston College cybersecurity” and you’ll find the Law School page. We co-host the Boston Conference on Cybersecurity with the FBI (October 15). It’s sold out, but Zoom is available via the site.

Patrick Spencer (48:09.142)
Best way to contact you—LinkedIn?

Kevin Powers (48:14.780)
LinkedIn is best. I’m active and happy to connect on cyber.

Patrick Spencer (49:59.960)
Find more episodes at kiteworks.com/kitecast. Thanks for joining us, Kevin.

Kevin Powers (50:14.036)
Thank you, Patrick. Awesome.
