Cybersecurity increasingly sits at the intersection of law and technology. Decades of digitization of business and society have entangled legal and technical requirements, and operational and governance considerations, to the point where they can no longer be treated separately. As workloads, assets, and capabilities shift to the cloud, to artificial intelligence, to supply chain networks, and to multiple interconnected ecosystems, laws and technologies have become increasingly codependent in shaping cybersecurity best practices.
A key factor driving this is the expansion of the legal and regulatory construct of “reasonable security.” Regulators, courts, and statutes increasingly judge an organization by whether it put in place cybersecurity controls that reflect industry best practices and widely adopted cybersecurity frameworks. As a result, frameworks and guidelines such as the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, once optional and treated as best-practice guidance, are now close to de facto standards for demonstrating that an organization’s cybersecurity governance exists, is audit-ready, and is resilient to incidents. A security program that is genuinely aligned to such a framework can use that alignment to show due care, to defend the risk-based trade-offs it made, and to provide a common vocabulary for communication in the event of a regulatory investigation or litigation. Alignment only carries that weight when it is backed by evidence: mapped controls, test results, and records of the decisions taken, not a policy document alone.
Additional legal areas with a similar effect include data privacy and breach notification requirements. Data privacy laws such as the GDPR and CCPA place a premium on transparency, data minimization, and accountability throughout the data lifecycle. The controls that support privacy compliance, among them identity and access management, encryption, logging and monitoring, and secure software development, are cybersecurity controls as well. Breach notification requirements create a parallel incentive for detection and response readiness, and for forensic readiness: a notification deadline can only be met if the organization can quickly determine what happened and which data was affected. Incident response should therefore be designed and tested alongside legal counsel and breach response teams, so that evidence and privilege are preserved, data and impact are accurately assessed, and communications are coordinated in a way that limits liability and protects trust.
Third-party risk is another example of the complexities of this convergence. Modern business practices routinely rely on other organizations for data processing, infrastructure hosting, service delivery, and software features. This has legal implications, including contracts, data protection addenda, service-level agreements, and indemnity clauses. It has technical impacts too: it expands the overall attack surface, widens the scope of what must be auditable, and reduces visibility into threats and into actions taken on the organization’s behalf. Vendor risk management is therefore a matter of contract language that ties to identifiable and measurable controls, such as audit rights, minimum security baselines, incident reporting timelines, expectations around penetration testing, and secure data handling requirements. Contract language alone is not a control, however; it should be backed by technical verification and continuous monitoring of vendor controls where appropriate, and by periodic reassessment.
New technologies, and their adoption and deployment models, further complicate the convergence of law and technology. AI systems expose organizations to new legal and ethical risks, such as bias, transparency, explainability, data provenance, and model integrity, alongside increasingly important security risks such as prompt injection, leakage of training or model data, and adversarial manipulation. Organizations will need to extend their cybersecurity governance to AI, including risk assessment, model risk management, and control testing commensurate with the technical, ethical, and legal risks involved. The same applies to cloud and remote work infrastructure, which places a premium on zero trust principles, strong authentication, least privilege, and configuration management; each of these matters from a cybersecurity perspective and overlaps directly with regulatory expectations.
To continue improving security outcomes, legal and business leaders need to understand technology, and technical and security leaders need to design security programs that are auditable, produce evidence, and align with both technical constraints and legal obligations and duties. Organizations should treat cybersecurity as a socio-technical system: it needs policy, controls, training and awareness, and measurement that ties controls to governance standards. The result is a system that supports trust, resilience, and accountability, and ultimately the business goals of sustainable innovation and value creation at a global scale.

