Professor Steve Black is Professor of Law at Texas Tech University and has taught at seven law schools and two business schools, focusing on cybersecurity, technology, privacy, money, and the law. He is a frequent speaker worldwide and has been named a Visiting Scholar at the National University of Singapore. Professor Black has been cited in Forbes, and his articles have been published in leading US law journals. He has an LL.M from the University of Washington, a J.D. from the J. Reuben Clark Law School and a B.S. in Mathematics from Brigham Young University. He began coding at age 12, works with students on entrepreneurship technology, and is teaching himself to play the ukulele. 

What are the key suggestions for staying compliant in the age of AI, especially for businesses operating across borders?  

AI governance involves a tough balance between business interests (including private ownership and innovation) and accountability. Who is responsible when AI goes wrong? 

The concept of “algorithmic accountability” proposes that AI developers and operators should be liable for the actions of their systems. This involves an examination of ethical principles such as fairness, transparency, privacy, and responsibility. However, a transparent AI system is also susceptible to reverse engineering and increased competition. At this stage of AI development, is it wise to impose more costs on developers which can slow down innovation? Does that mean that other countries might achieve technical dominance while we are concerned about developer responsibility?  

For businesses that operate worldwide, staying ahead of these concerns means recognizing the following. First, a multidisciplinary team is necessary. Addressing ethical challenges with AI systems requires insights from not only computer science and engineering but also law, social sciences, and humanities.  

Second, that team needs to be aware that international collaboration is crucial. AI involves data privacy, digital inequality, cultural awareness, and accountability.   

Third, AI development is not only about pushing the technology as far and as fast as we can. It also requires an awareness of the impact of biases, data ownership, IP laws, privacy, and fairness. Teams that are able to balance an appreciation of these factors while managing technological magic will fare well. 

Can you discuss the critical business impact of cybersecurity in the financial sector and how organizations can navigate these challenges? 

Financial institutions are prime targets for cyberattacks due to 1) the vast amounts of sensitive data they possess, 2) the significant financial assets they manage, and 3) the position of trust they occupy in the economy. The repercussions of cybersecurity breaches in the financial sector are multifaceted and can have far-reaching consequences.   

Breaches can result in direct financial losses and indirect costs associated with remediation efforts, legal fees, regulatory fines, and reputational damage. Breaches also shake investor trust, which can weaken an economy and have political repercussions, as even brief disruptions can have cascading effects on markets, trading activities, and customer service, potentially causing widespread economic impact.  

To navigate these challenges, organizations in the financial sector must prioritize cybersecurity as a core business function. That includes a robust risk management program focused on cybersecurity (in addition to, and sometimes separate from, other risk management teams in the organization), constant employee training and attention to institutional security culture, a compliance team that communicates with (or is part of) the security team, and developing a world-class incident response programme. Financial firms need to be proactive in their security posture and realise that, because of the critical role they play in the economic stability of the country or countries that they serve, cybersecurity needs to be a business priority.

How do you see the role of business leadership evolving in the context of cybersecurity?  

First, the role of a CISO is expanding. CISOs are becoming more than security managers. While managing an organization’s security is a big enough job, they are now being asked to lead budget strategy, crisis PR, and culture development as well as inform other business leaders about risk management in cybersecurity.  

Second, security is now becoming an issue for investors. This means that all business leaders now have to consider how decisions and statements that affect security concerns will be viewed by investors now and in the future. It also means that internal communications that contradict public facing statements can be used as evidence in securities fraud cases, which forces business leaders to consider a host of issues.  

Third, the board needs to increase its oversight (and understanding) of key security issues. Governments require that board members have security awareness and training.  

While these are positive changes, they require organizations to rethink policies, training, and the overall culture of the organization with respect to security concerns.  

What are the top ten legal issues that CISOs should be aware of in 2025, and how can they navigate this complex landscape?  

#10 Ransomware – to pay or not to pay? 

#9 Exclusions from cyber insurance 

#8 Supply chain liability 

#7 Work from home and remote work 

#6 Working with law enforcement 

#5 Intellectual property, trade secrets, and the breach 

#4 Breach litigation 

#3 Personal liability and breach of duty 

#2 Insider threats and employee privacy 

#1 Alphabet soup – GDPR, CCPA, HIPAA, COPPA, GLBA, and LGPD 

The role of the CISO is changing. On the one hand, it requires technical and managerial skill to run an effective security team. That’s the “ISO” part. However, there’s also the “C” part, which means that in some organizations, the CISO is taking over from the CIO and sharing responsibility with the CFO. Recent interviews have suggested that CISOs (and potential CISOs) want/need more training … in business, in law, and in management skills. Instead of merely reporting to the C-suite, they are becoming a valued part of the business strategy team, and the breadth of skills to get there is overwhelming. 

What strategies do you recommend for addressing the human element and insider threats effectively in cybersecurity?  

We all recognize that humans allow cybersecurity incidents to happen. Whether that is because someone misconfigured a server, clicked on a suspicious link in an email, or just didn’t think far enough down the road to recognize how a criminal might infiltrate the network, our job is about people. It happens and we’re not even considering how many attacks succeed because someone inside my organization fell prey to really, really good social engineering ploys.  

When the threat is inside our walls, we have to adopt a different mindset. On the one hand, I want my organization to be security minded and that takes a certain level of esprit de corps, a level of trust and loyalty. It’s the mindset that says this is our house and we will defend it from all external threats.  

On the other hand, as a security professional, I also need to have a cynical eye to watch for signs and opportunities for someone inside the organization to betray us, or for someone who could be a target for recruitment by a competitor. Insider threats run the gamut from unintentional accidents to sabotage and espionage, and an effective mitigation strategy requires that I prepare my team and my organization for those types of events.

However, this requires a difficult balance. A culture of trust and unity can easily be destroyed if employees believe that they are being watched for signs of sabotage or espionage. An effective security professional is able to build the security culture while minimizing the intrusion of vigilant safeguards.