Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides an review of his participation on a expert panel on developing “A Holistic Approach to Cyber Risk Challenges” convened by the National Cybersecurity Consortium on Jun 26, 2025.
I was invited to participate on an expert panel on the “A Holistic Approach to Cyber Risk Challenges.” Which was organized by the National Cybersecurity Consortium. The mandate of the NCC is to “grow a pan-Canadian network that works with private and public sectors to lead world-class cybersecurity innovation and talent development and to increase cybersecurity-related economic activity in Canada.”
The discussion centered how academic and professional disciplines work together to respond to cybersecurity risks. I was joined on the panel by a technical expert on cybersecurity, Marc Kneppers and mathematician, Ed Furman. The panel was moderated by Amir Belkhelladi, Delloite.
Risk management as it applies to cybersecurity necessarily requires a multi-disciplinary approach to ensure all factors are considered to most effectively protect an organization.
The panel provided me with an opportunity to highlight the fact that Ontario Tech University has recently been approved to deliver a Ph.D. in Cybersecurity. I am a faculty member of the Institute of Cybersecurity and Resilient Systems and we are engaged in interdisciplinary research on this topic. The focus of the Institute is to examine issues surrounding the use and protection of emerging technologies such as the Internet of Things (IoT), Artificial Intelligence, 5G networks, Autonomous Vehicles, and Blockchain in both public and private sectors.
As an academic researcher and practicing lawyer that focuses on privacy law and cyber security I have been engaged in interdisciplinary research for most of my career. Interdisciplinary research is hard to do well because it requires you to unlearn things that took you a long time to learn and recognize the limitations of your own discipline.
Legal reasoning is increasingly applied in cybersecurity because it resolves uncertainty over time. It does this be applying law to cases and establishing precedent out of which a legal principle will emerge that will be the basis of deciding future cases and more practically out of court settlements.
This has a distinct advantage over quantitative reasoning which works best if there is an optimal solution that can be specified objectively. The disadvantage of course is that legal opinions are context specific making them harder to generalize and the subject matter is highly technical and this requires specialized expertise. Moreover, a legal case can take many years to resolve and technology changes rapidly. Legal reasoning also applies to the interpretation of regulatory requirements. Satisfying these obligations is necessary for a company to demonstrate compliance. Regulations change often so this is an ongoing challenge.
One interesting insight from the panel discussion was the differences in meaning and orientation in academic disciplines. For example, when lawyers discuss reasonableness, they are trying to determine established practices. This will form the basis for asserting a standard of care that the defendant in a civil action has breached (or not). Engineers by contrast are interested in effectiveness which means better than current state in some objectively quantified way.
This is important because when making complex decisions, descriptive assessments invariably yield to normative value judgements. While empirical quantification is necessary and valid if it is not aligned with the inference made as to the best explanation then it is likely to get discounted. Lawyers tend to do better here because they are trained to develop a theory of a case, which is a complex fact pattern that involves conflicting evidence.
However, a lawyers main aim is to mitigate legal risk in the best interests of their client. They will seek to control the information flows of an organization both internally and externally in order maintain legal privilege and confidentiality. This aim is at times in conflict with the cybersecurity professionals desire to undertake a root cause analysis of a cyber breach and engage in remediation efforts to get the company operational as quickly as possible. Sharing details of vulnerabilities and applying patches is necessary for the development of more robust security.
The panel concluded that a willingness to understand and engage with other disciplines and understanding the limits of your own discipline will prevent siloed approaches to problem solving and improve decision-making with respect to risk analysis in cybersecurity.
As will all good research patience, perseverance and curiosity are the [cryptographic] keys!
Rajen Akalu
647 299 5079
rajen@akalulaw.com
