Tag: Edsel Shreve

  • Whisper Report: What are the best practices for integrating AI and machine learning into our security systems?

    Published to clients: March 10, 2026

    ID: TBW2074

    Published to Whisper Club: March 10, 2026

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    Abstract:

    “This Whisper Report addresses the question regarding the best practices for integrating AI and ML into our security systems. It highlights how leaders emphasize protecting PII, using selective data movement, optimizing hardware, choosing the right models, and knowing when AI should not be applied. Insights come from LVT’s Steve Lindsey, Safr’s John Cassise, 360 Privacy’s Trinity Davis, Intel’s Mike Nielsen, RightCrowd’s Jason Bohrer, Bioconnect’s Edsel Shreve, Vaidio’s Marshall Tyler, and Databuoy’s Kathleen Griggs.”

    Analysis available only to clients at this time. Join the YouTube Whisper Club at the Whisper Club Level to get access to the video edition today.

    Related playlists

    1. Industry Whispers: Public is Private – Confidential Computing in the Cloud | TBW ADVISORS
    2. Conference Whispers: Black Hat USA 2019
    3. Whisper Report: How can we enhance our cybersecurity measures to protect against emerging Cyber Physical threats? 
    4. Conference Whispers: ISC West 2025
    5. Conference Whispers: Identiverse 2025
    6. Playlist for Whisper Report: What are the best practices for integrating AI and machine learning into our security systems?

    Corporate Headquarters

    2884 Grand Helios Way

    Henderson, NV 89052

    ©2019-2025 TBW Advisors LLC. All rights reserved. TBW, Technical Business Whispers, Fact-based research and Advisory, Conference Whispers, Industry Whispers, Email Whispers, The Answer is always in the Whispers, Whisper Reports, Whisper Studies, Whisper Ranking, The Answer is always in the Whispers, and One Change a Month, are trademarks or registered trademarks of TBW Advisors LLC. This publication may not be reproduced or distributed in any form without TBW’s prior written permission. It consists of the opinions of TBW’s research organization which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, TBW disclaims all warranties as to the accuracy, completeness or adequacy of such information. TBW does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by the TBW Usage Policy. TBW research is produced independently by its research organization without influence or input from a third party. For further information, see Fact-based research publications on our website for more details.

  • Whisper Report: How can we ensure compliance with new and evolving Cyber Physical security regulations?

    Published to clients: July 10, 2025

    ID: 2075

    Published to Whisper Club: December 19, 2025

    Email Whispers Release:  March 23, 2026

    Public: March 24, 2026

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    Abstract:

    Cyber-physical security, like healthcare tech, must carefully manage PII. Experts highlight privacy-preserving biometrics, user-controlled consent, and anonymous face matching. Regulatory compliance, such as GDPR, drives standardization and innovation. As laws vary by region, adaptable and consistent global system architectures are essential for scalable, secure, and compliant operations.

    Target Audience Titles:

    • Chief Technology Officer, Chief Security Officer, Chief Information and Security Officer, Chief Trust Officer, Chief Compliance Officer, Chief Risk Officer
    • Head of Product, VP of Product, Chief Marketing Officer, Data Protection Officer
    • Enterprise Architect, Director of Data Protection, Director of Data Governance, Chief Privacy Officer

    Key Takeaways

    • Privacy-first design: Cyber-physical systems must protect PII using encrypted biometrics, local storage, and user-controlled consent mechanisms.
    • Anonymity matters: Face matching enables identity verification without revealing personal data, preserving user anonymity.
    • Compliance drives innovation: Regulations like GDPR standardize data practices and encourage secure, privacy-focused system development.
    • Global consistency is key: Scalable, compliant operations require adaptable, non-proprietary architectures across diverse regions and regulatory environments.

    How can we ensure compliance with new and evolving Cyber Physical security regulations?

    We took the most frequently asked and most urgent technology questions straight to the cyber physical security experts gathering at ISC West 2025. This Whisper Report addresses the question of how we can ensure compliance with new and evolving cyber physical security regulations. We will now explore the four signs you are on the correct path, as depicted in Figure 1.

    Figure 1. 4 signs you are on the correct path: ensure data privacy, maintain anonymity, meet regulatory compliance and deploy leveraging a globally consistent architecture

    Data Privacy

    One very interesting aspect of the cyber physical security space that is reminiscent of healthcare tech is the handling of PII, or personally identifiable information. As Safr’s John Cassie shared, in the cyber physical space it “has a lot to do with what we talked about as far as PII and how we manage data.” Or as LVT’s Steve Lindsey observed, “what we call private or data of sovereignty .. from a data security perspective the technology and the architectures of how these systems are built really have to be in place to address that the PII information really comes down to our use of AI.”

    Fortunately, the regulations for privacy include related standards for vendors. As Intel’s RealSense’s Mike Nielsen noted, “I have been very excited about the Privacy preservation of biometric data is really possible now so I can get a template of a human being from their face that can be stored and encrypted it can be handed back to me so in my pocket.”

    Managing user consent is a must to achieve privacy in the cyber physical space. Bioconnect’s Edsel Shreve argued, “in privacy where more and more controls going in the user’s hand to say yes I am allowing you to use my biometric. If I ever want to revoke that consent I need proof that you deleted my data and that it’s no longer being used.” He further explained, “we build in to both an upfront gather consent with an audit trail that says okay the user provided consent we didn’t just check a box and say yeah.” Furthermore, the solution must cover the full lifecycle of permission. Edsel Shreve further explained, “you can just do regular maintenance and go in and say who hasn’t authenticated in 6 months what are we going to do with that data right do we want to delete the template or just alert the person or alert an administrator.”
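The consent lifecycle described above (consent captured with an audit trail, revocation that yields a deletion record, and a maintenance pass over users idle for about six months) can be sketched as follows. This is an added example, not code from the report or from any vendor quoted in it; the class name, field names and the 183-day threshold are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" of the first audit record


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Template store with a hash-chained, append-only consent audit trail."""

    def __init__(self):
        self.templates = {}  # user -> encrypted template bytes (opaque here)
        self.last_auth = {}  # user -> time of last successful authentication
        self.audit = []      # audit records, each chained to the one before it

    def _log(self, event, user, when, **detail):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = {"event": event, "user": user, "at": when.isoformat(),
                "detail": detail, "prev": prev}
        self.audit.append({**body, "hash": _digest(body)})
        return self.audit[-1]

    def enroll(self, user, template, consent_text, when):
        if not consent_text.strip():
            raise ValueError("consent text is required before storing a template")
        self.templates[user] = template
        self.last_auth[user] = when
        # Record which wording the user agreed to, not just a checked box.
        agreed = hashlib.sha256(consent_text.encode()).hexdigest()
        return self._log("consent_granted", user, when, consent_sha256=agreed)

    def authenticate(self, user, when):
        if user not in self.templates:
            return False
        self.last_auth[user] = when
        return True

    def revoke(self, user, when):
        """Delete the template; the returned audit record is the deletion receipt."""
        existed = self.templates.pop(user, None) is not None
        self.last_auth.pop(user, None)
        return self._log("consent_revoked", user, when, template_deleted=existed)

    def stale(self, now, max_idle=timedelta(days=183)):
        """Users with no authentication for about six months (maintenance review)."""
        return sorted(u for u, t in self.last_auth.items() if now - t > max_idle)

    def verify_chain(self):
        prev = GENESIS
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


if __name__ == "__main__":  # constructed sample data
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.enroll("alice", b"\x00" * 512, "I allow use of my face template", t0)
    print(ledger.stale(t0 + timedelta(days=200)))
    print(ledger.revoke("alice", t0 + timedelta(days=200))["detail"])
    print("audit trail intact:", ledger.verify_chain())
```

The receipt is tamper-evident evidence that the deletion was recorded; it does not by itself show that copies in backups or replicas are gone, which needs its own control.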

    Anonymity

    Anonymity has to do with the lack of the ability to identify the person. As LVT’s Steve Lindsey commented, “there’s a difference between facial recognition and face matching right.” Facial recognition includes identification while facial matching allows the face to remain anonymous. A great example was revealed by Intel’s RealSense’s Mike Nielsen.

    “I’ve actually got a version of my this QR code is my face template. From this is 512 bytes it’s a it’s just a simple Vector map that looks at 80 points on my face but it’s mine. This isn’t sitting in a database somewhere. This isn’t living on somebody’s server. This is physically in my pocket as a badge. I can then apply that (badge) by walking up to one of our devices – one of our cameras have the scan. It pulls in that QR code, evaluates what that template looks like. Then I look at the camera it pulls the template from my actual face and compares the two. The cool thing about the techniques that is it’s privacy preserving by definition it never leaves the device it can be dissolved immediately and you never have to send a picture or any personally identifiable info anywhere outside of me scanning my badge. Then the device makes sure I can unlock that door.”

    Thus, this example achieves privacy and anonymity.

    Regulatory Compliance

    When it comes to cybersecurity and data governance, there are the things you want to do as an organization based on your public commitments, such as your privacy statements. Then there are legal requirements, sometimes tied to a location and sometimes defined by your industry, which are referred to as regulatory compliance. As LVT’s Steve Lindsey put it, “we think about the problem in the context of the compliance and Regulatory things that we have to have as we’re designing and building this stuff from the beginning.” Furthermore, since we are dealing with cyber physical security,

    The best part about regulatory compliance according to Intel RealSense’s Mike Nielsen is, “they’re really well defined at least in the case of like GDPR so GDPR has very strange requirements on how to use PII but specifically how to use sensitive PII like biometric information one of the things that we’ve seen help move the industry forward ironically is having the regulation in place allows people to have a Level Playing Field.” That means that vendors will not be penalized for taking the more difficult road by protecting the customer as all must take equal precautions. Gary Chen of EverFocus noted, “to ensure that we have keep our regulations up to date, we need to keep advancing our technology and mostly from our end installers that will be the key .. also keep good connection with your customer.”

    Requirements evolve by location, as every product vendor will realize. As Bioconnect’s Edsel Shreve observed, “One of the things that’s occurring is that whether it’s in Europe or in each state coming up with new requirements for both security of data and compliance.” When faced with this challenge, it is always best to step back and see how to adjust the architecture to accommodate the capability as a configurable option rather than creating a product branch. Today’s regulations in location A become tomorrow’s regulations in location Z. One can then configure at the system level as regulations evolve in different locations.

    Finally, it is important to keep in mind the architecture must accommodate the cyber physical security space. who has “from an access control standpoint is not only managing who has access in and out of the mine but also incorporating some functionality around safety who’s completed what safety classes and if they haven’t completed the proper classes then we have the ability to manage access control based on what needs to happen.” Cyber physical security includes the physical safety of the employees themselves and all that goes into ensuring safety compliance regulations are met – in each location.

    Consistent Architecture

    The complexity of cyber physical security grows the more widely an organization’s physical sites are spread across country and continental boundaries. As one might expect, different vendors have different footprints across the globe. For smooth global operations one generally recommends standardized solutions as opposed to proprietary solutions. As Safr’s John Cassie explained, “would be nice if I could just capture that from the existing access control system and not have to do some extra procedure so that’s another element that allows us to have sort of this compliance across my entire security platform. As long as I am not using solutions that are pigeonholing me into proprietary solutions.” There may be slightly better solutions for this or that aspect available locally, but those frequently ruin the ability to have global clarity. It is critical to maintain a consistent architecture globally unless you want custom roadmap items for each and every change. If you are anywhere in the lifecycle of trying to realize such a solution, be sure to set up an inquiry plan so that an expert who has been there can provide actionable guidance.

    Related playlists

    1. Industry Whispers: Public is Private – Confidential Computing in the Cloud | TBW ADVISORS
    2. Conference Whispers: Black Hat USA 2019
    3. Whisper Report: How can we enhance our cybersecurity measures to protect against emerging Cyber Physical threats? 
    4. How can we ensure compliance with new and emerging cyber physical security regulations?
    5. Conference Whispers: ISC West 2025


  • Whisper Report: How can we enhance our cybersecurity measures to protect against emerging Cyber Physical threats? 

    Published to clients: May 20, 2025

    ID: 2073

    Published to Readers: May 21, 2025

    Email Whispers: June 13, 2025  

    Video Edition: June 13, 2025

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    Abstract:

    As cyber and physical security continue to merge, proactive, multi-layered strategies are essential to safeguard critical assets in interconnected environments. Secure data practices, including encryption for data in transit, at rest, and during compute, ensure compliance with high security standards. Architectural resilience is crucial, integrating cybersecurity from the outset rather than retrofitting outdated systems. Correlating physical and cyber events provides valuable context. Finally, digitizing workflows streamlines response efficiency, minimizing the window of vulnerability during attacks.

    Target Audience Titles:

    • Chief Technology Officer, Chief Security Officer
    • Chief Information and Security Officer, VP of Cybersecurity
    • Director Cyber Physical Security, Security Analyst
    • Cybersecurity Engineer, Incident Response Analyst

    Key Takeaways

    • Data must be encrypted at rest, in transit, and during execution.
    • Cyber Physical security requires a securely designed architecture from the start.
    • Cyber and physical threats must be correlated.
    • Only a digitized workflow can respond with the required speed to cyber physical threats.

    Secure data

    As with all security, cyber physical security must also be concerned with “data security and encryption … that’s data in the device, data in transit, data in rest at the servers, and so all of those things we have the highest level standards and we also meet more advanced requirements,” according to Bioconnect’s Edsel Shreve. The solution should be flexible enough to enable any data protection requirements that come into play. Edsel Shreve went on to further explain, “for example you need to do certificate rotation for things like TLS encryption So we can do those things not every customer wants them but those are the things that we’ve actually got in our system for the folks that have those higher level requirements so it really is the combination of how do we make sure that they’re cyber secure sitting on the network and then how do we make sure that they’re physically and the data is secure on the readers and devices themselves.” In addition, TBW Advisors LLC recommends confidential computing architectures for protection and privacy during computations. For additional information see Industry Whispers: Public is Private – Confidential Computing in the Cloud.

    Secure Architecture

    Taking a 1968 Mustang and updating it to 2025 safety standards would be quite the challenge and would likely end up as an ugly beast that is neither safe nor resembling a Mustang. Cyber physical security is no different than safety. It must be thought of and integrated from the very beginning. As LVT’s Steve Lindsey explained, “it starts with architecture if we can rethink our architectures and we can start building for cyber security in mind.” The challenge of physical cyber security, as Steve Lindsey described it, is that “for the longest time in the physical security space we’ve been using on premise systems and as we’ve lifted and shifted those into the cloud .. what complicates that is as we’re deploying these systems it’s not just cloud to end User, it’s Cloud to IoT (Internet of Things) device which is going through usually public cellular or satellite infrastructure itself and there’s other things that need to be done to address that.”


    Correlate Physical Cyber Events

    The real power of cyber physical security is the two areas working together to correlate events. Through correlation, context and a greater understanding are realized. An example shared by Advancis’ Paul Shanks demonstrates this best. “Someone loses their badge and falls out of their pocket and they’re logged into the network from home and their badge is used at the building. Those two events by themselves are benign but we take that together and create an alert for the operator to look into whether is it a Cyber attack or is it a physical attack.”
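The correlation in this example, a badge used at the building while its owner has an open remote session, can be expressed as a small detection rule over a merged event stream. This is an added example, not code from the report or from Advancis; the log format, field names and sample events are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events in a hypothetical "timestamp source key=value" format.
SAMPLE_LOG = """\
2025-04-02T08:55:10 vpn event=login user=jdoe src=home
2025-04-02T09:01:00 badge event=swipe user=asmith door=lobby
2025-04-02T09:20:41 badge event=swipe user=jdoe door=lobby
2025-04-02T12:00:00 vpn event=logout user=jdoe src=home
2025-04-02T13:05:00 badge event=swipe user=jdoe door=lab
2025-04-02T14:00:00 vpn event=login user=asmith src=home
2025-04-02T14:00:30 vpn event=bogus
"""


def parse_line(line):
    """Return (time, source, fields), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
    except ValueError:
        return None
    if "user" not in fields or "event" not in fields:
        return None
    return when, parts[1], fields


def correlate(log_text):
    """Alert when a badge is used on site while its owner is logged in remotely."""
    parsed = filter(None, map(parse_line, log_text.splitlines()))
    events = sorted(parsed, key=lambda e: e[0])  # the two feeds may interleave
    remote_since = {}  # user -> login time of the currently open remote session
    alerts = []
    for when, source, f in events:
        user = f["user"]
        if source == "vpn" and f["event"] == "login":
            remote_since[user] = when
        elif source == "vpn" and f["event"] == "logout":
            remote_since.pop(user, None)
        elif source == "badge" and f["event"] == "swipe" and user in remote_since:
            # Each event is benign alone; together they need an operator's review.
            alerts.append({
                "user": user,
                "door": f.get("door", "unknown"),
                "badge_time": when,
                "remote_since": remote_since[user],
                "reason": "badge used on site during open remote session",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

In production the rule also needs a session timeout, since a remote session that never logs a logout would otherwise flag every later swipe by that user.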

    Digitize Workflow

    Since as early as 2019, TBW Advisors LLC has been advising clients to automate security responses when possible, for the simple reason that you must. Ransomware attacks were already taking place within a 35-minute window. In 2025 the cyber physical attack vector also calls for automation, or a digitized workflow at the very least. As Advancis’ Paul Shanks communicated, “we can take that and make that workflow digitized so that all they have to do is read click and go. Simple as that.”

    Related playlists

    1. Industry Whispers: Public is Private – Confidential Computing in the Cloud | TBW ADVISORS
    2. Conference Whispers: Black Hat USA 2019
    3. Whisper Report: How can we enhance our cybersecurity measures to protect against emerging Cyber Physical threats? 
    4. Conference Whispers: ISC West 2025