TBW ADVISORS LLC

Tag: PRIVACY

  • Whisper Report: What are the most effective strategies for ensuring data security and privacy in customer interactions?

    Whisper Report: What are the most effective strategies for ensuring data security and privacy in customer interactions?

    Published to clients: August 4, 2025                        ID: TBW2080

    Published to Readers: August 5, 2025

    Published to Email Whispers: TBD

    Public and Video Release: TBD

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    Abstract:

    “Effective strategies for securing customer data include encryption at rest, in transit, and during compute; cautious AI adoption; and strict access controls. Removing or masking personally identifiable information (PII) and training staff on cybersecurity best practices are essential. Legal compliance, intellectual property protection, and customer trust drive the need for robust privacy measures in customer interactions.”

    What are the most effective strategies for ensuring data security and privacy in customer interactions?

    We took the most frequently asked and most urgent technology questions straight to the technologists gathering at Customer Connect Expo 2025 held at the Las Vegas Convention Center. This Whisper Report addresses the question regarding What are the most effective strategies for ensuring data security and privacy in customer interactions? There are two reasons security and privacy are critical in this space. As Ford’s Dr. Kalifa Oliver pointed out, “to first really understand the laws..” In fact, all governance program definitions start with legal requirements, then industry regulations and requirements, then internal privacy promises made to customers.  The second critical reasons for ensuring data security and privacy as Claritiv’s Sean Gigremoss reminds us, “your knowledge for your business comes from all the conversations that you’re having – that is your IP (intellectual property).”

    Figure 1. Four Pillars of Customer Data Protection

    Four Pillars of Customer Data Privacy Defense in Depth Caution with AI Remove or Hid PII Train your Teams

    Defence in Depth

    As Macy’s Siva Kannan Ganesan pointed out, “all those regulation and implementing an regulation it’s a multi-step approach like data and motion data at rest should be encrypted and you have to make sure it’s like the access strict access control and frequent evaluation of the data breach.” With security depth is always valuable. TBW Advisors LLC advises clients to not only use encryption at rest and in transit, but to leverage protections during compute leveraging Confidential Computing. For additional research, enjoy Industry Whispers: Public is Privacy – Confidential Computing in the Cloud available on TBW Advisors YouTube Channel.

    Caution with AI technologies

    TBW Advisors has frequently warned if you are not being charged for the product, you are the product. If you are the product, you should assume you do not have privacy. Today with many of the advanced AI products, even lower tier paid products do not get privacy; rather they are being used to further train the product. As Ford’s Dr. Kalifa Oliver observed, “you really got to start asking organizations that have AI technologies about their Blackbox about how the data is being trained. You have to ask them about data breaches you have to be conservative about how you implement things because I think the law is going to catch up and the hardest thing to do is trying to go back and fix it.”

    Remove or Hide PII

    One critical step to ensure privacy is to not send PII or personally identifiable information to tools. Enthu.ai’s Atul Grover denoted, “we also ensure that we deduct the PI information we deduct almost 16 kind of PIs including social security data birth credit card information …. we do that in the recording as well as all the analytics.” While removing the information is a common practice, masking data is also quite common. As Mitrol’s Pedro Lopez Slevin shared, “our banks for example you will probably have on premise data servers. Everything will be with TLS 1.2 two or higher you know and create your data. We’re talking about AI, we usually do rack so you will have to process every information into embeddings and those embeddings are..unreadable if you just put it in a vector database.”

    Train your Teams

    While the term Human in the Loop has gained popularity with generative AI and agentic solutions, cybersecurity has always known the human in the loop as being a critical risk factor. Thus in order to truly ensure data security and privacy, you must train those humans! Randy Simmons from FaxSipIt shared the common journey towards compliance. “we’ve gone through a HIPPA audit and we’re secure there we just finished the SOC 2 audit and we’re SOC 2 compliant so people have come in they’ve audited our system our policies they’ve come with recommendations or not and we pass the audit for the socks 2 audit so our staff all goes through cyber security training as well we go through a wiser cyber security training and then also we send phishing to our to our employees and see if they’re going to click and if they click on a link then guess what they’re doing they’re doing that training all over Again.” So remember, do not click on that link without checking the link is safe first!

    Related playlists and References

    1. Whisper Report: How can we integrate AI-driven customer service solutions with our existing IT infrastructure
    2. Conference Whispers: Customer Connect Expo 2025
    3. Whisper Report: What are the most effective strategies for ensuring data security and privacy in customer interactions?
    4. Playlist – Whisper Report: What are the most effective strategies for ensuring data security and privacy in customer interactions?

    Corporate Headquarters

    2884 Grand Helios Way

    Henderson, NV 89052

    ©2019-2025 TBW Advisors LLC. All rights reserved. TBW, Technical Business Whispers, Fact-based research and Advisory, Conference Whispers, Industry Whispers, Email Whispers, The Answer is always in the Whispers, Whisper Reports, Whisper Studies, Whisper Ranking, The Answer is always in the Whispers, and One Change a Month, are trademarks or registered trademarks of TBW Advisors LLC. This publication may not be reproduced or distributed in any form without TBW’s prior written permission. It consists of the opinions of TBW’s research organization which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, TBW disclaims all warranties as to the accuracy, completeness or adequacy of such information. TBW does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by the TBW Usage Policy. TBW research is produced independently by its research organization without influence or input from a third party. For further information, see Fact-based research publications on our website for more details.

  • Whisper Report: How can we ensure compliance with new and evolving Cyber Physical security regulations?

    Whisper Report: How can we ensure compliance with new and evolving Cyber Physical security regulations?

    Published to clients: July 10, 2025                                                                          ID: 2075

    Published to Whisper Club: December 19, 2025

    Email Whispers Release:  March 23, 2026

    Public: March 24, 2026

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    Abstract:

    Cyber-physical security, like healthcare tech, must carefully manage PII. Experts highlight privacy-preserving biometrics, user-controlled consent, and anonymous face matching. Regulatory compliance, such as GDPR, drives standardization and innovation. As laws vary by region, adaptable and consistent global system architectures are essential for scalable, secure, and compliant operations.

    Target Audience Titles:

    • Chief Technology Officer, Chief Security Officer, Chief Information and Security Officer, Chief Trust Officer, Chief Compliance Officer, Chief Risk Officer
    • Head of Product, VP of Product, Chief Marking Officer, Data Protection Officer,
    • Enterprise Architect, Director of Data Protection, Director of Data Governance, Chief Privacy Officer

    Key Takeaways

    • Privacy-first design: Cyber-physical systems must protect PII using encrypted biometrics, local storage, and user-controlled consent mechanisms.
    • Anonymity matters: Face matching enables identity verification without revealing personal data, preserving user anonymity.
    • Compliance drives innovation: Regulations like GDPR standardize data practices and encourage secure, privacy-focused system development.
    • Global consistency is key: Scalable, compliant operations require adaptable, non-proprietary architectures across diverse regions and regulatory environments.

    How can we ensure compliance with new and evolving Cyber Physical security regulations?

    We took the most frequently asked and most urgent technology questions straight to the cyber physical security experts gathering at ISC West 2025. This Whisper Report addresses the question regarding how can we ensure compliance with new and evolving cyber physical security regulations? We will know explore the four signs you are on the correct path as depicted in Figure 1.

    4 signs you are on the correct path Ensure data privacy, maintain anonymity, meet regulatory compliance and deploy leveraging a globally consistent architecture

    Data Privacy

    One very interesting aspect of the cyber physical security space that reminds of healthcare tech is the handling of PII or personally identifiable information data. As Safr’s John Cassie shared, in the cyber physical space it, “has a lot to do with what we talked about as far as PII and how we manage data.” Or as LVT’s Steve Lindsey observed, “what we call private or data of sovereignty .. from a data security perspective the technology and the architectures of how these systems are built really have to be in place to address that the PII information really comes down to our use of AI.”

    Fortunately, the regulations for privacy include related standards for vendors. As Intel’s RealSense’s Mike Nielsen noted, “I have been very excited about the Privacy preservation of biometric data is really possible now so I can get a template of a human being from their face that can be stored and encrypted it can be handed back to me so in my pocket.”

    Managing user consent is a must to achieve privacy in the cyber physical space. Bioconnect’s Edsel Shreve argued, “in privacy where more and more controls going in the user’s hand to say yes I am allowing you to use my biometric. If I ever want to revoke that consent I need proof that you deleted my data and that it’s no longer being used.” He further explained, “we build in to both a upfront gather consent with an audit trail that says okay the user provided consent we didn’t just check a box and say yeah.” Furthermore, the solution must realize the full lifecycle of permission. Edsel Shreve further explained, “you can just do regular maintenance and go in and say who hasn’t authenticated in 6 months what are we going to do with that data right do we want to delete the template or just alert the person or alert an administrator.”

    Anonymity

    Anonymity has to do with the lack of the ability to identify the person. As LVT’s Steve Lindsey commented, “there’s a difference between facial recognition and face matching right.” Facial recognition includes identification while facial matching allows the face to remain anonymous. A great example was revealed by Intel’s RealSense’s Mike Nielsen.

    “I’ve actually got a version of my this QR code is my face template. From this is 512 bytes it’s a it’s just a simple Vector map that looks at 80 points on my face but it’s mine. This isn’t siting in a database somewhere. This isn’t living on somebody’s server. This is physically in my pocket as a badge. I can then apply that (badge) by walking up to one of our devices – one of our cameras have the scan. It pulls in that QR code, evaluates what that template looks like. Then I look at the camera it pulls the template from my actual face and compares the two. The cool thing about the techniques that is it’s privacy preserving by definition it never leaves the device it can be dissolved immediately and you never have to send a picture or any personally identifiable info anywhere outside of me scanning my badge. Then the device makes sure I can unlock that door.”

    Thus, this example achieves privacy and anonymity.

    Regulatory Compliance

    When it comes to cybersecurity and data governance – there are the things you want to do as an organization based on your public commitments such as your privacy statements. Then, there are requirements which are legal requirements sometimes coming from a location and sometimes defined based on your industry referred to as regulatory compliance. As LVT’s Steve Lindsey put it, “we think about the problem in the context of the of the compliance and Regulatory things that we have to have as we’re designing and building this stuff from the beginning.” Furthermore, since we are dealing with cyber physical security,

    The best part about regulatory compliance according to Intel RealSense’s Mike Nielsen is, “they’re really well defined at least in the case of like GDPR so GDPR has very strange requirements on how to use PII but specifically how to use sensitive PII like biometric information one of the things that we’ve seen help move the industry forward ironically is having the regulation in place allows people to have a Level Playing Field.” That means that vendors will not be penalized for taking the more difficult road by protecting the customer as all must take equal precautions. Gary Chen of EverFocus noted, “to ensure that we have keep our regulations up to date, we need to keep advancing our technology and mostly from our end installers that will be the key .. also keep good connection with your customer.”

    Requirements evolve by location as every product vendor will realize. “One of the things that’s occurring is that whether it’s in Europe or in each state coming up with new requirements for both security of data and compliance.” Edsel Shreve, Bioconnect. When faced with this challenge, it is always best to step back and see how to adjust the architecture to accommodate this capability as a configurable option vs to create a product branch. Today’s regulations in location A become tomorrow’s regulation in location Z. One can then configure at the system level as regulations evolve in different locations.

    Finally, it is important to keep in mind the architecture must accommodate the cyber physical security space. who has “from an access control standpoint is not only managing who has access in and out of the mine but also incorporating some functionality around safety who’s completed what safety classes and if they haven’t completed the proper classes then we have the ability to manage access control based on what needs to happen.” Cyber physical security includes the physical safety of the employees themselves and all that goes into ensuring safety compliance regulations are met – in each location.

    Consistent Architecture

    The complexity of cyber physical security is magnified in organizations the wider the physical disparity across country and continental boundaries. As one might expect, different vendors have different footprints across the globe. For smooth global operations one generally recommends standardized solutions as opposed to propriety solutions. As Safr’s John Cassie explained, “would be nice if I could just capture that from the existing access control system and not have to do some extra procedure so that’s another element that allows us to have sort of this compliance across my entire security platform. As long as I am not using solutions that are pigeonholing me into proprietary solutions.” There may be slightly better solutions in this aspect or that aspect locally available but those frequently ruin the ability to have global clarity. It is critical to maintain a consistent architecture globally unless you want custom roadmap items for each and every change. If you are anywhere in the lifecycle of trying to realize such as solution, be sure to set up an inquiry plan so that an expert who has been there can provide actionable guidance.

    Related playlists

    1. Industry Whispers: Public is Private – Confidential Computing in the Cloud | TBW ADVISORS
    2. Conference Whispers: Black Hat USA 2019
    3. Whisper Report: How can we enhance our cybersecurity measures to protect against emerging Cyber Physical threats? 
    4. How can we ensure compliance with new and emerging cyber physical security regulations?
    5. Conference Whispers: ISC West 2025

    Corporate Headquarters

    2884 Grand Helios Way

    Henderson, NV 89052

    ©2019-2026 TBW Advisors LLC. All rights reserved. TBW, Technical Business Whispers, Fact-based research and Advisory, Conference Whispers, Industry Whispers, Email Whispers, The Answer is always in the Whispers, Whisper Reports, Whisper Studies, Whisper Ranking, Whisper Club, Whispers, The Answer is always in the Whispers, Vegas Convention Library, and One Change a Month, are trademarks or registered trademarks of TBW Advisors LLC. This publication may not be reproduced or distributed in any form without TBW’s prior written permission. It consists of the opinions of TBW’s research organization which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, TBW disclaims all warranties as to the accuracy, completeness or adequacy of such information. TBW does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by the TBW Usage Policy. TBW research is produced independently by its research organization without influence or input from a third party. For further information, see Fact-based research publications on our website for more details.

  • Industry Whispers: Public is Private – Confidential Computing in the Cloud

    Industry Whispers: Public is Private – Confidential Computing in the Cloud

    Join us for “Public is Private – Confidential Computing in the Cloud,” featuring Mike Bursell from the Confidential Computing Consortium and Manu Fontaine, founder of Hushmesh. This event will delve into the transformative potential of confidential computing for cloud environments. Aimed at CIOs, CTOs, enterprise architects, solution architects, and technical product managers, the discussion will cover how confidential computing enhances data security and privacy, even during processing. Learn about real-world applications, challenges, and future trends in this critical technology. Don’t miss this opportunity to gain insights from industry leaders and explore how to leverage confidential computing for your organization’s success.

    Research Code TBW2071

    Moderator: Dr. Doreen Galli, TBW Advisors

    Doreen Galli

    Chief of ResearchTBW Advisors LLC

    Dr. Doreen Galli is the Chief of Research at TBW Advisors LLC. She’s led significant and measurable changes as an executive at IBM, DPWN, Dell, ATT, and most recently Microsoft. Dr Galli was Chief Technology and Chief Privacy Officer in Azure’s MCIGET. Gartner recognized Dr. Galli as an expert in data ingestion, quality, governance, integration, management, and all forms and analytics including sensor data.

    Mike Bursell

    Executive DirectorConfidential Computing Consortium

    Mike Bursell is the Executive Director of the Confidential Computing Consortium, having been involved since its foundation in 2019, and Co- chair of the OpenSSF’s Global Cyber Policy working group. He is one of the co-founders of the open source Enarx project and was CEO and co- founder of the start-up Profian. He has previously served on the Governing Boards of the CCC and the Bytecode Alliance and currently holds advisory board roles with various start-ups. Previous companies include Red Hat, Intel and Citrix, with roles in security, virtualisation and networking. He regularly speaks at industry events in Europe, North America and APAC and has a YouTube channel dedicated to cybersecurity education. Professional interests include: Confidential Computing, Cyber Policy, the EU Cybersecurity Resilience Act (CRA), Linux, trust, open source software and community, security, decentralised and distributed systems, Web3, blockchain. Mike has an MA from the University of Cambridge and an MBA from the Open University, and is author of “Trust in Computer Systems and the Cloud”, published by Wiley. He holds over 100 patents and previously served on the Red Hat patent review committee.

    Speaker Profile

    Manu Fontaine

    CEOHushmesh Inc

    Manu Fontaine is the Founder and CEO of Hushmesh, a dual-use Public Benefit cybersecurity startup in the Washington DC area. The company believes that people need safe code and authentic data, just like they need clean water and stable electricity. To deliver this, Hushmesh leverages Confidential Computing to develop and operate “the Mesh”: a global information space, like the Web, but with universal zero trust and global information security built in. Secured by the Universal Name System (UNS) and the Universal Certificate Authority (UCA), the Mesh provides global assurance of provenance, integrity, authenticity, reputation, confidentiality, and privacy for all information within it, at internet scale. Hushmesh is a NATO DIANA Innovator startup.

    Dr. Roy Fune

    Cannot make it live? Register and submit your question. The answer will be in the video on TBW Advisors’ YouTube Channel.

    NO AI note takers allowed. Event copyrighted by TBW Advisors LLC.

  • Whisper Report: Seven Security and Governance Data Space Issues CxOs Don’t Know About

    Online Research Summary

    ABSTRACT

    CCPA and GDPR expect CxOs to be able to answer the question, “who shared what customer data with whom.” Unfortunately, due to configuration errors, missing driver updates, missing log files or lack of understanding of vulnerabilities, many CxOs are not aware of which data copies exist, let alone how they are being shared. This research shares seven security and governance issues in the data space that compromise security and governance, yet, unfortunately, remain generally unknown by CxOs. Remedies are also discussed.