What the Security Industry Needs to Know About AI, Emerging Tech and Privacy

In a constantly evolving cyber-physical security landscape, the security industry needs to hold and build on its commitment to promoting sound data privacy practices. The Security Industry Association (SIA) spoke with experts SIA Data Privacy Advisory Board Chair Bobby Prostko, deputy general counsel, IP and cybersecurity, and chief privacy officer at Allegion; advisory board members Sal D’Agostino, CEO of IDMachines; Daniel Krantz, managing partner at the Secure Worker Access Consortium; and Matt Vaillancourt, senior director of global MSS sales at SonicWall; and ADT’s chief information security officer, Tim Rains, and vice president and deputy general counsel, IP and privacy, Frank Cona, to learn about the data privacy landscape and how the industry can better address privacy-related challenges.

A Changing Privacy Landscape Amid the Proliferation of AI

A consistent theme from the panel was that the rapid growth and innovation around artificial intelligence (AI), especially large language models (LLMs) like ChatGPT, have significantly impacted companies’ data privacy practices, including policies and procedures.

“As new technologies are introduced, organizations need to have a solid infrastructure in place to ensure long-term success and protection,” said Rains. Cona and Vaillancourt recommend regularly updating AI policies to minimize risk, providing clear guidance, and training employees on the latest updates, the risks, and how to use these tools safely, responsibly and securely.

D’Agostino and Vaillancourt highlighted the risks that must be considered when it comes to use of AI. Vaillancourt emphasized that although leveraging AI for modern work is “a game changer in productivity and results,” it is important to understand that using open-source AI sends your data into the world and that “you never know where or who can see or use it.”

“Organizations need to take exceptional care with [LLMs’] use, particularly in data that is captured by an LLM if it is set loose on the internet,” D’Agostino said. “There are already copyright cases being brought against organizations that have not realized that they are using copyrighted information that requires a license. The other is the well-known phenomenon of hallucinations, where LLMs just make up false answers. This is where human oversight is critical. A good example is using AI to manage alarms, which should then pass a human gate for certain actions to be taken.”

Prostko suggested that organizations implement access controls and ensure that data used to train AI models be anonymized and/or comply with privacy regulations.

“Additionally, transparency about how AI-driven decisions are made is crucial to maintaining trust,” he said.

D’Agostino also recommended that the person asking an LLM questions be someone with knowledge of the field or line of inquiry in order to get the most effective results, since everything that happens after the questions are entered “is derived from that starting point.”

What the Security Industry Needs to Know

The experts shared several suggestions for which data privacy practices and concepts are most important for our industry to understand and be trained on:

  • Understand and protect all personal data you collect: “Security companies and professionals must focus on competently and objectively identifying personal information collected and stored as a result of operations that should rightfully be protected,” said Krantz, “and they must care enough to devote resources to ensuring its protection through more advanced product engineering.”
  • Implement privacy and security by design: Cona and Krantz urged companies to integrate privacy and security programmatically into product development and into deploying integrated solutions and encouraged product and project managers to work together to evaluate the impact of new projects and ensure that security and privacy requirements are considered prior to implementation.
  • Follow privacy principles and frameworks: D’Agostino cited the International Organization for Standardization’s Privacy Framework and the National Institute of Standards and Technology’s Cybersecurity Framework as helpful resources to guide businesses’ privacy practices. “These principles need to be applied on an ongoing and operational basis,” he said. “Privacy and cybersecurity have sometimes been treated as a compliance checklist to meet an annual or periodic reporting need when, in contrast, they need to be applied continuously and with increasing maturity in an organization. Transparency, proportionality and reciprocity are themes and requirements throughout these frameworks.”
  • Prioritize training on key privacy concepts: Prostko recommends that companies establish strong training on data minimization, which involves only collecting the data necessary for a specific purpose; data anonymization to protect individual identities; encryption methods; and privacy impact assessments. “Regular training on incident response and breach notification procedures is essential to ensure preparedness in the event of a data breach,” he said.
  • Layer your security and avoid single points of failure: “Relying on your data privacy posture alone creates a false sense of security,” said Prostko, who encourages companies to view data privacy as part of a holistic approach to cybersecurity.

Security companies and professionals can access a range of new and updated resources and programs from SIA to strengthen their knowledge and practices around data privacy – including SIA’s Data Privacy Pro Certificate course, Guide to U.S. Biometric Privacy Laws and Security Cornerstones e-learning module on data privacy concepts. Learn more about SIA’s initiatives and offerings around data privacy here.