KBKAST Episode 360 Deep Dive: Simon Cook | The Right To Be Forgotten, Navigating GDPR, IRAP and Global Standards in Physical and Cybersecurity
Date: March 25, 2026
Host: Chris (KBI.Media)
Guest: Simon Cook, Director of New Offerings, Genetec
Episode Overview
This episode of KBKAST explores the rapidly converging worlds of physical and cyber security, with a strategic focus on risk optimization, regulatory shifts, and the challenges posed by global compliance standards like GDPR and IRAP. Simon Cook from Genetec offers candid, deep insights into how technological advances, legislative changes, and organizational culture affect security at every level—from enterprise to critical infrastructure.
Key Discussion Points & Insights
1. The Blurring Lines between Physical and Cyber Security
Timestamps: 01:01–04:38; 05:35–09:52
- Simon notes everything in security has shifted dramatically over the last several years, especially with the increase in connected devices, AI, and remote work.
- Quote [01:32]:
"The attack surface for cybercrime has just got so much bigger...from 10 billion devices in 2020 to about 18 to 21 billion today. And a lot of those devices are physical security devices." — Simon Cook
- Cybersecurity is now a business risk—no longer just an IT issue—directly impacting costs like cyber insurance.
- Physical and cyber teams have historically worked in silos, but as everything from cameras to door controllers becomes network-connected, those boundaries are dissolving.
Memorable Moment:
- Quote [07:16]:
"There have been sort of two disparate camps, right? ...Never the twain shall meet. ...But more so these days, you know, an IP camera is effectively a computer, so it's susceptible to hacks and attacks."
2. The Culture Clash: Physical vs. Cyber Security Mindsets
Timestamps: 08:05–11:57
- Long-standing industry traditions in physical security vs. more progressive attitudes in cyber.
- There's often fear of "losing territory" or relevance as cyber becomes more integral.
- Generational and experiential gaps remain, but new entrants are blending both worlds.
- Quote [10:34]:
"The physical security industry is a very traditional industry...see what works, don't change it."
3. Evolving Technology and Proactivity in Security
Timestamps: 12:32–13:58
- Physical security is now less about reaction and more about proactivity, with AI/analytics detecting threats before they escalate.
- Quote [12:32]:
"Technology is evolving physical security from a reactive application to a proactive application...technology...can detect the threat rising in someone's voice."
4. The Right to Be Forgotten: From Legal to Technical
Timestamps: 13:58–16:42
- GDPR and the "right to be forgotten" have sparked product and architecture overhauls in security platforms.
- Video and biometric data require systems to support selective deletion, redaction, and retention limits, which is a major technical challenge.
- Quote [14:10]:
"The right to be forgotten...becomes a product, an architecture problem...video footage...is not designed for that selective deletion."
5. The Risks of Cheap, Insecure Devices and Supply Chain
Timestamps: 16:42–19:52
- The market's appetite for low-cost, foreign-made devices adds risk—especially concerning backdoors and lack of rigorous security.
- Genetec advises on trusted sourcing, emphasizing the potential network risk even if "nobody cares" what a camera sees.
- Quote [19:52]:
"Arguably, I would say perhaps six, seven times out of ten, the person isn't interested in what the footage is...They're actually interested in what they can do with that device. It's a springboard into the network."
6. Attack Surface Ignorance: Cameras and IoT as Threat Gateways
Timestamps: 22:09–25:38
- Many don't realize how any connected device (camera, fish tank, fridge) can be a network attack vector.
- Simon recounts notable breaches—like the Target HVAC and casino fish tank hacks—to stress the scale of risk.
- Quote [23:52]:
"Everything that's connected, if it's not protected, updated, etc...becomes that springboard for an attacker."
7. GDPR: Global Reach, Not Just Europe
Timestamps: 25:38–29:54
- Misconception persists that GDPR is limited to Europe; in reality, any interaction with European data subjects brings organizations into scope.
- Countries worldwide are using GDPR as a template (Brazil’s LGPD, China’s PIPL, US states).
- Quote [25:57]:
"Anyone that's in Europe, anything...even if one of their customers, cameras, users...interact[s] from Europe, you're in scope for GDPR compliance."
- Penalties for noncompliance can devastate global enterprises—but reputation impact may be even greater.
8. Compliance and Proactivity: Beyond the Checkbox
Timestamps: 29:54–34:24
- Organizations are increasingly asking about data handling (retention, access, deletion) even outside legal mandates, signaling a proactive mindset.
- Regulatory blueprints (GDPR, IRAP, NIST) are being pulled or adapted globally as companies move to the cloud.
- Sensitive data types (biometrics, video, mobile credentials) require robust trust and transparency from vendors.
9. The Future: Laws, Cloud, Technology—and Bridging the Gap
Timestamps: 32:02–34:24
- Regulatory frameworks will proliferate in step with the cloud migration of physical security.
- AI and behavioral analytics will soon make real-time, proactive intervention standard, helping organizations anticipate rather than just respond to threats.
- The convergence between cyber and physical teams is accelerating, necessitating cross-functional understanding and solutions.
- Quote [32:18]:
"Physical security is like the last bastion that is...not going towards cloud as fast as the rest of the world...But ultimately everything is in that cloud connected way."
10. Building Trust: Not Set-and-Forget
Timestamps: 34:55–38:11
- Compliance should not be a "tick-box" exercise; trustworthiness requires ongoing transparency, certification, and proof of secure practices.
- Genetec puts all certifications and pen-test information front and center for customers as part of their “secure by design” logic.
- Quote [36:28]:
"It's not set and forget, let's just do it once. It is constant evolution, much like technology is a constant evolution."
Notable Quotes & Memorable Moments
- "Everything has changed...security, it's not just a trust, don't trust. It's a whole architecture approach for a manufacturer." — Simon Cook [01:32–03:30]
- "Technology is evolving physical security from a reactive application to a proactive application." — Simon Cook [12:32]
- "The trust isn't a grant once decision. Now it's a constant discussion, a constant negotiation and a constant design principle." — Simon Cook [04:00–04:30]
- "Ignoring [GDPR]...pleading ignorance has a massive financial impact...But that reputational damage is the challenge, that's the harder thing to build up." — Simon Cook [28:44–29:28]
Final Takeaway
"[When] assessing a company, a physical security company, what are they doing to make sure that you have that continual trust? It's not set and forget ... much like technology is a constant evolution. So yeah, look at trust as: what is that company doing to actually give me that feeling of trust? And they can actually show it as trust as well." — Simon Cook [36:28–38:11]
