13 Jul 2024
  • Cybersecurity

Why Organizations Must Fix Data Security Now

By Tyrone Showers
Co-Founder Taliferro

Stop the Over-Collection: A Practical Case for Data Minimization

For years, I've been vocal about a simple yet crucial idea: everyone should be responsible for their own information. Unfortunately, corporations continue to collect vast amounts of personal data and then fail to secure it properly, leading to countless data breaches and hacks. It's time for corporations to stop being stupid about data security and take real responsibility for the information they collect.

The Problem with Excessive Data Collection

Corporations ask for all sorts of personal information from users. They want your name, address, phone number, and even more sensitive data like social security numbers and credit card details. But here's the thing: the more information they collect, the bigger the target they become for hackers. When a corporation gets hacked, it's not just the company that suffers – it's the millions of users whose data gets exposed.

The Smart Approach: Minimal Data Collection

With TODD, we take a different approach. We only ask for your email address. Why? Because if TODD ever gets hacked, the worst thing a hacker gets is a bunch of email addresses. No sensitive personal information is at risk. This minimalistic approach to data collection is not just smart – it's responsible.

AI helps here — but only with the right guardrails. I rely on our Consistent Output Protocol (COP) to keep detections and summaries consistent, and the techniques I described in How Machine Learning Is Changing Cybersecurity (2025) to reduce noise without missing the signal.

Security Baseline You Can Ship This Quarter

  • Map your data: inventory PII/PHI/PCI, flows, storage, processors, and sharing.
  • Cut scope: remove or anonymize fields you don’t use; stop collecting optional PII.
  • Encrypt: enforce TLS 1.3; encrypt databases, backups, and object storage with managed keys.
  • Harden access: SSO + MFA; short-lived credentials; no shared admin accounts.
  • Retention: define TTLs by data class; automate deletion; log purges.
  • Backups: immutable backups with periodic restore tests.
  • Monitoring: alert on exports, permission changes, and data volume anomalies.
  • Vendors: assess processors; require SOC 2 / ISO 27001 or equivalent controls.
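The retention item above (TTLs by data class, automated deletion, logged purges) is the one most teams can script in an afternoon. The following is an added example, not Taliferro's or TODD's code: a small purge job where every record carries a data class, each class has a constructed TTL, and each deletion is written to a purge log that records the id, class and reason but never the record body. Record shapes, class names and TTL values are assumptions for the example.

```python
"""Retention enforcement by data class (added example, not the author's code).

Assumptions: records are dicts with `record_id`, `data_class` and a
timezone-aware `created_at`; TTLs are defined per class in RETENTION_TTL.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Retention policy: time-to-live per data class. Values are constructed for
# this example; a real policy comes from the data map and legal requirements.
RETENTION_TTL: dict[str, timedelta] = {
    "email": timedelta(days=730),
    "support_ticket": timedelta(days=365),
    "payment_token": timedelta(days=90),
    "access_log": timedelta(days=30),
}


def is_expired(record: dict, now: datetime) -> bool:
    """True when the record's class TTL has elapsed.

    A class with no policy is treated as expired: data nobody has defined a
    retention period for should not accumulate silently.
    """
    ttl = RETENTION_TTL.get(record["data_class"])
    if ttl is None:
        return True
    return record["created_at"] + ttl <= now


def purge_expired(records: list[dict], now: datetime,
                  purge_log: list[dict]) -> list[dict]:
    """Return the records to keep and append one log entry per deletion.

    The log holds the id, class and reason only, never the record body,
    so the purge log does not itself become a copy of the purged PII.
    """
    kept = []
    for rec in records:
        if is_expired(rec, now):
            purge_log.append({
                "ts": now.isoformat(),
                "record_id": rec["record_id"],
                "data_class": rec["data_class"],
                "reason": ("ttl_expired" if rec["data_class"] in RETENTION_TTL
                           else "no_policy"),
            })
        else:
            kept.append(rec)
    return kept


def sample_run() -> tuple[list[dict], list[dict]]:
    """Run the purge over a constructed data set; return (kept, purge_log)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    records = [  # constructed sample records
        {"record_id": "r1", "data_class": "email", "created_at": now - timedelta(days=100)},
        {"record_id": "r2", "data_class": "payment_token", "created_at": now - timedelta(days=91)},
        {"record_id": "r3", "data_class": "access_log", "created_at": now - timedelta(days=30)},
        {"record_id": "r4", "data_class": "support_ticket", "created_at": now - timedelta(days=10)},
        {"record_id": "r5", "data_class": "legacy_export", "created_at": now - timedelta(days=1)},
    ]
    purge_log: list[dict] = []
    kept = purge_expired(records, now, purge_log)
    return kept, purge_log


if __name__ == "__main__":
    kept, log = sample_run()
    print("kept:", [r["record_id"] for r in kept])
    for entry in log:
        print("purged:", entry)
```

Two design choices worth copying: an unknown data class is purged rather than kept (a missing policy is a scope problem, not a reason to retain), and the purge log is deliberately content-free so that the audit trail does not defeat the deletion it records.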

AI’s Role in Data Security (2025): Assist, Don’t Replace

AI is a force multiplier, not a substitute for discipline. I use AI to correlate events across systems, summarize evidence for auditors, and prioritize what matters. I don’t use AI to invent policy on the fly, decide retention, or manage encryption keys. Those are human decisions backed by clear standards.

  • What AI should do: correlate signals, surface anomalies, summarize incidents, and recommend next steps with citations.
  • What AI should not do: bypass access control, change retention automatically, or create exceptions without approval.

To keep AI dependable, I apply our Consistent Output Protocol (COP) so the same evidence produces the same outcome every time. That’s how we cut false positives while maintaining repeatability.

Accountability and Security

If a corporation asks for your information, it's up to them to secure it. This isn't just about good business practice – it's about ethics. Users trust companies with their data, and that trust should not be taken lightly. Companies need to stop trying to shift the responsibility back to users by saying things like, "Use strong passwords" or "Enable two-factor authentication." While these are good practices, they don't absolve corporations from their duty to protect the data they collect. Refer to NIST CSF 2.0 principles and the CIS Critical Security Controls for practical control baselines. For a practical example of designing customer-friendly security, see Secure Customer Access to Project Data.

The Call to Action

Corporations need to wake up and realize that the more data they collect, the greater their responsibility becomes. They should:

  • Collect only what's necessary: If you don't need it, don't ask for it.
  • Secure the data rigorously: Use advanced encryption and security protocols.
  • Limit data retention: Only keep data as long as necessary and then dispose of it securely.

Conclusion

In an ideal world, everyone would be responsible for their own information. But if a corporation insists on collecting data, it must step up and secure it. This isn't just about avoiding hacks – it's about respecting the trust that users place in them. The smart move for corporations is clear: minimize data collection, secure what you must collect, and always prioritize the user's privacy.

Stop being stupid about data security. Collect less, secure more, and respect user privacy. It's that simple.

FAQ — Data Security (2025)

Is AI a replacement for basic data security?

No. AI can flag anomalies and summarize evidence, but it cannot replace data minimization, encryption, access control, and retention discipline.

What’s the fastest way to reduce breach impact?

Shorten data retention and narrow collection to essentials. Less data collected and kept means less to lose and disclose.

How do I prove to auditors that we’re doing the right things?

Maintain tamper-evident logs for access, changes, exports, and key operations; map controls to NIST CSF or CIS Controls and review quarterly.
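A concrete way to make those logs tamper-evident, as an added example rather than anything from the author or Taliferro: a hash-chained audit log in which every entry commits to the SHA-256 of its predecessor, so editing or removing an earlier entry breaks verification at that position. The events, actor names and the genesis constant are constructed for the example; the one caveat the code makes explicit is that the newest hash must be stored out of band, because a chain cannot notice its own tail being cut off.

```python
"""Hash-chained, tamper-evident audit log (added example, not the author's code)."""
import hashlib
import json
from typing import Optional

# Stand-in for "no previous entry". Constructed constant for this example.
GENESIS = "0" * 64


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # hashes identically regardless of dict ordering.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only log where each entry includes the hash of the one before it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        body["hash"] = _entry_hash(body)
        self.entries.append(body)
        return body

    def head(self) -> str:
        """Hash of the newest entry. Keep a copy outside the log (separate
        system, WORM storage, a signed ticket) so that truncating the tail is
        detectable; verify() alone cannot see that the newest entries are gone."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first bad entry or None).

        Any edit, insertion or deletion before the newest entry changes a hash
        or a sequence number and fails at that position. When the out-of-band
        head is supplied, a truncated tail is reported at index len(entries)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or _entry_hash(body) != e.get("hash"):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def demo() -> dict:
    """Build a log from constructed events, then check tampered copies of it."""
    log = AuditLog()
    log.append({"actor": "svc-export", "action": "export", "rows": 120})
    log.append({"actor": "alice", "action": "grant", "role": "db_admin", "to": "bob"})
    log.append({"actor": "kms", "action": "key_rotate", "key": "db-master"})
    head = log.head()  # in practice, stored out of band at write time

    # Case 1: the export row count is rewritten in place.
    edited = AuditLog()
    edited.entries = [dict(e) for e in log.entries]
    edited.entries[0]["event"] = {**edited.entries[0]["event"], "rows": 1}

    # Case 2: the permission-change entry is deleted from the middle.
    deleted = AuditLog()
    deleted.entries = [log.entries[0], log.entries[2]]

    # Case 3: only the newest entry is dropped; the remaining chain is intact.
    truncated = AuditLog()
    truncated.entries = log.entries[:2]

    return {
        "intact": log.verify(head),
        "edited": edited.verify(head),
        "deleted": deleted.verify(head),
        "truncated_no_head": truncated.verify(),
        "truncated_with_head": truncated.verify(head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `truncated_no_head` case is the one to show an auditor: without the head hash kept somewhere the log writer cannot reach, a cleanly cut tail verifies as valid, which is why the quarterly control review should include where the head is anchored, not just that the chain checks out.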
