Third-Party Data Risks in Hospitality and Travel: A CISO’s Playbook—Part 2

Published On: August 23, 2023 | Categories: Blog

If you tuned into the first part of our series, you know the crucial need for data protection in the hospitality, travel, and entertainment sectors. As data breaches continue to menace these industries, there’s a dire need for strategies to meet the challenge.

We’re continuing our conversation with Stan Kreydin, a seasoned industry CISO, whose distinguished career includes roles as CISO for Travel + Leisure, Co., and Global Chief Technology Officer at Wyndham Worldwide. Now the Founder of Resogy, a fractional CISO, CTO and cybersecurity advisory service, Stan’s firsthand experience equips him with unique insights that can transform your approach to data security.

Today, we bring you the second part of our Q&A with Stan from a recent webinar, “Protecting Customer Data in Hospitality, Travel & Entertainment.” We have distilled Stan’s vast knowledge into a go-to guide for CISOs and security teams in the industry. If you missed Part 1, you can find it here.

Now, let’s dive into Stan’s playbook and unpack his battle-tested strategies to fortify your defenses.

Third-Party Data Risks: The Critical Link in Travel and Hospitality

How can travel and hospitality businesses effectively manage third-party data risks and what security measures do you recommend?

Stan: Through my experience and observation, we can break down this challenge into three main areas of focus, namely third-party assets connected to our network, third-party associates on our network, and third-party processors or service providers. I’d like to highlight some key observations and recommend a roadmap for overcoming these challenges.

Categories of Third-Party Risks

1. Third-party Assets Connected to Your Network: This refers to external systems connected to your network, either persistently or as needed for triage/support. These could be infrastructural and/or security components, operational assets (docks, kiosks, etc.), or alert systems that run automated tasks and/or process data.

2. Third-party Associates on Your Network: Unlike the first category which deals with machine-to-machine patterns, this one refers to human-machine interactions. An example would be third-party outsourcing or multisourcing relationships where a team in a different country might be given access to your operating environment to perform tasks like coding, testing, or operations.

3. Third-party Processors or Service Providers: The last category involves sending data to service providers, usually for functions like marketing. Here, you might not have as much control over the data, as in most use cases, it leaves your network (one-way data feeds).

After understanding these categories, the challenge then becomes knowing where your data is, who has access to it, and where it is going. Unfortunately, many companies don’t maintain an accurate data catalogue tied to their service portfolio or their risk profile. As a result, they struggle to understand the relationships between their critical applications and their critical vendors, and the nature of the data being shared between them. This creates issues, especially if/when there are data breaches with third parties, service providers and supporting entities.

Overcoming Third-Party Data Challenges

To tackle this challenge, I believe the first step is to focus on data discovery and classification. This should ideally be part of your overall data management program, including identifying your data custodians, administrators, and owners. Next, we need to figure out what’s on your network and ensure it is segmented and monitored properly. This step depends largely on how well you understand your data and how it should be categorized. Proper segmentation and monitoring can greatly reduce your risk. You could then apply the most critical controls to the most sensitive portions of your data.

In the case of the hospitality industry, a significant number of third parties may be on your network, offering essential services to run facilities and guest services. This could include point-of-sale systems, physical access controls, integration into other third parties, and entertainment systems. Unfortunately, if you don’t own the endpoints or the locations of where processing takes place, your control points are limited. In such cases, you must focus on controlling data ingress and egress using tools like security observability platforms that can help you understand traffic flow and patterns of your application.

Finally, it’s crucial to have an incident response playbook specifically designed to include third parties. Regularly testing this playbook through exercises like annual tabletops can help ensure everyone is prepared in the event of a security incident.

5 Actionable Tips for Managing Third-Party Data Risks

Here are 5 actionable tips for managing third-party data risks:

1. Segment and Monitor Your Network: Recognize different assets connected to your network, including third-party assets, associates, and service providers. In the hospitality sector, third-party integrations (like point-of-sale systems, entertainment setups, and physical access mechanisms) are abundant. Proper segmentation and vigilant monitoring can considerably mitigate risks. Structure your controls and investments accordingly.

2. Know Your Data’s Path: Understanding data flow is pivotal. Identify which of your applications are interacting with which vendors and how often they’re sharing critical data.

3. Employ Data Management Techniques: A robust data management system is indispensable. Recognize custodians, administrators, and data owners to ensure a seamless lifecycle of data handling. This becomes even more crucial when the data is shared with third-party service providers.

4. Embrace Observability Solutions: Modern solutions amalgamate operational observability with security, offering a holistic view of data flows and patterns. This, combined with risk-based application segmentation, provides the necessary context and aids in detecting and triaging anomalies.

5. Prepare with Incident Response Playbooks: While many companies create incident response playbooks, few test them out. Regular tabletop exercises, including third-party service providers, especially the critical ones, are vital. These drills help refine the strategy and ensure a more streamlined response during real crises. Aim for at least bi-annual tests, with at least one of them involving C-level leadership.

Navigating third-party data risks in the hospitality industry requires a strategic and layered approach that focuses on understanding where data is going, how it’s being used, and the third parties involved. These five recommendations provide a robust framework to minimize risks and create a resilient data management structure.

Maturing Vendor Management: Beyond Compliance

How can organizations transition from a compliance-centric approach to a mature, risk-based vendor management process?

Stan: First and foremost, the shift from compliance management to risk management is not merely a trend—it’s a necessity. We’ve moved beyond simple compliance checklists, where we only adhered to static and often evolving tools or methodologies deployed. Continuous vendor management is now required, not just at main touchpoints.

The concept of continuous vendor management is pivotal here. It’s not enough to engage with vendors at the typical points of interaction – initial relationship, renewal, and offboarding. Vendor management must be an ongoing process. This continuous engagement includes not just focusing on security compliance but also understanding the overall attack surface of vendors. We must also recognize that not all vendors provide the same value or present the same risk to a company. It’s about understanding their functions, time period, value, and adjusting our risk management approach accordingly.

Automation, regular data audits, and extending our data governance to third parties are also critical practices. It’s about being proactive and assessing whether our vendors still require the same level of access to our systems or the same volume and type of data.

Furthermore, we need to be prepared for real-world scenarios. Knowing how our organization uses a vendor’s products and services, what the connection points are, and what happens if they are compromised is vital. We need to have playbooks in place to act quickly if an incident occurs.

5 Actionable Tips to Mature Vendor Management Practices

Here are 5 actionable tips to mature your vendor management practices:

1. Shift from Compliance to Risk Management: Many companies still focus on compliance rather than risk. This shift requires understanding the broader risk landscape, not just compliance with specific standards and static questionnaires. It’s essential to evaluate the actual risk, including the prevalence of exploitability and potential impact, rather than merely checking boxes.

2. Treat Vendor Management as a Continual Process: Vendor management is not a one-and-done task. It must be ongoing and involve continuous monitoring, from the initial relationship through renewals, to offboarding. This continuity ensures that any changes in the relationship or vendor’s security posture are promptly addressed.

3. Prioritize Vendors Based on Criticality: Not all vendors are equally critical. Understand which vendors are more important to your business by assessing their access to critical data and functions. Focus on those that process a significant portion of your sensitive data or are crucial to your operations. Also, automate risk assessments to streamline interactions with third parties, making them more sustainable and efficient.

4. Extend Data Governance to Third Parties: Your data governance should include third parties. This involves understanding what data they need, their level of access, and ensuring that they comply with your deletion and archival cycles. Regular data audits can ensure that the vendor relationship aligns with your data governance policies. Business owners and stakeholders must ensure accountability; they are often the touchpoints for key or critical relationships.

5. Develop a Comprehensive Response Plan: A well-prepared response plan that includes third-party vendors can make all the difference when something goes awry. Knowing exactly how and where vendors connect allows for immediate and effective mitigation steps. Focus on risks tied to applications and key business processes. This planning should overlap with your business continuity and disaster recovery planning and management.

Maturing vendor management requires a comprehensive approach that shifts the focus from mere compliance to true risk management. By adopting an ongoing, risk-based perspective, and prioritizing critical vendors, businesses can create a more robust and resilient vendor management strategy. The integration of automation, clear communication, and a solid response plan further fortifies this approach, ensuring that vendor relationships enhance rather than hinder the organizational objectives.

Concluding Thoughts

Navigating the intricate web of third-party data risks and maturing vendor management in the hospitality, travel, and entertainment sectors is no small feat. It requires a strategic, layered, and risk-focused approach. In this second installment of our Q&A with Stan Kreydin, we’ve unpacked critical insights and actionable tips to fortify your defenses and manage third-party relationships.

But the journey doesn’t end here. Join us for Part 3, where we shift our focus to future-proofing against evolving cybersecurity challenges, so that you can anticipate, adapt, and outpace emerging threats.

For a deeper dive, watch the full webinar here.