Corporate data breaches and security awareness training

Mathieu Gorge of VigiTrust talks about the Marriott Hotel data breach that happened back in June, including the facts of the event and why once-per-year security awareness training isn’t enough when many employees only work seven months of the year. He also offers some privacy tips that will keep your hotel system privacy compliant under a whole host of different compliance frameworks.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 – Security awareness and data breaches
  • 2:50 – Elephant in the boardroom book
  • 5:42 – Gorge’s latest projects and book
  • 9:38 – Hacking of the Marriott Hotel
  • 19:22 – Marriott’s privacy and data collection policies
  • 23:20 – Ensuring data privacy worldwide
  • 30:13 – How hotel franchises handle security
  • 34:32 – Skills needed for securing the hotel industry
  • 38:12 – What is DigiTrust?
  • 41:20 – Outro

  • Transcript
    • [00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well try this. Go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It’s got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. We took notes from employees and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it, infosecinstitute.com/free. Now, on with the show.

      Today on Cyber Work, I’m joined by returning guest, Mathieu Gorge of VigiTrust trust to talk about the Marriott Hotel data breach that happened back in June. Mathieu and I talk about the facts of the event, why once per year security awareness training just isn’t enough when many employees only work seven months of the year, and Mathieu offers some privacy tips that will keep your hotel system privacy-compliant under a whole host of different compliance frameworks. Why not treat yourself? Grab that $15 serving of cheese and crackers from the room’s mini fridge with the SVU marathon on mute and listen in today on Cyber Work.

      Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

      Mathieu Gorge is the CEO and Founder of VigiTrust, providing Integrated Risk Management SaaS Solutions to clients in 120 countries across the hospitality sector and various industries. Mathieu helps CEOs, CXOs, and boards of directors help handle cybersecurity, cyber accountability challenges through good cyber hygiene and proactive cybersecurity compliance programs. He is a featured Forbes book author, innovator, and an in-demand speaker. Mathieu is a multi-award winning CEO and an established authority in IT security, information governance and risk management, with more than 20 years of international experience. In 2021, the French government awarded him the rank of Knight of the National Order of Merit for his work in the French-Irish Bilateral Trade and in cybersecurity.

      Mathieu, thank you for joining me today, and welcome back to Cyber Work.

      [00:02:44] MG: Thank you very much. Thanks for having me back.

      [00:02:47] CS: So, yeah, the last time you were on the show was in 2020, and you were discussing your book, The Elephant in the Boardroom and your Five Pillars of Cybersecurity Framework. So first of all, how has the reception to The Elephant in the Boardroom been so far in your framework?

      [00:03:01] MG: It’s been amazing, and I was sharing with a friend the other day that the best compliment I can get is when I meet somebody new, and I explain about the book, and somebody says to me, “Oh, yeah. I bought that book, and I read it. That’s the Five Pillars of Security.” So that’s a very nice thing. The book is still selling very well. It’s opening a lot of doors because it’s an noncommercial book. It’s really about educating people, sharing experience. I think that’s very well received in the security industry, generally speaking.

      [00:03:43] CS: Yeah. Now, by having it out in the world like that, have you been getting feedback or input from people that’s made you think about like revising any of it? Have you learned things since then? Or do you think that everything is still pretty – Like it sort of reinforces what you already knew about the five pillars?

      [00:04:02] MG: So I mean, I keep learning that cybersecurity is a great industry for that because you keep learning, and there’s always something new. There’s always a new type of attack, another company that’s been hacked and so on. But the fundamentals of the five pillars, I think, are nearly timeless. I think that in 20 years’ time, it will be just as valid as today. The questions might change within the questionnaires, and they might become a bit more granular to adapt to new technology, new attacks, new regulations.

      But the reality is that as a basis, it’s a very strong, mature, solid framework. So I don’t think it’s – A lot of people are suggesting a sixth pillar or a seventh pillar. Essentially, what they’re trying to say is maybe you should have something specifically for application security or critical infrastructure protection. I can see the cons. My view Is that five is a nice number that people can remember, and the concepts of physical security, people, data, infrastructure, and crisis management, it’s super easy to remember. So I don’t really want to extend it to more pillars just yet.

      [00:05:19] CS: I figured it’d be easy enough to sort of flat those into the existing pillars, sort of as like subsets or whatever.

      [00:05:24] MG: Yeah. Generally speaking, you can always add something, right? Because let’s say if you take application security, it’s in between data security and infrastructure security. So you can put controls in both of them.

      [00:05:41] CS: Yeah. Now, what’s been happening with you since then? Have you had any projects or achievements that you’re excited to talk about? I mean, you’re knighted, so that’s one thing. But what are some things you’ve been working on lately?

      [00:05:53] MG: So I’m actually working on my second book, which is going to be around the life of CISOs, and there are excellent books out there already on what CISOs need to do, how they need to work, and so on. My angle is slightly different. I’ve gone out and started interviewing 100 CISOs, risk managers, and head of compliance worldwide in various industries. Of course, I talk about the demographics in which industry are they from, what type of company, how did they become a CISO, what kind of certifications do they have.

      But the questions get kind of personal, and that’s do you feel under threat? Do you feel like you need special legal advice? Do you feel like you need special insurance? Are you worried when you go to work? Are you feeling the love of the rest of the company? Are you alone in the industry? I always say that a CISO’s job is very lonely. If you do your job correctly, nobody knows your name. If something goes wrong, you’re public enemy number one very quickly.

      The idea of the book is to talk to enough people that I can see trends. I can already see trends. I’m kind of halfway big into the 100 interviews, and I’ve a couple of very well-known folks in the cybersecurity industry to provide where – Their two cent as to what they think the trends mean. So I expect that that work will be done by the end of the year. So that’s an exciting project for me.

      [00:07:32] CS: That is exciting. Yeah. No, I’m looking forward to checking that out. So you said you’re going to be working out through the end of the year, probably.

      [00:07:38] MG: Yeah. That’s it. I had intended maybe to have everything ready by October for awareness month. But I’m getting so much data. I’d rather wait a little bit.

      [00:07:50] CS: No need to cut it off arbitrarily.

      [00:07:52] MG: I’m not sure I can digest it and come to conclusions or even come to a conclusion that some of the data is interesting, but I still don’t know what it means because there’s new ideas and so on. In fact, somebody was telling me at a conference recently that they felt that CISOs had never been as well positioned within the organization as we are today. I was like, “Well, that’s interesting because out of the people that I’ve been talking to for the book, you’re the first one to give me that opinion.”

      I do appreciate that boards are more receptive to the work of CISOs and head of compliance and so on. But I don’t think I would have gone as far as saying they’re the best position they’ve ever been.

      [00:08:50] CS: Yeah, interesting. Yeah. Well, I like that you’re gathering information that’s sort of speaking back and forth to each other and that you’re not just going to say, “Well, this person said they’re doing great. So I’m just going to –” That’s something that we always work on over here is making sure that we can sort of square the balance between what people are saying on the show and what people are saying in the comments. People on the show say, “Oh, there’s never been a better time to be a cybersecurity person.” People are knocking on your door to give you a job, and people in the comments are saying, “I’ve been looking for a job for two years. Why isn’t this working?”

      There’s a lot of things that need to be squared, obviously, and I’m glad you’re doing the work at the top level like that. So, yeah, there’s enough news happening these days that it’s possible some of our listeners haven’t heard about this story, and I had to kind of look it up as well. But just to recap briefly, back in June of 2022, the Marriott Hotel chain announced that by a social engineering attack, a hacking group claimed that they tricked a Marriott employee into giving them access to their computer, potentially compromising private data, including credit card numbers and PII, personal identifiable information. Marriott, at the time, claimed that the hackers did not get access to the core account and tried an extortion attempt, which Marriott chose not to enter into. So are there any more details into this event that you’re privy to that can give more context to what happened, or is that pretty much the whole of it?

      [00:10:12] MG: That’s what’s in the public domain. There’s a few rumors out there as to how it happened. But the first thing to mention is that Marriott was hacked a few times. They’re not the only hotel chain to be hacked. In fact, the hotel industry is one of the most hacked in the world because of the type of data that they get. Because if you think about it, they have your driver’s license, your passport, your loyalty information, your home address, your preferences. They have your credit card holder data and so on and so on. Sometimes, we even had like your flight data, the data to arrive, where you’re coming from. So you can see that data is it’s just like a great playground for hackers, right? So they are under attack.

      What I understand from that breach is that it affected minimum number of accounts, so it’s not a massive breach. I think the reason why it’s getting some traction is because there was a massive breach at Marriott before, and that affected, if I have my information right, about five million people.

      [00:11:35] CS: That went undetected for a long time too, didn’t it? They were in there.

      [00:11:39] MG: Yeah, it did. But, again, to be fair, if you look at the Verizon data breach investigations report, they say that it takes about three-quarters of a year, so about nine months, to discover that you’ve been hacked. So if you’re really, really good at it, a more realistic average would be a year, year and a half. By the time you realize you’ve been hacked, the hackers have disappeared, and tracing them back is really hard.

      In case of ransomware, of course, it’s different because they contact you, and they say, “We have the data.” I also think that what that very breach is actually showing is that if you work in a very distributed environment, where you have a high HQ, you’ve got regional hubs or whatever, and you end up having franchisees and maybe small subsidiaries here and there throughout the US or throughout the world, the very fact that a small establishment within the organization, in this case, it was the Marriott group, a small property actually gets hacked, but it’s connected to all of the others. The overall group reputation is at risk, right? You can’t just say, “We are going to protect the HQ and the hubs.” You have to protect everyone or no one because it serves no purpose just to protect part of it.

      I think one of the issues, especially in the hotel industry, is that it’s a very dynamic industry. So you see a hotel belonging to Marriott one day that might be sold to Hilton, that might be sold to Accor, that might be sold to somebody else, and all of the systems are slightly different. They all revolve around a property management system, which is the core system of the hospitality industry. But even though there are only a few market leaders there, then you’ve got completely different payment terminals, different ways of taking credit card payments, different ways of taking IDs and so on. When you move from one brand to the other, that’s where you add the most risk because compliance falls down, right? The idea is to integrate the new property into the group, and then compliance follows.

      The other area that’s interesting is that you could be a master franchisor for various brands of hotels. So again, you might decide that you want to have a luxury property near an airport and then a mid-level property and then a budget property. But you end up buying a luxury hotel from brand A, a mid-market hotel from brand B, and a budget one from brand C. But you are managing all of them as a franchisor. If any of them gets in trouble in data protection or privacy, it’s the overall name that actually gets out there. It’s not you as [inaudible 00:14:50] franchisor of three hotels.

      [00:14:52] CS: Right, right. Yeah. I think, yeah, there’s two levels to that. There’s the reputational damage of if you’re the franchisee. Then the sort of overall corporate name is the one that has the problem. Then conversely to that, I’m imagining and I want to get more into that, the question of if a local branch is breached effectively enough, whether or not there’s a pathway to go from the franchisee network into sort of like the larger corporation network framework, and there’s a question of segmentation and such things.

      [00:15:32] MG: Yeah. I think it – I’ll give you an attorney’s answer. It depends on the brand, and it depends even on the regions because even the same brands, they may be completely interconnected in Asia, but in Europe and have segmented in the US. I think that’s why it’s very important to know your ecosystem, and the ecosystem is more than a network diagram because the network diagram doesn’t talk to the key financial decision makers or the compliance decision makers. What you need is an ecosystem diagram that actually shows the different silos, the different roles, the different business roles. Then you can decide to map out the flow of data between all of those different silos. That’s not always done.

      Then to go back on the breach itself, I think the idea that this came through social engineering is a little bit annoying for a lot of people because social engineering, it can be a direct attack, where I’m going to call you and try and bluff my way into you giving me your credentials. But it could just be a simple phishing attack, and the problem with those is that they’re not new. It’s just a question of training people and training them on a regular basis.

      If you look at PCI, the Payment Card Industry Data Security Standard, it says that you need to be in compliance at all times and that you need to train your employees on credit card data security upon hire and once a year. But like that’s not enough. You need to do a lot more. I think one of the issues is that while straining is the low-hanging fruit, and it’s super cost-effective to do e-learning training videos, awareness campaigns, quizzes, phone games, it’s not always done.

      [00:17:32] CS: No, right.

      [00:17:34] MG: I think –

      [00:17:35] CS: You can make your security system as big as you want. But then there’s the backdoor that makes it easy to just walk through, is if someone, “Oh.” I think there’s probably going to be something to that with the hotel industry, perhaps Italian industry as well, is that it’s a very overworked industry. People are working all hours of the day and night. There’s a lot of fatigue amongst employees. I’m sure if you’re dealing with 10 calls at the same time, and you’re putting everyone on hold, and one person says, “Hey, I need to get on that computer for a minute,” it’s really easy to say, like not thinking, “Oh, yeah. Sure, sure. Whatever. I need to get to the next thing.”

      [00:18:13] MG: Yeah. I think the reality is if you look at the risk surface of the hotel industry during COVID, so a lot of hotels closed doors. They were actually technically still open because you can’t really leave a building unattended, and you have to keep it going per se. So a lot of the staff are seasonal staff, right? So when you say, “I’m going to train you upon hire and once annually,” and you look at the average that it’s about seven or eight months for seasonal people in the hotel industry, we only get trained once, right? That’s not enough. That clearly is not enough.

      Right now, the problem within the hotel industry is because everybody wants to go back on holidays or vacation, and they want to move around, we want to travel. But the challenge is they can’t get the staffs. So once we get the staff, the priorities to get them operationally going, compliance, unfortunately, is not top of mind.

      [00:19:21] CS: Yeah. Now, is there anything we can talk about regarding Marriott’s policy of data collection? I mean, there’s a number of national, international data privacy frameworks that have been put into place. We’ve had them on our show, various privacy experts. Unifying factor for most or maybe all of them is to collect data only for what you need to make it only accessible when it’s being used to allow the right of removal to users and safe removal to the company.

      Do you think there’s anything about Marriott’s data collection policy now that had anything detrimental to this, and do you think that it could be doing better in that regard?

      [00:19:59] MG: I’m not familiar myself with the details of the policy, other than I’ve stayed at Marriott. I have an account with them and so on. So I did read the policy that way. I think that’s one of the issues not just with Marriott but with the hotel industry, generally speaking, is they ask you for data for one purpose, and that’s to manage your stay. We use it for multiple secondary or tertiary reasons.

      First of all, that is not acceptable under GDPR. You have to tell me. If you want to use my data for a secondary purpose, you have to tell me. If you want to share the data with your partners, you have to tell me. I do think that the more data the aggregates, the more risks you have because the exposure is within your systems, within the third-party systems and so on.

      I wouldn’t claim to know the infrastructure at Marriott’s, but my guess is that, like any other hotel chain we’d work with, they would have their PMS, their property management system, they would have their payment systems, they would have their loyalty system, they would have a back office system, and then they have all of the IT systems and all the operational systems within a hotel. So you [inaudible 00:21:30] doors, electronic opening of doors, the car park, the unattended machines, all of that good stuff.

      When you have a privacy policy, generally speaking, you need to disclose what you’re going to use the data for. I think it’s not just the hotel industry. I think a lot of very large distributed systems are guilty of not revising their privacy policy to explain to the end user that actually that data is going to be shared, and it’s going to be used for multiple purposes. They have to do that, but they’re not always doing that.

      [00:22:14] CS: So when we talk about sharing secondary and tertiary purposes, we’re talking about things like I have your birthday, and therefore we’re going to send you an announcement saying, “Happy birthday. Here’s a discount.” Or, “We see you traveled here. We can give you –” is it sort of marketing-related things like that and loyalty things?

      [00:22:33] MG: I think marketing and loyalty, certainly under GDPR, if are asked if you are happy to sign up to newsletters with promotions, you would have a legitimate interest in saying, “Hey, it’s your birthday. You’re a good client. We’d like to send you a coupon or something.” That wouldn’t be a problem. The problem would arise where you would say, “We’ve just signed a partnership with this spa company, and they were investing in new spas in all of our properties, and we’ve shared your health data with them.” Well, no, you can’t do that. You have to ask me first because I might say yes, but I might also say no.

      [00:23:18] CS: Yeah, absolutely. So as an international company, which obviously most major hotel chains are international, what are the challenges of ensuring data privacy based on the variety of these regulations worldwide, especially since guests can be coming from anywhere? So if you’re from Europe, and you’re staying in the US, you still have the GDPR sort of rights on your background. So US hotels have to still comply with GDPR if they have European guests, I assume, right? So is there an aggregate of all these regulations that can be put together that sort of keep hotels and the hospitality industry on the right side of all these laws?

      [00:23:56] MG: It’s a great question. I always tend to say that GDPR is the best framework to start from because it’s very comprehensive, and it forces you to do a privacy impact assessment, which basically means I look at my data flow, I look at the data for a specific purpose, and I ascertain whether I’ve dealt with the risks the right way. Do I have the right technical solutions, the right training, the right policies and procedures? There’s also the idea of a data subject request.

      The other starting point is consent. So do I provide people with the right choice? With GDPR, you don’t have any consent to use my data, unless you tell me what you’re going to do it for, what is the purpose. CCPA, on the other hand, is slightly the opposite. It’s kind of saying, “Unless I tell you not to use the data, the minute I share my data, you can kind of use it.” You’ve got over frameworks worldwide that are kind of in between.

      My hunch is that if you use the guidance for GDPR, you’re probably covering most of the bases. Then in terms of technical security, use PCI because PCI is super prescriptive, at least the current version, 3.2.1. The new version, 4.0, that just came out, that were in the transition period, allows you for more flexibility. But it’s still reasonably prescriptive. So you take the text, and you replace credit cardholder data with any type of sensitive data, and it will give you a very nice framework to follow, and you can cover the bases.

      At risk of sounding buyers, I would say that a simple framework like the Five Pillars of Security, can be overarching, even above GDPR. It’s interesting you mentioned US hotels because US hotels need to comply with GDPR, CCPA. The equivalent of CCPA in Virginia, in other states that are coming, they probably need to comply with parts of HIPAA and so on, if they take protected health information.

      We also have some banking requirements. Some of them are listed on the NASDAQ and so on, so on the stock exchange. They actually need to comply with SEC and other regulations. So they have all of those various frameworks. Some of them conflict with each other, and I think that the best way to do this is let’s have a look at our risk surface within the ecosystem. Start with the five pillars, physical security, people, data, infrastructure, and prices management. Let’s work from there because that’s going to call the 80 to 90 percent of all the other regulations.

      [00:27:03] CS: Yeah. No, I was going to say it. I mean, all the different things you’re saying here says to me that to make this work for everybody requires sort of scrapping the sort of piecemeal, sort of policies that we have right now, and sort of starting clean. It seems like a lot of these policies were put in a backwards way of like, well, what can we get out of this data. We can sell it to here. We can do this. We can do this. Then as soon as people start saying, “We’d rather you not do that,” then they say, “Well, okay. Well, we’ll turn the spigot off here. We’ll turn it off here, whatever.” I mean, the way I’m hearing it from you is like just push all that off the table, and then start out. What are the security ramifications? Then as you get to different things like birthdays or health information or whatever, like what can we realistically do within that that’s not going to be over intrusive?

      [00:27:56] MG: Well, absolutely. One other thing you want to avoid is to make security and compliance departments, the departments of ‘no’. They’re not here to say no all the time. They’re not saying no because they want to protect the good name of the business, and therefore everybody’s employment. But the reality is we can’t do that if we don’t have buy in from the board of directors. I think that the board of directors need, they need to be educated. I might have mentioned that the last time we spoke.

      But like I often talk about the five stages of cyber grief for the board, where the first stage is denial, “Not our problem. We’re here to make profits. We’re here to create employment pay tax, whatever. Leave us alone.” Then anger, “We’ve given you money to hire a CISO. We’ve hired a head of compliance. We’ve giving you money for training, firewalls, antivirus, whatever. Go talk to those guys.” Then comes to bargaining, “Well, okay. Other chains of hotels have been hacked, so maybe we need to look into it.” Then comes to depression, “Oh, we’ve been hacked. What do we do?”

      Eventually comes the acceptance, and the acceptance is it’s actually not rocket science. You’re probably doing 60 to 70 percent of what you’re supposed to do. Let’s do it in a proper way that can demonstrate accountability because I think accountability is what end users want to see, right? So as a client of a hotel, whether it’s Marriott, Accor, Hilton, whatever, I want accountability. If something happens to my data, I can understand that there’s hackers over there. What I can’t understand is that you didn’t actually follow the rules, and you left my data unattended. That I can’t accept. That’s not great. Next time, I’ll go to another chain of hotels.

      I also can’t accept that my credit history is going to be impacted by your lack of accountability, and therefore that’s the message that the board needs to understand because it’s actually a commercial message. It’s not just an IT message.

      [00:30:07] CS: Yeah. Now, I want to talk next sort of – I want to get back a little bit to the sort of top down corporation versus franchise security models and privacy models and so forth. I mean, first of all, is there a sense that like in these sort of privacy frameworks that are happening right now that are, as you said, being implemented 60 or 70 percent of the way, are there kind of like rogue franchises that are either disregarding that or doing it differently? Or does something like a security privacy and risk policy come from the top down, and all of the franchises have to –

      Because I keep thinking about the fact that you said like one franchise could be bought by three different people or three different companies over time. Then maybe they’re still using the old security policy for Marriott after they become a Hilton, and that there’s sort of gaps on there and so forth.

      [00:31:00] MG: So there’s two schools of thought here. The first one would be to say, “Hey, is they’re Hilton, and they’re still following the Marriott one, well, at least they’re following a policy, so it’s not so bad.” On the other hand, you might say, “No, no. The systems are different. So the policy needs to be different.” That’s probably the more advanced way of thinking.

      I think that generally speaking, you get like a group policy. Then you might get a regional policy that’s a little bit more granular. Then after that, it’s up to the franchisees or the subsidiaries to implement all of that. The key challenge is you never see a hotel owner waking up in the morning saying, “Today, I’m going to do my PCI compliance. I’m going to read the policy.”

      [00:31:48] CS: That was going to be my next question, is can we count on that to actually happen. Yeah.

      [00:31:55] MG: So in order to make it easier for them to digest, I think any good program for security and compliance needs to include education, and education needs to be done in plain business English. So instead of calling it introduction to PCI or introduction to compliance, call it introduction to credit card security or how to protect data within the hotel. It’s something super simple and says, “Hey, this is how we collect the data. This is the type of data we’re collecting. This is why we need to protect it. This is what happens when we don’t. This is how we protect it. Here’s a link to the policy. Go read it. Click that you’ve understood.” Of course, there’s no guarantee that they understand. But at least there’s accountability and there’s responsibility here. Then you can push the message.

      It’s also important to have policies that that are meaningful and that people can understand. So there’s no point in throwing legal or industry jargon at a hotel owner whose experience is in providing excellent hospitality to their clients. What you need to do is you need to just explain to them that it’s part of the way they do business. Essentially, in a hotel or in a resort, you carry your identity, and you carry your money and access to your money and maybe your history within that hotel chain with you on your card, everywhere you go. You can use your card to get in and out of the room to pay, to book something, either directly with the property or with their partners.

      That’s the message we need to explain to those owners who are probably not fully aware of the data exchange. What they want to do is provide a good experience and make money, and we understand that.

      [00:33:54] CS: Yeah. I mean, it needs to be understood that it’s as important as like making sure there’s not mold in the room or that the sheets are sufficiently clean. This is also part of like the everyday upkeep of a hotel.

      [00:34:10] MG: Security and compliance should be one of the most important KPIs, key performance indicator, for a hotel manager. Access to the building, clients safety, food safety, health, and then everything that has to do with security and compliance.

      [00:34:32] CS: Yeah. Now, so I’m moving over to the work side of Cyber Work. For our listeners who are in or just joining the world of cybersecurity, I feel like there’s a few different career paths they could focus on if they wanted to contribute to the security of the hotel industry. One would be in security awareness. Like you said, learning to teach employees how to watch out for social engineering attacks, how to report them if they happen and so forth. The other would be to become acquainted with the creation or maintenance of security systems, whether perimeter, data storage, physical backup recovery.

      So what are some specific skills and talents you would need to demonstrate to employers in the hospitality industry to show that you’re one of the people that can help keep their data and network safe?

      [00:35:12] MG: Well, I really do think that you need to be able to demonstrate you understand their ecosystem. So you understand that it’s more than just a credit card booking for a night of five nights or whatever. It’s a very complex ecosystem that is made of systems that are owned by the brand, managed by the brand. Maybe owned by the brand, managed by a third party. Maybe not owned by the brand but recommended. We’ve guidelines as to how to implement that. So all of those systems are totally – It’s totally oblivious to the guest. But it should really be oblivious to the guest. The guest wants a simple experience.

      As a cybersecurity person or a compliance person, when you want to add value in the hotel industry, you need to be able to understand all of the different pieces of data, the PHI, the PII, the credit cardholder data, the loyalty data, the historical data. You need to be able to demonstrate that you can add value to the management of that data from a compliance perspective. So you don’t necessarily need to be a GDPR expert, a PCI expert, a property management system expert. But you need to know all those three things. You need to know all of it, right?

      There are some very good groups where you can get some information. There’s the retail and hospitality ISAC. There’s the retail and hospitality working group. There’s a number of working groups for the restaurant industry, and all of which have a compliance and security arm to them. So my advice would be if you really want to be in compliance in that industry, go and mingle with those guys. Go and attend those events.

      Now, as you know, we run an advisory board, which is a nonprofit commercial – Sorry, noncommercial platform, and we do events specifically around security and compliance for the hospitality industry. Those events are free, and they are aimed at serious compliance people. We do get like folks from competing chains to come in on a panel and explain their common challenges and so on.

      One thing that I do find extremely useful in that industry is that it’s not unusual to go to CISO working groups, where you’d have somebody from one hand and their direct competitor at the same table. It’s much harder to do that in other industries, like in construction or even in banking.

      [00:37:52] CS: Yeah, yeah. No, you have to understand that you’re all in this. If one falls, so falls the other.

      [00:38:00] MG: Well, absolutely. Because at the end of the day, even though the systems are slightly different, the infrastructure is reasonably similar from one chain to another.

      [00:38:11] CS: Yeah, absolutely. So as we wrap up today, Mathieu, could you tell me more about VigiTrust and some of the projects that you and your company are most excited to be working on or releasing in the second half of 2022?

      [00:38:23] MG: Yeah. So we have a tool called VigiOne, which is a software as a service governance risk compliance tool that allows you to prepare for validate and manage continuous compliance for about 100 security standards and frameworks worldwide. So obviously, the Five Pillars of Security, PCI, very big, GDPR, CCPA, and so on. We do a lot of work with the hospitality industry.

      In fact, I’m speaking at the PCI Community Meeting in Milan in October with Marie-Christine Viteet, who’s the Head of Compliance from Accor Hotel Groups. We’re going to talk about those challenges. We’re continuing to increase the size of our advisory board, 800 members from 32 countries now. We’ve just appointed a global leadership team of 25 people to manage the 10 chapters that we have.

      VigiTrust trust is still growing specifically in the US right now, and we plan on doing a lot of work around Cyber Awareness Month. We have five major events going on. Some are face-to-face in New York and Dublin. Others are remote. I think that between now and the end of the year, we’re going to continue doing a lot of good work around critical infrastructure protection, around managing geopolitical risks, particularly on the back of Russia invading Ukraine and the tensions in Taiwan and so on. We see how interconnected all those things are, and we also want the board to understand that managing geopolitical risk is an investment into the future.

      Then from a product perspective, we are releasing a brand new UI, a brand new dashboard, and a few new modules at the PCI Community Meetings. Not just for PCI, but tools that allow you to manage all of your stakeholders within cybersecurity. Get a visual of who’s responsible for what. You don’t need to go into the actual user management. You can see that it’s me managing something that you will approve, and somebody else will have final approval. So we’re very excited about that because it allows us to give our partners and our end users a much easier way of seeing what we’re doing in compliance.

      It’s really about empowerment. That’s really the key for us in the next six months is to provide more empowerment to our clients and partners or use the tool so that they can really own the programs and really grow into a self-service, where we always hear in the background, but they can actually manage their compliance program on their own.

      [00:41:20] CS: All right. That’s fantastic. Thank you for the context there. So finally, if our guests want to learn more about VigiTrust or you, Mathieu Gorge, or your books, The Elephant in the Boardroom, where can they go online?

      [00:41:35] MG: I mean, they can find me on LinkedIn, Mathieu Gorge. They can go to vigitrust.com. I also have my own website, mathieugorge.com, which is about the book and speaking engagements and so on. Then finally, if they want to add value to the community, and they really want to mingle with their peers, I’d highly recommend contacting us to talk about the VigiTrust Global Advisory Board. Again, all the info is on our websites.

      [00:42:01] CS: Awesome. Mathieu, thank you, again, for coming back to the show and talking to us today. It was so much fun.

      [00:42:06] MG: Thank you very much. A lot of fun and thanks, again, for the opportunity. I really appreciate it.

      [00:42:10] CS: My pleasure. As always, I’d like to thank you all for listening to and watching the Cyber Work Podcast. On an unprecedented scale in the past three months, all of you have helped to more than double Cyber Work’s viewership on YouTube. For that, I am thankful and humbled. If you’re subscribing, thank you. If you’re watching when it goes live on Mondays at 1:00 PM Central, thank you again. If you’re telling friends and colleagues, thank you and thank you and thank you. We’re delighted to have you all along for the ride.

      Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? Well, try this. Go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It’s got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. One more time, just go to infosecinstitute.com/free. Click the link in the description, and you can get your free training plans, plus many more resources for Cyber Work listeners. Do it. It’s infosecinstitute.com/free.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.