Enterprise AI Team

Using AI to Reimagine Cybersecurity in Hospitality

January 22, 2026
Share this blog post

Jason Stead doesn’t frame AI as a futuristic buzzword or marketing slogan. For the CISO of Choice Hotels, a global hospitality network spanning thousands of hotels around the world, artificial intelligence is already reshaping how his security operations team defends guest data, cloud platforms, and the hospitality business itself. 

In his eyes, AI isn’t just a defensive tool; it’s a force multiplier, enabling smaller teams to scale in the face of increasing threat complexity, while preserving the warm and welcoming nature that defines hospitality.

He described the hospitality industry’s challenges in terms more commonly associated with data analytics and behavioral security. It’s a signal of how AI is fusing disciplines: transforming identity-based fraud, social engineering, misconfigurations, and cloud-native risk into quantifiable, addressable events, all while allowing security teams to focus on higher-order work.

Why Legacy Cybersecurity Models Don’t Fit Hospitality

Traditional security playbooks, built on email gateways, manual configuration reviews, checklists, and reactive measures, struggle to keep pace in a world where hotels are both consumers and providers of cloud services, and where every franchisee may bring new vendors, tools, and risks.

Stead explained that Choice is “just months away from being fully cloud,” migrating off their legacy data centers and consolidating services with partners like AWS. But this shift means the company is now both relying on external cloud providers and acting as a cloud/SaaS provider to thousands of franchisees. That dual role amplifies risk: “We have both the challenges of relying on cloud providers, but we are a cloud provider, a SaaS provider ourselves.”

“As we try to deliver more and more solutions to our hotels,” Stead said, “there are more and more capabilities that bad guys are definitely trying to exploit.” He outlined misconfiguration as one of the biggest threats: cloud providers “give us the guide. But then do your infrastructure, do your developers, your platform teams follow those best practices?” The answer, often, is no. And when a configuration strays, traditional manual reviews can’t keep up. He quipped that sometimes they feel “like we’ve got to have one security person for every software developer,” a model that’s clearly not scalable.

Hospitality’s inherently decentralized structure, with individually owned hotels, independent third-party vendors, and public Internet-facing systems, means every new integration, new vendor, or new tool can introduce risk. That’s a problem that cannot be solved with checklists and manual oversight alone.

AI as the Foundation of Modern Defensive Strategy

To meet this scale and complexity, Stead argues that AI must be built into every tool the company uses. “You want to incorporate AI into all your tooling going forward,” he said. In his mind, soon “if a tool doesn't have AI at some level … it's just not going to hold a place in the market before too long.”

That’s not because AI mesmerizes him with novelty, but because of its power to address real, growing challenges. For example, social engineering and loyalty-account compromises are already major concerns for hospitality. “There is not enough emphasis on these loyalty account compromises,” Stead warned. 

He added that malicious actors are already “outsourcing to people and brute force some of these things” to mimic legitimate users. But the real danger lies ahead: “Wait until you're able to scale that human behavior exponentially through AI. That is a problem … the tools are going to have to adjust quickly.”

At the same time, AI offers defensive promise. Stead believes AI can help sift through enormous data volumes, from user behavior logs to identity access patterns, and surface anomalies far faster than traditional rules-based systems. He notes how the legacy dream of dumping everything into a SIEM failed in practice, but he sees AI, including large language models, as capable of delivering the real-time analysis and correlation that SIEMs promised but rarely delivered.

“This idea that AI is going to identify everything … that's maybe five years from now,” he cautioned. “But AI is going to help us get closer to there.” Far from replacing people, AI is about uplifting them: “Your SOC analyst one is now a SOC analyst two all of a sudden … it creates a huge uplift for them, and it allows them to focus on the things that are really interesting.”

Confronting AI-Enabled Threats

Stead doesn’t mince words about why attackers will embrace AI, and why defenders must adjust accordingly. He pointed out how the hospitality industry’s core value, being “warm, welcoming, and inviting,” makes it inherently vulnerable to social engineering. “If you call a hotel … they might do something for you.” The distributed nature of many hotels, often small, independently owned, with limited cybersecurity sophistication, only compounds the risk.

When AI is layered on top, the threat multiplies: “Bad guys will be able to use generative techniques to spoof someone on FaceTime or a video call, show a proof-of-life … That’s not going to work in the future.” He foresees attackers using real-time translation tools, deepfakes, and AI-written social engineering scripts, potentially even AI-generated malware, to probe and compromise hospitality systems.

In that world, conventional controls like static authentication, manual review, and simple heuristics will no longer suffice. Instead, detection and response must evolve at machine speed. As Stead puts it: “It’s just a matter of time before somebody creates an LLM tool to write malware,” possibly from nation-states with large resources.

Consequently, defense must evolve to match: AI must be used to fight AI. AI-assisted email detection, automated behavior-anomaly detection, and real-time identity analysis become not optional, but foundational.

Rewriting the Security Team’s Role

With threats evolving, Stead sees the role of security professionals shifting, but not shrinking. In fact, he argues those who reject AI risk being left behind: “Those people who fail to learn how to use AI … those are the people that need to be worried about their job.”

To avoid that, Choice Hotels is investing in upskilling. Stead described plans for hackathons with AI providers, internal “make-a-thon” and training sessions, to get security team members comfortable writing or configuring AI-enabled tools, collaborating with data scientists, or building capabilities that directly support business growth.

He’s clear: cybersecurity teams at Choice don’t want to be the “no police” holding the business back. Instead, he sees them as potential leaders and enablers: leveraging data, automation, and AI to help the company scale safely while embracing innovation. “Cybersecurity teams are just big data analysts at the end of the day,” he said.

That shift threatens nothing so much as inertia. Security pros who treat AI as optional may find themselves bypassed; those who learn to harness AI may find themselves indispensable.

Looking Ahead

For Stead, the path forward is clear: AI is a fundamental necessity. He suggests a future where tools lacking any AI capabilities simply won’t survive in the market. Moreover, he believes AI will empower organizations to operate more efficiently, respond faster, and even reclaim work-life balance: “Maybe we can go to bed at a normal time on a Friday for once.”

He is realistic about limits: AI will not instantly make every system bullet-proof, nor eliminate every attack. “It’s not everything everywhere,” he admitted. But he firmly believes AI will get defenders closer to the dream once promised by SIEMs: real-time, data-driven visibility; intelligent alerts; automated triage; focusing security talent where it matters.

Beyond defense, he sees AI becoming a strategic differentiator for hospitality businesses, enabling smarter fraud detection, tighter third-party risk management, better identity governance, and ultimately a more secure guest experience.

For security leaders stepping into their first CISO role, his advice is simple: treat your job like sales. You have to sell the vision, build relationships, and earn resources, just like any business leader. With AI, that argument is more compelling than ever.

Lessons Learned

Stead’s vision is grounded in hard-earned experience, technical realism, and strategic foresight:

  • The complexity and scale of modern cloud-native hospitality demand automation and intelligent tooling.
  • Threat vectors are evolving fast: AI-powered social engineering, identity misuse, and generative attacks are not hypothetical…they’re already here.
  • Defensive AI is not a magic bullet, but a force multiplier: it augments analysts, reduces toil, and frees talent to focus on bigger problems.
  • Security teams that embrace AI and build internal AI fluency will be better positioned, not just to survive, but to lead.
  • Cybersecurity must shift from a “no” mindset to a partnership mindset, helping the business grow safely and quickly.