On the 10th episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Jason Stead, Chief Information Security Officer at Choice Hotels International. Choice Hotels is a global hospitality company with over 7,400 hotels worldwide and over $1.4 billion in annual revenue. In this conversation, Jason shares his thoughts on AI’s impact in the hospitality industry, the importance of AI skill development in the workforce, and how AI will shape the future of cybersecurity.
Quick hits from Jason:
On evolving threats in the hospitality industry: “There is not enough emphasis on these loyalty account compromises. We see that challenge in hospitality and other spaces today. And so we put in all these automated controls to identify non humans. Yes, there are click farms and you can outsource to people and brute force some of these things and look like a human coming in. But wait until you're able to scale that human behavior exponentially through AI. That is a problem that I think we all know is coming, but the tools are going to have to adjust quickly.”
On AI’s impact for security teams: “It is not going to eliminate people. That is the big fallacy. People are worried that ‘I'm gonna lose my job.’ No, what happens is your SOC analyst one is now a SOC analyst two all of a sudden, and it creates a huge uplift for them, and it allows them to focus on the things that are really interesting. That is the real value in the immediate term for us.”
On AI optimism for enterprises: “I think the power of AI is positive ultimately. There is a lot of doom and gloom about the threat actors using AI. And they are, they're using it today. It is going to evolve. It is going to be much harder. But there are really great entrepreneurs out there that have visions that we haven't even talked to.”
Recent Book Recommendation: Quiet by Susan Cain
Evan Reiser: Hi there and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity.
I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike Britton: And I’m Mike Britton, the CISO of Abnormal Security.
Evan: Today on the show we're bringing you a conversation with Jason Stead, Chief Information Security Officer at Choice Hotels International.
Choice Hotels International is a global hospitality company with more than 7,400 hotels worldwide and over $1.4 billion in annual revenue.
In this conversation, Jason shares his thoughts on AI’s impact in the hospitality industry, the importance of AI skill development in the workforce, and how AI will shape the future of cybersecurity.
Evan: So maybe kick us off, uh, will you share a little bit about your role at Choice Hotels and maybe how you got into it.
Jason Stead: So a little bit about Choice Hotels, we're 7,000-plus hotels across 40 different countries throughout the world. What's maybe a little bit interesting about hospitality versus, say, some of the other industries is we have a really interesting group of threat actors facing us. We've got everybody from the people who are unhappy about their stay. We've got the financially motivated folks. We have state nations that want the data, because if you think about that, people are staying in your hotels, that tells you what they're doing, and sometimes people do nefarious things in hotels, and so that can be used by nation states as well, so we've got a really interesting group. But what I think makes hospitality challenging is that desire that we have in hospitality to be warm, welcoming, and inviting.
If you think about that from the threat actor, that's the perfect target, right? The people who are willing to help you. And so social engineering is just a real tremendous challenge in our industry. It just is probably the number one challenge we face, uh, because if you call a hotel, any hotel, I'm not talking my brands, any hotel, they're often small owners.
They own one hotel. They don't have staff that understand, they don't have the training capabilities we have on the corporate side. And you know, if you ask a hotel to do something for you, chances are they might do something for you. So it presents a lot of unique challenges that we see in the hospitality industry.
Evan: So Jason, I was wondering if you could share a little bit more about how you see the threat landscape evolving, right, especially as Choice kind of evolves, kind of their technology platform. Presumably there's new service areas to protect, new threats to be mindful of. You know, what's, what's top of mind there?
And, you know, any advice you'd share that people about, I mean, what's more important today than, than yesterday?
Jason: Well, everybody's talking cloud. Everybody's been going cloud the last couple years. In fact, we're just months away from being fully cloud. So AWS is a big partner of Choice Hotels. We're pretty public with that information.
We're in the process of shutting down our final data centers. So we have a huge reliance on third parties. But more importantly, our franchisees view us as a cloud provider because we're writing and hosting that software. So we have both the challenges of relying on cloud providers, but we are a cloud provider, a SaaS provider ourselves. And so we get to see both sides of that issue.
From us relying on cloud third parties, it's really that third party risk management. How do I know that my partner is doing the right thing? And that's, that's a continual challenge because we think about third party risk as in the cloud providers, but really it's about third party and fourth party risk.
Because an issue with that third party's provider downstream can then impact us. And so we, we see some occasional issues in that aspect of things. From the actual being a cloud provider ourself to our franchisees, it's been a real challenge addressing all types of those threats. And so our software, in many cases, is accessed over the public internet from the hotels.
And so we, that threat landscape has, has definitely expanded over the years, especially as we try to deliver more and more solutions to our hotels, there are more and more capabilities that bad guys are definitely trying to exploit. And we see everything from the social engineering to the traditional hacking attempts.
You know, kind of trying to break into the apps themselves. But I think one of the biggest challenges that everybody faces is misconfigurations. That really is, for what we're seeing, driving the most of the issues across not just hospitality, but just in any kind of a cloud situation.
Our cloud providers are great, right? They'll give us the guide. But then do your infrastructure, do your developers, your platform teams follow those best practices? It seems like that, um, every time someone turns their back, the configuration strays. And so there's a big, big push from automation because you'd have to be able to inspect what you expect, but you can't do that through people.
We, we like to joke. There's times when we feel like we've got to have one security person for every software developer, but that's obviously not scalable. Software developers want to do the right thing, but maybe they don't have the knowledge or maybe, maybe they miss something. And so that's where we're driving a lot from the cloud perspective of how do we build consistent, measurable and repeatable configurations? And then if something strays, how do we handle that in real time?
Mike: That sounds like a lot of the back end infrastructure stuff, but when you think of the kind of the tip of the spear, your users, whether it's franchisees or the business, are they kind of clamoring and pushing for new technology, the latest and greatest?
They want to drive productivity. They want to drive automation as well. One, are you seeing that? And two, as you see the proliferation of new technology and new solutions come in, how are you kind of having to adjust your security program and where you invest your money and efforts in protecting against those threats?
Jason: You know, it's an interesting point having franchisees, because imagine 7,000 different, whether it's stores, hotels, whatever it is, accessing your data over the Internet. And it's a third party I can't control. They're not my employees. So they're going to constantly bring in new technologies, new vendors that they're going to use that will want to interact with the systems that we provide.
And so we're constantly having to adjust our controls, our behaviors. A lot of time it ends up being an awareness campaign with those folks to help them understand. Hey, I love where your head's at. That's a brilliant idea. How do we work together to do something and pick a provider that meets not just your needs, but the rest of the 7,000 franchisees across the board.
So that's a large part of ours, is that interaction, that back and forth. But you know, they are a third party. They can do whatever they want at certain levels. And, uh, we have to spend a lot of time doing response. We all want to focus on prevention. We all want to focus on detection. But ultimately, we better be darn good at responding because you're going to have to respond.
And we see that a lot in the hospitality space. I mean, it's prevalent right now with what you're seeing in some of these large hospitality players and some very public breaches recently. I think what we're seeing is a challenge where the hospitality industry is struggling. We are having some high profile failures. And I like to think of threat actors like sharks. They, once they smell blood in the water, more sharks come in. And that's really absolutely what we're seeing right now in the industry.
Mike: And so maybe if you look at even the next five years, I mean, we see a lot with generative AI and, and the use cases from a, you know, online reservations or customer service, things like that. Do you think that there's going to be some adjustments you have to make in your security program and probably overinvest in protection in certain ways that you aren't necessarily doing today?
Jason: Yeah, not a conversation goes by today without AI in some form or fashion.
We definitely have to make adjustments. I think we're making adjustments in two fronts. We're making adjustments in the tooling we're using because obviously you want to incorporate AI into all your tooling going forward. I think that if a tool doesn't have AI at some level in the near future, it's just not going to hold a place in the market before too long.
The inverse of that is the threat capabilities. It used to be really easy to identify social engineering because they didn't speak English. Well, those days are over. They're all using ChatGPT or some other mechanism to rewrite their script. Or, you know, as these new tools come out, I saw a great one the other day about a real time AI tool that's able to translate in real time to different languages.
You couple that with the ability to overlay people's images. Because a lot of people like to rely on the controls of, Hey, I, you know, I need to reset my MFA token. Let's get on FaceTime. Let's get on whatever it is. Let's do a real time chat. But it's just a matter of time before those visual controls we're used to just aren't effective anymore. And so that really is a challenge that we're gonna have to figure out going forward. How do you identify AI? Not only how do you identify AI, how do you do it in real time?
Evan: Is there any kind of specific attacks you've heard about, right, that kind of, you know, that you would kind of call out?
It's like, hey, this is emblematic of, you know, where this is going in the future. Like anything you can share there?
Jason: Let's go back to those high profile hospitality and gaming breaches recently, right? Those originated reportedly through social engineering attacks. And we all got noticed, we all read the 8-Ks, we read the public briefings on these things, and so we're all adjusting our user identification controls.
And so here's the problem though. You introduce AI and all those controls start to be less effective. If I can be Mike Britton and pose and call in and show my proof of life statement that shows, Hey, today's date, and it is Mike. Well, that's not going to work in the future because, you know, the bad guys will be able to do that through generative techniques. The other area I think we'll see it in is it's just a matter of time before somebody creates an LLM tool to write malware. It's just a matter of time, right? And I think we'll see that probably coming out of the nation states that have those large resources that are available to do those things.
You know, a lot of these Western companies that are building these models today are doing everything they can to make sure that they have good ethics built into them. They have good controls to prevent the maliciousness, but you see, you see all the different people finding ways to trick ChatGPT into rewriting phishing scripts or doing other things, but that's just because the founders and the builders of those tools put those controls in place.
What's stopping a threat actor, an Eastern threat actor, from building a tool without those controls? It's coming. It's going to happen. And so I think that that's going to be a challenge because the volume of things we face today is going to increase exponentially, coupled with the large maturity capabilities of those, those tools, those malware, et cetera, are going to have in the future.
Evan: Three years from now, what do you think will be like a really common generative AI cyber attack that most people today kind of like, you know, minimize like, ah, it's not kind of, I doubt that would happen. Like, what's your kind of contrarian view on the types of attacks that would be effective and common that maybe other people are underestimating right now?
Jason: Well, I don't know if people are underestimating it, but I think there's not enough emphasis on is, um, kind of these passwords brain or, um, these loyalty account compromises. We see that challenge in the hospitality and other spaces today. And so we put in all these automated controls to identify not humans.
And yes, there's click farms and there you can outsource to people and to brute force some of these things and look like a human coming in. But wait till you're able to scale that human behavior exponentially through AI. I think that is a problem that I think we all know it's coming, but the tools are going to have to adjust quickly.
Let's go back to the earlier conversation. How do you identify AI use in real time? I mean, you're essentially having AI identify AI. Someone way smarter than me is going to figure that out. I don't know the answer to that. But that's going to be the tooling that we're going to need going forward, is those fighting AI with AI, but definitely in the account takeover space. That's a huge opportunity for AI.
Mike: Now, along the same lines of, you know, using AI to fight AI. Are there things on the defensive side and from a technology perspective that you've seen in cyber security that maybe AI has been kind of helpful in solving these problems?
Jason: Yeah, there's definitely. We're seeing it obviously on the email side of the house of identifying those threats faster, quicker. Way more effectively than some of the old MTAs and security solutions we're doing.
But I think the space that's going to come the fastest is, everybody in the, you know, 10 years ago, SIEM was the hot topic. Every year in cyber you've got a keyword of the year, right? So 10 years ago, give or take it was SIEM and the fallacy of SIEM was we're going to dump all this data in there. It's going to do perfect correlation.
It's going to kick out information. And then the vendor started raising prices and then everybody started to pull out what they were sending into SIEMs. They had to reduce their expectations on that correlation capabilities. I think in the future, that vast data set analysis in real time is going that ability.
I think that's where AI is going to really drive strategic capabilities for defenders to be able to identify unique, interesting attacks in real time. It's no longer looking about malware. Now, you know, we've got finalist malware. We've got other things that aren't things that our traditional tools aren't necessarily used to, or identity is the next firewall or whatever we want to call it.
Identity is the solution. But how do you identify a valid credential coming from normal systems that happen to be compromised, doing things that aren't necessarily disnormal? And how do you catch that? And I think that's really where AI is going to be able to find that needle in the needle stack going forward.
I think that's a huge opportunity for us.
Evan: You're kind of saying, like, the dream of SIEM was you kind of like push all your data into this thing, you have all this data, and then you can use that you basically through a bunch of, you know. If you have infinite time on the security, you know, on security operations, you can have people go find these things, but there's kind of like an overwhelming amount of data.
And so AI has the ability to kind of do some of that analysis and investigation decision making so that like these tools can help get closer to at least like the vision and dream of what, you know, the SIEM use cases or the SIEM like was trying to do.
Jason: Yeah, absolutely. I think, I think that was the panacea we were all sold. The SIEM was going to solve world hunger for us in cyber security.
It didn't, it blew up budgets by extra zeros. And so we had to scale back. And that's really where those large language models are gonna be able to help us and really sift through that data, hopefully in real time, but do things with that. So everybody went down the road of trying to automate the actions out of the SIEM.
Love that idea. But again, that's only as good as the human programming or telling it what to do. And I think that's where AI is going to learn from itself. It's going to be able to take that next step and then they take the next step.
It's not going to eliminate people. I think that's the big fallacy. People are worried about I'm gonna lose my job. No, what happens is your SOC analyst one is now a SOC analyst two all of a sudden, and it makes a huge uplift for them, and it allows them to focus on the things that are really interesting. And that's what we're starting to see today. And that's the real value in the immediate term for us.
Mike: So obviously a lot of great use cases here. And since AI and Gen AI is now the buzzword from a marketing side, are you seeing some overhyped claims around AI and cyber security? Maybe, maybe what are some of those that you're seeing that just, you know, AI is not the right way to handle it?
Jason: I think this idea that AI is going to identify everything and it's going to respond to everything. Maybe, well, maybe five years from now, who knows? But I think that AI is not ultimately the panacea. In the cyber security world, it's going to uplift us, but I think there are these, these beliefs that we're going to have these AI fighters. It's going to scour the network. It's going to identify everything. It's going to stop it in its tracks.
No. It's going to help us get closer to there, but it's not everything everywhere. Maybe 20 years from now, you know, go back to the movie. It was the eagle eye or whatever it was. Maybe we'll get there. I gotta help. I hope not. I hope AI doesn't become people killers or really malicious in nature.
But I think that the volume of activities and the expectations, while maybe true in the long term, they're not nearly as, as where they are today as everybody's saying that the market is. I think that there's going to be a new market. There's going to be new entrants. There's going to be new capabilities.
There's going to be new threats we never envisioned. I do think that AI is going to help us move faster. It doesn't solve it though. It's, it's not the end all be all.
Evan: So you talked about kind of changes to, you know, the threats, changes to the tools, changes to like the roles to apply. I want to kind of double click into the impact it's going to have on the workforce. Specifically when you think about, you know, kind of developing the organization over time.
What's the impact from an organizational development perspective? Are there new sets of, you know, skills that we need to kind of train on? Are there new roles we're going to have to add? In this kind of world that you painted, right, if that all comes true, what's kind of the impact on how that team can best contribute, like, given that the new attacks and the new tools will be available?
Jason: So those people who fail to learn how to use AI. Those are the people that need to be worried about their job. It's the tradition of, like, you know, I was the Linux administrator. I'm never going to go to the cloud. I don't have to learn platform in the cloud. Those are the folks that are going to be out of a job. Absolutely.
But those who learn how to interact and harness the power of AI, those are the ones that are going to thrive. So where we're looking at it is, how do we start introducing those skills to our team members today? We're in process of looking into a, um, a hackathon with an AI provider to get our hands dirty. And our feet wet. Honestly, technologists, cyber security professionals, they love to learn. Like you don't get in this profession if you don't love to learn. You'll be obsolete very quick. And so giving those people, those team members, the opportunity to learn that skill. But then also help them understand how does that help them in their career growth?
There's going to be new capabilities. Look, I want you to stay at Choice, but let's be honest, some people are going to leave and I want them to be marketable and I want them to grow in their career, even if it's not with us. So the big area of focus for us is to give the people the training, and I know the team's excited about that,
and I know the capabilities that come out of that. Now that gives us also an opportunity then to not only become cybersecurity AI trained professionals, but we can be AI professionals and help the business grow. I think it's really important for our team not to be the no police. I, I want to come to the table, work with our business partners. How do we drive the company forward through AI? And if we can be leaders and experts in that, fantastic. We should be absolutely doing that. And I think the team sees that and they're on board with that vision.
Evan: That's a really good point, Jason, because AI is like really good at data analysis and a lot of the work that cyber security teams are doing, I'm sure your teams are doing a lot of right, before AI, before machine learning, is like data analysis, being very thoughtful about finding the right data, analyzing the right way, making the right judgments about what to do based on that, and so in some ways like, outside of using AI to improve, you know, security and privacy and all these other things, right?
Also, it sounds like you're saying security teams have the opportunity to be a role model in the organization about how AI can augment and expand, you know, the capabilities.
Jason: Absolutely. Cybersecurity teams are just big data analysts at the end of the day, and I think we, we forget that. And so at Choice, we try to be really strong partners with our data scientists because that's what they do. That's what we do. Maybe they've got models that we haven't thought of. You know, in cybersecurity, we're also partnering really strong with the fraud team because ultimately the fraud is using the data that we have in our data leaks. So we've demonstrated a lot of value to the company through those mechanisms.
Maybe somebody's got a great idea for a new vision for something that the company can take on. I'll give you an example. We have a week every year we set aside here at Choice. We call it Mastery. It's an opportunity for, we do an unconference for two days. Anybody can present on any topic. They can do trainings.
We have hackathons. We have some DeepRacer activities with AWS. But then we have a make-a-thon. And so for two days, anybody at Choice, doesn't have to be IT, anybody at Choice can come up with an idea and they can build out that idea for two days. And then we have cash drawings at the end and ultimately a lot of those things actually go into production.
So that is an idea where the cyber security team can come up with something that's interesting. They can drive the business forward and we have had examples of that. We had some great things, especially our tech teams coming and building things, literally building things in two days. A week later, they're in production and driving revenue for the company.
And I think that when we look at this next one, we're going to be doing here in March of 2024, AI, that's going to be the hot one, right? Everybody's going to find a way to incorporate AI into some business process or technology capability. And that's where I'm excited because look, I've got a really, really talented group of people on my team.
They're smart. They get stuff done. They're nice to waiters. And they're really good at their job, and so I can't wait to see what that team is going to bring forward next year in that hackathon. In the meantime, we're going to do some of our own hackathons within the team. We're going to get them that exposure so that they can start learning today and be ready for that next opportunity.
Evan: So yeah, Jason, so we like to do kind of a lightning round at the end, just get kind of like one tweet, kind of quick hits to a couple questions that probably deserve more than the one tweet answer. But Mike, why don't you kick it off?
Mike: Yeah, so what advice would you give to a security leader that's stepping into their first CISO job? Maybe something they might overestimate or underestimate about the role.
Jason: Our job is a sales job. We are sales leaders. I think you have to be comfortable reaching out, establishing the relationships, but selling that vision. It's a really hard job to be a sales leader. We don't get that training as cyber professionals.
So take a look at the sales trainings that are out there because it will help you tremendously when you're selling your vision, seeking resources and really selling the vision of the team, not just the company.
Evan: You seem very up to date on some of the kind of the trends, right? You've been very thoughtful about it. What is your advice to maybe other CISOs that, you know, want to stay up to date on either new technologies and their impact, the organization, the threat landscape, or the tools? Which are like information diets, right? Like, where do you, how do you, how do you stay up to date?
Jason: The best way I stay up to date is talking to my peers in the industry. Every single day, I'm on the phone, either texting or calling one of my peers. We're constantly staying in contact. And we, we've established that relationship through the retail and hospitality ISAC.
If you're in an industry that has an ISAC, 100 percent jump in. Those people in that ISAC know exactly what's going on because those threats aren't just facing them. They're gonna face you because it's the same industry. So meet those peers, get good relationships, and then share information.
As you learn something, share it back out. If you have some good threat indicators, some TTPs, share it out. It has made a world of a difference, not just for me personally, but on my team, because now they have visibility, not just what we're seeing, but what the industry sees.
Mike: So on a more personal note, what's a book that you've read recently that's had a big impact on you and why?
Jason: One that I really, really enjoy is the book called Quiet. It's something like Quiet and the Power of Introverts or something like that. I'm an introvert by heart, and I think a lot of us in tech are natural introverts. But we operate in this world that's not made for introverts. Especially in Western cultures, Western businesses that you're rewarded for being an extrovert.
And it's exhausting as an introvert to live in that world. And the book is really a great, um, uh, book about the value of introverts and how we as a society and companies can create space to allow those introverts to be successful. And not only that, harness the value that introverts bring, because introverts bring some pretty tremendous value.
Evan: What do you believe AI's future impact on cybersecurity is going to be a couple of years down the road that maybe some of your peers today still think is like science fiction? Like what do you think is gonna be true about the future of AI's impact that other people wouldn't believe?
Jason: I do think AI is going to make life difficult for us, but I don't think it has to be a negative.
I think the power of AI is, is a positive ultimately. And I think there's a lot of doom and gloom about the threat actors using AI. And they are, they're using it today. It's going to, it's going to evolve. It's going to be much harder. But there's really great entrepreneurs out there that have visions that we haven't even talked to.
We have no idea what's coming up. And I think it's going to be really, really interesting. I also think it's going to take some of the human out a lot of these things, and that actually could be to our advantage. There's a lot of nights and weekends we all spend, and we work constantly to address new issues that come up.
Because, right, let's be honest, it doesn't happen on two o'clock on a Friday after, or on a Tuesday afternoon, right? It's always 5pm on a Friday night is when stuff happens. And I think that yes, that's going to continue. But as we get better AI tooling and capabilities, maybe we can go to bed at a normal time on a Friday for once.
Evan: Jason, really appreciate you taking the time to join us. Thank you for sharing your experience and wisdom and thank you for painting an exciting vision for the future.
Jason: Oh, my pleasure. Thanks guys.
Evan: That was Jason Stead, Chief Information Security Officer at Choice Hotels International.
Mike: Thanks for listening to the Enterprise Software Defenders podcast. I'm Mike Britton, the CISO of Abnormal Security.
Evan: And I’m Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog.
Evan: This show is produced by Josh Meer. See you next time.