Payment security has dominated the cyber security conversation in the hospitality industry ever since the advent of the Payment Card Industry Data Security Standard (PCI DSS) a decade ago. As a result of this focus, and of technologies such as EMV chips in credit cards that make stolen card data far less useful for counterfeiting, the risk of credit card data theft has declined substantially.
However, the industry has undergone significant digital transformation during that time, integrating mobile and social channels into traditional online and on-premise operations. For example, hospitality customers today can perform any number of functions with their mobile phones, including checking in and out, scheduling restaurant and spa appointments, unlocking the door to their room, and using loyalty points to pay for it all. Meanwhile, marketers capture and analyze the data generated by this activity to gain insight into customer behavior and preferences, which opens opportunities for upselling, cross selling and introducing even more features into digital transformation efforts.
This digital transformation story is compelling, but it has also opened a new world of security risk. And, because of the good work that has been done around PCI, cyber-criminals today are less likely to target credit card information and more likely to target other data sets, such as customer loyalty information. This has set the next great challenge for chief information security officers (CISOs) in the hospitality industry: marrying digital transformation to security transformation, so they can protect customer personally identifiable information (PII) from data breaches.
From PCI to PII
CISOs have had a notoriously difficult time over the years explaining security investments at the boardroom level. PCI has actually helped with this problem: the threat of fines for non-compliance is an easily understood business problem that clearly needs to be addressed (much more so than, say, the nuances of data lakes and advanced security analytics).
With the shifting security threat landscape brought about by digital transformation, however, CISOs now face a new challenge – explaining to the board why a whole new generation of security investment is required to protect customer PII. A big part of this problem is that, across virtually all industries, digital transformation initiatives tend to charge forward without giving full consideration to security risk. Particularly in an industry as competitive as hospitality, the ability to be first to market with next-generation digital features and capabilities can have a material impact on revenue and customer loyalty. However, it can also expose organizations to excessive data breach risk.
Thankfully, there really is no reason to position PCI and PII as an “either or” proposition – the fact that PII is now a top security priority does not mean the years of PCI investment have been for naught. In fact, many of the security controls and technologies brought to bear for PCI can be extended to fortify defenses for PII. However, it is imperative that hospitality organizations take a broader view of security beyond PCI compliance, and even PII security, and adopt a strategy for enterprise risk mitigation.
Risk Mitigation Needs Security Transformation
The first step in the risk mitigation process is to realize that PCI is not a framework for enterprise security. Rather, it is exactly what it is designed to be: a baseline standard for securing credit card information. PCI compliance will be part of any enterprise risk mitigation strategy, but not the guiding principle. The guiding principle will be continuous security risk assessments that enable organizations to understand their exact risk posture at any given time, so they can answer questions such as: Where is sensitive data stored? How is it protected? Who needs access to it? Which third parties are potential risks? And where are the gaps in my security operations and infrastructure? Additional considerations include:
- Balancing cost with security - Too many organizations simply “throw money at the problem” with security, and try to stop all threats without considering the severity of the risk each actually poses. This amounts to an “outside in” approach to security, where external threats (even if they don’t represent a serious risk to the business) drive security strategy and spend. This inevitably causes organizations to accumulate multitudes of disparate security tools to combat each new threat, which results in complex and expensive infrastructures that are hard to operate and no more effective against capable adversaries. A far more effective approach is to build security from the “inside out,” where enterprise business requirements and risk dictate security spend and strategy. This enables CISOs to prioritize risks and make intelligent decisions around infrastructure and operations. Everything is targeted at enabling the business by mitigating meaningful risks, which makes security much more efficient and accountable.
- Balancing security with business agility - This is what has gotten companies into trouble not only with digital transformation efforts, but also with virtually every major business computing trend: speed always trumps security until something goes wrong, and then security is brought in as an afterthought (this approach to security is why the world needed PCI, for example). Things don’t need to be this way. It is entirely possible to secure digital transformation initiatives before they are rolled out, without causing delays that harm business performance. Security teams need to be brought into digital transformation projects early, so they can identify and mitigate risks before those projects are released to the world.
When taking this comprehensive approach to security, PCI becomes a subset of the overall enterprise security strategy, rather than the blueprint for it. By marrying security transformation and digital transformation, hospitality companies can enjoy all of the benefits of next-generation customer experience, analytics and loyalty programs, without exposing their customers’ PII to excessive data breach risk.