THE CIO SUMMIT brought together a great collection of leaders at the beautiful Loews Hotel in Atlanta. Starting late Wednesday afternoon, we packed reconnecting, laughter, hugs and a huge education docket into two days. We started the evening with Rachel Ratcliff, senior managing director with Stroz Friedberg, an Aon Company, who jumped right into a discussion on cybersecurity. Ratcliff echoed what we already know – hotels are some of the most complete network environments, period. We face a significant challenge with all of the third-party partners, interconnected systems and the junction of legacy technology that needs to work with 2021’s new equipment and protocols.
This presents a unique set of challenges that other industries don’t face. Two factors have led to a drop in direct hotel attacks on credit card data:
- Hotels have moved card data out of the local environment via encryption and tokenization.
- Hackers became so good at stealing credit card data that they devalued the information they were taking.
However, a new threat landscape has arisen peopled by “hacktivists.” Some are state sponsored; others are financially motivated. No surprise: China and Russia are the biggest state actors. Their teams often know more about our networks than we do. These groups, which used to focus on espionage and corruption, are now driven to infiltrate critical infrastructure like power grids and pipelines. But the largest threats by far are those trying to make a quick buck through ransomware. These attacks have increased over 300% since 2019. Eight-figure losses are common – in part due to the ransom – but business interruptions are a large component of loss. Ratcliff said hackers are now more focused on data exfiltration, where data is copied or transferred, not just encrypted. These attacks tend to be sophisticated and highly targeted. Attackers are making gains on the ransom and from selling stolen data. Plus, the surge in remote work makes it harder to protect data everywhere.
She shared sobering statistics on the average effects of ransomware attacks from the IBM/Ponemon Institute’s Cost of a Data Breach Report 2021:
• Downtime = 23 days
• Cost = $4.24 million
• Cost not including ransom = $4.62 million
• 2020 cost of a breach in the hospitality industry = $1.7 million
• 2021 cost of a breach in the hospitality industry = $3.03 million
Fortunately, costs for the hospitality industry are at the lower end. And they’re declining. Why? Largely because hotel networks are fractured, and hackers must access multiple systems to have a real impact. Ratcliff feels the recent U.S. federal emphasis on aggressively targeting actors has helped, as Q1 and Q2 2021 insurance claims are down. Where possible, she recommends hotels move to a hybrid cloud to create lower average costs, lower containment costs and less downtime. Ransomware loves cryptocurrency. It’s the common solution for payment. But some governments are tracking crypto and backing out transactions. This can leave the business down with no resolution. If your business becomes a victim, where do you turn? Ratcliff said ransomware negotiators are now a cottage industry. They help victims pay and make sure their systems are unlocked. If your business is exposed, it makes sense to have one on retainer. She also recommends retaining a forensic responder, augmented with third-party experts, ready to help your company if something happens.
To pay or not to pay, that is the question.
Ratcliff shared these steps to help you plan ahead so you can avoid attacks:
• Test to understand all points of ingress/egress to your network.
• Use policy and technical controls to lock down your data – especially at transfer points.
• Understand the risk – assess where your threats, assets and vulnerabilities intersect.
• Invest in detection and monitoring – for people and technology.
• Constantly back up data and test plans.
• Conduct tabletop exercises to help prepare – make sure you have the right exercise at the right level.
• Lay a foundation that helps you understand and identify risk.
• Develop a culture of security.
Needless to say, the 2021 CIO Summit kicked off with a topic that’s top of mind for all attendees, something that impacts all of us.
If you’ve attended a CIO Summit in the past, you know that the HU team loves a silly ice-breaker. I want to say for the record, that in over a decade of attendance, these games have been won by teams other than mine because they are either fixed, the other team cheated or the rules are so nebulous that no one understands the actual winner. This year was no different. Again my team, after finishing first, was not awarded the prize. If you need a real conspiracy theory, start here.
THE OPENING DINNER was a great opportunity to chat with new and existing friends. We all learned something about each other. This year, we asked attendees, “If you could live anywhere, where would you live?” Turns out about 33% of the group wants to live in my home state of Colorado, and I don’t blame any of them. It offers 300 days of sun, mild weather, great food, a vast array of outdoor activities and the actual purple mountain majesties – the Rockies. However, as of the evening of the Summit, Colorado is officially full. We want it for ourselves. I hear Utah, Wyoming and New Mexico are delightful. Special thanks to all the sponsors. This can’t happen without your support.
DAY TWO, Thursday, started off with Delta Airlines’ Vice President of Innovation Matt Muta. He wowed everyone with the not-so-futuristic travel ideas that his branch of Delta, which leverages technology to build the future of travel, is working on. They incorporate artificial intelligence (AI), human-centered design, strategic investment, incubation and acceleration. Muta shared some of their visionary ideas, including using AI guest recognition to make you your own boarding pass and neurolinguistic programming to speed the time of development.
Muta also shared a single display solution that only presents to you using your language with your travel information. This technology can address many patrons at the same time on the same display. It’s all based on where you’re standing and the technology’s ability to recognize you. Muta described the solution as using many displays at an airport, each giving the traveler individual information on their travel journey in their language, based on their vantage point.
Delta is also leveraging AI to help minimize the cost and headaches related to mishandled bags – one of the biggest problems with airline travel. Muta and his team are working on building walking speed security for everything in the airport journey. This will not only ease the anxiety and effort associated with travel, it can also help eliminate human trafficking.
Greg Duff, with Foster Garvey, PC has become a fixture at the CIO Summit. He always comes with fresh information that is important, and often terrifying. This year was no different. Duff has been hyper focused on COVID-19 for 18 months. He warned us from the start that, “Everything I am about to tell you will be wrong tomorrow!” For me, this is the quote of the conference. He immediately clarified that, “The rules are entirely dependent on state and local laws.”
First, he walked us through all the different scenarios where we can – or can’t – require vaccinations. Then he explained guest and staff rights regarding them. He covered mask mandates and health passports as well. Guests, for example, have no constitutional rights against a hotel’s vaccine mandate; hotels can’t require verification. So we must make reasonable accommodations. But a business can ask its team members for proof of vaccination. Testing requirements are a little simpler. There’s no constitutional right, Duff says, for a guest or team member to refuse testing. There are no religious exemptions or waivers afforded by the Americans with Disabilities Act. Employers should pay for testing and companies must be wary of a collective bargaining agreement that could alter this position.
Duff made it clear that there’s a lot of litigation around this topic, so stay tuned. However, by the time many of these cases are heard, the point might be moot. Meaning, we hope, that by then we will have contained the virus. Another hot topic, and one that remained a thread throughout the conference, was the impact of brain drain. Many of the people we relied on in 2019 have been lost to staff reductions. Some will never return to those positions. It’s a real problem, not just for hospitality, but everywhere. This forces team members to wear many hats – and some of those hats don’t fit. Brain drain, coupled with attracting and keeping talent, will continue to be a major issue going forward.
Duff also discussed the impact of a group requiring that all staff at the hotel be vaccinated before it signs a contract. Force majeure, an often overlooked section of most contracts covering uncontrollable events that allow the agreement to be negated by one party, is often used during natural disasters. There’s a question now of whether it applies to a pandemic. Contract language is already changing.
Duff also pointed out that:
• Vacation rentals, as well as other nontraditional accommodations, are here to stay.
• Cost savings are here to stay. Operators are wary of another downturn and will be cautious with spending, particularly around staffing.
• Employees will expect a bigger focus on health and safety going forward.
• There’s a new contracting paradigm. We’re challenging partners and clients to work with us in new terms as they, too, try to protect their businesses and revenues.
Dan Kornick, CIO of Loews Hotels, led a spirited mini-session on labor challenges. He discussed his experience – going from 10,000 team members to 1,000 in a few weeks.
Across the board, a lack of staff has caused issues with service – guest service scores are terrible. It affects a hotel’s ability to support current revenue. Limiting services or opting out of housekeeping only address part of the problem. We as leaders are getting creative. Sometimes this creativity can cause other issues. Finding the right people often conflicts with finding any people.
We discussed how more and more hotel groups are centralizing services like PBX and accounting, but also running into challenges with major brands to access systems they’re responsible for protecting. Everyone hopes we can find ways to securely share data with third-party or centralized services to help mitigate some of these challenges.
Shamla Naidoo, independent director at Stonebridge Acquisition Corporation, offered advice for owners and board members on speaking to C-suite leadership. The starting point, she says, is to understand your audience and their objectives. Leadership at this level will have goals around operational efficiencies, long-term resilience, shareholder targets and profit thresholds. The one thing all C-suites consider their north star is money.
Acceptable risks will be a priority. Where business goals and security goals overlap there is risk. There is risk in everything IT does, including innovation, security and data storage and access. Success will come from understanding where top-level leaders’ initiatives fit into the larger risk picture. Focus on using magic phrases like “strategic risk” and “material risk.” If you can demonstrate these, you’ll have more success moving your programs forward. Ask yourself “How is our business impacted if we don’t do this?” and “How does this impact shareholder value?”
Think about what the conversation will be like after you leave the room. The board only has a few priorities and if your initiative doesn’t focus on those, it will fail to impress. When business and technology strategies aren’t aligned, both will fail.
NEXT ON THE DOCKET was Bram Gallagher, a senior economist with CBRE Hotels Research. He offered a State of the Union address for the U.S. hotel industry. He described the pandemic as the biggest disaster in the hotel industry, ever. Bigger than the Great Recession, bigger than post 9/11. RevPAR is slowly moving toward, and in some cases exceeding, 2019 numbers, he said. But occupancy is leveling off. He cautioned that RevPAR could be skewed because the hotel room supply can’t truly be compared against two years ago.
There has been a reduction in rooms related to staff shortages. Some hotels are offering lower inventory because they can’t service the rooms. Others remain closed due to market constraints. Once the hospitality labor market stabilizes, there will be a massive change in supply growth. That will, in turn, look like a decline in occupancy. Bram’s data points to a “true” RevPAR return in 2024. However, if foreign destinations continue to impose restrictions on American travelers, many will offset their pent-up travel desires with domestic vacations. That would change the U.S. market.
The nonresidential real estate fixed investment market beat its previous peak in Q4 2019 at just over $3 trillion. But things are changing. Existing real estate is a hot market as new construction costs skyrocket due to the price of building materials and increased wages. This is further impacted by the global chip shortage and supply chain challenges. Building new has become very expensive.
However, consumer confidence is falling, as more people hold back savings and are paying down debt. Gallagher shared some stark numbers on the hospitality labor market, namely industry labor shortfalls, which are well above pre-pandemic peaks. Job openings at hotels are nearly 50% higher than the 2019 peak. Wages are also growing, from an average of just under $15/hr in 2019 to over $16.50 now, representing a 10%-12% increase depending on market. Wage and other cost efficiencies will result. Most will be permanent. As always, operators and technology teams will be asked to maintain cost reductions.
CALEB HURD FROM CITRIX was last, but certainly not least, in a day of incredible presenters. He started off with a challenging thought: Contrary to what we’ve learned, procrastination can be a winning IT strategy. He went on to discuss the impossibility of quickly developing something that is both cheap and high quality. Further challenging customer service perceptions, he asked, “How do you make your customers non-unhappy?”
He explained a point he calls the unhappiness cliff. Instead of doing more with less, he suggested just doing less and keeping people from being unhappy. We should push as close to the unhappiness cliff as we can, he says. When we find it, we should back off a little. It’s where performance meets need – where you can justify a project’s cost.
For example, he explained that the cost of maintaining five 9s (99.999%) of availability – only 5 minutes of downtime in a year – was exponential compared to the cost of four 9s – just 52 minutes of downtime a year. Is that worth it, he asked. Even 99.5% of uptime, at a significantly lower cost, might still keep clients from being unhappy.
Load times are another great example, he said. A one-second website load time costs 78 times more than a three-second load, but the user’s experience is likely unchanged. Are you paying for performance that isn’t worth the effect it has on product use? To find the unhappiness cliff, Hurd recommends taking an unbiased look at your data. Your project could call for 100% golden toilets, at an enormous cost, when less expensive porcelain ones wouldn’t cause unhappiness. He sees this strategy applying across many areas, such as security. Is your organization spending more protecting against a hack, than the cost of the hack? Would it be better for your budget to have good security and cover a couple of hacks? Even newsworthy ones? Do you budget for hacks?
He pointed to three major hacks, Hilton in 2015, Marriott in 2018 and Facebook in 2019. While all three caused a short-term loss in shareholder value, the numbers all returned to previous levels within three months of the breach being publicly announced. All three are significantly higher in value today.
The world has become less concerned with data breaches, which further shortens the recovery window and softens the value dip. While the financial loss to the company is low, personnel costs can be high. Breaches usually result in termination. Allocating resources and doing budgets this way will lead to saying ‘No’ a lot, Hurd said, adding that it’s critical to decouple the amount of work needed from the number of people needed.
THE HIGHLIGHT OF EVERY CIO SUMMIT is the open round table, this year led by Scott Strickland, EVP and CIO at Wyndham Hotels & Resorts. He asked us to dive into successes and challenges over the last 18 months: What do we wish we’d done sooner? What should we never have done? We’re creating a scarcity mentality, he said, and must try to build back stronger, insulate against future downturns and be ready for the next pandemic-level downturn.
Many started their COVID-19 reduction process by identifying the wastefulness of 2019. The bloat was a symptom of seemingly never-ending success and dramatic growth in revenues and profits. First to be cut were extra perks and solving problems inefficiently with labor. Companies closed hotels, often for the first time since their doors opened. A scarcity mentality developed, focused on having to do many things with incredibly small teams. People were challenged to do more, often outside of their comfort zone.
One great positive was that, almost overnight, we created better access to systems and information to meet new workplace dynamics. Many of these solutions will enable better access for team members with disabilities. Some properties used the drop in systems access to push through massive changes.
However, returning workers faced an incredibly high learning curve for all systems. This put added stress on the teams, which were often just skeleton crews. Learning new systems made it harder for leaders to focus on rebuilding. This time would have been better spent working with their teams and interfacing with guests. They need to focus on the human connection, not sitting in front of a monitor or tablet.
Labor continues to be a common concern. COVID-19 hit so hard, so fast, that there was no opportunity for knowledge transfer. Many team members that knew how to keep systems working were let go.
I know I’m speaking for the entire team, when I say that our tour of the Delta training centers was an incredible experience. We now appreciate even more the hard work and level of expertise the crews that fly us have. To say the facility was massive would be an understatement. Let’s just say that we all got our steps in that Friday morning. Flight crews train in teams. Initial training lasts a few weeks. There’s no room for error: Each candidate gets three shots to pass – just three, and they must score a 90 or better to pass. There were several crews training as we toured. These trainings are required every 18 months, on every aircraft configuration. The crews are prepared.
Next, we toured the Delta engine hangar. Some engines are so large you could stand or sit in them. The sheer logistics of getting the right parts to the right bays is incredible. You can read more about the hangar description and see photos from the hangar tour by using the QR code.
Rich and the Hospitality Upgrade team packed a ton into a few days. Most importantly, they brought people back together – in person. Of all the great things I remember about the CIO Summit 2021, being together with my colleagues – and my friends – again is the best takeaway. I already can’t wait until next year.