Sonesta: The importance of partners in effective security

Since 2020, Sonesta International Hotels Corporation (Sonesta) has grown by 350%. Starting out as 16 hotels in 1937, Sonesta has more than 1,200 hotels today – and this number only continues to grow. Sonesta’s foundations are built on excellent service and authentic experiences, driven by its founder A.M. ‘Sonny’ Sonnabend.

Offering its services with passion, loyalty, and commitment to the many faces - new and familiar - that stay with the organisation, the human side of hospitality is at the core of Sonesta’s culture. “The guest experience is the number one goal,” says Michael L. Woodson, Director of Information Security and Privacy at Sonesta. 

Growing its portfolio of hotel brands, each hotel is as individual as its customers’ reason to travel. “Our mission is to wow every guest, team member, partner and community in which we operate by delivering quality, value and amazing hospitality. Being a fast-growing organisation, we are dedicated to redefining hospitality, making sure our operations are the best of the best,” he adds, elaborating on the organisation’s aims for consumers. “Since joining the organisation, Sonesta has gone from 1,000 employees to more than 8,000. We have made significant improvements in five key areas: people, processes, technology, security and resilience. 

“We have evolved into this expansive corporation of hotels and services, with very talented and diverse people among us. It’s truly been an amazing journey.”

As Director of Information Security and Privacy at Sonesta, Woodson leads the organisation’s cybersecurity practices.  “From a holistic cybersecurity perspective, I have a lot of experience in a variety of industries including retail, pharmaceutical, banking, manufacturing, wholesale and distribution, government, healthcare and utilities and gas,” says Woodson. 

“In hospitality, I have consulted with many leading organisations on incident response, threat identity, and asset management,” he adds. “So, when this opportunity came up at Sonesta, I felt that with my deep industry experience that I could immediately add value and help the organisation reach its goal of becoming a world-class organisation. Since then I have been working to improve the organisation’s cybersecurity posture from one with limited security capabilities to one that has a fully operational security function that is both sustainable for the business and aligns with its objectives.

“At Sonesta, we have adopted a hybrid approach, supported by a managed detection and response solution in partnership with an organisation called ReliaQuest. With our unique workforce, my team and I are solely focused on cybersecurity, whether that's risk management, privacy, compliance, or endpoint detection and response, our goal is to ensure that we develop a cybersecurity program that aligns with the business.”

The importance of an effective cybersecurity program during an aggressive growth strategy

Once a small organisation, the expansive scale of Sonesta opens up the organisation to all manner of vulnerabilities. “Once, we were in the backyard; now, we are in the jungle,” says Woodson. 

“In the jungle, there are lions and tigers, so we need to make sure that, as our organisation continues to grow, we are proactively creating our security posture to defend against a wide spectrum of potential threats, making sure everyone is safe and secure.”

As the organisation continues to develop, cybersecurity will be critical to its success. “Security is very much woven into the fabric of our strategy; it receives commitment from the top down,” Woodson says.

Woodson warns, however, that, being a large organisation, it is important to attribute pillars of the organisation when it comes to security, rather than looking at the concept as a whole. 

Sonesta’s approach to…

Cloud security: COVID-19 brought about an influx of cloud adoption. 

“Whether it’s Software-as-a-Service (SaaS) or a platform, it will be vital to look at these technologies from a security perspective in order to continue to drive success.”

Application security: Moving from DevOps to DevSecOps, Sonesta is dedicated to ensuring its environments are developed in a secure way. 

“We are making dramatic improvements in this area as we expand. We are committed to making sure that our developers are security conscious and adopt the best practices.” 

Asset Management: “When it comes to asset management, we have been looking at some of the key enablers to develop a single, centralised foundation for information security. We have been looking at this from three areas – asset management, inventory management, and configuration management. Together, we aim to create a dynamic approach to making things secure.”

Unified patch management: “Vulnerability management and patch management go hand-in-hand. The combination of the two has helped us to advance our cybersecurity strategy, giving us an edge when it comes to keeping our security posture.” 

Sonesta and its partnerships

When it comes to its partnerships, Sonesta is always on the lookout for those committed to developing a strategic partnership. “Being strategic is an important element of a partnership: it adds value, something that is incredibly important to Sonesta. Listening to our customers and developing strategic relationships with our partners have been very important elements of our cybersecurity strategy,” says Woodson.

“It’s not just about price, it’s about added value,” he adds. “When we work with our partners, we are looking for organisations that can advise us on the right products, that can collaborate with us and suggest other approaches that we may not have considered. Sun Management is one such organisation that has given us that ability.

“Sun Management provides us with the ability of value-add both to meet the needs of the organisation and from a cost perspective. They have been a trusted advisor and trusted partner, who have helped not just on the cybersecurity side but on the infrastructure side. They have helped with project management and bringing third parties to help improve our security posture holistically.”  

The next 12 to 18 months for Sonesta 

In the upcoming months, Woodson is committed to growing the organisation. “I’ve been in the digital equipment industry for more than 30 years – as a Director, you never know what tomorrow will bring, but I try to see cracks before they become holes, and my job is to prevent them from becoming craters. The next 12 to 18 months will continue to be dedicated to the development of our security programme and the mitigation of threats and risks,” says Woodson.

“Partners will be key to this going forward; as we adopt things like platform-computing, infrastructure-as-a-service and various cloud technologies, vendor management relationships will be very important. Third-party risk is going to be a key attribute that the industry will need to manage better – as well as fourth and fifth-party risk, as these dependencies can indirectly affect your security.”

Another key trend to keep an eye on will be prevention methods, as Woodson believes that “awareness of the human aspect of security will play a major role.” 

“It will be important to make sure that, with a growing remote and hybrid workforce, organisations start to look at their threat landscape differently. With these new ways of working, the perimeter is no longer confined to the walls of your building – workers can now be anywhere. It will be important for organisations to have visibility, as well as the ability to discover, build, understand and utilise what is coming onto the network and how they are using the data.”