» Q&A with Max Goldfarb, Travel Leaders’ Chief Information Security Officer
by Max Goldfarb
Travel Leaders Corporate is at the forefront of data security and cybersecurity risk prevention. We asked Travel Leaders’ Chief Information Security Officer Max Goldfarb a few questions about InfoSec and vetting potential technology partners.
Q: What’s your due diligence process for vendors that want to work with Travel Leaders?
Max Goldfarb: Our technology suppliers are vetted end to end. Travel Leaders has a very thorough questionnaire that vendors must complete in order to become one of our technology partners. Since the form covers all of the crucial elements of data security, their answers should be “Yes” to everything.
Our questions cover their internal approach to data security. We ask things like:
-
-
- Are you PCI Compliant?
- What annual externals audits are performed?
- Do you perform background checks?
- Are employees required to sign NDAs?
- Do you have cyber insurance?
-
Payment card industry (PCI) compliance refers to the technical and operational standards that businesses must follow to ensure that credit card data provided by cardholders is protected.
Q: When do you turn away a technology partner?
MG: When a vendor fails one of our compliance metrics in the questionnaire, we simply can’t go into business with them. A recent example is insurance. When we discover that a company doesn’t have insurance, it’s a red stop sign. Or, if we discover that they don’t routinely do criminal and employer history background checks on their staff or they’re not PCI compliant, it’s an issue that must be addressed. These issues are black & white; vendors can’t do business with us if they don’t have a robust security structure in place. No exceptions.
Q: What level of security is Travel Leaders providing their clients?
MG: Travel Leaders has a 24/7/365 security operations center. Not many other TMCs have this. Anytime a security issue occurs, we have staff to handle it. If an alert goes out, they triage the issue and escalate to my team to work the incident. Within the last two weeks, there were 268 incidents that had to be reviewed. It was mainly phishing attacks and travel behavior investigations.
Q: How can companies secure their Meetings & Events?
MG: Meetings can be a real problem, especially when you have a person collecting personal information and credit card numbers in a spreadsheet. Using a cloud-based secure solution like CVENT or Groupize is an excellent approach. The old manual method is risky and will get your company into trouble at some point.
Q: How do you train your security team and Travel Leaders employees?
MG: At Travel Leaders, we follow travel industry best practices for data security and go above and beyond the required training. For example, we conduct mandatory compliance training for our entire staff of 5,000+ quarterly, as opposed to yearly like many other corporations.
We are constantly reviewing our security and testing protocols to ensure they follow all the latest standards. We have all the security tools that a seasoned organization like ours should have in place. We keep the minimum amount of data necessary to perform the services you contract us for!
Q: Does Travel Leaders beta test technologies internally?
MG: We are proactive about looking at what technologies are out there in our sector. We prioritize by focusing on improvements to the traveler experience and cost-saving measures. As an innovative, forward-thinking company, our staff participates in events like BTN Innovate and ProcureCon so we stay on the leading edge of innovation.
Generally, we are early adopters and like to try out a solution on a small group of customers first. When we see a technology partner that we like, we go through a process internally to test it to see if the ROI is really there. We’ll then share the findings with our user forum about what’s coming to the broader group, and we also like to hear from them about what they want. We’re trying to position all of our solutions in a single desktop or mobile interface so users don’t need to open another app or tab. However, before we roll any of these cutting-edge tools out we make sure that they meet the level of security that our customers expect.
Ready to speak with a corporate travel expert about how you can better manage your business travel? Get in touch with us to schedule a free consultation that can help lower costs and improve employee productivity.
» Q&A with Max Goldfarb, Travel Leaders’ Chief Information Security Officer
by Max Goldfarb
Travel Leaders Corporate is at the forefront of data security and cybersecurity risk prevention. We asked Travel Leaders’ Chief Information Security Officer Max Goldfarb a few questions about InfoSec and vetting potential technology partners.
Q: What’s your due diligence process for vendors that want to work with Travel Leaders?
Max Goldfarb: Our technology suppliers are vetted end to end. Travel Leaders has a very thorough questionnaire that vendors must complete in order to become one of our technology partners. Since the form covers all of the crucial elements of data security, their answers should be “Yes” to everything.
Our questions cover their internal approach to data security. We ask things like:
-
-
- Are you PCI Compliant?
- What annual externals audits are performed?
- Do you perform background checks?
- Are employees required to sign NDAs?
- Do you have cyber insurance?
-
Payment card industry (PCI) compliance refers to the technical and operational standards that businesses must follow to ensure that credit card data provided by cardholders is protected.
Q: When do you turn away a technology partner?
MG: When a vendor fails one of our compliance metrics in the questionnaire, we simply can’t go into business with them. A recent example is insurance. When we discover that a company doesn’t have insurance, it’s a red stop sign. Or, if we discover that they don’t routinely do criminal and employer history background checks on their staff or they’re not PCI compliant, it’s an issue that must be addressed. These issues are black & white; vendors can’t do business with us if they don’t have a robust security structure in place. No exceptions.
Q: What level of security is Travel Leaders providing their clients?
MG: Travel Leaders has a 24/7/365 security operations center. Not many other TMCs have this. Anytime a security issue occurs, we have staff to handle it. If an alert goes out, they triage the issue and escalate to my team to work the incident. Within the last two weeks, there were 268 incidents that had to be reviewed. It was mainly phishing attacks and travel behavior investigations.
Q: How can companies secure their Meetings & Events?
MG: Meetings can be a real problem, especially when you have a person collecting personal information and credit card numbers in a spreadsheet. Using a cloud-based secure solution like CVENT or Groupize is an excellent approach. The old manual method is risky and will get your company into trouble at some point.
Q: How do you train your security team and Travel Leaders employees?
MG: At Travel Leaders, we follow travel industry best practices for data security and go above and beyond the required training. For example, we conduct mandatory compliance training for our entire staff of 5,000+ quarterly, as opposed to yearly like many other corporations.
We are constantly reviewing our security and testing protocols to ensure they follow all the latest standards. We have all the security tools that a seasoned organization like ours should have in place. We keep the minimum amount of data necessary to perform the services you contract us for!
Q: Does Travel Leaders beta test technologies internally?
MG: We are proactive about looking at what technologies are out there in our sector. We prioritize by focusing on improvements to the traveler experience and cost-saving measures. As an innovative, forward-thinking company, our staff participates in events like BTN Innovate and ProcureCon so we stay on the leading edge of innovation.
Generally, we are early adopters and like to try out a solution on a small group of customers first. When we see a technology partner that we like, we go through a process internally to test it to see if the ROI is really there. We’ll then share the findings with our user forum about what’s coming to the broader group, and we also like to hear from them about what they want. We’re trying to position all of our solutions in a single desktop or mobile interface so users don’t need to open another app or tab. However, before we roll any of these cutting-edge tools out we make sure that they meet the level of security that our customers expect.
Ready to speak with a corporate travel expert about how you can better manage your business travel? Get in touch with us to schedule a free consultation that can help lower costs and improve employee productivity.
