Charles Fedorko is the director of IT security at Sage Hospitality Group. We were able to sit down with Charles to talk about his role, journey leading to his career in cybersecurity, the current cybersecurity landscape surrounding the hospitality industry, and the upcoming RH-ISAC Summit in October.
Tell us about yourself and your background. How did you start your career in the cybersecurity industry?
Charles: I currently lead the cybersecurity program for Sage Hospitality Group as the director of IT security. I have a liberal arts degree in English literature from the University of Rhode Island where I was first exposed to emerging technology by way of telnet, Unix, and gopher protocol. This was the early 90’s when Netscape was the hot browser at the time. While in college, I was hired to support the alumni foundation network and that’s how I started working in tech, supporting users, loading programs, running cables, and supporting a token ring network.
Over the years, I’ve had various roles in IT operations. My cyber security career started about ten years ago when I was an IT manager leading an IT operations and infrastructure team, and I was scammed renting a vacation property and made a wire transfer that was never to be seen again. That event was the catalyst for me to pivot and focus on cyber security. My first initiative was remediating PCI compliance gaps for the company I was working for at the time.
You’re the director of IT security at Sage Hospitality Group. Can you expand upon your role? What are some of your day-to-day duties?
Charles: I help develop and implement the cybersecurity strategy while finding ways to decrease risk and increase the security posture of Sage and the properties we manage. Maintaining compliance, following privacy regulations, and building and developing policies are my responsibilities, and I seem to continually fill out audits and assessments. I also lead the security team who manages, maintains, and deploys our security tools and monitors and responds to security events. The team and I collaborate on incident response, risk management, projects and making sure we stay aligned to our department goals.
You spoke at The Hospitality Show in June. For those who might have missed your presentation, can you provide us with a few key takeaways?
Charles: The topic was securing hotel operations across multiple brands and owners which is exactly what my team and I do for Sage and our properties. Brands make up 65% percent of our hotels with the rest being independent hotels.
There’s a lot of complexity within those factors when no hotel is truly the same. There are different standards, different systems, different network topologies, and different IOT devices. We inherit a lot of risk through all types of technology and security debt when we take over management of a property, but we’ve developed processes over time to simplify the approach of remediation though foundational security controls.
I also gave my thoughts on the importance of cyber insurance and the indemnity it can provide to cover any expenses before, during and after a breach. Cyber insurance providers assist with covering the costs of fines and revenue loss caused by a breach. Some underwriters will provide experts to perform incident response and forensic services as well as breach readiness services like tabletop exercises and cybersecurity incident response plan building workshops.
When did you first discover RH-ISAC? How has the community impacted you?
Charles: I was introduced to the community when Sage was a member of the Travel-ISAC group which later merged with the RH-ISAC group. The sharing of information and resources available in the community is invaluable. If I’m challenged on a project, I’ll reach out to find ways to overcome it. If there are initiatives, I’m unsure to take on, I’ll ask how other members found the business justification to move forward with it and question if it makes sense for me and the business. There’s no shortage of suggestions, opinions and recommendations and the community can help a small team feel bigger because of the support that comes from the RH-ISAC.
Are you attending the RH-ISAC Cyber Intelligence Summit in October? If so, what are you looking forward to most?
Charles: Yes. I’m looking forward to integrating into the community more and meeting members that I haven’t already met. I’m excited to see members that I’ve gotten to know over the years and am expecting to talk about a lot of shop and share experiences. There’s always thought-provoking panels and discussions and I also seem to find inspiration to influence my career journey.
What are a few of your hobbies and interests outside of your career in cybersecurity?
Charles: Over the last five years you may think my hobby was taking certification tests and attending classes and workshops to gain more knowledge but living in Colorado, I take advantage of the natural splendor as much I can through getting outside, camping, hiking, snowboarding, biking, and fly-fishing and travel to take those hobbies elsewhere. I follow and watch the world surf league pro tour, collect vinyl records, and see a healthy amount of live music. I also have a garden that keeps me busy. I read a lot and I love reading books that are or will be adapted into a TV series or movie to bring the story to another level of vividness.