Q&A WITH MAX GOLDFARB
TRAVEL LEADERS’ CHIEF INFORMATION SECURITY OFFICER
What’s your due diligence process for vendors that want to work with Travel Leaders?
Our technology suppliers are vetted end to end.
Travel Leaders has a very thorough questionnaire that
vendors must complete in order to become one of our
technology partners. Since the form covers all of the
crucial elements of data security, their answers should
be “Yes” to everything. Our questions cover their internal
approach to data security.
WE ASK THINGS LIKE
Are you PCI* Compliant?
What annual external audits are performed?
Do you perform background checks?
Are employees required to sign NDAs?
Do you have cyber insurance?
*Payment card industry (PCI) compliance refers to the
technical and operational standards that businesses
must follow to ensure that credit card data provided by
cardholders is protected.
When do you turn away a technology partner?
When a vendor fails one of our compliance metrics in
the questionnaire, we simply can’t go into business with
them. A recent example is insurance. When we discover
that a company doesn’t have insurance, it’s a red stop
sign. Or, if we discover that they don’t routinely do
criminal and employer history background checks on
their staff or they’re not PCI compliant, it’s an issue that
must be addressed. These issues are black & white;
vendors can’t do business with us if they don’t have a
robust security structure in place. No exceptions.
What level of security is Travel Leaders providing their clients?
Travel Leaders has a 24/7/365 security operations
center. Not many other TMCs have this. Anytime a
security issue occurs, we have staff to handle it. If
an alert goes out, they triage the issue and escalate
to my team to work the incident. Within the last
two weeks, there were 268 incidents that had to be
reviewed. It was mainly phishing attacks and travel
behavior investigations.
How can companies secure their Meetings & Events?
Meetings can be a real problem, especially when you
have a person collecting personal information and
credit card numbers in a spreadsheet. Using a
cloud-based secure solution like CVENT or Groupize is an
excellent approach. The old manual method is risky
and will get your company into trouble at some point.
How do you train your security team and Travel Leaders employees?
At Travel Leaders, we follow travel industry best
practices for data security and go above and beyond
the required training. For example, we conduct
mandatory compliance training for our entire staff
of 5,000+ quarterly, as opposed to yearly like many
other corporations.
We are constantly reviewing our security and testing
protocols to ensure they follow all the latest standards.
We have all the security tools that a seasoned
organization like ours should have in place. We keep
the minimum amount of data necessary to perform the
services you contract us for.
Does Travel Leaders beta test technologies internally?
We are proactive about looking at what technologies
are out there in our sector. We prioritize by focusing
on improvements to the traveler experience and
cost-saving measures. As an innovative, forward-thinking
company, our staff participates in events like BTN
Innovate and ProcureCon so we stay on the leading
edge of innovation.
Generally, we are early adopters and like to try out a
solution on a small group of customers first. When we
see a technology partner that we like, we go through
a process internally to test it to see if the ROI is really
there. We’ll then share the findings with our user forum
about what’s coming to the broader group, and we
also like to hear from them about what they want.
We’re trying to position all of our solutions in a single
desktop or mobile interface so users don’t need to open
another app or tab. However, before we roll any of
these cutting-edge tools out, we make sure that they
meet the level of security that our customers expect.