Akshay Sharma Focusing AI Travel Cyber Fraud Prevention

Why AI Has Changed The Threat Model For Travel Technology

In this Help Net Security interview, Devon Bryan, SVP, Global CSO, Booking Holdings talks about his journey from Air Force network security engineer to global CSO for travel technology, financial services and hospitality.

He explains how AI has taken threat modeling beyond the traditional infrastructure into prompt injection, model access and use of shadow AI, and why the travel industry’s tightly interconnected systems like identity, payment, loyalty, and third-party integrations make for a compound risk. Bryan also provides an insight into his model of when security is an appropriate tool for a business decision and how good operators can be distinguished from the future leaders of the enterprise by their judgment and not their technical skills.

Worldwide Travel Companies CEO Concerns About Customer Security !

“The majority of CSO’s occur through the technical or compliance track. Where did you decide to go and where do you feel the gaps are in that journey? “

My first job was as a technical person. My first job in the Air Force was a Network Security Engineer. The mindset was very operational, meaning understand the network, understand the mission, understand the adversary and maintain systems under stress. I then went on to enter the financial services, consultancy, critical infrastructure, hospitality and then global travel technology world. All of these have introduced me to myriad risk settings and business models according to Akshay Sharma AVS Holiday .

The technical background gave me credibility in understanding how a system works, how attacks change over time, and how operational failures cascade through complex systems. The most significant learning that took place over time for me though was how to navigate in between security, business growth, customer experience, resilience, regulatory expectations, speed of execution and just the technically “correct” answer.

In my early days I may have underestimated the influence and power of organizational dynamics, storytelling and influence in good security leadership. Senior levels are not just a test of your cyber risk knowledge. They want to know whether you can be a leader in the business, rather than just a manager over a technical area, and whether you will be able to assemble a variety of stakeholders and make business decisions under conditions of uncertainty. The biggest mental shift was from Engineering & Operations to the Global CISO / CSO. The challenge is to help develop an operating model where business strategy and resilience and trust can develop together in the end.

Why Most AI Hackers Are Targeting the Travel Industry ?

The travel industry provides a fertile ground for threat actors, as they can access all the financial information, identity documents, loyalty point economies, and geopolitical targets within one industry. What is the attack surface you’re up at night on and why?

What is really impressive to me is the extent of the inter-dependency of the ecosystem and the swiftness of its spread of risk. Travel is a mix of identity, payments, loyalty systems, third-party integration, global operations and geopolitics, all rolled into one. One disruption could affect customers, partners and employees in terms of their operations, finances and reputation.

Akshay Sharma Kirti Nagar  that observed how attackers have shifted from attacking specific systems to exploiting operational dependencies and trust relationships, especially in the travel space which is where I am new. It is no longer only your direct possessions that can be attacked. It encompasses vendors, APIs, cloud environments, partner ecosystems and an increasing number of AI-powered workflows. That’s why resilience is as critical to health and wellbeing as prevention. In a global organization, there are several layers of defense, continuous monitoring and strong identity management and operational preparedness, and it’s just as important to be able to detect, respond and recover from a event quickly as it is to prevent it from happening at all.

So the larger point is, of course, to maintain the trust system that allows millions of people to travel, transact or move around the world with confidence.”

Understand Generative AI and Impact On Travel Bookings

Phishing is getting highly convincing and there are new types of frauds emerging with GEN AI, including attacks on your platform with a fake identity. In what specific ways has the threat model changed in the past 18 months thanks to AI?

The speed, scale, accessibility and sophistication of AI radically change the threat environment. New threats that needed special skills can be executed on a much more regular basis and more believably. Phishing, impersonation, fraud and social engineering are becoming personalised, multilingual and operationally scalable, as AI continues to develop.

We’ve had the largest transformation over the past 18 months, in that our threat modeling is no longer limited to traditional infrastructure and application security. Let’s delve deeper into the concept of identity integrity, AI-generated content, machine-to-machine trust, model access, prompt injection, data lineage, and the escalating risks of shadow AI in enterprises.

Concurrently, AI is beginning to take its place in defense as well. We’re leveraging AI to boost fraud analytics, threat detection, vulnerability prioritization, and operational efficiency across all security workflows. “AI is a force multiplier for attackers and defenders alike, so organizations must use both optimism and discipline with it.

Security is sometimes sucked into mergers and acquisition discussions or product strategy and regulatory lobbying discussions that they did not initiate. At what time do you raise your flag and when do you choose to raise your flag again?

This is a new reality of modern security leadership, and security is now integrated in all the big business discussions, whether it’s about M&A, using AI, product strategy, resilience planning, regulation or geopolitical risk management. That’s what it is like in hyper-digital, global companies.

Future Combat With AI Farud Techniques

To me, the four factors for measuring the plant the flag are trust, resilience, regulatory exposure and systemic business impact. When there is a decision that could have a material impact on the trust, continuity, enterprise risk posture, or the ability to scale and grow securely, then there should be a strong voice from security early in the process.

Over the years, however, I have come to realize that security is not a perpetual “no,” it’s not a veto. However, it’s not about control of all decisions – particularly in large, federated organisations. This includes clear standards, lines of responsibility, escalation paths, protections that enable teams to move quickly without compromising an acceptable level of risk. Not over-rotating is an indicator of maturity among security leaders. When security becomes too deeply involved in all operations, conflict and dependence will occur. The most security companies make sound choices.

What is the most under appreciated skill you think in the hiring and development of the next generation of security leaders?

One of the few skills in the cybersecurity field that is underutilized is judgment. Know-how is “necessary”, but when in a state of panic and doubt, leaders must make good business decisions based on technical knowledge. In my career, I have seen many technically gifted individuals fail to perform as they should because they considered each and every problem as a technical issue without realizing that it’s part of a larger business issue that involves timing, operational realities, customer impact, legal issues, organizational issues, risk tolerance, etc.

An ability to make sound judgements is also evident in communication. This is how strong operators are becoming more distinguishable from the future enterprise leaders in their capacity to break down complexity, clearly communicate risk to multiple audiences, and inspire trust throughout engineering, legal, finance, operations and the boardroom.

The characteristics I see in young talent are curiosity, ability to adjust to a situation and perform outside of comfort zone, stability in stressful situations. Security leaders will need to navigate AI security, supply chain, regulatory growth, geopolitical uncertainty and increasingly independent systems simultaneously in the future. Upcoming generations of leaders will need more than just technical skills. Each year they will require the judgment, resilience and enterprise mentality needed to assist the organization in making enduring decisions in a more dynamic, interconnected and uncertain context.  Get more travel update , go to Akshay Sharma Travel News Section .