Q&A
How to Make Guests Feel at Home (and Still Comply with PCI and SOX Too)
The head of information security for the company that owns the Grand Ole Opry gives a snapshot of his road to SOX compliance
By Katherine Walsh
February 15, 2008
CSO
When Mark Burnette came to Gaylord Entertainment Company in 2005, the hospitality and entertainment chain was well into its first year of SOX (Sarbanes-Oxley) compliance. Burnette was brought into a newly created role, executive director of IT operations and security, to help build a mature information-security function that would help the company comply with PCI and SOX regulations.
Since then Burnette has used his skills as a former IT auditor to get the compliance program into shape at this $900 million company, which owns the Grand Ole Opry and several large convention sites. CSOonline.com recently caught up with him to learn more about the challenges of compliance at a mid-sized business, how to build support for a security program, and what to do about the risk of guests who want to “explore” private areas of a hotel, like the accounting office.
CSO: What are the biggest risks facing a hospitality company like Gaylord? How do you manage those risks differently than you might in another industry? 
Mark Burnette, executive director of IT operations and security at Gaylord Entertainment: When people come into one of our hotels, we want them to feel at home. Our culture is one of accommodation, and that can be a challenge for security. Sometimes it’s counterintuitive to the idea of security and privacy. We have to educate our employees enough to help them understand when to draw the line between a reasonable customer request and an unreasonable one. We have to help them understand what those requests look like. The best example of that has to do with access to private areas of our hotel. Sometimes guests like to explore, and they may wander into, or try and gain access to a private area, like an accounting office. That is one where the employee would need to understand there are clear boundaries within the hotel.
CSO: How do you do that?
Burnette: Part of it is making employees aware of the programs we have in place and why. We produce a security newsletter that touches on [security breaches or other events] that have happened all over the country, and we add some analysis of what that means for our company. We explain what Gaylord is doing to prevent a similar event from happening to us. We also educate through regular interaction with the leadership teams at the individual properties. We rely on them to model the types of behaviors