
Monday, 22 June 2026

Inside Wyndham’s Threat Intelligence Transformation

 

The hospitality sector has long been an attractive target for cybercriminals. Loyalty account takeovers, payment fraud, phishing campaigns tied to real-world events, and ransomware all feature prominently in the threat landscape. But what also makes the hospitality sector particularly exposed is the structure of the industry itself.

Large hotel groups often operate through franchised, highly distributed models. Hundreds, or even thousands, of independently managed properties, multiple vendors, and global digital infrastructure create an environment where visibility is fragmented but a risk to one is a potential risk for all. Oftentimes, security teams must make decisions about threats they can’t fully see, across systems they don’t directly control.

Turning intelligence into decisive security impact 

Against this backdrop, hospitality brands are rethinking how intelligence is gathered, shared and acted upon – moving beyond fragmented monitoring towards a more connected, operationalized approach.

Wyndham Hotels & Resorts illustrates this shift in practice. Operating across more than 9,000 properties worldwide, the business has had to address the inherent visibility challenges of a highly distributed model by evolving its intelligence function to bring disparate signals together and better support security decision-making at scale.

Visibility gaps in a federated environment

As one of the world’s largest hotel franchisors, Wyndham operates across thousands of properties and multiple brands, where individual hotels manage their own IT environments while corporate security remains accountable for their overall risk exposure. 

This creates a federated model where there is no single, centrally managed environment to defend. Instead, corporate teams manage security posture through standards, guidance, and shared intelligence.

Without consistent visibility into local environments, security teams can’t rely purely on telemetry or detection alone. Even in more centralized models, the same challenge persists – the volume and complexity of signals can make it difficult to identify what matters most. In both cases, teams need a way to interpret external signals, connect them to business risk, and guide action across the organization.

Why threat intelligence needs to evolve

Similar to many hospitality brands, intelligence at Wyndham initially supported threat hunting and security operations center (SOC) activity, providing context around observed events. But over time, the audience for intelligence expanded. Executives, risk teams, IT leadership, and compliance functions all began to depend on intelligence to inform decisions. 

Weekly intelligence reports, produced manually in document formats, became increasingly inefficient. They required significant effort to compile, often relied on copy-paste workflows, and struggled to meet the needs of multiple audiences simultaneously. 

The result was output that was resource-intensive, yet not always relevant to the decisions different teams needed to make. For organizations operating at scale, intelligence that isn’t timely and can’t be tailored to specific stakeholders quickly loses its value.

Moving from collection to operationalization

To address this, Wyndham evolved its approach from producing intelligence outputs to operationalizing intelligence across the security function.

A key step was defining clear intelligence requirements aligned with business priorities. Rather than collecting broadly and reporting retrospectively, the team focused on what decisions needed to be supported – and structured collection and analysis accordingly.

This shift reframes threat intelligence as a decision-support capability. At Wyndham, this was supported by the introduction of an intelligence platform (Silobreaker), which helped move the team away from manual collection and static reporting towards a more structured, requirements-driven workflow. At a technical level, this meant that analysts no longer had to manually aggregate sources, and could instead rely on structured collection pipelines that draw from open-source, industry, and closed datasets, including deep and dark web intelligence.

These inputs are then processed into consistent intelligence outputs that can be tailored to specific stakeholders, from detailed analysis for security teams to higher-level context for executives. The result is intelligence better aligned to business needs.

Automating workflows without losing analytical control

One of the biggest challenges in scaling threat intelligence is balancing efficiency with analytical rigor. Automation can ease the workload, but taken too far, it risks distancing outputs from expert judgment.

By introducing automation into summarization, drafting, and reporting workflows – enabled by the intelligence platform – Wyndham’s threat intelligence team significantly reduced manual effort, cutting weekly production time from nearly a full week to around half a day. 

This automation removes repetitive tasks, allowing analysts to focus on higher-value work such as threat actor research, deeper analysis, and identifying risks relevant to their business. Analysts retain oversight of outputs, ensuring that intelligence remains evidence-based and aligned with organizational priorities.

For CTOs and CISOs, this distinction is important – machines handle scale and humans provide judgment.

Integrating intelligence with security

Operationalized threat intelligence only delivers value when it connects directly to security outcomes.

At Wyndham, intelligence is embedded across detection engineering, incident response, and broader security decision-making. Insights generated through intelligence workflows inform how controls are tuned, how incidents are prioritized, and how risk is managed across the organization. 

Equally important is the feedback loop. Operational experience – what is detected, what incidents occur, and how systems behave – feeds back into intelligence priorities. 

This closed loop ensures that intelligence remains grounded in reality, rather than drifting into abstract or speculative analysis. It also reinforces credibility, as intelligence that is not evidence-based quickly loses trust, particularly with senior stakeholders. 

When intelligence changes outcomes

The ultimate test of threat intelligence is whether it changes decisions.

One example highlighted at Wyndham involved email security controls. Intelligence analysis identified a link between allowlisting decisions and subsequent security incidents, providing clear evidence of how configuration choices introduced risk. 

By connecting external threat activity with internal operational data, the intelligence team was able to guide changes in policy and reduce exposure.

This type of outcome illustrates how intelligence can translate external threat signals into internal decision-making.

Best practices

Wyndham’s experience points to several key takeaways:

  • Standardize outputs – Consistent formats make intelligence easier to consume and distribute across diverse stakeholders
  • Tailor to requirements – Different audiences require different levels of detail; aligning outputs to decisions improves relevance and impact
  • Automate selectively – Focus automation on collection, summarization, and formatting, while preserving analyst control over interpretation
  • Integrate with operations – Intelligence must inform detection, response, and strategic planning, not sit alongside them

Taken together, these steps enable organizations to increase the speed, consistency, and impact of intelligence without proportionally increasing resources.

Hannah Baumgaertner, Head of Research at Silobreaker.

From monitoring threats to managing risk

As hospitality organizations continue to digitize and expand globally, the limitations of segmented threat monitoring become increasingly apparent.

Wyndham’s experience demonstrates that when done effectively, threat intelligence enables organizations to focus on what matters, communicate risk clearly, and act with greater confidence in complex threat environments. In a sector facing new risks every day, that ability is essential.

About the Author

Hannah Baumgaertner is Head of Research at Silobreaker.

Tags: Wyndham Hotels & Resorts Silobreaker