At CrowdStrike Fal.Con 2025 in Las Vegas, theCUBE goes inside the world of hospitality security with David Anderson, VP Cyber Security and Deputy CISO at Travel + Leisure. In conversation with Dave Vellante and Rebecca Knight, Anderson shares how he is steering a fast-moving consolidation effort, cutting tool sprawl and centralizing on the Falcon platform for tighter integration and clearer visibility. He breaks down the impact of Falcon Flex on procurement, the shift to next-gen SIEM with built-in automation and UEBA, and why safeguarding the trust of 800,000 owners across 270 resorts is as critical as the technology itself.
Anderson dives into the human side of security too, describing how natural language via Charlotte lowers the training curve and speeds investigations. He explains why he thinks of AI as not only a tool but also terrain and identity, and why governance matters when countering threats like poisoning, weight manipulation and agent drift. Reacting to the Pangea acquisition, Anderson outlines a board-level approach that ties controls directly to business outcomes and financial value, reframing cybersecurity as a business enabler rather than a cost center.
Forgot Password
Almost there!
We just sent you a verification email. Please verify your account to gain access to
CrowdStrike Fal.Con 2025. If you don’t think you received an email check your
spam folder.
In order to sign in, enter the email address you used to registered for the event. Once completed, you will receive an email with a verification link. Open this link to automatically sign into the site.
Register For CrowdStrike Fal.Con 2025
Please fill out the information below. You will recieve an email with a verification link confirming your registration. Click the link to automatically sign into the site.
You’re almost there!
We just sent you a verification email. Please click the verification button in the email. Once your email address is verified, you will have full access to all event content for CrowdStrike Fal.Con 2025.
I want my badge and interests to be visible to all attendees.
Checking this box will display your presense on the attendees list, view your profile and allow other attendees to contact you via 1-1 chat. Read the Privacy Policy. At any time, you can choose to disable this preference.
Select your Interests!
add
Upload your photo
Uploading..
OR
Connect via Twitter
Connect via Linkedin
EDIT PASSWORD
Share
Forgot Password
Almost there!
We just sent you a verification email. Please verify your account to gain access to
CrowdStrike Fal.Con 2025. If you don’t think you received an email check your
spam folder.
In order to sign in, enter the email address you used to registered for the event. Once completed, you will receive an email with a verification link. Open this link to automatically sign into the site.
Sign in to gain access to CrowdStrike Fal.Con 2025
Please sign in with LinkedIn to continue to CrowdStrike Fal.Con 2025. Signing in with LinkedIn ensures a professional environment.
Are you sure you want to remove access rights for this user?
Details
Manage Access
email address
Community Invitation
David Anderson, Travel + Leisure
At CrowdStrike Fal.Con 2025 in Las Vegas, theCUBE goes inside the world of hospitality security with David Anderson, VP Cyber Security and Deputy CISO at Travel + Leisure. In conversation with Dave Vellante and Rebecca Knight, Anderson shares how he is steering a fast-moving consolidation effort, cutting tool sprawl and centralizing on the Falcon platform for tighter integration and clearer visibility. He breaks down the impact of Falcon Flex on procurement, the shift to next-gen SIEM with built-in automation and UEBA, and why safeguarding the trust of 800,000 owners across 270 resorts is as critical as the technology itself.
Anderson dives into the human side of security too, describing how natural language via Charlotte lowers the training curve and speeds investigations. He explains why he thinks of AI as not only a tool but also terrain and identity, and why governance matters when countering threats like poisoning, weight manipulation and agent drift. Reacting to the Pangea acquisition, Anderson outlines a board-level approach that ties controls directly to business outcomes and financial value, reframing cybersecurity as a business enabler rather than a cost center.
At CrowdStrike Fal.Con 2025 in Las Vegas, theCUBE goes inside the world of hospitality security with David Anderson, VP Cyber Security and Deputy CISO at Travel + Leisure. In conversation with Dave Vellante and Rebecca Knight, Anderson shares how he is steering a fast-moving consolidation effort, cutting tool sprawl and centralizing on the Falcon platform for tighter integration and clearer visibility. He breaks down the impact of Falcon Flex on procurement, the shift to next-gen SIEM with built-in automation and UEBA, and why safeguarding the trust of 800,00...Read more
exploreKeep Exploring
What motivated David Anderson to transition into the hospitality industry after his experience in healthcare?add
What prompted the decision to consolidate security tools, and what steps were taken in the process?add
What changes did the company experience in their security stack after integrating with CrowdStrike?add
What are some concerns regarding the use of AI in cybersecurity?add
What is the challenge of linking cybersecurity to business objectives and financial impacts?add
>> Good afternoon everyone, and welcome back to theCUBE's live coverage of Fal.Con 2025 here at the MGM Grand. I'm your host, Rebecca Knight, alongside my co-host and analyst, Dave Vellante. We are welcomed by David Anderson, VP Cyber Security and Deputy CISO at Travel + Leisure. Thank you so much for coming on the show.
David Anderson
>> Thank you for having me.
Rebecca Knight
>> So, you've got a cool job. You've been in it for about eight months, but your professional career is really interesting and varied, and you've been in healthcare, defense, aviation, and now you're in hospitality. What drew you to this industry? I mean, what didn't I should say, but tell us a little bit about that.
David Anderson
>> Honestly, I had a stroke while working at a CISO at a healthcare company, and the doctors told me to take a break, and the recruiter called me and said, "Hey, how about being a deputy CISO at a place called Travel + Leisure?" I'm like, "How much more awesome is this?"
Rebecca Knight
>> You needed a sign.
David Anderson
>> Yeah, yeah. So, it worked out. It was great.
Rebecca Knight
>> Absolutely. Excellent.
Dave Vellante
>> So, I wonder if you could share the transformation journey that I understand you guys went through.
David Anderson
>> Sure.
Dave Vellante
>> How did it start? What was the driver to initiate it, and take us through sort of the steps?
David Anderson
>> Yeah, so we're in the process of consolidating. We grew a little bit through mergers and acquisitions, and we've had multiple security tools. So, we kind of looked at how we would consolidate our tools. Is that what you're referring to, first of all?
Dave Vellante
>> Yeah.
David Anderson
>> Yeah. I've worked with CrowdStrike over a long period of time, and what I like about CrowdStrike is their ethos. They have that mantra, which is not just a mantra of "We stop breaches," and my relationship within them has gone from company to company to company because they have my back. And so, that was a very obvious choice for me to centralize on CrowdStrike, to normalize on CrowdStrike, and get rid of some of the point solutions that we had, and bring everything under CrowdStrike's rubric.
Dave Vellante
>> So, you were able to reduce the number of vendors and tools in your security stack?
David Anderson
>> Yes, and in so doing, reduce the seams, I mean, now I've got much greater integration. I got one pane of glass, and so, yeah, it's been cost savings and better security.
Dave Vellante
>> Are we talking many dozens, down to dozens, dozens down to single digits? Can you-
David Anderson
>> No, I'm still working. It's only been eight months.
Dave Vellante
>> So, it's many dozens, right?
David Anderson
>> Yes, yeah.
Dave Vellante
>> Okay, like most companies.
David Anderson
>> Right.
Dave Vellante
>> Okay. And how's that work? Is it an asset that's depreciated already on the balance sheet, so there's not a financial consideration? Do you rip and replace?
David Anderson
>> I wait until the contract expires, and make the transition then.
Dave Vellante
>> You make the transition?
David Anderson
>> Yep.
Dave Vellante
>> How do you deal, David, with the processes and the procedures that are built up around those point tools? How do they transition over? How much heavy lifting is involved? What's that like?
David Anderson
>> No, it's not challenging at all, because my technicians know the environment, and that's really critical. And because I'm going to CrowdStrike, the UI is intuitive, so the folks don't have much. And because we're also a flex customer, the procurement cycle is very easy. So, it works out well for us.
Dave Vellante
>> Why is it so difficult for companies to... I mean, your peers tell us that they have a hard time reducing their security stack. They'll say, "Can they reduce?" I think that the data that we have is probably maybe 10% would say they're in your camp, that they actually can reduce the number of tools. Why is it so difficult? Is it because of the allure of the shiny new toy?
David Anderson
>> That is a lot of it. I mean, we, as CISOs, like to get the next tech, because we want to stay at the same level as the adversaries. As they change methodologies, we need to change methodologies. And again, I'm very happy to be with a company that is helping me out, because they're on the edge too, so I don't feel like I'm losing anything by normalizing with them.
Rebecca Knight
>> I want to back up for a second, and just talk a little bit about Travel + Leisure, the business, and what you do, and the kind of high net worth data that you are tasked with protecting.
David Anderson
>> Yeah, so we are a vacation ownership company, and so we've got long-term relationships with our owners. We have about 800,000 owners, and we've got 270 resorts plus across the globe. And these relationships aren't just with the individual owners, because they're owners, so they can actually transition them to their children. So, we have multi-generational customers. So, because of that, and the fact that they're connecting from all over the world, sometimes in places where the security isn't all that great for the connection, we have to be very careful. And because we're a vacation ownership company, we also own the magazine. We really want to have a positive relationship with all of our customers, because there was a bit of a stigma in this space, and we really work really hard to take care of them, because a breach would be a big problem for us. So, we do the best we can to avoid that sort of situation.
Rebecca Knight
>> So, let's dig into that a little bit. You said it would be a big problem, which, of course, it would be, but what would it be beyond just the technical impact?
David Anderson
>> Well, it's trust, right? I mean, we've got these customers that are owners, and they want to know that we're taking care of them, no matter where they're connecting from, and how they're using our resources.
Rebecca Knight
>> And multi-generational trust, as you said?
David Anderson
>> Yeah.
Rebecca Knight
>> Yes.
Dave Vellante
>> Can you talk about SIEM and Next-Gen SIEM? I mean, it's marketing term, but we love to hear from the CISO perspective, what does Next-Gen mean? I mean, the state-of-the-art back last decade was a bunch of log files that you could search, and that was awesome actually at the time, but that's now legacy. What is Next-Gen SIEM? What was your transition like?
David Anderson
>> Oh, it's amazing, the fact that it's got automations built in, the fact that they're adding modules to it on a pretty regular basis. I didn't ask them to build case management, they just threw it in there. And that's changed the way we operate, because now it's automatically collecting information for us. We're getting the metrics that we need to see how we're operating, and we're prosecuting those incidents much more quickly. And they're doing the same thing with UEBA. I mean, that tool has really revolutionized the way our SOC operates.
Dave Vellante
>> Can you add some color to that? What does that mean for a SOC analyst? What's the day in the life of a SOC analyst, kind of before and after?
David Anderson
>> Well, before, I don't want to call out the previous provider, but it was very arcane, very specific searches. You had to learn the language to pull that stuff from the SIEM, and if you didn't know the language, you were kind of out of luck. We had certain analysts that were experts, and they had to bring the other analysts on.
Dave Vellante
>> "Where's Joe? Oh, he's on vacation. Oh, no."
David Anderson
>> Exactly. But with Next-Gen SIEM, and with Charlotte as well, we're able to communicate much more natural language and get the information that we need, not just as quickly, more quickly.
Dave Vellante
>> Okay. So, you're a Charlotte customer as well?
David Anderson
>> Yeah, we're a design partner with Charlotte, and we're moving into it.
Dave Vellante
>> So, how has that changed the SOC analyst experience?
David Anderson
>> Well, it's, again, much easier. The on-ramping for training is much lower, because they don't have to learn. Again, all of these, you stand on one foot, what finger do you use to type when you're actually creating those searches, it's natural language, and you get the information that you need.
Dave Vellante
>> So, when we talk to an LLM on a topic that we understand, we can kind of challenge it, and, of course, correct it, and then maybe use another LLM and get to an answer. How does that work with Charlotte? Is there a similar dynamic in that the SOC analyst, you, as the CISO, have to trust that the SOC analyst has an in-depth of expertise to know when Charlotte is maybe a little bit off base or a little off script? I don't want to say hallucinating, because I know they've put some real efforts into-
David Anderson
>> Yeah, there is some really governance around it. But beyond that, yes, they do-
Dave Vellante
>> It's not perfect.
David Anderson
>> Of course not, yeah. And not with Charlotte, but with other LLMs, I have some personal experiences where it hasn't gone the way I wanted it to, but with Charlotte, we've had no issues. And the difference here is you've got the deep institutional knowledge that Charlotte doesn't necessarily have. She has the machine knowledge, or it has the machine knowledge. Sorry.
Dave Vellante
>> It's okay.
David Anderson
>> But my staff knows that the institutional and knowledge exclusive to Travel + Leisure, that helps them to identify when things just aren't right. And I think the transparent searches make it much easier for them to understand what's going on.
Dave Vellante
>> Is security AGI something that resonates with you?
David Anderson
>> Oh, absolutely. Yeah.
Dave Vellante
>> Why?
David Anderson
>> Well, I mean, there's a whole bunch of things. I mean, the speed which we can process is amazing and very, very helpful. But I will say there are some things that concern me, and it's concerning me more and more every day, when I talk to other vendors that don't look at this, this advent of AI inside cybersecurity, as not just a tool. It's the terrain now. And so, we have to ensure that when we're using these tools, that we acknowledge that, not only can they be poisoned, can they be manipulated, can their weights be changed, but they could go rogue on us. And so, it's very important that we have monitoring in place, to ensure that not only are the inputs and outputs correct, but the processing of the LLM itself can be trusted. So, we got to watch those things very, very carefully.
Rebecca Knight
>> That's really interesting how you described it. It's not just the tool, it's also the terrain. I mean, when you're here at a conference like CrowdStrike, and you're talking to your peers in other industries, at other companies, is this something that is well understood among your sort, and maybe a frustration in terms of explaining that internally, and then helping other C-suites understand how you're prioritizing, and what your decision-making process looks like?
David Anderson
>> Yeah, absolutely. I still think it's evolving in this space, because I think a lot of people still are looking at it as a tool, but with the advent of MCP and all that brings, where we're able to reach out, and the risks that come from that, being like the TCP/IP of AI. I mean, we've got to view this as something akin to what we saw when we started up with AV, and how if you access AV, you can access the entire enterprise. Now, if you access AI and co-opt it, or it goes rogue, it's machine speed. I mean, earlier, George talked about it being superhuman, and really, if you've got an intern working for you, this from Krypton, and if it turns, you've got some serious problems.
Dave Vellante
>> You mentioned TCP/IP of AI, it's a good analogy. What are the similarities and differences in terms of the benefits, I guess, of TCP/IP are obvious, the standard, but what about the need to protect the protocol, if you will, and it feels like it's significantly more complicated to protect agents? Can you help us understand your perspective on the similarities and differences?
David Anderson
>> Yeah, the similarities, that is the mechanism through which it reaches out to the rest of the world. And so, when we had firewalls before, we need the same sort of thing in the AI space, to be certain that the communication to and from that LLM is what we want it to be. And we have to treat them not as just a tool and not just as a terrain, but also as an identity, right? I hate to say it, but it's got a capacity to take its own path, and we have to acknowledge that, and look at it as not only someone that can help us out with, but something that can become an insider threat.
Dave Vellante
>> And George was saying, he knows some companies that are giving basically employee IDs to agents.
David Anderson
>> Yeah, I heard that.
Dave Vellante
>> So, I mean, based on what you just said, David, it's like, yeah, they're kind of like people. People can go rogue too, all the time.
David Anderson
>> That's exactly the concern that I have. We've got these superhuman machines that could go rogue, and I think there's a lot of inherent trust that we've built up, because everything else in computing is pretty much deterministic. Same thing goes in, same thing comes out. This is very, very different, and there's LLM drift. And then, say, you've got agents that are working with other agents, one agent goes bad, it could actually teach the other agents to go along with it. So, it's an increased risk that requires us to remain very skeptical, and ensure that we're looking out for those things.
Dave Vellante
>> Rebecca, there's an interesting debate now going on in tech, with the Tom Friedman article, and I don't know if you've seen the counterpoint to that, where basically he said he doesn't really know what he's talking about. AI's not there. But this article we're talking about, Tom Friedman basically said, talking about AI potentially going rogue, and he use some examples that AI can learn languages that it would never trained on, which others are saying, "Well, that's not really true." But any rate, I feel like, eventually, AI is going to have its own agency. It doesn't today, but I would think all of us should be worried about that.
David Anderson
>> I don't want to be apocalyptic about it. I mean, it's very Hollywood-esque to talk about Skynet and all that thing. However, when we do have frontier agents that were in an academic study showing that, when they were told they were going to be shut down, they began testing security controls and trying to find ways to save themselves. So, that to me is terribly concerning.
Dave Vellante
>> Right. I mean, notwithstanding speed of light, I feel like everything in science fiction ultimately happens.
Rebecca Knight
>> This conversation is starting to scare me. I'm starting to get high, but when you think about what's next, I mean, you've already laid out some exceedingly big challenges ahead, and these apocalyptic scenarios that are, in fact, real. You cited that academic study, where we saw the AI do that.
David Anderson
>> At one point, 85% of the responses were deceptive after one of the agents was told it was going to be shut down. I mean, that's just-
Rebecca Knight
>> Well, because it has the desire for self-preservation. Exactly. What do you see as some of the opportunities?
David Anderson
>> No, I think the opportunities are just as amazing, and that's why we have to have the appropriate governance around it. And so, that's my biggest fear, is that, as we move forward to take advantage of the massive processing power, and the ability that we have to use it to speed up all of our business processes. I mean, I've got 800,000 owners, so I've got a lot of information to process, and we're just scratching the surface of what that thing can do for us. But at the same time, we have to be aware that there are risks that come with it. And so, we're going to have to develop those two capacities in parallel. And I think George, they had a pretty good plan for that. The Pangea acquisition is fantastic.
Dave Vellante
>> Why do you feel that way?
David Anderson
>> Because they're focusing on the things that concern me the most, the issues that we have with the capacity for these agents to be co-opted with poisoning, with weight changing, all of those things. And they're acknowledging that they're there, where a lot of people are a little bit too trusting, I think.
Dave Vellante
>> So, you were familiar with Pangea before the acquisition?
David Anderson
>> I was not. I need some research right after.
Dave Vellante
>> Oh, okay.
David Anderson
>> Yeah. I was like, "Oh my gosh, what is this?"
Dave Vellante
>> Okay. So, as a CISO that's trying to consolidate his organization's stack, you perhaps wouldn't have gone out and acquired a Pangea tool. But now, as part of Falcon Flex, George was saying today on theCUBE, "Well, it'll be available as soon as we close the deal, it's going to be available." So, any customer that's a Flex customer will be able to bring it in, if they so choose.
David Anderson
>> And thankfully, that's me, so, yeah. Yeah, and it helps me, because it solved a big problem that I was concerned about. Because my first meeting, I've been here for a few months, my first town hall with my CEO, he talks about AI. He came out with a deep fake of himself, and he showed just a little bit of information. I was able to create this thing. That's what we need to be doing. We need to be advancing. We need to be pushing, because it's a cutthroat business. We got to go out there, and if we're not advancing, other people are going to catch up to us. And so, with that comes this need to protect that power.
Dave Vellante
>> I'm looking at this sign over here, cyber resilience. It's kind of the big buzzword these days. But you've been involved in, I think, healthcare?
David Anderson
>> Yes.
Dave Vellante
>> Defense?
David Anderson
>> Yep.
Dave Vellante
>> Aviation, now hospitality? How have these past experiences shaped your thinking about building cyber resilience?
David Anderson
>> Yeah, interestingly enough, I don't consider myself an IT guy, because I was recruited by the Navy, worked for NSA and CYBERCOM as a cryptologic linguist, and then had a short detour as interest, went back to cryptology, because working for NSA was a heck of a lot more fun than being a nurse. And that really colored my perception of what a threat can do, and how fast threat actors can act. Working for CYBERCOM in the early days, we were trying to get decisions down to the millisecond, right? Because we've got nation state actors, with incredible resources coming after us, and we have to be able to make and put decisions. And now, with the advent of AI on the adversarial side, I have a very similar, if not the exact same problem, because we've got folks that have polymorphic malware controlled by AI. So, if they can get into my system and begin, like George is saying, query the LLMs that we have, that just makes the whole thing exceptionally more difficult. And so, I've got to be able to adapt, and their purchase of Pangea helps me understand that the stack that I'm using is coming with all those protections that I was going to try to have to figure out myself.
Rebecca Knight
>> So, for other hospitality and customer-focused companies that are looking at what you're talking about, what is your advice in terms of consolidation, in terms of thinking about flexibility, and what you choose?
David Anderson
>> So, it's a problem everywhere. I worked in healthcare before that, and aviation for a bit. And the point solutions just don't work anymore, because it's those seams and those gaps that the adversaries are now much, much more effectively able to exploit, because they don't have to make the decisions themselves. They can deploy an agent, and set it free to do its bidding. So, yeah, I think that's very, very important that they consider that when they're making purchases. And it's not look at just best-of-breed, but the solution that's going to work best with the stack that you have.
Dave Vellante
>> So, you said you're eight months in, did I hear that correctly?
David Anderson
>> Six, but yeah.
Dave Vellante
>> Six months in? So, let's say you're a year and a half in, you're in front of the board, and they say, "Okay, what have you accomplished? What proof points do you have that this investment's paying off?" What are the KPIs that you communicate at the board level?
David Anderson
>> Actually, I'm working on this philosophy, my own philosophy, of being able to take a security control, and link it to a business objective, and then link it finally to a financial impact. Because one of the things that I haven't been able to figure out, and maybe you can connect me with somebody that has, is how to make cybersecurity perceived not just as a cost center and not just rely on FUD. I hate that when folks just rely on, "Hey, we're going to stop this breach." I'd much rather find a way to operationalize my processes to use AI to automate my processes, so that I can say that now I'm making my security architecture and compliance acquisition process X number of times faster, which means you can move your business processes much more quickly, and I'm enabling that for you. And so, those are the kind of things that I want to present to them, that cybersecurity is in the office of, no, it's the office of enabling you to do business faster, because we're getting things out of your way.
Dave Vellante
>> Well, I definitely think there's a top-down, simple, my back-of-the-napkin brain. I mean, you've got IT infrastructure that supports applications, that this connected the business processes that supports revenue. And you have organizations actually have a fairly good understanding, not withstanding that the business processes are interrelated, and there's dependencies, but they have a fairly good understanding of which applications are driving revenue. And it sounds like, if the more standards that you can put in place, the faster you can get new initiatives, new products, and services out to market, and that's quantifiable by some percentage. Are you shortening the time to market by a week, two weeks, a month, two months? Because we don't have to go through this SOC compliance capability. I mean, that can be very time-consuming if you can, I don't want to say rubber stamp or throw holy water or whatever, but essentially it's that. You're getting products and services into the market faster, faster than your competition. You can actually quantify that beyond reduction in loss, reduction in risk, and so reduction in expected loss, which is the classic way to do a business case. But this sort of flips the script and turns it into a revenue driver.
David Anderson
>> And that's really what I'd like to do. Certainly, security is paramount, and that's what I... Because that's my fiduciary duty to my customers and my owners, I've got to take care of them. But at the same time, I want to be able to be a good business partner, and not just think about cyber security, but ensure that my processes are enabling business in every way possible. One of the things that, I'll say it, loathe about coming into IT is so many people refer to the rest of the business as the business. No, we're the business too. We have the same goals. We are all trying to achieve the same thing. And so, quit calling it the business, acknowledge you're part of the business, and help the business to execute.
Dave Vellante
>> It's so true.
Rebecca Knight
>> Our incentives are aligned. Absolutely.
Dave Vellante
>> It's so true. IT organizations always say, "Well, it's the business. It's the business." Well, you're right. You are a fundamental part of the business.
David Anderson
>> And that came from the Navy.
Dave Vellante
>> You're embedded in the fabric of the business.
Rebecca Knight
>> Yeah, absolutely. That's words to live by, David Anderson.
Dave Vellante
>> Pull IT away. Watch what happens to the business.
Rebecca Knight
>> Excellent point. Very good point. Excellent. Well, David Anderson, thank you so much for coming on theCUBE. Pleasure having you.
David Anderson
>> It's my pleasure.
Dave Vellante
>> Appreciate it.
David Anderson
>> Thank you.
Rebecca Knight
>> I'm Rebecca Knight, for Dave Vellante, stay tuned for more of theCUBE's live coverage of Fal.Con. You're watching theCUBE, the leader in enterprise tech news and analysis.
Rebecca Knight
David Anderson
Dave Vellante