Hospitality Industry - Cybersecurity Uplift
Case Study
About Our Client
Overview
Our client is a diversified investment firm with interests spanning retail property, equity, and hospitality. In a significant strategic shift, the business moved away from relying on established international hospitality chains to directly managing its own hospitality properties under an independent operating model.
This transition marked a pivotal moment for the organisation – one that brought both opportunity and complexity. Taking on full operational accountability meant inheriting the IT, operational technology, governance, risk, and compliance (GRC) obligations, and security operations that had previously been managed by an independent operator.
The challenge
Taking the keys — and everything that comes with them
When our client transitioned away from a managed model to run its operations independently, it inherited a technology environment it had never owned or governed before. The security operation, vendor relationships, incident response processes, and compliance obligations that previously sat with the independent operator were now its responsibility – and the gap between where it was and where it needed to be was significant.
The core challenge was not simply a technical one. Our client needed to understand its new security obligations across people, process, and technology; establish assurance over its vendor dependencies; and build a governance structure capable of standing on its own – all ahead of an aggressive launch schedule.
With the stakes high and the timeline firm, our client engaged Avocado to assess the current state, develop the cyber strategy, and chart a clear path forward.
Services:
- Cybersecurity Gap Assessment
- GRC Framework Design
- Policy and Standards Development
- Endpoint, Identity and Access Management Protection
- Third Party Risk Management
- Penetration Testing
- Incident Response
- Cyber Awareness Training
- Virtual CISO Advisory
Sector
Hospitality
The Approach
A phased plan built for an operation that had to keep running
Avocado structured the engagement in three phases supported by a roadmap of risk-prioritised activities, designed to move our client from assessment through to operational independence – without disrupting day-to-day operations.
Phase 1: Cyber Security Strategy
Avocado conducted a comprehensive gap assessment across people, process, and technology. The work focused on mapping the operational security gaps introduced by the transition, reviewing the technology stack (including Azure AD, MFA, and network segmentation), and assessing controls across preventative, detective, and corrective security domains. Risk findings and strategic recommendations were presented to leadership, and an agreed roadmap and project plan were established to guide the subsequent phases.
Phase 2: Implementation
With Phase 1 complete and the roadmap agreed, Avocado moved into delivery of the project plan. This phase included drafting critical security policies and standards, establishing a clear RACI matrix, conducting assurance on deployed policies and controls, onboarding and integrating the SOC, conducting incident response and disaster recovery planning, and completing penetration testing across the new environment. The implementation of the ISMS was aligned to ISO 27000 to ensure controls met this standard in order to meet future compliance obligations.
Four key work streams structured the programme: Cybersecurity Framework, Incident Response and Business Continuity, Outsourcing and Vendor Assurance, and Security Operations.
Phase 3: Transition to BAU
Following the Go-Live launch, Phase 3 focussed on a planned handover of security responsibilities to our client’s internal team, with a virtual CISO in place to guide the transition and ensure long-term success, building on a strong foundation of cyber resilience.
The Outcome
From inherited complexity to a clear, confident security posture
The work undertaken by Avocado has established the building blocks for our client to operate as a mature, independent management entity: a clear governance hierarchy supported by a well-defined security operation, confidence in business continuity and incident response, phishing simulation and cyber awareness programmes, and a vendor management strategy fit for a multi-supplier environment.
Longer term, the programme positions our client not just to meet its immediate security obligations, but to continue building its security maturity as the business scales – with the processes, tools, and team knowledge to manage cyber risk effectively and independently.