Module 2 Assignment

Uploaded by

Sapphire

Agboola M’ Odufuwa

Nexford University

MHY6750: MODULE II - Analysing Digital Leadership Positions to Address Role in Audits and Remediation in Marriott International HQ

Professor Felix Hernandez

June 18, 2025


INTERNAL MEMO MARRIOT INTERNATIONAL

To: Country Leadership Team (CLT) – Marriott Intl Global Office

From: Agboola Odufuwa, Director de Tech.

Date: June 18th, 2025

Subject: Marriott International HQ Digital Leadership Positions Analysis to Address Audit Roles & Remediation

EXECUTIVE SUMMARY

Marriott International, founded ahead of the internet era in the 1920s as a “nine-seat beer stand” in the USA by J. William and Alice Marriott (Marriott International, 2025), is considered a legacy organization. However, the company has come full circle since then. Considering the effects and experiences our organization, Marriott International, has had and also surmounted, it is imperative that we all become forward-looking and forward-thinking in our approach to ensuring data compliance, safety and integrity. Having this in place and in mind will definitely ensure we do not dole out millions of USD as in the Starwood Hotel acquisition case.

The increasing sophistication, instances and occurrence of cyber threats can no longer be underestimated, calling for a more intentional drive towards cyber compliance, protection and watch.

In the wake of these complex threats to safety, and considering that Marriott is a heavily digitalized organization dealing with a wide and huge variety of personal data, there is a need to ensure solid CYBER SECURITY LEADERSHIP.

LUXURY IN EVERY WAKE


According to Von Solms & Van Niekerk (2013) and Tounsi & Rais (2018), “Cybersecurity leadership refers to the strategic and operational guidance provided by individuals or teams responsible for protecting an organization’s digital assets and infrastructure. It involves setting a clear vision for cybersecurity, aligning security initiatives with business objectives, managing cyber risks, and fostering a culture of security awareness across all levels of the organization. Effective cybersecurity leaders must possess a blend of technical expertise, risk management acumen, and strong communication skills to influence stakeholders and drive organizational resilience in the face of evolving cyber threats.”

BACKGROUND

After the acquisition of Starwood Hotels, Marriott was exposed to a cyber-breach which had been running from 2014 & 2020 until it was discovered – 4 years later – and was mandated to pay a heavy fine of $52 million to the feds as a result (Suzanne Rowan Kelleher, 2024). This breach was said to have occurred due to outdated software, lack of multifactor authentication, and poor network structure (Hoenig, 2025), in the wake of the exposure of highly confidential guest data including DOB, passport details, payment information etc. at the time.

As a result of this incident, the global office was also mandated to upgrade and step up its cyber strengths, thereby highlighting the importance of adequate cyber checks and measures during acquisitions and mergers.


CURRENT STRUCTURE OF MARRIOTT’S IT DEPARTMENT

Find below the present global organogram for Marriott.

The Org. (n.d.). Marriott International organizational chart. The Org. https://theorg.com/org/marriott-international

MARRIOTT INTERNATIONAL EXTENDED ORGANOGRAM


ORGANOGRAM SHOWING CYBER SECURITY AT THE GLOBAL LEVEL

GAPS IN MARRIOTT’S CYBER LEADERSHIP ROLES

• Absence of a CHIEF INFORMATION SECURITY OFFICER (CISO) – While MARRIOTT has Pinto Drew as Exec Vice President (EVP) Revenue and IT, there appear to be only a few hands working at a global level protecting the organization (MARRIOTT INTERNATIONAL INC /MD/ 10-K Cybersecurity GRC - 2025-02-11, 2025).


• There also appears to be a lack of proper synergy between locations. For instance, while Thomas White Marsh is the Information Security Manager, reporting to Kristin Harding, VP IT SEC, DELIVERY & OPS, we also have IGNATIUS, who is reporting to JIM SCHOFIELD with the same role. Note that both Drew and Jim are reporting to the CEO. The ideal state should have a form of alignment whereby Jim reports to DREW and then all others working with Jim eventually do the same. Presently, as depicted in pictures 1 & 2 above, both DREW and SCHOFIELD report individually.

• There appears to be a lack of AI-driven architecture, which undermines Marriott’s ability to face the present challenges of cyber security inspired by AI (MARRIOTT INTERNATIONAL INC /MD/ 10-K Cybersecurity GRC - 2025-02-11, 2025).

• It is not clear whether Marriott has a way of ensuring and enforcing compliance across the various brands and franchises.

• For such a large global organization as Marriott, the role of Incident Responder should NOT rest on the shoulders of an individual, as we have in the first 2 pictures.

• The IT Engineer, Cloud Engineer role is not reporting to the EVP IT.

RECOMMENDATION

• Marriott should create and fill a CISO role; the CISO will synergize all other related fields and report to the EVP INFORMATION TECHNOLOGY.

• This role and role holder should be made public.


• Proper 3rd party risk assessment in synergy with the IT team to guard against another Starwood occurrence.

• TRAINING!! TRAINING!! TRAINING!! This bit cannot be overemphasized. Consistent periodic training will strengthen the team as well as prepare them to identify and tackle new forms of threats.

• Invest in human capital: certification in the cyber space will help ensure skilled talents are made, retained and even built and deployed.

• Investment in infrastructure and skilled talents to manage AI algorithms, which would enable the identification of patterns and subsequently tackle the same across the over 2000 apartments across the world.

• Cyber Safety and Culture – periodic engagement with members of staff will further make cyber security a norm, a DNA across franchises, labels and properties.

• Auto threat detection and threat intelligence to put us ahead of possible threats related to our industry.

CONCLUSION
In conclusion, it is clear that the Marriott organogram still needs a few touches, namely a role that would unify the related IT teams: the CISO role. Marriott also needs to pay attention to empowering the Risk units so as to ensure proper checks of 3rd party liabilities and vulnerabilities that may cost the company her goodwill. This can be achieved by setting up a Cybersecurity Governance Committee, which will encompass a 360 team across the IT, Compliance, Risk, Ops, and Legal units. This will not only help them understand and grow the business safely, but would also enable them to come up with strategies to handle cybersecurity and risk.
Below are some roles in cyber security. It is important to understand that the essence of these roles is to protect, secure, ensure compliance and manage risks at all levels across an entity.

| Role | Primary Responsibilities |
| --- | --- |
| Chief Information Security Officer (CISO) | Leads the cybersecurity strategy, governance, and risk management from a high level approach. |
| Security Architect | Designs resilient secure systems and networks. |
| Security Engineer | Builds and maintains security tools and infrastructure such as firewalls, intrusion detection systems to mention a few. |
| Security Analyst | Monitors systems for suspicious activity, trend of same and pattern if possible, and also investigates incidents, and analyses threats. |
| Incident Responder | Handles security breaches, coordinates response efforts, and performs forensic analysis. |
| Penetration Tester (Ethical Hacker) | Simulates cyber-attacks to find vulnerabilities before malicious actors do. |
| Threat Intelligence Analyst | Tracks emerging threats. |
| Governance, Risk & Compliance (GRC) Analyst | Ensures policies, regulations, and standards are followed (e.g. ISO 27001). |
| Identity and Access Management (IAM) Specialist | Manages user access controls and authentication systems. |
| Cloud Security Engineer | Secures cloud environments such as AWS, Azure, GCP and ensures compliance. |

Research also shows emerging roles in this space, some of which are stated below, all in a bid to underscore more robust system management as organizations continue to depend on Cloud, explore IoT and rely on AI.

| Role | Focus Area |
| --- | --- |
| DevSecOps Engineer | Integrates security into DevOps pipelines and software development workflows (Chavaria, 2022) |
| Application Security Engineer | Secures software applications through code reviews, vulnerability scanning, and secure coding practices (Indeed Editorial Team, 2024) |
| Security Awareness Trainer | Educates employees on cybersecurity best practices and phishing prevention (Indeed Editorial Team, 2024) |
| Data Privacy Officer | Ensures data handling complies with privacy laws like GDPR or CCPA (Cemal, 2025) |


References

Cemal. (2025, February 10). Key Responsibilities of a Data Privacy Officer: A Comprehensive Guide - Data Privacy Officer. Data Privacy Officer. https://dataprivacyofficer.org/key-responsibilities-of-a-data-privacy-officer-a-comprehensive-guide/

Chavaria, J. (2022). What does a DevSecOps Engineer Do? | Fluid Attacks. Fluidattacks.com. https://fluidattacks.com/blog/what-does-a-devsecops-engineer-do

Hoenig, M. (2025, February 7). Marriott Settles for $52M & Enhances Data Protections After Multi-State Investigations. KJK | Kohrman Jackson Krantz. https://kjk.com/2025/02/07/marriott-settles-for-52m-enhances-data-protections-after-investigations/

Indeed Editorial Team. (2024). 12 Types of Cybersecurity Roles (With Duties and Salaries). Indeed Career Guide. https://www.indeed.com/career-advice/finding-a-job/types-of-cyber-security-roles

Marriott International. (2025). Our Story. Www.marriott.com; Marriott International. https://www.marriott.com/about/culture-and-values/history.mi

Marriott International - Org chart. (n.d.). THE ORG. https://theorg.com/org/marriott-international

Marriott International - Org chart. (2025). THE ORG. https://theorg.com/org/marriott-international

MARRIOTT INTERNATIONAL INC /MD/ 10-K Cybersecurity GRC - 2025-02-11. (2025, February 11). Board-Cybersecurity.com. https://www.board-cybersecurity.com/annual-reports/tracker/20250211-marriott-international-inc-md-cybersecurity-10k/

Suzanne Rowan Kelleher. (2024, October 10). Marriott Gets $52 Million Slap On Wrist For Massive Security Breaches Due To “Lax Security.” Forbes. https://www.forbes.com/sites/suzannerowankelleher/2024/10/10/marriott-52-million-slap-wrist-cybersecurity-breaches-lax-security/

Tounsi, W., & Rais, H. (2018). A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security, 72, 212–233. https://doi.org/10.1016/j.cose.2017.09.001

Von Solms, R., & Van Niekerk, J. (2013). From Information Security to Cyber Security. Computers & Security, 38(1), 97–102. https://doi.org/10.1016/j.cose.2013.04.004
