Best Practices for 2026 on Technology Infrastructure and Cybersecurity | with Carlos Lugo

GAIN Momentum episode #94: Best Practices for 2026 on Technology Infrastructure and Cybersecurity | with Carlos Lugo
===
Adam Mogelonsky: Welcome to the GAIN Momentum Podcast, focusing on timeless lessons from senior leaders in hospitality, travel, food service, and technology. I'm joined today by my fellow lead GAIN advisor, Carlos Lugo. Carlos. Um, so you're down in Orlando right now? I'm here in Toronto. Uh, let's talk tech, uh, to start off with, what is your role at GAIN?
Carlos Lugo: Uh, yeah. So, uh, well, thank you number one for, uh, for having me here my role at GAIN is, uh, I serve as a strategic, uh, advisor, right? And, uh, focus on, uh, hospitality, technology, strategy, execution. Uh, and my role is really to help, uh, hotel owners, operators, uh, and brands translate business outcomes, uh, to like guest experience.
Labor efficiencies, risk reduction, uh, return on investment when there is such a thing as a, a return on investment, uh, and more into a practical technology roadmap, right? A lot of times they don't truly understand which ones need to go first and why. Uh, and that usually means guiding the infrastructure decisions, uh, cyber security, posture, vendor selection, uh, implementation and planning, so on, right?
For the properties. Just, you know, to be able to drive technology, investments, that, and then making sure that those integrations. Um, uh, you know, are operating effectively, um, to, and also be making sure that they have a great support arm once those, uh, actually go live.
Adam Mogelonsky: Great introduction. You covered a lot of ground there in terms of areas to operate and to improve and to offer best practices. One area to start first though is, um, outside of GAIN, through your own consulting practice, you uh, engage in something that is very, very common in hospitality, which is you work with family.
How's the dynamic working with family, uh, and.
Carlos Lugo: Yeah. A great question because, um, it, it is, it is a real dynamic, right? And, and in hospitality, this is very common. Um, you know, family involvement can be a strength when it's structured correctly. Um, and, and with, with Aaron, uh, we approach it like, you know, like a professional engagement in, in, in a lot of ways, right?
Is, you know, clear roles, defined responsibilities, and a disagree in private and agree in public type of approach, right? Um. The, the upside is really trust, honestly. Um, the speed and shared values, all those things, right, come together. Uh, and the key is discipline, right? We, we must be disciplined, respecting each other's lanes, uh, keeping communication clean and holding the same standards.
Uh, you'll expect, uh, in any professional team.
Adam Mogelonsky: Yeah, it's, uh, there's a lot to be said there. Uh, I'd want to unpack maybe offline the whole idea of disagreeing in pri in private and agreeing in public because that is, um, that is something where it's, uh. You know, the, the disagreement is oftentimes where the best ideas come forward. But, uh, when we're talking about client services, we have to distill a situation down for them and giving them a running train of thought.
They don't really even want that. They want to just have the clear solution, prioritized order, here's what we need to work on. Here's our findings, et cetera, et cetera. Let's move forward as quickly as possible. So on that note, um, let's dive into one specific area of expertise that you have, which is infrastructure.
And this is an area that some hotels often overlook relative to other areas of technology, which are related to the. The, uh, information technology and the commercial systems that sit either, uh, on-prem or in the cloud. So for infrastructure, what should hotels be looking at? What is often overlooked and what's the best way to describe some risks that, uh, that hotels have by not investing in this area?
Carlos Lugo: Yeah, I, I love the compounding questions because, um, there's so much to unpack, right? Um, I will just simply say that, um, the infrastructure risk is, is hidden fragility, if that makes sense. Um, like things may appear to work until peak time in occupancy strikes. And then, uh, an ISP issue or a power event happens, or a me, uh, major system, uh, upgrade exposes the gaps.
Right. And then on, let's sit on cybersecurity, because you touched on that too, on the cybersecurity front. The biggest risk is that hotels have, uh, enterprise level, stack, or attack surfaces with small business level controls, right? And so what often is overlooked, um, are flat networks, for instance, right?
Like where one compromised device can reach everything, right? Or legacy systems, right? Um, oftentimes your PMS interfaces, door lock servers, PBX. Or even all switching gear, uh, that can be patch that cannot be patched adequately, right? These are major risks, uh, vendors for all right? When, uh, unmanaged remote access happens all the time.
Uh, and then lack of visibility, right? Like if you can't see devices and traffic, you can't defend it, right? And so these are typical right to, uh, what are the risks, right? And what is typically, or. Normally overlooked and rightfully so. A lot of these hotels may not have, let's say let's, let's talk independent space, and even in the branded space where they don't have IT support from the brand or they don't have an IT manager per se, or someone with the expertise, even more so those things will be overlooked, right?
Because they're relying on a vendor to guide them. Correctly. And a lot of times they're misled or they just don't know enough about what needs to happen, uh, with inter uh, with, with protecting these, uh, these environments.
And there's one more that we should be really cognizant of, honestly, is backups and recovery. Right? A lot of people, uh, they're overlooked. A lot of folks and operators, uh, in many places they have backups, however. They have failed or never tested restoration under pressure.
Right? And so these things, I mean, you don't want to get to the moment where you're completely down to then really try to restore backup to them. Finding that moment that you don't really, you cannot do that, right? So there's gotta be some sort of business continuity plan that addresses that.
Adam Mogelonsky: That's, uh, that's a good point. Um, so the one, the thread I wanted to pull out from that is remote access. Um, so can you walk us through the process where two parts, number one, you would install a protocol saying. Okay. We need to have a simple process for, uh, granting people remote access and then making sure we monitor that and delete that, uh, that user provisioning later on.
Um, and then number two from that is how would you actually set up the device traffic so that way they have full transparency and they're able to audit and see, uh, any devices that they can't recognize.
Carlos Lugo: Yeah. Um, so in that sense, you're right, this, there should be some sort of protocol or standard operating procedure that is if a vendor's coming in on site. Um, that there is a mechanism of somebody that is actually going to either disable the account right once they leave or reset the password, right? So then at that point it just doesn't stay open-ended and stuff like that.
The other thing that I will, I will say is, uh, do not have any sort of like, um, uh, generic accounts, right? Like admin, admin or admin password. That's the password and things of that nature. Uh, those are things, and, and you and I have talked to this in length. In the past two is don't put sticky notes under the keyboard and, and on, just on just things that you should probably know.
But sometimes common sense is not super common. And then, um, and then lastly is, um, the, the, the other part of the question, which is how would you segregate the traffic? So it would be really a design thing, right? So you need someone that could design your network and create those different lanes, right?
To make sure that those, that that network segmentation is there, meaning if you want just PMS devices to communicate to the PMS, they should be in a complete separate lane. Right? Which to be, you know, we call that a VLAN, uh, which is your, your virtual local, uh, LAN. Right? So the other side of it is, you know, if you don't have that segregation, then you have a flat network.
So that means everyone could get to every device throughout, and you want to make sure that, that, that segregation exists, right? So the design piece is super important and obviously the implementation. So I hope that answers your question, but I think is, is in the same line of how will you do with getting too technical, right?
There's, there's a lot of ways of, uh, segregating the traffic or, or the segmentation of that network to make sure that there's no exposure from, uh, one side of the operation to another one.
Adam Mogelonsky: Uh, well, I mean, uh, we sort of have to get technical because you have to understand the technical aspects to understand why these things are important in terms of creating, uh, different VLANs or, uh, different virtual local area networks in order to segregate. Um. Different users and, uh, or the traffic to thereby protect the entire organization.
And, um, that's a good segue to talk about cybersecurity. So we all know the risks of cybersecurity. I think that that's, uh, you know, a little bit 101, but I'm wondering if you could start the conversation on cybersecurity by looking at the seg segregation of traffic in terms of what's called a lateral move and the risks there.
So what's a lateral move and how does it relate to traffic segregation?
Carlos Lugo: Yeah. So lateral move will be essentially what, what we kind of touched on a minute ago, which is one, one unprotected device or unmanaged device that that could see the entire network, could actually move all throughout your network, right? And then, and then have access to other things like storage or, or personal or even critical data.
Um. You know, some of the, uh, important things to consider there is like, you know, is a part of the segmentation, right? Is access controls, right? Patching, visibility, and secure remote access. Right? And we, you know, this kind of all kind of ties into each other because, uh, some of the things that, you know, like, let's talk about partitions.
So guest network fully isolated from every. Everything internal, right? So the guest network should never see anything from the admin network and vice versa, right? Um, back of house segmentation by function, let's say front desk systems, segregated from corporate admin systems, from the POS system, to the camera system, to the IOT and the vendor access control systems all live within the same ecosystem.
That doesn't necessarily mean they need to be able to cross order or go sideways and, and then be able to move into the next. Uh, framework that where you can actually navigate into other areas of the network, if, if that makes sense. Right? And then, uh, least privilege access devices and users only reach what they need, right?
Uh, that is super important, right? Um, logical access is super important, right? Zero trust that we talked about in the past. Also, separate management networks for infrastructure devices, right? And, uh, and then lastly, vendor remote access through like, uh, multifactor authentication. Time bounded, right? Like we talked about, like if they, if they're here for two hours, maybe that just, you give it a threshold and then that locks it out and then, and then logging, right?
Making sure that the logs are turned on, right? When they logged in, when they logged out, was there any login failures, right? That you could actually go, uh, and then, you know, that, did those accesses from the outside are not always on. Right. So then they don't have, someone may have the ability outside of the vendor to pen to get in, and then once they're in the network, then they're easily to move around and then poke around.
Uh, this reduces, obviously the, the blast radius, uh, when something inevitably goes wrong. So you can minimize the impact by segregating, uh, the network.
Adam Mogelonsky: While we're on the note of cybersecurity, how do you properly segregate a network to prevent these lateral moves, to prevent a bad actor from moving across into other systems when you're dealing with a remote team?
Carlos Lugo: Yeah, that's again, part of the design, right? So se the separation of that. You know, a lot of times from the outside world, what we do is that we create rules in the firewall, right? And then that firewall will be, let's say, a rule that says, Hey, we're gonna give this, this vendor what we call a NAT, which is a network address translation, right?
So you take a public IP address, which is facing to the world, the your, they will come in through that. They will hit that IP address on their browser or or whatever tool they use, and then at once it hits the firewall at your location where your network is at. Then at that point it says that, oh, that outside IP address can only go into this device.
So now you have a network address translation that only goes on a one-to-one. Right now they have no visibility to anything else. Everything is tunneled in there and there's, there, there's, that's the easiest route to do it, right? So then allow that, uh, not to be in an any-any rule, which is any-any, gives you access to anything that's inside your network.
It should be a one-to-one correlation.
Adam Mogelonsky: Hmm. Okay. Um, so let's shift away from cybersecurity. And now let's move into, uh, the third aspect of all this. We have the infrastructure, the physical cybersecurity, and now let's, uh, go over to the third head, which is the IT systems. And let's start off here by asking what are some of the biggest myths in IT today?
And, uh, and things that are assumed, uh, but aren't necessarily what happens in reality.
Carlos Lugo: Well, the, the biggest myth, number one, and this is my personal opinion, um, you know, spending less upfront doesn't always translate into cost savings down the road, right? That, that's just outside of the systems. But they all come with an investment. Um. Then I could get into a few, like, wifi issues are always a internet service provider issue.
That's not true. Right? Often is internal design, the issue density of devices, uh, interference or even just switching gear. So wifi issues are always the internet service provider. That is a, that is a huge myth, right? Um, cloud and, uh, software as a service means we're secure. That's a myth. No, it reduces some risk.
But identity endpoints and network still matters, right? And so, uh, don't think because you got a cloud-based system or software as a service that you're utilizing, that doesn't always translate to just being a secure network, right? Um, another one I will say is, um, more bandwidth fixes everything, you know, and, and, and more hardware fixes the problem either or, right?
Is, is just not always the way to look at it. Bandwidth helps, right? But bad architecture still performs poorly. Um, and then, uh, I got maybe a couple more. Um, so cybersecurity is an IT problem. That's a huge myth, right? It's not an IT problem, it's a business continuity, risk issue, right? Operations, finance and leadership must always be involved, and a lot of times they tend not to at the hotel level.
Uh, and then lastly, I'll throw you one more is, um, uh, if it's working, don't touch it. Whoa. I don't know, man. Um, you know, deferred maintenance is just how hotels end up in emergency CapEx. That's just my take on it. To me, that's a huge myth. Oh, it's been working, don't touch it. Well, that doesn't mean that you don't have a, some sort of like plan to patch it, update it, right?
Test backups, test, uh, continuity, uh, all those things, right? And so there, there's a lot to be said there.
Adam Mogelonsky: Well, um, let's pull out one thread here is cybersecurity is a business issue. It is something that every leadership team needs to know about. It isn't just IT. Do you think that that is because people just don't understand cybersecurity or do you think there's something else happening?
Carlos Lugo: Uh, I think there's a combination of that, right? I think one of them is, um, and you and I have talked about this. Uh, we, we hit it on at chief as well in Barbados with, uh, when we were there on stage, which is really the, the human element too, right? Uh, how people get ex, you know, the human engineering factor of how, you know, the penetration and, and how people actually gets to devices a lot of times is.
Somebody internally, uh, they picked up the phone, gave access to somebody else, or they got phished by via an email, or they clicked on the wrong link. Now sudden you're exposing a whole bunch of stuff. So there's a whole bunch of stuff there. Systems, absolutely. It should be a part of it simply because someone needs to manage the systems.
They need to, um, you know, detect the, uh, whenever there's a bad actor and there's gotta be a response mechanism to that, right? On how to quarantine that, how to solve for it. But without that investment, there's no way to flag them. But the reality is that, you know, this, this has the, the means of the maintenance to like bringing in an operation to its needs.
If you can't build reservations, you can't collect credit card payment, you can't open door locks, you can't do anything with your HVAC controls and uh, and all and all the other things that are inherent, uh, problems from that. I think that that's why the two, uh, actually there's those things going on.
It's not just IT, but it's definitely an operational, uh, hindrance if they're not addressed.
Adam Mogelonsky: So, okay. So, uh, um. Let's pull out a visual image there. Uh, a bad actor gets in and they lock people out of their rooms. So now you have people coming back from the pool that can't get into their rooms and change. Do you think they're happy or not?
Carlos Lugo: I don't think there will be, and not unless, well, it depends if they just came from the bar and they could go back. But, um, you know, the, the reality is that we've come to. To expect all these things to work flawlessly, right? As a guest, right? We, we travel, other than being also, uh, people involved in technology, we do have expectations in, in these things to work.
If you don't know the working mechanisms behind it, which I will say about 80 to 90% of the people that travel don't understand how it all works, it's okay, but the expectation that it should work is something that I don't think is going to go away. And so my expectation is if I tap that key, it better work.
Adam Mogelonsky: Okay. Let's pull out another thread from, um, some of the myths you addressed here about, um, overall network traffic and, uh, and I guess the, the size of what people are doing when you have so many devices getting onto a wifi network. What is important from an infrastructure standpoint in 2025 in terms of future proofing a hotel to be able to handle all that, all that bandwidth?
Carlos Lugo: Yeah, I will say simply, um, well, it's not simply put because there's a lot going on there, but, uh, foundationally, right. I work in the foundational space, meaning the design for growth a lot of time is trumped over time based on the fact that we might've designed a, a wifi, um, system for, in-building for let's say a hotel.
Um, knowing that, let's say we have 200 rooms, people travels with, you know, uh, an average of three devices per person, let's say out of, out of, at a very minimum, we're probably looking at 600 devices at any given point, right? Uh, are they all congregated all in the same place altogether? Probably not. Right?
And so density plays a role here. Um, but at the same time, the end points. Kind of determine the future growth and the endpoints, meaning your phones, tablets, and all that stuff with like all the, the big cameras, uh, megapixels now 30, 40, 50, and, and the throughput of data that's required.
Um, if the network's not designed correctly, meaning the, the, the right cabling, uh, the right endpoints to in, in the right switching gear. Um, to actually drive that data throughput, uh, you, you will struggle over time, right? So the more devices you're introduced into the network, uh, the more, uh, the more capacity will be needed.
The more, uh, people are uploading and downloading is gonna then cost, you know, more bottleneck of throughput on your, on your bandwidth. And so those things have to be looked at over time. And, and then fine tune those over time. Sometimes it's just not the gear. Sometimes it's just how things are configured, right?
If, if you can only handle, uh, give somebody 10 megs of data, um, I don't know. I will argue that we can't even do a, a, a virtual call anymore with 10 megs, right? And so, um, all those things matter, right? And so as, as, as easy as it is for everyone to walk into a place and say, I'm connected to the internet. I got, and I'm doing fine.
Those things will actually slow down over time, depending on that design. How many devices come on and, you know, what kind of, uh, interactions are happening within that network. So foundationally, I will say the, the, the design has to be future-proof. And you do that by bringing in fiber. Uh, fiber is the way to fiber optic is the way to actually future-proof it.
Uh, and, um. And, and you know, because whatever you spend now, you won't, will not have to do anything else for the next 25, 30, 40 years. Right. Uh, which is a real good investment. And then I don't want to get into the, into the, uh, the impact of, uh, environmental, but it's a great environmental. You know, reduction when we're talking about CO2, uh, reduction, uh, et cetera, right?
So just by having fiber, there's a lot less footprint of switching gear, a lot less you have to power up, a lot less that you have to cool down in IT closets, a lot less fire suppression, uh, that has to go into those. I mean, there's just a whole bunch of other things that people don't really account for.
Adam Mogelonsky: Right. And, uh, you're talking fiber versus copper, where copper itself, uh, it erodes over time, so you're saving on that. Um, so you know, you have fiber optic coming into a hotel and. I want you to just color that in terms of the, uh, lit. The lit and then the dark, uh, the dark, I guess actual lines that are in there in terms of the ability to be ready for the next 30 years in terms of just having more that you can light up or if one gets broken, you, uh, you can light up another one.
Can you talk about that in terms of the future proofing of, uh, infrastructure?
Carlos Lugo: Correct. Yeah. So for instance, like if I, you know, a lot, a lot of, uh, the ways that I inter do interconnectivity today is like, let's say for instance, if I'm gonna run to my MDF, which is my main distribution frame where all my servers and most of my IT operation runs from, um. That my IDFs are connected to fiber and not copper, right number for se.
Several reasons, but I'll get to that in a second. But let's say I'm gonna run 12 strands from every IDF to my ID to my MDF. Well, I don't need, let's say I don't need all 12 strands, but I'm gonna run 12, right? Maybe I'll just need six. So what I'll do is I'll terminate six, which will be lit up, and the other ones will, determinants will keep 'em dark, right?
So when you leave the other six strands dark, you don't terminate 'em. Right. Um, and then at that point, if you need to then increase more, uh, into, in the IDF side, then you just terminate the other ends and light up more. Or if some fiber strands went bad out of the six that you terminated, you could go back and terminate other ones, and then now you have that fiber that was there.
A lot of times the problem is people don't, don't think about it ahead of time, and running the extra fiber is a lot more cost effective than to do it later down the road to fish it again, that labor's gonna cost you more. Uh, it's gonna cost you a lot less to just run it, leave half dark, and, and then, you know, light up the other.
If, if, I hope that answers your question.
Adam Mogelonsky: It, it does. I mean, it's, um, it's spending now to save for the future.
Carlos Lugo: Absolutely.
Adam Mogelonsky: to also prevent, uh, or safeguard against any, any risks that, uh, that could potentially disrupt communication, um, and the, and the network itself. So, one other thing to, to look at, you mentioned, uh, you know, video calls, streaming pic, uh, pictures that are lots of megapixels and the average number of devices that guests are bringing.
But another part, uh, that is potentially straining networks. Maybe not on the bandwidth side, but on the, um, on the actual endpoints in the cabling side is, uh, internet of things, devices, and a lot of these sensors that have to be input around the rooms. So can you talk about the strain on the, on the actual network in terms of bandwidth as well as your best practices for cabling, uh, designing endpoints around a room and just how many devices are there in a room now?
Carlos Lugo: Oh my God. So I, I'm really passionate about this one because historically. We used to always throw all sorts of stuff into the network without segregation. Now we're talking about many, many moons ago. Obviously we've gotten smarter over the years with a lot better. However, there's, there's more being added now to the a to the public network and what is expected of these partners who actually support.
Right? So, and I'll get into that into a second, but, but the answer here is this. Um, so I, I budget by aligning, honestly, outcomes and risk. Right? Then building a, a phased plan. First, I separate the needs into three buckets, right? Um, and so, uh, keep the lights on and risk reduction, right? Operational efficiencies and innovations.
Um, but when we're talking about how many different things are out there, uh, and the IoT world, there's, there's unlimited amounts of, uh, devices. Let's talk about, uh, just from the side of like, um. The Modern Hotelier, no. Right. Um, carry a huge number of IoT endpoints. Uh, door locks. Let's talk about that. BLE gateways, lock controllers, mobile key systems, right?
Uh, thermostats and HVAC, right? Uh, and, and building automation systems, right? Lighting controls and occupancy sensors. Uh, IP cameras and video management systems. Smart TVs, casting devices set top boxes. POS terminals, kiosks set, elevators and, and, and life, uh, safety monitoring interfaces, uh, panic alert buttons, um, uh, water leak sensors, refrigeration sensors, energy meters.
Should I continue? Voice over IP phones, asset tracking tags? I mean, I could go on and on. Right? Here's, here's the deal. The, the strain really comes from always on chatter, broadcast or multi multicasting traffic, right? And then the fact that many of the IoT devices are not designed with strong security, and so they also expand troubleshooting complexity, right?
So more devices, more vendors, more failure points. So we're putting a ton of stress into the networks and a lot of times people don't know how to troubleshoot what they got going on because they really don't have any control. Where the devices are, how they're hitting the network, how do you isolate 'em, et cetera.
And so that's one piece. Designing for capacity just means a lot more density today. Right? With wifi seven, uh, leading the front now, it requires a lot more density. It's a lot less penetration than it used to be. Um, and, and now it requires more density, which means more access points in order for, for that to be so, it, it is going to become a little bit more expensive.
To do this kind of work. However, one you, once you make that type of investment in fiber and going into wifi seven and beyond, once you have that, that, that layer of fiber in your building, everything else becomes a lot simpler because now you're, you're, you're poised for unlimited amounts of bandwidth, not limited on distances where you're going from and to, right?
And then, then also is the, the other side of it is how much are you saving? Over the years because now you don't have to change or upgrade your infrastructure every 10 to 15 years.
Adam Mogelonsky: A lot of interesting points there. Um, let's pull out one that is a, uh, a matter for me and that is what the guest sees in terms of casting.
And I pull that out because probably the number one complaint you'll see is that the wifi is slow. And then on top of that, the one of the next ones I see is that casting doesn't work.
Or you know, they get on and then the, they can't stream Netflix 'cause it's, it's just buffering. So can you talk about that specific use case in terms of what goes into casting? Um, you know, time-based permission, so that way the, the creds get wiped after a guest leaves and making it frictionless for logging in.
And then of course, the, uh, I think we've, we've handled the whole idea of just density and, uh, and just the total load on bandwidth from having everyone, everyone logging at 7:00 PM to watch their favorite, uh, Netflix show.
Carlos Lugo: Yeah, I'll start with the latter there, which is the ease of connectivity. Uh, first I think the, the over the top applications providers today have made it really simple to connect, right? If you launch the application on the TV and you already remember they give you a QR code, uh, hit that function, the whatever code they give you there, and now you're connected.
So that, that's the easy part of that thing. Now, the hard part now is really having a re, a robust. Network network that actually can do the multicasting that is required, right? So, uh, now you got to be, that device is connected through HDMI to the tv, the puck or whatever you have there, right? Or, Chromecast or whatever.
Then now also connects to the network, and then your device has to be connected to the same SSID network, right? And then once you log in, if you're trying to cast, then it goes over. The internet back down into that device, that device has to translate into the TV codec, right? And then provide the, the image.
So a lot going on there, right? But if you do have a bad network or a very slow network, whether it is because you're not running fiber or you got poor up links, uh, from switching gear to switching gear, you don't have multi, uh, multicasting turned on. There's a ton of things that could, that could go wrong here.
You are going to have a pretty crappy experience, right? Um, pixelation, maybe not even connecting at all. May, maybe just, you know, a lot of lagging, uh, a lot of buffering. And so it is super important that if you are going to, uh, embark into that type of, uh, uh, scenario, that you do have a, you know, a someone to actually review your, your settings and making sure that you have the capacity to handle that.
Um. Then lastly to, I think the other question you had there was about wiping the credentials. Um, assuming that you have a, uh, already an interface, uh, built into your property management system, that as soon as you check out of that room, um, automatically the PMS right hits your, your, uh, your guest room entertainment system and automatically wipes out based on the occupancy of the room, right.
A lot of places don't have that today. Uh, which I think is where you're going with this, Adam, is that, you know, if you, if I'm a guest, I don't want to assume that that hotel has that mechanism. If you actually logged in to like, say, Netflix, Hulu, et cetera, that don't think that the hotel's got that capability built in today, or at least that integration, make sure that you log outta your, outta your, uh, over the top applications before you actually check out.
Adam Mogelonsky: Yeah, and my hypothesis is that the reason why many hotels don't have that integration is because it does cost a lot to have that. And with the proper, um, uh, interactive TV interface that maybe is also communicating with the guest room management system. These are tech budgets that do add up into the hundreds of thousands of dollars per year.
So. Next question though is you as an advisor for a hotel looking at infrastructure, cybersecurity, IT systems, um, GRMS, guest room management systems, how do you put it to a budget together that balances CapEx and opex according to the guest experience and the level of, uh, security that we need?
Carlos Lugo: Yeah, that's often driven, uh, that's often driven by the, by the ownership. Hotel. I mean, what kind of guest experience did they want to their guests to have? Um, and, and I'm not a fan of value engineering anything, the moment, and I, and I say this lightly, right, because I'm more generous with someone else's money than my own, but I'm very frugal when it comes to that kind of stuff because at the same time, I don't want to, um, go spend money on something that you're not trying to deliver.
So the way I would design this would be based upon what kind of a guest experience the ownership group wants to deliver for their guests as well as, you know, what is their appetite to compete with their comp set around there if they're losing business around, and what is their appetite to invest in technology?
Right? I think those three are super important. Can we do it in every hotel? Absolutely. We can. And put all the systems into place that we could automate. Everything from the moment that you walk into the, to the moment that you leave. To make everything, uh, mobile first, right? Um, and guest experience first.
However, I think we're going to have challenges when it comes to, um, let's say, uh, you know, assets that are in distress, uh, that don't have capital and want to move that. However, there's another school of thought here is that I work with ownership groups that, depending on the school of thought, they will prefer to be everything CapEx versus operational expense. Some of them don't have a lot of capital, don't wanna go get, uh, some loans to invest, but then they're, they're, they print money at their property, so they'd rather just use, uh, operational expense to actually run with that. And so it all depends on the situation of the asset.
I think. Um, the takeaway for me here is more, I, I take it based upon bear. Uh, my, my understanding of. Where do they want this asset to be in terms of their demographic? What, what do they they want the guest experience to be and what kind of, uh, budget or investments they want to make into, uh, technology.
Adam Mogelonsky: And putting an ROI against all that as well.
Carlos Lugo: Right, right. And, and that's the one thing that I always, you know, like the ROI is one thing because not everything is a return on investment. Think about the, the, the PBX in a hotel. No one ever, ever. Pick up the phone anymore in the room for some reason. Right. And I, I, I'm a, you know, I'm one of those, um, and what used to be a return on investment that now I can actually do call accounting and bill you for local calls and long distance.
Uh, I, those things don't exist anymore. You know, like I, I, you know, I can't use the phone really for a whole lot right now.
Adam Mogelonsky: Well, okay, so, um, this raises a whole thing about technology infrastructure design in 2026 going on.
Does a hotel even need a private branch exchange in the rooms versus just having a voice over internet protocol?
Carlos Lugo: I think the answer is going to always be yes, and I'm gonna tell you why. This is just from my lens, right? All it takes is for one person, God forbid, to catch a heart attack and not when they couldn't call 9 1 1. Then at that point, the hotel is responsible for not having a life safety line that they could call that.
That's just, and that's really just my simple explanation. However, I will say that, um, they, they will also need it because now a lot of things that are being done with AI agents in a hotel have to be driven by the presence of a phone system. Uh, and so until the phone system is no longer necessary. Which what?
We're probably about five, I will say five years away. A lot of properties will move away from it because they made some investments that they planned it out for the next 10 to 15 years and they're just going to realize those. Right? and so I don't see a world without phones for a very long time.
However, I think there'll be a time where it will not be needed. If you could figure out a way to do E nine one one for your cell phones, in a lot of ways you can. Um, but there's gotta be a better way that, that, that is automated to where you don't have to go into your nine one one settings on your phone, update the address and where you are every time you move, that it's not your home line.
That, that it's not your home and address that you put on there when you dial 9 1 1, if that makes sense.
Adam Mogelonsky: I mean, it's an interesting problem because, uh, a lot of people would love to shift away from something outdated like a PBX, where it's only really needed, literally one in a million check-ins, right?
Carlos Lugo: Correct.
Adam Mogelonsky: Yeah. So what other, uh, big infrastructure projects are you, uh, are you looking and prioritizing for investment and deployment for, uh, this coming year?
Carlos Lugo: Yeah. Uh, that's a good question because everything is changing. Um, but, um, for most properties in 2026, uh, you know, priority stack looks like. Network modernization, right? Switches, routing, wifi, uh, capacity upgrades, uh, structured cabling and fiber backbone where, where constraints exist and segmentation and firewall architecture refreshes, um, and then resiliency, right?
Like dual ISPs, uh, you know, you gotta, you got failover. Uh, especially, um, I'm, I'm, I'm trying to change the, the mentality of, well, I have a, a primary that's coming in through fiber, but I got a secondary. Oftentimes the secondary comes over the same fiber coming in. So if you lost the primary, more than likely your secondary will go.
I'm trying to make sure, you know, Starlink is a game changer now, and so I, I highly recommend the people who starts to look at a secondary circuit, um, you know, on, on, on Starlink, um, you know, UPS and power conditioning is another thing that's super important. And documentary recovery, right? We just touched on that a minute ago.
Uh, monitoring. And observability, right? With alerting and performance baselines. We talked about MDRs, right? Managed detection and response. Um, and then identity and access upgrades, right? Like if you don't have multifactor authentication, these are things that, that, I mean, preaching, hard privilege access that we talked about earlier for vendor controls and others that they just get access to what they really need and nothing else.
Because these are multipliers. Everything else becomes easier and safer once these are done. Right? And so that, those are the things that I'm really focusing on in 2026, uh, is just really pushing people to make long-term decisions. Right? But it's easier said than done because when I work with groups that own 10, 20, 25, 30 properties, and they have X amount of CapEx, they gotta share the love between all of those.
Then it becomes a priority of, you know, how do we prioritize and what, and that a lot of times that's the determined upon do they have a PIP that they need to fulfill? Are they dumping an asset? Are they in acquisition mode? You know, how they using that CapEx? So there's so many variables.
Adam Mogelonsky: So talk about variables. Um, what metrics would you use in 2026 when measuring infrastructure performance?
Carlos Lugo: Yeah. So, um, the best metrics for me are the ones that are tied performance to operations, right? Because if it's, you know. If it's being, um, monitored or managed right, um, then it could be measured. And so, um, and it is all basic around the guest experience for me, right? How are we gonna deliver the guest experience, but also how we going to deliver efficiencies for the operation.
So those two are like the pillars of how I approach that. So, uh, here are the metrics that I will use. It will be more around metric, I mean uptime, and um, incident frequency, right? Um, time to restore a de, uh, a service or a device, right? Guest wifi satisfaction, you know, survey data plus complaint rates, right?
Um, coverage and capacity, you know, and, and I'll stop there real quick because we work in hospitality is based on sentiment, right? A lot of times it's based on how people feels and not what the right. So for me, in order to be able to. To drive that feeling, I have to be able to cover all of these things to make, to ensure that that feeling that, hey, it didn't work when I wanted it to, also is being met by the fact that, Hey, I'm looking at all this stuff, so that doesn't make sense.
Could it be possibly your devices? Right. So. And so, uh, you know, here's another metric that I like. Coverage and capacity, right? Not just signal strength. And, and I talked about this all the time. People says, oh, but I have full bars on my, on my phone. Well, that's just good radio frequency, good RF that doesn't translate to throughput.
Throughput is the name of the game. How much data can you pass through? Doesn't matter if the frequency is one bar out of five, but you're still passing good data through there. That just tells you there's great throughput just to rate your frequency. You may be far from an, from an actual antenna. Um, so not just signal strength, but client density and throughput, right?
Latency and jitter, right. For real-time systems. Voice, video, casting and POS. Always prioritize voice over anything, right? Um, packet loss and, and, uh, and the retransmission of those. Uh, and these are already technical because without the tools you don't see 'em. But I actually get to see a lot of this stuff and then, you know, and then beat it up.
Packet loss, right? We talked about authentication success rates. Captive portal, right? Single sign-on stability. Uh, and then security posture indicators, right? Patch compliance, MFA coverage, blocked threats, mean time to detect, right? These are all metrics that everyone should be living by in a world of, of cyber attacks and, and, uh, and network uptime.
Adam Mogelonsky: Wow. I mean, um, you've given us a lot of different acronyms that are related to cybersecurity infrastructure. Um, and of course for somebody who is not new to this, our, my recommendation is simply to press pause and, uh, go onto Google and look up each one of these terms so that way at least you understand them, uh, everything from single sign-on and identity management software through to mean time to detect and, uh, what an internet packet is.
That way, you know what packet loss means, and uh, everything of that nature in terms of really understanding how the digital world is built. It's incredibly complex, but also incredibly exciting at the same time. And it certainly keeps you busy, uh, and
myself. Um, so, uh, to close out here, I'm wondering what technology trends are you excited about, uh, for the coming year?
Carlos Lugo: You know, the, there's so many, right? There's so many, but I, I think I'm gonna hit you with some that are somewhat tangible, some intangibles. Some things you can't touch, some you can't. But, uh, I identity first, right? And better segmentation tool. This easier to, for lean teams to manage, right? Um, AI assisted, um, monitoring operations like faster root cause analysis, predictive alerting, right?
Uh, modern wifi and RF optimization for dense or for density in high demand environments. You know, I deal with quite a, uh, a few clients that do have a lot of big. Half a million square feet and more of meeting space. This is a deal there. Uh, and then better integration ecosystems. Like more vendor platforms becoming API mature and interoperable.
Um, I will give you something else that I'm skeptical of too, and I'll close it out with this, right, because AI everywhere, I'm skeptical, right? Without data quality and process maturity, I am super skeptical about AI everywhere. Um, a, um, IOT deployments, uh, that ignore lifecycle security. Or lifecycle and security.
So, cheap devices. No, I am super skeptical. No patch path. If you can't patch it, I'm super skeptical. Uh, and, uh, weak vendor controls, I, you know, those things I'm super skeptical of. And then, uh, one-size-fits-all tech stacks, super skeptical. I don't believe in one size fits all, I believe to finding the problem and then.
What's the how, Mr. Adam, the why is the problem, the how
Adam Mogelonsky: Yeah.
Carlos Lugo: is the technology, how are we going to attack your problem? Everybody's got unique issues, so I'd rather get to know what your issues are that we're trying to solve so then we can get to the how I learned that from my man Adam. So staffing and guest mix, right?
So that don't occur every property type, right? But one size fits all is I'm very skeptical of. And then shiny guest-facing tech. Right. I'm super skeptical of that's not supported operationally and becomes shelfware, and we see a lot of that everywhere.
Adam Mogelonsky: Oh yeah. Use, use the term shelfware. I use the term zombie platforms 'cause they're just there and they just, uh, they're not given any life. They're not used.
Carlos Lugo: Right. And other things that are vaporware. We love that too because they, they just tell you, oh, I have this, you know, AI, conversational, soft, or, you know, phone system when it turns out to be, is no phone. It's just, you know, an AI agent living out somewhere in space on the cloud, and then they wanna sell it to you.
Like, if it is going to solve the issues that you have on the property, don't, you know, there's a lot to learn. This is why, um, you know, uh, reaching out to some experts on the field are super, uh, super important to guide you, right?
Adam Mogelonsky: Yep. Well, Carlos, it's been a fantastic conversation. Uh, truly very technical and, uh, a lot of, um, a lot of terminology for people to learn and digest. But that is, that just speaks to, uh, what's happening under the hood at hotels and. The complexity of everything that has to go in towards creating that seamless guest experience and also protecting the business.
Carlos Lugo: Going on the engine brother,
Adam Mogelonsky: Yeah, I mean, yeah. The, the why on my end is, uh, is you know, the guest experience, we want the great guest experience, but the how is the technology, the IT systems, the cybersecurity and the infrastructure all underneath it. Carlos. Thanks so much for coming on. It's been a fantastic, uh, conversation.
Thank you.
