Threat intelligence teams face constant pressure to turn vast volumes of threat data into insights that security leaders can act on. The challenge is deciding which threats matter most and why – and delivering those insights to the right people at the right time. This is particularly difficult in organizations where ownership, authority, and risk are distributed rather than centralized.

In a recent Silobreaker webinar, Michael Francess, Director of Cybersecurity Advanced Threat at Wyndham Hotels & Resorts, joined Silobreaker CEO, Geoff Brown, to discuss how Wyndham has built a threat intelligence capability designed to support real decisions, and what it takes to make intelligence relevant at scale – precisely the kind of use case Brown had in mind when he described the platform as an “intelligence engine” for turning diverse signals into insight.

Operating security in a federated enterprise

Wyndham is one of the world’s largest hotel groups, with more than 8,000 properties across 25 brands. Operating as a pure‑play franchisor, individual hotels are independently owned and responsible for their own day‑to‑day IT and operations.

From a cybersecurity perspective, this creates a federated model, where local entities have autonomy, while corporate sets the standards and manages shared risk. There is no single, centrally managed “estate” to defend.

As Francess explained, this model introduces inherent visibility gaps and coordination challenges. Corporate security teams can’t directly manage hotel networks, but they remain accountable for brand risk, customer trust, and regulatory exposure.

Wyndham’s ability to manage risk depends on corporate security teams making clear, evidence‑based judgements and earning the credibility needed to influence decisions across IT, security, and leadership.

Threat intelligence plays a central role in helping corporate teams navigate those visibility and coordination challenges.

Why threat intelligence matters at Wyndham

Wyndham’s approach to cybersecurity has been shaped by its history. Under its former structure as Wyndham Worldwide, the organization had suffered significant security breaches and was one of the first companies fined by the U.S. Federal Trade Commission for data security failures.

This experience left a lasting imprint on leadership. Executives who lived through those incidents understand the business impact of cyber risk and the importance of a culture that values prevention and institutional learning. That context resulted in serious executive-level commitment to cybersecurity, including CEO and CISO support.

Francess emphasised that experiencing incidents alone does not lead to more resilient organizations. What matters is how they respond to them, internalize the lessons, and adapt accordingly.

From threat hunting to decision support

When Francess joined Wyndham, the organization already had a mature threat hunting capability. Intelligence initially supported this function by providing context for what the SOC was seeing and producing reports for cybersecurity stakeholders.

Over time, expectations changed. Intelligence consumers expanded to include risk, compliance, IT leadership, and the executive team. The focus shifted from ‘what are we detecting?’ to ‘what does this mean, and what should we do?’

That shift accelerated during the COVID‑19 pandemic, when Wyndham saw a surge in opportunistic phishing and fraud tied to pandemic‑related themes. Leadership asked for frequent briefings explaining what was happening and whether it mattered to Wyndham specifically.

Francess and his team began producing regular intelligence updates focused on relevance, including attacker activity, how it intersected with Wyndham’s business, and what decisions might need attention. These briefings drew on open‑source reporting, trusted industry sharing groups, and peer intelligence from the hospitality sector.

As these reports reached executive level, demand for intelligence grew. Intelligence was supporting security operations, as well as helping inform broader business decisions.

The limits of one‑size‑fits‑all reporting

Early on, intelligence was delivered through a structured Word document – a format that worked when the audience was small and relatively consistent. Over time, that changed. Intelligence was being consumed not just by the SOC, but by IT leadership, risk and compliance teams, audit, HR, and senior executives. Each group was responsible for different decisions, and they were often looking for different answers from the same material.

As the audience for intelligence expanded at Wyndham, the team encountered a familiar problem. A single, standard report trying to serve stakeholders with very different concerns could no longer meet everyone’s needs.

In an effort to make the report more broadly relevant, important detail and nuance was lost and priorities became blurred. What emerged was a lowest‑common‑denominator output that required significant manual effort to produce, but only partially addressed what any one group actually needed.

In response, Wyndham moved away from uniform reporting toward intelligence outputs shaped by specific stakeholders and requirements. Rather than asking everyone to consume the same report, the team focused on tailoring intelligence to the questions different internal audiences were trying to answer, whether that meant deeper analysis for IT and security teams or higher‑level context for leadership.

Francess noted that adopting Silobreaker helped support this shift by enabling the team to move away from manual collection and toward a more requirements‑driven approach. Instead of relying on ad‑hoc reading and static documents, the team was able to define intelligence requirements based on business needs and stakeholder decisions, drawing from a broader range of sources – including open, closed, and deep and dark web data – through a more automated pipeline.

The objective was to move beyond everyone receiving the same long document once or twice a week, and toward intelligence products that were better matched to how different teams actually use them.

When intelligence changes outcomes

Throughout the discussion, Francess observed that intelligence proves its value when it changes outcomes.

One example involved email security. Responsibility for the secure email gateway initially sat with IT, and over time, allow‑listing decisions inadvertently introduced significant risk by bypassing protections.

Threat intelligence helped trace specific infections back to those policy choices. By showing a clear link between configuration decisions and real incidents, the intelligence team was able to guide IT and leadership on how to adjust controls and reduce exposure.

In this way, intelligence can provide the evidence‑based context that helps organizations make better decisions.

Integrating intelligence with operations

Francess also highlighted the importance of access and relationships. Intelligence teams can’t operate effectively if they lack visibility into detection data, incidents, and operational decisions.

At Wyndham, threat intelligence is expected to inform everything from SOC tuning to strategic planning. This works because intelligence practitioners are connected to operational reality and have earned the trust of internal teams across the organization.

He also warned that when intelligence is built on assumptions rather than evidence, it quickly loses credibility – and that senior leaders are quick to spot the difference.

Making threat intelligence work in complex organizations

When it comes to security, organizations often start reactively, responding to headlines or urgent queries that may or may not be relevant.

But as trust and confidence is established, intelligence teams can help leadership focus on what matters and avoid wasting attention on what doesn’t. At their most mature, intelligence programs can even support anticipatory thinking – flagging risk scenarios and adjusting controls before incidents occur.

Wyndham’s experience highlights the challenges shared by many large enterprises, where multiple stakeholders with different priorities rely on threat intelligence to bring greater focus and coherence to decision‑making.

In these environments, threat intelligence delivers value by focusing on relevance over volume and aligning outputs to real decisions. Rather than producing intelligence for its own sake, the goal is to help people think clearly under uncertainty and act accordingly – supported by tools that make it easier to surface and share the key insights that decision‑makers need most. The full webinar “Turning threat intelligence into decisive security impact” is available to watch on demand here.