Strengthening IT governance and resilience for a fast-growing hospitality player in Malta

May 11, 2026 | 3 minute read

The challenge

A fast-growing hotel in Malta was facing increasing exposure to IT and operational risks as its growth began to outpace the maturity of its internal control environment. The organisation in question was not subject to prescriptive frameworks, resulting in limited formalisation of IT governance and risk management practices.

Critical IT functions had been outsourced to third parties and related entities, with limited internal oversight or clearly defined accountability. At the same time, key policies, procedures, and controls remained undocumented or inconsistently applied. Leadership proactively recognised the need to strengthen IT security and governance, but lacked a clear understanding of the organisation’s risk profile, priority areas for intervention, and the extent of potential vulnerabilities.

Our approach

We started with the hypothesis that the organisation’s rapid growth had created structural gaps in governance, leading to fragmented control ownership and increased exposure to cyber and operational risks. To validate this, we conducted a focused but comprehensive internal audit review combining qualitative and technical assessment techniques.

We engaged with key stakeholders responsible for IT operations and security to understand existing practices, decision-making processes, and reliance on third-party providers. On-site visits allowed us to assess the physical and technological environment firsthand, bridging the gap between documented processes and actual practice.

A detailed review of existing policies and procedures was undertaken to evaluate completeness, relevance, and alignment with leading practices. To complement this, we carried out controlled penetration testing exercises (with management consent), enabling us to test the effectiveness of controls in practice and identify exploitable vulnerabilities within the network environment.

The solution

The review identified several critical and systemic weaknesses. From a technical perspective, the core network infrastructure carried elevated risk exposure, significantly enlarging the potential attack surface.

In addition, guest network controls were insufficiently segregated from internal systems, creating potential pathways for unauthorised access and lateral movement. Beyond network vulnerabilities, broader governance and resilience gaps were evident. These included the absence of a formal business continuity and disaster recovery plan, inadequate physical security controls, and continued reliance on end-of-life server infrastructure with limited vendor support.

We translated these findings into a prioritised, risk-based remediation roadmap. Immediate actions focused on reducing critical exposures (e.g. hardening network configurations, disabling unnecessary services), while medium-term initiatives addressed control formalisation (e.g. policy development, access management frameworks, vendor oversight). Longer-term recommendations centred on infrastructure modernisation and the establishment of a sustainable IT governance model aligned to the organisation’s growth trajectory.

Impact

The engagement provided leadership with a clear, fact-based view of their IT risk landscape and a structured path to remediation. By addressing high-risk vulnerabilities and implementing stronger governance practices, the organisation materially improved its security posture and reduced its exposure to operational disruption and cyber threats.

Equally important, the initiative established the foundations for a more mature internal audit and risk management capability. With clearer accountability, enhanced oversight of outsourced providers, and a roadmap for continuous improvement, the organisation is now better positioned to scale its operations securely, helping to protect both customer data and long-term brand value.
