Mastercard’s Well-Oiled Resilience Machine

Mastercard’s definition of resilience is to prepare for – and deliver despite – any local, regional, or global crisis that might arise, says Fadwa Rachi, Director, Head of Mastercard's European Cyber Resilience Centre. Mastercard can execute on that definition because leaders drive an exceptionally proactive culture and because its highly organized response teams – uniting over 30 different departments – take a situationally adaptive approach to communication, deployment, and exercising. Listen in as Rachi describes how Mastercard’s resilience machine runs.

Transcription (edited for clarity)

Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Corporate Affairs Officer at FS-ISAC. Here at our EMEA Summit in Brussels, Europe's Digital Operational Resilience Act, or DORA, is top of mind. But what does it mean to truly be operationally resilient in any crisis? I spoke with Fadwa Rachi, Director of Mastercard's European Cyber Resilience Centre, about building the structures, processes, and most of all, the culture to truly weather any storm.

Heathfield: Thank you so much for joining us. I'm excited to speak with you. So we are talking about operational resilience, and we're living in a world where basically it's so complex and interconnected, and anything could go wrong at any one time. How do you define operational resilience, especially for a company as large and ubiquitous in the global economy as Mastercard?

Fadwa Rachi, Director, Head of the European Cyber Resilience Centre, Mastercard: Thanks for that. Thanks for having me as well. I think defining operational resilience is really important, but I do feel like there are a lot of definitions out there. And it's really important for your organization to be able to determine what that means for you and for that to be understood in your organization. So I want to start with that first message. I think for us, the way we define operational resilience is really the ability to absorb shocks, to go through some of the waves, to be able to recover from that, but also being able to continue to deliver minimum services, right? It's not just about the recovery; it's how you go through the motion.

And I think with the volatility that we see from a political point of view, equally climate volatility, and many other changes in the operating field, it's really important for organizations to be able to adapt to these kinds of changes. And sometimes these changes can be very rapid. So it's about having that flexibility in your approach when it comes to resilience as a whole, because what it really means to be resilient is to be able to go through the motions, to learn from what you've gone through. And I think we'd be naive to think that we'd be excluded from these kinds of changes. Every organization will go through it, so it's how you deal with it and how you come back on the other end of that situation.

Heathfield: How would you advise firms to, as you said, define what [operational resilience] means for your organization? So how should they do that? And then how should they take it through and start socializing it so that they can ensure that everybody's on the same page?

Rachi: I think first of all, the tone is set at the top, as with many things. Your top management needs to understand what [operational resilience] means for your organization, agree on what operational resilience means for your organization, and then communicate that clearly to staff.

People really need to understand what it is, not just repeat it. How you go about defining it is really questioning what, if we were hugely impacted, are the minimal critical services we need to continue to deliver – whether you're critical infrastructure or not – to at least service your customers and provide them the bare minimum of what you do, whatever that service may be, or whatever the end product may be. So what is it you really need to continue to do at a minimum?

It doesn't mean you don't continue to do all those other things that are equally important, but that should be your main focus: protecting those core essentials, the crown jewels of your organization during an incident, during a crisis, during whatever you're going through. And that's how I would start defining it. And I think that's also how regulators look at it – are you continuing to deliver the minimum for your organization, for your customers?

Heathfield: After you've defined operational resilience and you've communicated it to everybody, how do you start planning for incidents that could happen, especially when you don't know exactly where they're going to come from, as you mentioned earlier?

Rachi: Yeah, I think you should get ready not for everything, because that's impossible, but for anything. And the way we've approached that is by having what we call an all-hazards approach. It’s a flexible framework that we can adapt to respond to an incident or to a crisis, regardless of the source of that situation, and I think that helps us to respond consistently and in an appropriate manner. Everybody understands what their roles are within that structure.

Training is equally really, really important in that people build that muscle memory. I think also having the right responders in your team is really important. And what I mean by that is one, they understand what your overall response strategy is. They don't need to know your plan letter by letter or anything of that sort. But they need to be able to understand the gist of it and then adapt it where it is required. And lastly, they need to have the authority to make certain key decisions as well, because time is really important during your response. So they need to have that gravitas and authority to be able to do that.

Heathfield: Can we talk a little bit more about at what level the all-hazards playbook is pitched? Because FS-ISAC runs the all-hazards playbook for the entire financial sector, so we have leveraged it in many different contexts. But I think at a firm level, it's important to define what it is and what it isn't, right? It's not prescribing, as you said, a response for every little thing that could go wrong. So how do you strike the right balance of structure and detail to have that flexibility to be able to respond to anything?

Rachi: Yeah. I want to say we do have those detailed plans, right? For certain scenarios that we deem important, that are a risk to the organization. We do have that, but we also know that in the heat of the moment and when an incident happens, when a crisis occurs, people don't necessarily have the time to start going into it. They should train that, exercise that upfront, so they have a high-level understanding of that. But the all-hazards approach means that, regardless of the incident – is it a human-caused error? Is it a technology error or any other sort? – they have a high-level structure of intake, triage, response, recovery, and lessons learned.

And how do we go about that? When do you stand down your crisis, right? Which is really, really important. And when you have those key decisions, who makes those key decisions? And who should we be involving from the different response teams that we have? Because we have different levels of response: the tactical level, the strategic level, and the operational level as well. We’ve divided them into buckets. You have your office response teams that are really your local teams that have the local insights to understand the culture, and who have those partnerships locally. And then on top of that, we have the regional crisis response teams that are providing additional resources, overseeing the response across the region if it's impacting multiple countries within that region, and who can help define the strategy. And then you have your global, corporate crisis response team that is responsible for the overall oversight, the strategic direction, especially on global incidents.

And I also want to say that if it's a local incident, we activate the [office response teams]. If it goes up, we activate the [regional crisis response team]. But it doesn't mean we stand down the office response teams, because they are our ears and eyes on the ground. Having that structured response team with similar membership, and equally having that framework around intake, triage, etc., allows us to apply the all-hazards framework whilst also having some of those detailed plans where it is necessary, where we think it's likely right.

Heathfield: Right, the more critical scenarios where you have more detail, but then you have this larger, more flexible response because you may not know. And people know that just because it hasn’t happened before, it doesn't mean it won't happen in the future.

Rachi: Yeah, take the pandemic. And that allows people to understand the different steps that we will go through and what to expect. Our responders have been trained, exercised for years on different scenarios, and they've learned to adapt flexibly.

Heathfield: So let's talk about all the different types of functions that need to be involved and then how the coordination happens. You've talked a little bit about the three levels – essentially, the local, regional, and global – but then, within that, there are all these different functions that need to coordinate. Who is involved, and how do you coordinate them all together?

Rachi: It's really important that at the start of your incident or your crisis that you're facing, you understand the scope. We start by bringing in what we call the core team. We assess the situation, what's going on, what is the status. We do a round table. Everybody is able to provide their feedback.

From there, we determine, okay, is this impacting staff? For example, should we bring in what we call P and C – People and Capabilities – which is basically HR. We might bring others. So we're not activating the full team for every single incident, but we have a base core team we know will always be required during a response, like legal, like comms, and like our crisis commanders, for example, as well.

Usually our commanders have a holistic view of our business. They know who to bring in [for each] part of the business because it is very complex – the environment that we operate in, the different products, different services, etc. So we really heavily rely on our commanders to be able to bring in the right people. That's their responsibility as well.

Heathfield: How do you ensure that you have the mechanisms in place for all of these teams at the local, regional, and global levels? And then also across the different functions to really effectively communicate quickly with minimal back-and-forth and dilly-dallying, if you will?

Rachi: Communication is really important in an incident, in a crisis situation. We have the framework, as I said before – the comms team is always involved in any crisis or incident that we deal with. And they help us tremendously, be it from an internal perspective or from an external perspective.

I think what we do really well is regularly share updates on the status of what we are seeing, even at the start of an incident. It's really important to have a common operating picture that you're working with. We determine what the next actions are, and we share those with those who need to know about it. We also communicate with our staff internally so they know what's going on. And in a pre-crisis situation, I run, as I said, our European Cyber Resilience Centre [ECRC]. We're also communicating very proactively on a regular basis.

So what you're seeing brings together 30-plus teams from across the business, different disciplines – from your comms team, your legal team, the very technical teams, more vulnerability management, your SOC, etc. And we have weekly calls, we have daily chats, almost, about what is going on. We've cultivated that culture of sharing information openly. Doing that in a structured manner is really important.

What I mean by that is you need to sometimes simplify information so you don't have information overload. You also need to prevent recurring activities – multiple people doing the same thing – and you can do that by communicating proactively. If you are dealing with an incident and you are gathering that information early on, it will help you to respond more effectively, more efficiently. So having this fusion center structure in and of itself, by nature, helps you break down silos. But we really encourage teams by sitting them together in the Centre, by having these regular conversations, by sharing knowledge, sharing information that we see from the outside world and internally in a secured manner. All the members are key members of the ECRC, but they also know that the information needs to stay within those four walls because those are the responders.

Heathfield: Clearly you take a really proactive approach to crisis management. And there are more and more incidents, yet I still see a lot of firms getting caught off guard or being on the back foot sometimes … where people just wouldn’t have thought that this would happen, and don't know how to deal with it. How would you suggest instilling that proactive culture that you guys clearly have been really excelling at over the last several years?

Rachi: It really starts at the top layer of your organization – the support that they provide and the importance they give to crisis management. Oftentimes in organizations, that hasn't been the case in the past, where they only think it's important when an incident happens or when a crisis happens, and then it's full steam ahead, all hands on deck. But you really have to prepare before the crisis happens. Do you have the right plans? Do you have a good response team? Are they trained? Are they exercised to understand the different roles and responsibilities? Have they built that muscle memory to be able to adapt?

Heathfield: We use that frame a lot as well.

Rachi: It is really, really important because it allows for flexibility. You understand, as I was saying previously, the overall strategy, what we do or do not do as an organization, but you adapt it flexibly. And I will say that, in our organization, we have top-level support. If I pick up the phone, I know that certain very senior stakeholders will respond to that situation. So the attention that is given to that – I just think personally that, after COVID, we have seen a better appreciation or more instant response to crisis management. [The COVID crisis] definitely has helped move things along a little bit because that was something that people thought would never happen at that scale. But it did, right? So I think we need to continue to push that message to say, ‘expect the unexpected.’

Heathfield: What would you say are the essential elements of an effective and flexible incident response plan? We touched on it a little bit, but let's go step by step on it.

Rachi: One, clear roles and responsibilities. You don't want people to fall over each other, start doing the same thing. Everybody needs to understand your framework, your all-hazards plan as part of the response team, and needs to understand their role within a crisis, within an incident. So during our calls, when we do have a crisis call, we will say, ‘Okay, this is the situation, and this is led by the crisis team. These are the actions that need to be taken,’ and they are given clear owners. And overall, we know who to provide those actions to, and people understand where their role starts and where it ends. I think that one's really important.

Then having a good understanding and that common operating picture, that we talked about, at the start of an incident. And then during, regular updates. Because if you're working off of different facts, you might be working against each other, and you're not all working towards a common goal.

Have clear, instant classification and authorization as well within your organization. How do you define crisis? What is important? How much attention do you give to this incident versus another? That is also really important because you cannot respond to every single thing with the same level of importance. So prioritization is also really important.

And I would say in your containment and remediation, knowing at what point you stand down is super, super important, I think. Communicate that, make it very clear to everybody on the response team and even within your organization, that this is no longer a crisis situation. We're moving to a BAU [business as usual] situation.

Equally, I would say the last step is lessons learned. How do you go back and see how well did we respond as a response team, but also, whatever the incident might be, how does what we learned from that apply across the rest of the organization, right? Especially in multinational organizations, [an incident] might occur in one small part of the organization. You need to make sure that you're applying that [learning] throughout the whole organization, otherwise it'll just pop up at another end. So we're really good at that, I think, about learning and thinking about the bigger picture of things and their larger impact.

Heathfield: So obviously, one of the things that FS-ISAC does, when we run our exercises, since we have such a large threat intelligence arm, is use the latest threat intelligence to inform the scenarios that we build for our exercises. How do you guys do that? And how would you suggest that firms look at threat intelligence to know that they're exercising something that's actually real and plausible that could happen?

Rachi: I think threat intelligence is really important here. It helps you, as you said, understand, and gives you situational awareness of what's going on currently. We use it as we respond to incidents, in a pre-crisis situation as well, continuously monitoring what's going on, what is out there, what the potential threats are. And I think in your actual exercises, it's really important as well, right? Are you exercising the right thing? What does the landscape look like for you as an organization?

And you have your global risks that every organization might face, and you also should probably look at it on a regional level – what is factoring in this region? We are seeing certain phenomena in Europe that we're not seeing somewhere else. So probably our European regional crisis response team will be asked to deal with a situation there, whereas maybe our EMEA one might not. I'm just giving examples here. And so you want to make sure that they have built that muscle memory and that the others understand also what that means.

So it's to your point, actually, I just want to second that it's really important that you do take [threat intelligence] as a part of building your exercise. The way you do that, that was your original question, is early on when you're defining your exercise schedule, you're defining what type of exercise you will run and what scope it will cover. It's important that you have the conversation with your risk teams, that they understand you have your global risk teams that you can consult with, also your regional risk teams. But also have those conversations with organizations like FS-ISAC. They also have a really good understanding of the risk landscape, and that can help shape yours. Don't just look internally; also look externally for risk assessments.

Heathfield: Is there anything that I haven't touched on that you think is important to mention that the sector would all benefit from knowing?

Rachi: As I lead our ECRC, European Resilience Centre, I think, and I've said this before, we need to come together – as private sector, public sector, law enforcement, and other regulatory agencies – to really tackle cybercrime. These cybercriminals are working together, and they're coming together, they're becoming more audacious, they are targeting bigger companies, and even the smaller ones, using tactics such as AI. We're also seeing certain trends, rapid digitization, increased connectivity, etc., which are all good things, but they are also fueling cybercrime to become a real industry. We also need to unite to fight cybercrime. So I really want to give that message [to] come together, [that] security and unity are super critical against what is a very challenging situation for all of us.

Maybe on a crisis-specific one, having been a crisis manager for a few years, I want to say two things. One, I’ve said this before and I want to emphasize it again, know when to stand down your response. Know when things have become business as usual, that this is now the new normal that we are operating in.

Especially during those long-lasting crises, such as the pandemic, you need to give people breathers from that crisis situation … allow them a little bit of time off that response, put other people into that response who are equally qualified to do that. And sometimes you're going to have to force their hand a little bit because we are so into this subject. They really want to do good for the organization, for the greater good in general. Sometimes you'll find they don't want to [take a break], but it's really important for them to take a moment of rest, because you can't do that for a very prolonged time. It's a very intense, stressful situation. We need to stay sharp, and that means you need to rest.


FinCyber Today

FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.

Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.


© 2026 FS-ISAC, Inc. All rights reserved.
