At Mastercard, we have a security view as broad as the entire global payments system, and as focused as phishing awareness within our own company. With cyber threats evolving and growing in sophistication, it is critical that cybersecurity become a part of our daily lives, not only the province of cybersecurity professionals. We leverage our global scale and deep domain expertise to increase cybersecurity awareness and elevate defenses, not just internally but also with our entire ecosystem.
Mastercard’s business is based on trust. We are involved in millions of transactions a day across our global network of customers and partners. Securing every interaction in that chain is critical. As an organization, we have many robust tools to defend ourselves, but protecting our sector depends on more than that.
Small and medium-sized businesses are quite rightly focused on their customers, products, and services. Nearly all businesses these days depend on technology to some extent, and that technology needs to be safeguarded. If someone buys flowers for their mother on Mother's Day and the merchant is hacked and the buyer's card details are stolen, it can erode that person's trust in the entire payments ecosystem.
We take it upon ourselves to help small and medium-sized businesses with free resources like our Cybersecurity Toolkit, which includes operational tools that help them manage their assets and vulnerabilities; guidance on how to create and maintain strong passwords; steps for implementing multi-factor authentication, backing up critical data, and preventing phishing and viruses; and more. The kit includes educational materials such as training videos as well as template policies, forms, and other foundational documents they can customize for their organization. Once businesses have embedded the basics of cybersecurity understanding and tooling, they can move on to more scalable solutions of their own.
Our view that everyone needs to be security literate holds true within the company as well. CISOs play a critical role in translating between the technical details of security and the business. It is not easy to strike the balance between being too hard (being perceived as obstructing business growth and goals) and too soft (allowing a major incident to happen). That tension is one reason the average CISO tenure is often cited as only about 18 months. But the best CISOs see security education for those outside the security function, from the board on down, as foundational to successfully protecting the company.
For example, we conducted a cyber threat exercise in which our board members jackpotted an ATM. While we created an abstraction layer to spare them the nitty-gritty technical details, they used real hacker tools and real attack methods. They learned how attackers do reconnaissance, and how they identify, research, and exploit their targets. The goal is for them to understand how attackers think and how we fight them, and then to incorporate that understanding into how they guide the company.
The same is true of the security dashboard we provide to the board: it does not require technical expertise to decipher, but it is critical that board members understand our security posture so they can ask the right questions and recognize why heavy security investment is needed. So while we try to stay out of the weeds, we do not shy away from teaching our colleagues the cybersecurity terminology that is relevant to the business.
We also invest in security awareness and education for everyone within the company. Through our phishing simulation program, we have helped both management and employees understand more about one of the most common security risks we face today. By teaching our people what phishing is, what its impact can be, what to look for, and why it is critical that everyone stay vigilant, we have been able to drive a sustained change in employee behavior. Today, we are much better at spotting and reporting phishing than when we began the program two years ago.
As the threats and capabilities of our adversaries increase, an all-hands-on-deck approach is needed. This requires common understanding between our first lines of defense, our key decision makers, government officials and the regulatory community.
As I think about the future of the financial services sector, I see the need to continue to build alignment on global regulations, frameworks and assessments that govern it. Both private and public sectors need to work together to find areas and means to reduce fragmentation and drive common understanding.
By using common assessments grounded in widely used frameworks and standards, regulators are more easily able to receive, understand and analyze the information they request. In turn, this helps us all more easily identify concentration risks, emerging threats, and other security trends.
Without this convergence on security frameworks, competing, one-off assessments make it harder to measure and evidence security efforts consistently. We therefore support policy and regulatory alignment wherever practical.
Strengthening all the links in our cybersecurity value chain also has a time element. To stay ahead of rapidly evolving technologies and highly adaptable cyber criminals, we engage in an activity called threatcasting.
Used by the US Army and the Secret Service, threatcasting convenes subject matter experts from a wide range of disciplines to make educated guesses about what the key threats will be in ten years. The group then identifies the red flags, or tripwires, along the way that would signal that a possible future is coming true, and estimates when each flag should appear. If flags expected to unfold over five years all occur in one, that ten-year future may be much closer than previously thought. Those signs then become part of the mission set that our intelligence team actively watches for in the course of its work.
Topics we have engaged with over the last three years include artificial intelligence, internet of things (IoT) security, and quantum computing. While it is still too early to know whether these scenarios are materializing, we keep tabs on them and adjust our security posture based on the flags we see. For example, we currently see the emergence of quantum computers capable of breaking the public-key cryptography in use today as about seven years out. We keep a close eye on any breakthroughs that may shorten that timeline, and in the meantime work to develop quantum-resistant cryptographic methods so the future cannot sneak up on us.
Another example is artificial intelligence. Because of the massive volume of transactions we see, we have large data sets that can help us predict fraud and other cybercrime patterns at a global level. However, we are seeing a policy trend towards data localization: mandates that require data to be held and secured in the region where it is generated. The downside of this approach is that we can no longer see emergent patterns of cybercrime wherever they begin and then apply defenses around the world. Unlike criminals, who are unbound by borders and apply successful tactics anywhere they can, we are forced to learn the same lessons over and over, region by region. We pay attention to these macro trends so that we can plan and develop solutions that maintain our ability to protect against emergent cyber threats.
While CISOs and cybersecurity teams will continue to play a critical role in protecting financial services firms against cyber threats, we must move away from the paradigm in which cybersecurity considerations are siloed from the rest of the business. This applies across the entire global economy, from small and medium-sized businesses to large multinational organizations. Internally, it applies to the most junior employees all the way up to the board level.
As we look to the future, regulatory and policy alignment is needed to reduce fragmentation, drive common understanding and maintain standardization of cybersecurity controls around the world. Thinking about the decade ahead will help us prepare for the cyberthreats that may emerge, so we can incorporate smart thinking into both the education and cyber defense tools we invest in today.
© 2021 FS-ISAC, Inc. All rights reserved.
Ron Green is chief security officer for Mastercard, where he leads a global team that ensures the safety and security of the company's network, as well as internal and external products and services. He is responsible for corporate security, security architecture and engineering, cryptographic key management, business continuity, disaster recovery and emergency management. Ron is a member of the company's Management Committee. Ron joined Mastercard in 2014 after serving as deputy chief information security officer at Fidelity Information Services (FIS). Prior to this position, he was director, Investigation and Protections Operations at Blackberry. Ron also served as a senior vice president across several areas at Bank of America. He has extensive experience working with international and federal law enforcement agencies both as a special agent in the United States Secret Service and as an officer in the United States Army. With the Secret Service, Ron worked protection and fraud investigations. He was one of the first agents to receive formal training on seizing and analyzing electronic evidence, and worked on a number of international cyber-crime investigations. Ron is currently chair of the Financial Services Sector Coordinating Council (FSSCC), and a member of the US Secret Service Cyber Investigation Advisory Board. He holds a bachelor's degree in mechanical engineering from the United States Military Academy at West Point, is a graduate of the FBI's Domestic Security Executive Academy and holds a graduate certification in Information Assurance from George Washington University.