An Exlusive Interview with Steven Brown

Thank you for accepting our invitation to speak at Cybersecurity Summit ~ Cyberfy, and to do this interview.

1. Given the evolving threat landscape, what are the key cybersecurity challenges that organizations, particularly in the financial sector, should be prioritizing right now?

Over the last few years alone, attacks such as SolarWinds Orion, Apache Log4J and MoveIT have all highlighted the entities’ vulnerability to supply chain cyber-attacks. As a result, stakeholders are at risk of attack—even those with strong individual cyber and fraud protections in place.  

Yet, it is important to underline how some players have tended to lack either the understanding about how these disruptions are impacting them – or the capabilities to mitigate the risks. 

Organizations are not always able to look across third-party business relationships because of the lack of systems and processes available. Of course, the entity you’re doing direct business with is important – but what about who these entities are doing business with? For example, if a business that you’re heavily reliant on is working with a sanctioned organization or suffers a major cyber breach due to one of their own suppliers – that’s a risk that you might not have visibility into. 

In addition, most current risk monitoring practices are outdated – they involve teams of people, antiquated manual surveys and a large dependency on other organizations’ inputs/disclosures. In short, it requires extensive resources and is labor intensive – yet yields inconsistent results. It requires automation.  

There’s also the consistent monitoring required to be best equipped to mitigate risk. It’s imperative to proactively identify risk before disruption can occur, however, often continuous and proactive has previously been unavailable to organizations.  

Lastly, there are fragmented risk monitoring systems – meaning that different systems/teams/processes monitor different types of risk and lack a comprehensive view.

2. Can you share how Mastercard’s approach to cybersecurity resilience has evolved over recent years, particularly in response to emerging technologies and threats?

At Mastercard, we continually invest in cyber security and network protection to address evolving widespread threats to the ecosystem. In fact, we have invested more than $7 billion over the past five years.  

Our cybersecurity solutions such as our third-party and supply chain risk management platform RiskRecon demonstrate Mastercard’s commitment to investing and providing much needed capabilities to our customers and partners to drive operational resilience.  

RiskRecon uses Mastercard’s unique network view to protect banks and their customers against large-scale cyber-attacks by continuously monitoring 19 million entities to identify fraudulent trends. This data is then used to inform risk assessments against transactions, connections to third-parties, 4^th parties and beyond, building trust across the ecosystem.

3. With the increasing regulatory scrutiny in cybersecurity, including the implications of the Digital Operational Resilience Act (DORA), how does Mastercard balance compliance with innovative cybersecurity strategies, and what specific steps are being taken to align with these new regulations?

As the world changes Mastercard is evolving too, enhancing collaboration with partners, through our fusion centers, and, in Europe, through our recently inaugurated European Cyber Resilience Centre that allows us to bring together law enforcement, private and public sector and cyber security experts from across the region. 

This approach sharpens our collective response and strengthens our ability to share intelligence about potential future threats. Strong alignment  with policy makers, too, as illustrated in recently adopted legislation, such as DORA, and cross-sector legislation such as the NIS2 Directive and the Cyber Resilience Act are important steps in helping avoiding fragmentation. 

Through these collaborative approaches: analysing the threats, sharpening intelligence, influencing the right regulatory approach and mitigating cyber risk all help us anticipate what the future may hold – and sharpen our collective defence.

4. What are the best strategies for understanding and mitigating risks in supply chain cybersecurity?

Greater automation lies at the heart of more operationally mature third-party risk solutions. The top pain points we see are the practical problems risk leaders want solved, and both are aspects of improved operational maturity. Risk teams are significantly challenged by a heavy resource burden for the tools and process and accuracy/quality challenges for risk assessment. Fewer TPRM programs are giving the green light to vendors without some level of remediation, which suggests they’ve gained more authority to act. That’s a positive development for managing third‑party risk. But we also see some signs pointing to limitations in that authority.

Just over 3 in 10 organizations make a habit of reducing the scope of TPRM assessments for vendors with a strong security track record. This seems like a missed opportunity to adopt a risk‑based approach that could create efficiencies by diverting focus to poor performers. Almost half of TPRM programs claim to have the authority to block the onboarding of new vendors based on security concerns revealed during assessments. But a much lower proportion (28%) say they’re able to terminate existing vendors over security concerns. Ideally, those should be in better alignment, since they’re two sides of the same TPRM coin.

And finally, nearly 60% of programs report having the authority to require vendors to implement additional security controls. While that represents the majority, it leaves 40% of teams without the ability to use a tool that would seem fundamental to managing risk. One can’t help but wonder if such limitations contribute to the rising frequency of third‑party incidents documented earlier in this report. Time will tell.

5. What trends do you see shaping the future of cybersecurity resilience, and how is Mastercard preparing to address them?

In an increasingly digital world, cybersecurity is climbing the priority list for business leaders. While the excitement around evolving technologies is palpable, the boardroom is becoming increasingly aware of the risks that come with it. The impact of a cybercrime can be debilitating. Globally, the average data breach cost victims $4.45 million in 2023.  

In response to this growing threat, cybersecurity has quickly developed from an IT challenge to a C-Suite priority; it’s now the top digital risk businesses face today.  

The best way to fight cybercrime is to understand the risk. What does it look like? Why does it happen? How can it be stopped? These are vital questions that both cyber leaders and their vendors need to know if they are going to address the risks effectively. Cybersecurity and operational resilience are now an integral part of any organisational strategy. The ability to identify vulnerabilities, detect threats and mitigate risks can be the difference between success and failure.  

While enhancing consumer convenience, the increased reliance on third parties has led to greater complexity in payments acceptance and processing. An explosion of digital players, applications and devices is continually infused into the payments ecosystem, creating infinitely more undefined, and often inadequately protected web of connections between networks.  

The ecosystem is under perpetual threat of widespread attack as a lack of proper third-party or supply chain risk management leave networks vulnerable. Criminal groups and indeed nation states are exploiting the weak links in that supply chain, targeting applications and providers that neglect to utilize network, regulatory and security standards and protocols.  

At Mastercard, we continually invest in cyber security and network protection to address evolving widespread threats to the ecosystem. Our acquisitions (and development) of capabilities such as RiskRecon & Baffin Bay, demonstrate Mastercard’s commitment to invest and provide much needed capabilities to our Customers and Partners to drive operational resilience.

Mastercard hold a unique position to be able to gather and analyse intelligence that is then used to inform risk assessments against transactions, connections to third-parties, 4th parties and beyond.  Risk assessments exist to compel a form of action and Mastercard provides and advises on mitigative capabilities that drive operational resilience throughout and help build and maintain trust across all points of the ecosystem.

Thank you for sharing your insights and strategies with us. We appreciate your time and look forward to your session at the Cybersecurity Summit ~ Cyberfy. Your contributions to advancing cybersecurity resilience, particularly in the financial sector, are crucial, and we’re excited to hear more during the summit.