Mastercard Takes a Unified Approach to Security
We are all in this together. That was theme that swept the world in the wake of the coronavirus pandemic. The sentiment was reiterated at Mastercard after CEO Ajay Banga released a letter to the financial institution’s community, reiterating its commitment to serving its customers, employees, and society as a whole during this unprecedented time.
“At Mastercard, our focus has always been on helping to build a more connected world, and in today’s environment, this is more important than ever,” Banga wrote. “We remain committed to that cause and are moving forward in a way that supports human safety and global efforts for sustainability now and recovery in the future. We are in this with each and every one of you for the long haul and I am confident that, as long as we keep plugging in to our basic human decency, we will emerge from this and find new strengths and growth we never imagined.”
A core component of this crisis response is ensuring that Mastercard employees are safe and can continue their work securely, Banga added.
“During this time of uncertainty, we pledged to all our employees that there will be no layoffs related to the COVID-19 crisis in 2020,” he wrote. “And we’ve initiated several temporary policies according to guidance from regional authorities, international health organizations, and our employees’ own concerns and comfort levels, including working from home, split working schedules, restricted or postponed travel, among others.”
This approach models a philosophy held at Mastercard that safety and security are not just the responsibility of the security department, but of all employees who play a valuable role in protecting the organization’s assets, says Ron Green, chief security officer for Mastercard.
“In the past, the organization would have felt that the security team takes care of that—we have other stuff to do,” Green explains. “Today, security is something that we all have to do at Mastercard.”
Corporate security leaders have discussed the idea of converging their physical security and cybersecurity teams for more than a decade. Roughly 25 percent of organizations in certain parts of the world have taken that step—sometimes also including business continuity—according to research by the ASIS International Foundation, The State of Security Convergence in the United States, Europe, and India.
The benefits of this approach include greater ability to align security strategy with corporate goals, greater communication and cooperation, more efficient security operations, and more visibility and influence with the board and C-suite, according to the report.
Mastercard has merged its physical and cybersecurity teams to better address threats that the financial institution faces.
“Our adversaries, they don’t think that way—cyber and physical being separate—they just attack,” Green tells Security Management. “They don’t have that artificial boundary to hold them or slow them up. They don’t care. Because we’re combined, we just think about security.”
Other organizations are coming to a similar conclusion—especially when it comes to preventing fraud. For example, the U.S. Secret Service recently merged its Electronic Crimes Task Forces and Financial Crimes Task Forces into a single network known as the Cyber Fraud Task Force.
“Online payments and banking are now globally pervasive, credit card numbers and personal information are illegally sold on the Internet and Dark Web, and cryptocurrencies have become one of the primary means by which criminals launder their illicit profits,” the Secret Service said in a press release. “No longer can investigators effectively pursue a financial or cybercrime investigation without understanding both the financial and Internet sectors, as well as the technologies and institutions that power each industry.”
Mastercard benefits from having a CEO who buys into the philosophy of convergence, Green says. Along with being the CEO, Banga is the co-founder of the Cyber Readiness Institute, served on U.S. President Barack Obama’s Commission on Enhancing National Cybersecurity, and led discussions at the Business Roundtable on security matters. Banga’s interest in security—and in making it a core component of Mastercard’s mission—has helped Green and his team receive buy-in from other executives for their work.
Green briefs the executive leadership team on security threats and provides data about risks to their specific teams.
“The ability to report on the status of their teams’ susceptibility, that gives the executives data to go in and talk to their teams,” Green says. “If you want to get your executives engaged, you have to make them knowledgeable and provide them with how they can help.”
These actions have also encouraged the mind-set that security is everyone’s responsibility at Mastercard—not just the security team’s domain. This has become especially critical in recent years as social engineering and phishing have become some of the main attack methods for malicious actors to infiltrate organizations and compromise networks. (See “A Patrol Problem,” Security Management, August 2020.)
“One of the principal reasons we’re focused on security as everybody’s responsibility is if you look at the way the threat moves, many breaches today start from compromising an unintentional insider through phishing and social engineering them to do the wrong thing,” Green says. “Companies are then compromised, and data is stolen or altered. But it starts with people not being focused on security.”
Not everyone is a security expert. But all employees have some degree of access to corporate networks and sensitive data that if compromised could place the organization at risk. All employees need to have some basic security knowledge and receive training to help reduce risk, Green says.
To help educate the general workforce, Mastercard created its Secure It awareness program that focuses on one topic each month. The overarching themes and programs are developed in house, but Mastercard works with a video company to produce sketches that are then shared through its Secure It TV programming.
“It’s got a usual host of characters that people have become accustomed to handling a security issue, such as connecting to Wi-Fi in a coffee shop or managing passwords,” Green says.
Secure It also brings in outside speakers, such as Frank Abagnale, who operated as a con man from the time he was 15 until caught by authorities at age 21 and whose story was dramatized in the movie Catch Me If You Can. He later worked for the U.S. federal government and is now a security consultant for the FBI academy and private organizations.
These speakers share information on high-profile security topics, as well as security risks that impact employees’ everyday life—such as how to secure your home Wi-Fi network like a professional.
“We do a lot to bring it home,” Green says. “If someone tries to trick you into giving up information, or breaking into networks, that puts you and your personal information at risk. We gear up people to think about security in their everyday home life.”
The security team also partnered with human resources and communications to help articulate and explain technical concepts to a nontechnical audience, says Neil Parker, Mastercard’s business security officer, employee digital experience, and member of the ASIS International Young Professionals Council.
“The technical guys are never going to articulate it in a way to change the mind-set—this is where we need HR, communications, operations, and others to help out,” he adds.
Additionally, Mastercard conducts regular phishing training and test campaigns. Mastercard previously only ran these campaigns twice a year, but recently began conducting them every month for all employees—including the CEO and his direct reports.
“We’ve established standards around acceptable behavior, and there is training if you fail the tests,” Green says. “There are also consequences associated with it because our employees are accountable for their conduct. We have a ‘three strikes and you’re out’ policy.”
In his monthly briefing with the CEO and senior executives, Green will share the results from previous phishing exercises so they can take that data back to their teams.
“Those executive leaders talk to their teams about the importance of paying attention, having the right hygiene when it comes to protecting Mastercard,” Green says.
This became especially critical as many Mastercard employees made the transition to working fully remote during the coronavirus pandemic. In March and April, Mastercard briefly paused its phishing tests to employees. It also beefed up briefings and information for employees to help them secure their new home office space and help reduce risk to Mastercard.
“With the pivot to put everybody at home, the threat landscape changed,” Green says.
Through a Secure It challenge, Mastercard provided videos on securing home routers, things to consider when using an Alexa or Google Home system, and more. Employees who participated in the challenge received a pin for their efforts, and Green says that the voluntary program has caught on.
“I think the transition has been easy for us,” says Parker. “We never wanted to look at just security within our walls but security being a way of life. We enable our employees to connect to work from everywhere. You need to be thinking about security everywhere, as your normal way of life.”
Programs like Secure It have helped employees see the security team as a business enabler instead of a police force for the organization, Parker adds.
“When we look at legacy and how to get employee buy-in, the big change for corporate security is not being seen as policing the organization,” he explains. “We’ve helped lead the way with that by combining the cyber and physical teams, and by doing that, it’s changed us from being the police to being a partner and business enabler—expediting buy-in.”
And these programs have helped to make a difference in protecting Mastercard. Banga issued an ambitious goal to the security team: reduce phishing attempt click-through rates to a 1 percent average across the organization. After testing nearly every month, Parker says Mastercard is very close to meeting that goal—despite increasing the difficulty of its testing.
Mastercard is also sharing its best practices with smaller and medium-sized businesses that cannot afford a security apparatus as robust as its own.
“We partnered with the Global Cyber Alliance and created the Cyber Readiness Institute to help provide best practices for small and medium businesses,” Green says.
Mastercard has also made tools available to help smaller organizations think through core security components, such as asset management, anti-malware, and network scanning.
“We give you the why of why you need to do it, and also provide videos and free tools so you can manage your assets,” Green explains. “We’re giving you the ability to raise the game and protect yourself.”