In Conversation with Johan Gerber, Executive Vice President of Security and Cyber Innovation, Mastercard
Johan Gerber is Executive Vice President of Security and Cyber Innovation at Mastercard. In this role, he oversees Mastercard’s product strategies for cyber security, financial crime, consumers, online credential management, and dispute resolution. His responsibilities include overseeing the operations of both Ethoca and RiskRecon, two wholly owned subsidiaries of Mastercard. As head of Mastercard’s Security Standards group, he is additionally focused on facilitating Mastercard’s best-in-class security framework of standards, policies, and technologies that support EMV, PCI, and other industry initiatives to enable a secure and convenient digital transaction ecosystem.
Johan has contributed to the Oxford Cyber Security for Business Leaders programme as a guest speaker and inspiring thought leader on so many relevant topics. Below read some of Johan’s thoughts about the most pressing issues in cyber security and business today.
How do you solve for the customer in the cyber security equation?
The cyber equation is all about risk, and risk is difficult to estimate - especially long term. Because of this, we need to demystify the cyber environment and help organisations understand that cyber risk is simply another problem that needs to be addressed practically. Just like adding sprinklers to protect against fire or cameras to mitigate theft – cyber security is another risk mitigation strategy, albeit one with an aggressive, remote attacker.
Education is critical. We educate our customers about cyber security – what it is, why it’s important to their business, and so on. We believe in providing practical and actionable information that can be easily understood and applied to business processes and tools to solve for defined business problems.
How do you contemplate the issues of customer privacy when it comes to biometric data?
Biometric data is sensitive, personally identifiable information (PII), which is why we ensure the necessary privacy policies and regulations are met. We have set standards and developed best practices on the use of biometrics for authentication. For example, we adhere to SCA – Strong Consumer Authentication – which requires two-factor authentication.
Beyond biometric data, ensuring an individual’s data is handled responsibly should be at the centre of an organisation’s data practices. This means privacy and security are essential in collecting, protecting and using consumer data.
We introduced data responsibility principles to underscore what businesses should aspire to in order to act as responsible data stewards, including: Security & Privacy; Transparency & Control; Accountability; Integrity; Innovation; and Social Impact.
Consistent with this is our approach to digital identity and our principles of digital identity. These principles focus on Data Rights and Ownership; Confidentiality; Consent; Transparency; and Security. This is about giving the user control over how they manage and share their information, including through the devices they use every day. In no situation will Mastercard collect users’ identity data, share it or monitor their interactions.
Our thinking around digital identity starts and ends with the individual. We support a distributed model in which the data sits with its rightful owner - the user - and doesn’t involve amassing personal data in honeypots, or any one location, vulnerable to attack. By establishing the user’s identity data store on their mobile device, it provides a highly resilient, distributed identity infrastructure – eliminating any need for a centralised identity database. A digital identity protects an individual’s privacy by giving them complete control of their data. They decide the information they want to provide and control where they share it.
How prepared are most companies when it comes to cyber security?
Many organisations may be hesitant to guarantee that they are fully prepared for cyber risk, because implementing cyber security is complex and dynamic. In fact, many Chief Information Security Officers believe that their organisations don’t have enough resources to mitigate all risk. The most mature companies understand their risks and have plans to reduce them, but very few of those companies would say they are comfortable mitigating all risk.
The size of the company plays a large part in their ability to invest in and implement cyber security. Large enterprise-level organisations usually have comprehensive cyber security programs—they can and will more readily invest in them, because they understand that cyber hacks aren’t worth their reputational losses. However, many smaller companies often have minimal cyber security measures in place and may simply be holding out hope that they will never be hacked.
Perhaps the most important question is, ‘How secure are the many third-party service providers we work with every day?’ Companies of all sizes utilise third parties – giving them access into their digital environments for any number of reasons. Unfortunately, most of these third-party service providers do not have adequate cyber security practices and solutions in place. As a result, even large enterprises with effective cyber security strategies may unknowingly be at risk for cyber threats resulting from their third-party business relationships. In the cyber sphere, an organisation is only as strong as its weakest link.
Who should be responsible for cyber security strategy within a large organisation?
Traditionally, the Chief Security Officer (CSO) has been responsible for the physical security and safety of employees as well as physical assets and facilities of an organisation. Many CSOs have a law enforcement background. The Chief Information Security Officer (CISO) is the senior-level executive within an organisation who is responsible for establishing and maintaining the enterprise vision and strategy to ensure data, information and technologies are adequately protected. Typically, a company’s cyber security strategy falls to the CISO to guide and execute throughout the organisation.
Cyber security is an issue for all industries and one that all senior executives should be prepared for. The Oxford Cyber Security for Business Leaders Programme will break down topics normally left to information technology specialists, so that business executives leave feeling confident they can apply these learnings within their current and future roles. These topic areas can sometimes appear mystifying to a busy corporate executive, but have profound implications in terms of both risk and opportunity. Register today - course begins 14 October.