A

Hello, everyone. This is Tom Uren. I'm here with another Risky Business News sponsor interview. Today I have with me Mike Lashley, who is the Chief security officer of MasterCard. Is it MasterCard Threat Intelligence or just MasterCard?

B

I'm the chief security officer for the, for MasterCard, the entire company globally. But MasterCard Threat Intelligence is one of our new offerings that we have.

A

Great to have you on the podcast, Mike. So I've got to admit, I was surprised when I heard that MasterCard had bought recorded Future. And that's the first time I can recall that a financial company has bought a threat intelligence company. So, like, what's the big picture? What does mastercard see that other financial institutions aren't seeing? Why are you getting into threat intelligence?

B

Well, thanks, Tom. First of all, I appreciate you inviting me onto the program today. With our acquisition of Recorded Future, I feel like I'm the luckiest CISO on the planet. I wear both hats. We have a converged cyber and physical organization. So I am the Chief Information Security Officer as well as the cso. But last year I had seven threat intelligence analysts that work for me. And now with the acquisition of Recorded Future, I have 1007 threat intelligence analysts that I get to leverage to keep our organization safe. And, and if you think about it, trust at scale is such an important part of our business proposition, really embedding security and trust at every layer across the digital economy and helping organizations navigate that complexity safely and confidently. And we're working with Recorded Future law enforcement and intelligence agencies, even before the acquisition, to help keep those payments secure. Now, if you think about Recorded Future specifically, and that threat intelligence data they have is one of the really, really what I think is the best cyber threat intelligence organization on the planet. And it can improve those fraud detection solutions that we already have, things like decisions intelligence platforms and safety net that help us protect fraud. But with the launch of MasterCard threat intelligence, now that we have combined MasterCard and Recorded Future, this is really the first combined commercial offering we've had since the acquisition. And it's a milestone. It's the first threat intelligence solution that's applied to payments at scale. Now, bringing recorded future into MasterCard, that's allowed us to integrate that intelligence directly into our capabilities. That gives us real time, actionable insights and really predictive analytics for our clients globally. And then think about the opposite side of that same coin, right? Conversely, MasterCard sees over 160 billion transactions a year. And at that edge, we see cyber threats and we see, see fraud trends in those payment platforms. And now we can help feed that recorded future threat intelligence engine. So it really is a symbiotic relationship. We benefit from the cyber threat intelligence that recorded future offers. They can now benefit from those 160 billion transactions a year across our networks and additional data. Those are data sets that no other threat intelligence provider can match. And so really it benefits both organizations. And then by sharing that intelligence, we're helping organizations build a unified approach to defense. We're not just securing transactions, we're helping secure the whole digital economy.

A

Right. So my understanding then is that because you're like tightly integrated now, there's really a whole lot more signals that you can share intimately and you just get a better picture of what's going on. And because fraud and cybercrime are becoming ever more intertwined, that becomes more valuable. So how do you expect that to evolve like that? Seems like a step forward, but I guess, you know, it's always an arms race or whatever analogy you want to use about cybercriminals. So how's it going and what's next?

B

I guess, well that's actually an arms race is a great analogy. Like fraud today, it's more sophisticated, more pervasive, and harder to attack than it's ever been before. And it's really not just a financial issue. Fraud is a cybersecurity crisis that impacts the bottom lines and reputations of businesses and organizations across the globe. Think about it. In 2024 alone, US consumers lost over $12.5 billion to scams. Global fraud losses topped $1 trillion. And then over the next decade, we expect a global card fraud. Those losses are going to reach almost $400 billion. And of course with new technologies like AI that's allowed FR cyber threat actors to up their game. But, but I'm actually an optimist. You talk about that arms race. Really, you know, the side with the best data, the best models and the best computing power wins. And right now, quite frankly, we, we have that advantage. And when you again you think about MasterCard threat intelligence, that's a prime example of how today we have, we have the upper hand. By analyzing billions of data points, MasterCard threat intelligence actually identifies vulnerabilities before they're exploited and accelerates the detection and, and our reducing fraud losses. Now as AI evolves, MasterCard threat intelligence will leverage even more advanced analytics to implement precise code level defenses against those threats, really ensuring resilience and scale now and beyond the technology, it fosters transparency and collaboration across not just MasterCard networks, but all financial institutions. That operate across our networks. And so it enables cross border information sharing, you know, reducing losses, strengthening trust across the global payments network. So in short, global threat intelligence isn't just about stopping attacks, it's about building a safer, more connected financial ecosystem. So again, it's an arms race, but with the ability to share actionable threat intelligence in real time with billions of data points to help that intelligence be more effective, it really is again, a win for the good guys.

A

Yeah, so what you say actually totally makes sense to me. Like it makes sense that you're, I guess, kind of in a position to take advantage of that. I want to ask a meta question about what makes MasterCard special in the sense that you're the first one to do it. So it seems like the drivers that you've described could apply to anyone across the entire financial sector. And I've always thought that at least in Australia, the banks are particularly good at cyber risk because they lose money. And so it was very easy for them to measure how much it was costing and you know, therefore how much you could spend. And so a lot of financial institutions are in that situation, they see the risks, they can see that it has costs, therefore it's worth spending money on. And what, what drove you to take that next step of actually buying another company? And why you first?

B

Yeah, well, I think because, because we are invested in protecting the global ecosystem right from, from the, the smallest business to the largest financial organization. So threat intelligence, it has moved from being a technical tool that CISOs or CSOs like myself use to really a strategic investment. It's a business enabler and quite frankly, it's a market differentiator for those who know how to harness it. You mentioned it. Over three quarters of enterprises now spend a quarter million dollars or more annually on threat intelligence. And that number will only grow going forward. And that's because criminals are operating with speed and sophistication really that we haven't seen before. We just talked about it. They're using technologies like AI to steal credentials, inject malicious code, to skim payment data from compromised websites. And every one of those breaches erodes trust and brand integrity for a business. And really cyber resilience is fundamental to businesses. Customers and regulators demand it. It's not optional anymore. And you need threat intelligence to drive that resilience. Now our goal, and one of the reasons that we acquired recorded future is to really help shift customers from being reactive to those cyber threats and those fraud threats, to being proactive, to having intelligence led protection to get off the back foot. And threat intelligence enables that by identifying the threat actors and the attack patterns before they impact the transaction. And we talk a lot about, you know, intelligence and information sharing, but this turns out raw data into actionable insights. Take a merchant anomaly that now becomes a warning. Patterns can be spotted sooner, responses happen faster. So, and we're already seeing it in action since market testing began with MasterCard threat intelligence, over six months, those domains impacted nearly 9,500, 9,500 e commerce sites and were linked to an estimated $120 million in fraud. So we know this approach works. And fraud and cybercrime, as they converge, threat intelligence is really going to bridge those worlds for stronger protection and for a more secure financial future.

A

So one of the phenomena I've observed in the last couple of years is, so in Europe, there's Operation Endgame, which is targeting different parts of the ransomware ecosystem. So not necessarily the ransomware actors themselves, but the enablers of that. So things like info stealers, for example. And there's another thing I've noticed called the cybercrime atlas, where it's a group of people who are getting together, stakeholders, I would guess, and talking about what the ecosystem looks like to try and disrupt the ecosystem. So do you see yourself taking part in those kinds of initiatives where it's, you know, here are the. I don't know, the cybercrime supply chain, I suppose, is what we're looking at, and trying to disrupt those in some sort of, like, international collaboration or with regulators or whatever.

B

Oh, absolutely. Listen, our adversaries are no longer script kiddies in their grandmother's basement, though. Those guys are still out there, and we need to watch out for them. But really, today, we're combating these, you know, organized transnational criminal groups, even nation states. You just talked about it. The bad guys are now talking, just like the good guys talk. And so we need to work together across organizations, across industry sectors, with the public and private sector, even NGOs, really, as a unified team to protect the greater digital ecosystem. It really is. It's a shared responsibility across all of us. And when I travel around the globe and I talk to the regulators, I talked to governments, I talked to law enforcement intelligence agencies, what I find is even national law enforcement agencies, national intelligence agencies, they have a very good understanding of what's going on in their location in their region, but really globally, they don't have as good of a view. And that's where someone like MasterCard can step in. Again, I mentioned those 160 billion transactions a year that we see globally. So we can see a fraud or cybercrime trend pop up in Peru and, and then we'll see it replicated in India. And then when we see those indicators in Australia, we can act before the crime happens to help head that off, to prevent fraud, to prevent cybercrime and really, you know, security, it's got to be embedded across the ecosystem, not just at the perimeter. And we do work closely with regulators, law enforcement, industry associations, folks like Interpol, Europol, Enisa in Europe to strengthen the collective defense. Today, we actively participate in more than 50 regulatory, law enforcement industry groups worldwide. And those partnerships enable us to share best practice to drive common standards for threat intelligence sharing and response. Ultimately, collaboration is essential for our resilience as an organization and the greater resilience of the global digital ecosystem. And by combining intelligence, technology and trust, we can help organizations navigate complexity and build a safer digital economy for everyone.

A

So, Mike, you said that right at the beginning that you were both the chief security officer and the chief information security officer. Is that something that will become more common in the future?

B

You know, I will tell you, it depends on the, the type of organization you have, the size of organization you have. For MasterCard, it is an outstanding security strategy. It allows us to really focus on things like insider threat. So we understand whether, you know, there is a cyber indicator for what might potentially become a physical threat. When you think about cyber attacks these days, things that have a digital footprint often have a physical impact. We see them as precursors to kinetic attacks in wars these days. So really having that combined physical and cyber security operation enables us to have, and myself as the CSO to have a really a good 30,000 foot view across all of the threats to our enterprise. So for MasterCard, it's a great business model. It helps us again, stay in front of a lot of the threats. But I would say, you know, you have to evaluate each and every business. If you're a retailer with 400 retail shops across the country with tons of stock and you're more worried about shoplifting things, maybe it's not the right model for you, but for MasterCard, it really is an effective business model.

A

Mike Lashley, chief security officer of MasterCard, thanks a lot.

B

Thank you very much, Tom. I appreciate your time and being here on the program.