A conversation with Ron Green, chief security officer at Mastercard. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment. Find out more here.
About Ron Green: Ron Green is chief security officer with Mastercard. In that role, he leads a global team that ensures the safety and security of the Mastercard network as well as internal and external products and services. He is chair of the Financial Services Sector Coordinating Council (FSSCC). He holds a bachelor’s degree in mechanical engineering from the United States Military Academy, is a graduate of the FBI’s Domestic Security Executive Academy and holds a graduate certification in information assurance from George Washington University.
What makes a successful security leader?
For starters, you have to be a team player to make it in this field. You need to work well with all parts of the enterprise — not just the security team. You need to understand the business and build trust, just as a quarterback needs to trust the offensive line. Finally, stay humble; no one can know everything about cybersecurity — it’s a vast, complex field.
What internal and external priorities should today's security leaders focus on?
Fostering a spirit of inclusivity both within the security team as well as with partners and stakeholders is critical. We need everyone to feel empowered and comfortable sharing their ideas, as that diversity of thought is essential when defending against the adversary. Second, creating security standards provides the business with a framework in which employees operate. Equally important, however, is ensuring communication and compliance of those standards so everyone understands expectations. Finally, readying the business so it can take advantage of emerging technologies, like the cloud, 5G and internet of things (IoT), is definitely a priority — but it's also important to never lose sight of the basics. Keeping systems and software up to date and educating employees about security basics — like phishing and data protection — are equally critical.
Externally, there has never been a greater need for information sharing and collaboration with others in the same sector as well as across sectors. The adversaries work together to attack; as such, we must work together to improve our collective defenses. I also believe that we are only as strong as our weakest link. Today, we are all so interconnected that those businesses that haven’t made cybersecurity a priority — either because it is too complicated or too expensive — adversely affect us all. As experts, it is our duty to help others, especially small business owners, improve their defenses and overall security posture.
How can cyber leaders work with corporate peers to win buy-in from c-suites and boards of directors?
Security is very much top of mind with both our c-suite and our board of directors. But, as experts in our space, we often forget that not everyone understands the security world. We must be deliberate when discussing security with others by putting our messages into a context they can understand. This means adjusting our terminology to simplify the complicated.
Dashboards are also helpful tools because they showcase the challenges while illustrating the positive strides we are making over time. Bringing others into our security world also helps. For example, we host capture-the-flag events with our board of directors. This immersive experience pairs them with a member of the security team and teaches the board member how to hack into a system. Through this hands-on experience, they gain first-hand exposure to security concepts and a greater reference point.
Finally, security is everyone’s responsibility, including the c-suite. We enable our peers with security standards and policies, and clearly communicate expectations so everyone is aware and can be held accountable for their actions. But we go one step further by embedding our top-notch team of cybersecurity experts within their team to partner, advise and assist them with implementing controls.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
Before working in cybersecurity, I was an agent with the United States Secret Service. During that time, I faced several life-or-death situations that solidified for me some of the greatest lessons of my career. First, clear and direct communication is critical if you want to inspire action. This is especially true when working in a large global enterprise with colleagues that often speak several languages. Second, use critical thinking and have confidence in your decision. While I’m no longer facing life-or-death situations, the stakes are still high and quick decision-making is essential.
What attracted you to join the Cybersecurity Collaborative as an Executive Committee member?
We knew (or recognized) many of the Cybersecurity Collaborative members. As an Executive Committee member, we realized this was an opportunity to improve security for all by helping to shape the member discussions.
What do you value about Cybersecurity Collaborative’s Executive Committee?
Partnerships like this are valuable for a number of reasons, but benchmarking tops the list. By sharing information with one another in a trusted setting, we’re all able to glean insights into what others are doing and learn firsthand what is, or isn’t, working. This also opens the door for deeper discussions about process and technology improvements we can make to help our people succeed.