Every day, and more so than ever in an increasingly cashless society, millions of people trust Mastercard’s global network to make secure business transactions that power economies around the world. It’s an enormous responsibility—and one growing exponentially more difficult as transformative technologies like AI and quantum computing accelerate cyber risk. Mastercard has steadily risen to the challenge, turning the ever-more sophisticated threats facing financial companies into an opportunity by investing in anti-fraud IT innovation.
Chosen by peers as CBM’s Director of the Year in recognition of her role in those efforts, Mastercard Chair Merit Janow draws on a wealth of experience in finance, cyber risk, global operations and governance in leading the payment solutions company’s board. A widely recognized expert in international trade and investment, she began her career as an attorney specializing in cross-border M&A, going on to serve in a series of senior government posts, including deputy assistant of the USTR for Japan and China, executive director of the U.S. Justice Department’s international antitrust advisory committee and member of the World Trade Organization’s Appellate Body. For nearly 30 years, she’s been a professor at Columbia University, also serving as dean of its School of International & Public Affairs for eight years, during which she built out and launched a program on technology and public policy with a focus on cybersecurity.
Janow’s governance background is equally formidable. During two-plus decades of corporate and nonprofit board service, including tenures as chair at Nasdaq and American Funds, she saw companies through every crisis imaginable—the financial meltdown of 2008, a sudden CEO succession, a worldwide pandemic, transformative tech. Jennifer Pellet, CBM’s managing editor, recently met with Janow at Mastercard’s New York City Tech Center to discuss oversight in an era of transformative tech and other governance challenges. Excerpts of that conversation, edited for length and clarity, follow.
You have an extensive background in technology and policy. How does that inform your role at Mastercard?
I’ve always had a deep interest in technology and digital policy issues in a global context. Building a program around that at Columbia meant having their data analytics and coding courses available to graduate students, and then policy courses that bring these together across finance, across the economy, development, environment. And in cyber, we focused a lot on financial stability and cyber risk and on cyber conflict, set up task forces and with different expertise, and worked with the New York Fed and also Washington policymakers.
I would say that informed my role at Mastercard with a greater awareness of threat actors and a better understanding of the regulatory and policy approaches being taken around the world with regard to data and technology and privacy and security. Things like what it means to build a sound digital ecosystem, how hard that is, opportunities for public and private cooperation and the changing shape of globalization itself, such as a certain amount of fragmentation occurring in how countries want to manage these areas in the digital space.
Now, Mastercard as a company and its management team has had a remarkable, long-standing, deep institutional investment in building that sound digital ecosystem around privacy and security and managing privacy and data in a global context. And mitigating cyber risk is critical and integral to the business. So it’s not only critical for the business that it operates, but it’s also a source of innovation for the products and services it’s offering to banks, to issuers, acquirers and merchants.
What does looking at cyber risk from those two angles mean from a governance standpoint for Mastercard’s board? How does the board contribute?
There’s a high degree of engagement by the board around cyber, but also around data privacy and security and broader data governance. We get annual reports from the chief information security officer. The risk committee focuses closely on data privacy from the chief privacy and data officer, on cyber readiness and on operational programs. Sometimes we do simulations of reactions if there is a cyber incident of some kind.
But I want to stress that cyber is also an area of business innovation in terms of innovation around the analytics for fraud prevention and detection, which is crucial to banks and merchants. So, it’s ensuring that the board has oversight through each of the different committees with regular updates by key people, and lots of KPIs and metrics that we are tracking and engaging. It’s interesting because at some level the board is tasked with focusing on the strategic issues and sometimes the operational cyber issue is very tactical. So you have to find ways of bridging that conversation because you need to be able to ask the right questions, have the right metrics that you’re tracking.
But the expertise around these issues within the company is deep. That’s where Mastercard is a true leader, and where they are really investing. They have extraordinary technology expertise, and they’ve been acquiring products and services that give additional insights and protection and adding those on.
It’s evolving so quickly—how do you stay on top of what’s going on? What questions do you ask?
At the board level, what you hear in the different committees is first of all, what is the culture around data governance? It’s fundamental to this business. And the company has principles they’ve articulated that they live by around transparency and accountability—that it’s your data, you own it.
The board appreciates and understands and wants to hear about what the company is doing in the sphere of building that sound digital ecosystem because it’s a major player, and it’s not the only one. You’ve got to be building that ecosystem for a safe and sound world, right? So this is one company that is invested in increasing cyber rating for small and medium-size enterprises, investing in cyber education programs in various parts of the world and collaborating with other partners, Microsoft or the CyberPeace Institute.
It is important for the board to hear from management what they are doing both with respect to their internal operational risk and cyber risk activities, as well as what they’re doing in the world. There are different ways in which that comes to the board on a regular basis through these different committees, and we also do board-level education and engagement. Having very defined metrics that you are tracking in committees, regular briefings of the full board, out-of-boardroom board education and out-of-the-boardroom simulation exercises are all ongoing and crucial for the business.
What do you view as the most pressing cybersecurity challenges facing companies today? How should boards prioritize and address these issues?
I wouldn’t point to one. The point is that it’s not static. It’s ongoing. So there isn’t a single answer. The threat environment is only getting more complicated, more constant, more global, and more state actors are involved. There are more fraud schemes, more deepfakes. So it’s this complexity, globality, constancy that is the basic state of play. That is the biggest challenge.
And of course, you’re operating in an ecosystem, and so the weakest links bring vulnerabilities into the system, which is why it’s valuable for established, expert players to be expanding cyber readiness around the world in small and medium-size businesses by building that cybersecurity awareness and culture in many parts of the world and where that expertise is not as embedded. That’s part of the challenge. And boards need to be constantly ensuring that they’re getting to the right issues.
Many high-performing boards are working closely with management around those questions on an ongoing basis; it’s very constant. But for a company like Mastercard and others, cybersecurity is not only table stakes but a source for innovation and new services, and the board has to focus on both dimensions. But to me, there are building blocks in these areas, including when you start talking about bringing AI into the conversation, and those building blocks are around data governance, privacy and security. It’s so crucial, such table stakes for companies and global businesses. And often, as this security is multilayered, it has to be built into the design of products and services from the beginning.
So the challenge is the world. The world is very complex, and it constantly changes. And you have to navigate that complexity. There are always crises to navigate, and people are very complicated. Maintaining candor on the board and openness, looking to the future, asking what are the next great things that we must achieve and advancing and fostering talent within companies, keeping your eye on the strategic priorities and execution around those and around culture. We talk about that at Mastercard—a culture of decency.
You have deep expertise in international trade and investment, particularly in the Asia-Pacific region. What role should boards play in vetting a company’s global outlook for companies to manage risk and ensure it is positioned to compete internationally?
What global companies are increasingly needing to do is to develop structures, approaches that address local market conditions and that also are deeply intentional about managing the policy implications and the risk associated with the choices they make in those different countries.
Over the course of a year, there should be a geographical dimension that’s brought out so that boards understand how the company is faring in different markets—Asia-Pacific, Europe, Latin America, Africa. In the Mastercard context, the board travels at least once a year to a major jurisdiction that’s important for the business. And we hear from customers and also from local leadership. It’s also not uncommon to hear from policy leaders or other experts.
We bring quite a lot of outside expertise into the boardroom wherever we are at a meeting. I have often organized, or the company has organized, depending on the board, panel discussions with experts or including a global perspective. And Mastercard has a global board membership as well—Japanese, Brazilian, Singaporean— which really helps.
American Funds Capital Group is a global business, although the role of the board is a little different in the mutual fund area than in a corporate setting. And Activ is an automotive technology company based in Europe with operations globally. So what happens around the world matters at all of these companies. Having a global perspective, including around how the world is changing, is increasingly critical for companies of different sizes and from different industries, because there are some very big changes happening in the world.
What big change do you see right now?
Globalization is not dead, but the shape of it is changing. Services growth continues globally, but there is more fragmentation happening, and that’s happening through government policies. It’s important for companies to understand that, to be a trusted local partner and to understand the priorities that are evolving in different jurisdictions.
Can you give an example of the shifting priority you’ve observed?
For many global companies, it’s really important to be able to operate across boundaries. So maintaining interoperability is very, very important to the functioning of the business and the effectiveness and efficiency. For example, what Europe introduced in their privacy regulation of GDPR is very well understood now. Global businesses had to find, and have found, ways to be absolutely faithful to the requirements of each jurisdiction but also develop ways of operating across systems. That’s the kind of architecture the world is requiring.
Talent is a perennial challenge for all companies. In boardrooms, what talent concerns are you seeing come up?
You have to create a culture within the company that says it’s a great place to work. There’s a lot of emphasis on that at Mastercard, American Funds Capital Group and all the businesses that I’m part of. Maintaining that is a constant central focus and it requires a lot of different dimensions to it that boards and management have to pay attention to.
Mastercard’s CEO developed the Mastercard Way, which is about that culture inside that you want and also nurturing talent. You have to constantly be creative also about making sure people feel they have the opportunities to grow and move.
Obviously, I also care about women in leadership and also about ensuring that diversity in the broadest sense because I believe that there is strength from that, depth from that and creativity. You want to be a place where all of that reveals itself in a productive way.
What do you think about recent pushback from the investment community on DEI initiatives?
It’s very important for companies to pick the dimensions that make sense for their business and also establish the culture that allows everyone to thrive. It’s an important [topic at Mastercard] and one the company really cares about in very concrete ways. The nurturing of talent and diverse talent, globally as well as in the United States has been a strength of the business and is a priority.
When you think about the initiatives of the company around talent but also around sustainability and the environment, Mastercard is well known for its center on financial inclusion and its initiatives around financial inclusion. That’s [an aspect of diversity that] makes sense for the business. It also has huge consequences in the world when you’re bringing people into the financial system and equipping them with more access.
You’ve got to find an approach to diversity that is very genuine and that makes sense for your business, that embodies your values.
How has your approach to governance evolved during the more than two decades you’ve been serving on boards? What have you learned?
One of the things that I’ve come to really appreciate is that each member of a board brings something distinctive to the mix. There is tremendous value in the mix of perspectives that you want around the table—a global perspective, a technology perspective, a CEO perspective, a consumer perspective, an understanding of the world and the economy.
That mix is important, and then, of course, establishing the culture of the board is essential. Collegiality is hugely important because the world is complicated, and there will always be volatility. You will have to work closely with management in times of stress and also in success, so collegiality is very valuable.
I’ve come to appreciate directors who speak when they really have something to say and who ask questions that really bring out a dialogue around important strategic issues, with each other and with management. The purpose there is to engage and to focus on things that really matter for the business, and to really bring out in a candid way conversations that are central to the business.
The board is trying to add value but also guide the management and be thoughtful about the line between the board and management. So the mix of expertise, and then the numerous practical dimensions of board participation and leadership that you learn with time and that can help bring people together in pursuit of the shared purpose of success for the company, both for the present and thinking about the company going forward in the future. Those are things that when you first join a board may not be top of mind, but over time, you really come to appreciate.