Cybersecurity

November 4, 2025

 

A cyber policy expert’s take on building trust and resilience in cybersecurity

It’s a ‘collective responsibility,’ says Kiersten Todt, Mastercard’s new head of Cybersecurity Partnership & Engagement.

Vicki Hyman, Director, Global Communications, Mastercard

Cybersecurity is no longer a niche concern — it’s a test of global collaboration, a boardroom imperative and a matter of survival for the small businesses increasingly targeted by cyberattacks.

Kiersten Todt has witnessed this transformation from the frontlines, with a résumé spanning the White House, the Cybersecurity and Infrastructure Security Agency, and leadership roles in the private and nonprofit sectors, including the small business-focused Cyber Readiness Institute.

She joins Mastercard this week as its senior vice president for Cybersecurity Partnership & Engagement, deepening the company’s collaboration with governments and global partners in an increasingly complex threat landscape and ensuring secure innovation becomes the engine, not the obstacle, of progress. She brings a blend of strategic vision and operational reality as the company expands its portfolio of cyber, fraud identity and AI-enabled services.

“So much of what we often do in cybersecurity is about managing the moment,” she says. “But Mastercard is uniquely positioned to be future-focused. Mastercard has the resources, the capability, the capacity and the touchpoints globally to lead in this space and ask, ‘What is the vision? How do we build a more secure and resilient infrastructure, a more secure and resilient ecosystem?’”

The Mastercard Newsroom sat down with Todt last week to discuss her approach to building frameworks that empower industry, foster information sharing and integrate security into the fabric of innovation.

The interview has been edited and condensed.  

 

You’ve worked on cybersecurity from both the government side and the private sector. What role should governments play in setting cybersecurity standards, and where should the private sector lead?

Todt: This has always been a debate. As in most issues with policy, it's not a science, it's an art. The government has an incredible ability to convene, and its role, really, at the end of the day is to establish a framework that guides industry and is based on risk management. The government can empower industry by providing guidelines for managing its risk and helping industry prioritize what’s important. Compliance doesn't work because it ultimately turns into a checklist that falls short.

One of the key elements of risk management is that it should never be done in isolation. Government shouldn't do this in isolation of industry and vice versa. They have to work together so that the end result is the best possible approach to resilience. Collaboration between industry and government is critical for effective and impactful cyber risk management. 

 

From a tactical standpoint, information sharing is critical to combating cyber threats and moving from a defensive posture to resilience. How can governments and the private sector grow the trust needed to share intelligence and grow resilience?

Todt: As the environment has shifted, a lot of this is actually happening organically through action. When I was most recently in the federal government, we had established efforts to work with industry to proactively address cyber vulnerabilities. But almost immediately the collaboration was happening in response to attacks, and government and industry didn't really have a choice but to work together. There was a framework already set up, but these events and breaches activated that type of engagement. Both sides have critical information to share, and there's this appreciation more and more that by coming together there's an ability to do a better job of understanding where the threat is.


We often talk about indicators of compromise. But when I was in government, we looked to identify indicators of interest. What are we seeing that's telling us that something could happen? Government can't answer that question without industry. Industry can't answer that question without government. What happens is you're putting together a puzzle without all the pieces, and the way that you get a better picture is by working together. Industry can share what it is seeing on its network and government can work across sectors to help identify patterns, campaigns, tactics. Together, a better, more comprehensive threat picture is created. With its technology capabilities, data assets, threat intelligence, Mastercard is a powerful partner to governments worldwide.  

 

From a cyber risk perspective, how is the cyber ecosystem adapting to technologies like generative AI? How could the industry or government — or both — be more proactive?

Todt: AI is going to give cybersecurity a tremendous advantage. We're already seeing this through automation, through vulnerability management, through remediation, the ability to design secure code, all these things that we've struggled with over the years. Adversaries, however, are quickly figuring out how they can use it for their own purposes. We're really seeing this, especially in AI-powered ransomware, where they're able to exploit vulnerabilities in 15 minutes rather than weeks and automate scans for vulnerabilities and negotiations that previously had to be done manually.

But the good news is that unlike other technology revolutions, we're aware of all of this at the beginning. While AI and machine learning have been around for a while, they have only been mainstreamed within the last few years. As a global society, we're aware of how important it is to use these technologies properly. We understand that there has to be a framework for this technology innovation that actually helps the technology do better. Secure innovation shouldn't be an oxymoron. It helps innovation when we're building the security in from the beginning. Because of both industry and government's deployment of AI, we know that there has to be a broad global effort, and I think you're seeing companies and countries come together to understand what needs to be done and to figure out how to build a framework for action. 

 

One of your focus areas will be strengthening cybersecurity for small businesses. Our recent research has shown that small businesses are increasingly facing the brunt of cyberattacks. How can we make cyber protection more accessible? Who should take the lead there?

Todt: At the Cyber Readiness Institute, we focused on human behavior. How can we help improve small businesses by educating them about some of the baseline levels of cybersecurity that are required to help small businesses not go out of business? We saw the dependency of global supply chains on small businesses with one of our member companies at CRI during COVID. They had a small business that fell victim to ransomware, went out of business and disrupted the company’s global supply chain. We've got to do better. It's the rising tide that lifts all ships. We've got to invest in small business cybersecurity.

When it comes to integrating cybersecurity, cyber hygiene practices into the infrastructure of small businesses, automation certainly helps. There is also an opportunity for government to incentivize businesses that provide security products to make those security capabilities a default in the technology. Recent technology advancements allow us to move security away from the end user, from the small business, and build it in to the tech infrastructure.  We cannot underestimate the critical importance of investing in and prioritizing the cybersecurity of small businesses. 

 

What makes you most optimistic about the future of cybersecurity?

Todt: For a long time, cybersecurity was viewed as a competitive advantage that was a choice, something that each organization could choose to invest in – or not – and something that was done in isolation. There was a period of time not too long ago where businesses would say, I'm not going to invest in cybersecurity, I'll just invest in the response if something happens to me.

But what we've been seeing and appreciating is this shift toward partnership, collaboration, this shift toward shared defense, that comprehensive cybersecurity and resilience can't be achieved by one organization alone. Governments around the world, private industry, tech innovators recognize that the security of the digital ecosystem is a collective responsibility. I'm also encouraged by the integration of cybersecurity into business strategy and innovation. It's not just IT. Cyber resilience is now a boardroom issue. It's tied directly to trust, to brand, to growth. That awareness is transforming how organizations really invest in and prioritize secure technologies, threat intelligence and cross-sector collaboration. Embedded security is imperative to sustained growth in the future.

Mastercard is in such a unique position to lead across sectors, governments, industry to raise the bar and be a valued, strategic partner. Every day Mastercard sees how powerful collaboration can be, how partnerships across governments, industries, sectors, regulators are redefining what resilience looks like and integrating cybersecurity into the innovation process itself. Because it sits at the intersection of technology, trust and commerce, Mastercard can anticipate the threats before they emerge and ensure the secure, resilient growth of the digital economy.
