What CISOs can learn from the frontlines of fintech cybersecurity
At Span Cyber Security Arena, I sat down with Ria Shetty, Director, Cyber Security & Resilience for Europe at Mastercard. Our conversation cut through the hype and focused on what CISOs deal with every day: how to embed security into innovation, manage supply chain risk, and prepare both systems and people for the threats ahead.
For Shetty, the idea that innovation competes with security is a false choice. “They go hand in hand,” she says. User trust is central to her approach. “That’s the most valuable currency,” she explains. Lose it, and it’s hard to get back. That’s why transparency, privacy, and security are built into every step of her team’s work, not added at the end.
Security is part of the product
Mastercard has acquired several cybersecurity companies in recent years, not just to protect its own systems but to help customers improve their defenses. Shetty focuses on the customer side. Her team works with banks, merchants, and partners to raise awareness, provide tools, and help them secure their full environment.
“Protection on the payment side is great, but if a customer is compromised elsewhere in their environment, that becomes our problem too,” she says. Her team promotes a complete view of security. That includes third parties, partners, and vendors. “You’re only as strong as your weakest link.”
The same cybersecurity products offered to customers are used internally. “We wouldn’t recommend anything we don’t use ourselves,” she adds.
Supply chain attacks
Supply chain attacks remain one of her biggest concerns. Many organizations still assume they’re too small to be a target. That’s a dangerous mindset. Shetty points to many recent examples where attackers reached big companies by going through smaller suppliers.
“It’s not enough to monitor your vendors. You also have to hold them accountable,” she says. Her team helps clients assess vendor cyber hygiene and risk scores, and encourages them to consider that when choosing suppliers. “It’s about making smart choices early, not reacting after the fact.”
Vendor security needs to be an active process. Static questionnaires and one-off audits are not enough. “You need continuous monitoring. Your supply chain isn’t standing still, and neither are attackers.”
Don’t ignore the human element
Shetty is clear on the importance of user awareness and training. Some in the industry dismiss it as a checkbox activity. She strongly disagrees.
“You can have the smartest tool out there, but in the end, it depends on the human,” she says. A single click on a phishing link can lead to compromise. As phishing attacks become more personalized, even experienced users are vulnerable.
She recently received an email, supposedly from her boss, signing her up for a cybersecurity conference. It sounded plausible and matched her usual work habits. “For a moment, I had to second-guess myself. It looked real.” It was a test, one she passed, but the hesitation was real. “That’s how good these attacks are getting.”
Training must be relevant, ongoing, and tailored to different users. Not everyone is tech-savvy. She saw this firsthand while working on payment systems under PSD2. Her team had to train banks, who then trained older customers on how to register cards online and use multi-factor authentication.
“You can’t just roll out a system and assume people will figure it out,” she says. “It’s on us to communicate clearly and provide useful education.”
The pace of threats is picking up
The speed of change is what worries her most. Threats evolve quickly. The amount of data to protect grows every day. At the same time, regulators and customers expect high standards, and they should.
She’s concerned that some organizations focus too much on shiny new tools and forget the basics. “It doesn’t help to spend money on the latest tech if you’re not patching, managing access, or backing up systems.”
She also points out that attackers use the same tools defenders do. “AI isn’t just for us. It’s for them too,” she says. As defenders innovate, attackers do the same. That dynamic makes staying ahead even harder.
Getting through to the board
Shetty often speaks with SMEs who struggle to get buy-in from the board. Even when security leaders make a strong case, leadership may not fully understand the risk. In some cases, board members are far removed from technology use.
“They’re being asked to understand cybersecurity when they don’t even use email themselves,” she says. That disconnect can delay budget approvals or limit how much can be done. The problem is especially common in smaller companies.
This is starting to change. She has seen more awareness after recent supply chain breaches. Still, many companies don’t want to invest beyond the minimum. She thinks that’s a short-sighted approach.
“If you cut corners in cybersecurity, you’re going to pay for it later, and not just in money. Reputational damage is far worse and harder to repair.”
She understands the budget pressure but urges SMEs to push anyway. The math is simple. “A couple of thousand spent now could save a million later,” she says.
Resilience means shared responsibility
Shetty sees cybersecurity as a shared responsibility. Her team can provide tools and guidance, but success depends on how organizations handle their people, processes, and partners.
The goal isn’t to chase the latest tool or trend. It’s to execute well on what matters. That means building security into innovation from the start and keeping user trust at the center of every decision.