Mastercard’s Fusion Center Model: A Conversation with Michelle McCluer
For CISOs facing growing operational risk, the challenge is no longer just about deploying the right tools. It requires integrating intelligence, operations, technology, and business strategy into a coordinated defense capability.
I recently spoke with Michelle McCluer, who outlined how Mastercard approaches this challenge through its Global Fusion and Intelligence program. The conversation offers several key lessons for security leaders looking to evolve beyond siloed operations and toward a more anticipatory, intelligence-driven model.
At the center of that evolution is the fusion center.
Lesson One: Break Down Silos Before a Crisis Forces You To
The fusion center model emerged from a costly realization after 9/11. Critical intelligence signals existed across agencies, but they were not effectively shared or connected. Many corporate security programs still face the same issue. Threat intelligence, fraud, insider risk, physical security, legal, and IT may collaborate periodically, but they rarely operate as a single system.
At Mastercard, more than 30 teams contribute to a coordinated fusion structure. Hundreds of professionals across regions share intelligence, operational context, and business priorities on an ongoing basis. This is not an informal exchange reserved for major incidents. It is built into daily operations.
If intelligence is not moving smoothly across functions before an incident, it will not move effectively during one. Establishing formal coordination, defining shared workflows, and creating consistent information-sharing routines helps build resilience long before a breach, fraud campaign, or geopolitical disruption tests the organization.
A fusion center does not require a physical command room. It requires clear governance, defined roles, and a shared commitment to collective accountability.
Lesson Two: Treat Geopolitical Risk as a Core Security Input
Many security programs still treat cyber risk and geopolitical developments as separate concerns. Mastercard’s model integrates them.
With operations in more than 200 countries and territories, geopolitical instability is not theoretical. Civil unrest, sanctions, regulatory shifts, regional conflict, and economic disruption can have direct effects on employees, partners, and customers. Mastercard’s fusion structure monitors these developments alongside cyber threats and fraud indicators.
For CISOs, this requires expanding what qualifies as a security signal. Security programs cannot focus only on malware indicators and vulnerability management. Political instability, supply chain disruption, and regulatory shifts can create immediate operational risk. Incorporating geopolitical intelligence into security reporting and leadership discussions gives executives a clearer picture of exposure.
This broader view also strengthens security’s standing inside the business. When security leaders can connect global developments to business impact, security becomes a strategic contributor rather than a technical function.
Lesson Three: Build Trusted External Partnerships Before You Need Them
A consistent theme in the conversation was the importance of trusted relationships outside the organization. Mastercard works closely with public sector agencies and industry partners on cybercrime, illicit finance, and critical infrastructure protection.
The value of these relationships comes down to speed and trust. When suspicious activity emerges or a large-scale incident unfolds, the ability to pick up the phone and connect directly with a known counterpart can accelerate response and containment.
For CISOs, participation in information-sharing organizations and public-private partnerships should not be treated as a checkbox activity. It is a practical operational advantage. Relationships built during stable periods often determine how quickly an organization can act when disruption occurs.
Security leaders should assess whether their teams have active, working partnerships or only passive memberships.
Lesson Four: Prepare for Emerging Technology Risks Before They Become Operational Problems
Artificial intelligence and quantum computing were discussed as major forces reshaping the threat environment. AI is already enabling more scalable fraud, more convincing social engineering, and faster attack automation. Quantum computing, while still developing, has long-term implications for encryption standards that support global commerce.
The key point is not simply that these technologies exist. It is that adversaries often test new capabilities faster than enterprises can adopt them responsibly. Organizations must weigh governance, regulation, and reputational risk while attackers operate without those constraints.
Security teams cannot afford to wait until these technologies are widely deployed before planning for their misuse. Forward-looking programs assess emerging technology risks early, identify likely abuse cases, and begin aligning architecture and controls to reduce exposure.
CISOs should ask whether their roadmap reflects longer-term threats or only the risks already showing up in day-to-day operations.
Lesson Five: Build Long-Range Threat Thinking Into the Program
Mastercard’s Threatcasting Lab, developed in partnership with Professor Brian David Johnson from Arizona State University, looks ten years ahead to study plausible threat scenarios. Those findings are then used to inform current strategy, architecture decisions, and resilience planning.
For many security teams, long-term planning is overshadowed by operational workload and incident response. Without structured foresight, organizations risk staying locked in short-term cycles that prioritize immediate issues while leaving long-range exposure unaddressed.
CISOs can adopt smaller versions of this approach by running scenario planning workshops, conducting tabletop exercises tied to emerging technologies, and facilitating cross-functional discussions about second- and third-order impacts of geopolitical or technological shifts. The goal is not prediction. It is preparation.
Lesson Six: Treat Security as an Enterprise Capability, Not a Standalone Function
One of the most important takeaways from Mastercard’s fusion center model is structural. Security is not treated as a standalone technical department. It is positioned as an enterprise capability that integrates intelligence, operations, fraud, technology, and regional leadership.
Strengthening the security function requires fluency in business priorities, regulatory environments, and operational realities. It requires teams that can interpret interconnected risks, communicate clearly with leadership, and translate intelligence into action. It also requires security leaders who can explain risk in terms the business recognizes, including customer trust, financial exposure, and operational continuity.
Mastercard’s approach shows that resilience is built through coordination and shared visibility, not through tools alone. When intelligence, operations, and business decision-making are connected, organizations are better positioned to detect threats earlier and respond with speed and clarity.