Mastercard’s Gerber Says CISOs Can’t Protect What They Can’t See
In cybersecurity, visibility has always been a prerequisite for control.
Today, the scale and stakes of what organizations can no longer see are approaching a tipping point.
The result is not simply greater complexity, but a growing inability for organizations to identify where their own infrastructure begins and ends.
“If you think about the blind spots very often for companies, it’s very hard to figure out exactly their digital footprint in the modern age,” Johan Gerber, executive vice president of security solutions at Mastercard, told PYMNTS. “And if CISOs can’t see these things, they can’t protect [their organizations].”
The modern company no longer operates inside a perimeter; it exists as an ecosystem. Today’s applications frequently run simultaneously across hyperscale cloud providers, edge networks and services that may never pass through a central IT ledger.
The shift has created a dangerous mismatch between how businesses think they operate and where their technology actually lives.
The emerging alternative is exposure management. Rather than treating every vulnerability as equal, the emphasis shifts to determining which weaknesses are likely to be exploited and therefore demand immediate attention.
“We’re moving from vulnerability management to exposure management,” Gerber said. “Now I can truly say I’ve got 40 vulnerabilities, 10 of them are acute because we can see them being attacked in other places in the industry. That means my exposure is X.”
Risk, in other words, has become contextual, dynamic and tied to adversary behavior. Cyberthreats are no longer only static software defects that teams must patch before attackers can move in; what matters is which weaknesses are being exploited right now.
Breaking Down Security Silos
Security teams are also confronting the structural problem of years of accumulated tools that rarely share context. Many organizations operate dozens of specialized products, each producing its own stream of alerts.
Gerber added that practitioners refer to the resulting inefficiency as the “swivel chair” problem, where analysts move from one dashboard to another without a unified picture.
At the same time, resources remain constrained.
“One of the biggest problems that every CISO faces is, ‘I have limited resources. I’ve got more vulnerabilities and exposures than I know how to deal with,’” Gerber said.
A more consolidated approach begins with mapping the attack surface by identifying where systems are exposed to the internet, and then layering threat intelligence to understand which weaknesses are being actively exploited. Protection is applied not as a separate activity, but within the infrastructure through which traffic already flows.
“What we want to do is not only understand where exposure vulnerabilities are, but how to now protect them,” Gerber said.
Against this backdrop, automation, particularly when embedded into the infrastructure through which traffic already flows, can change the security equation. Instead of requiring organizations to deploy and manage yet another tool, protection can occur directly within the connective tissue of the internet, so long as it isn’t held up by walled gardens and organizational silos.
Continuous Posture
Continuous measurement is becoming central to this emerging model of enterprise fraud prevention. Through posture management, organizations can assess their external security profile at regular intervals instead of relying on periodic audits, Gerber said.
“Every 10 days, we assess your cyber posture from the outside in,” he said.
These evaluations analyze how systems communicate with the public internet, revealing dependencies, software versions and configuration weaknesses.
The result is longitudinal insight.
“You can actually get a trend line, ‘Am I going up, down or sideways?’” Gerber said.
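The two ideas above, exposure management (separating the acute findings that are both reachable from the internet and being attacked elsewhere from the rest of the backlog) and continuous posture measurement (turning a series of outside-in assessments into a trend line), can be illustrated together. The following is an added example, not code from the article, PYMNTS or Mastercard: the finding records, the stand-in exploited-in-the-wild feed, the vulnerability identifiers (placeholders, not real CVEs) and the scoring weights are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str             # hostname (constructed sample value)
    vuln_id: str           # vulnerability identifier (placeholder, not a real CVE)
    severity: float        # base severity on a 0.0-10.0 scale
    internet_facing: bool  # True if the asset was reachable from the public internet


# Constructed stand-in for a threat-intelligence feed of IDs seen exploited
# "in other places in the industry"; a real deployment would pull this from a feed.
EXPLOITED_IN_WILD = frozenset({"VULN-EXAMPLE-0002", "VULN-EXAMPLE-0004"})


def triage(findings, exploited=EXPLOITED_IN_WILD):
    """Split findings into acute (internet-facing AND being attacked elsewhere)
    and the remaining backlog. Returns (acute, backlog)."""
    acute, backlog = [], []
    for f in findings:
        is_acute = f.internet_facing and f.vuln_id in exploited
        (acute if is_acute else backlog).append(f)
    return acute, backlog


def exposure_score(findings, exploited=EXPLOITED_IN_WILD):
    """Weight each finding by reachability and evidence of active exploitation.
    The weights are assumptions chosen for illustration, not a published formula."""
    total = 0.0
    for f in findings:
        weight = 0.1  # internal asset, no evidence of exploitation
        if f.internet_facing and f.vuln_id in exploited:
            weight = 1.0  # reachable and actively abused: counts in full
        elif f.internet_facing:
            weight = 0.5  # reachable, but no exploitation evidence yet
        elif f.vuln_id in exploited:
            weight = 0.3  # exploited elsewhere, but not directly reachable
        total += f.severity * weight
    return round(total, 2)


def posture_trend(scores, tolerance=0.05):
    """Answer 'up, down or sideways' by comparing the latest assessment with the
    previous one; relative changes inside the tolerance count as sideways."""
    if len(scores) < 2:
        return "insufficient data"
    prev, latest = scores[-2], scores[-1]
    if prev == 0:
        return "sideways" if latest == 0 else "up"
    change = (latest - prev) / prev
    if change > tolerance:
        return "up"
    if change < -tolerance:
        return "down"
    return "sideways"


def assess(snapshots):
    """Score each periodic outside-in snapshot and report the resulting trend."""
    scores = [exposure_score(s) for s in snapshots]
    return {"scores": scores, "trend": posture_trend(scores)}


# Constructed snapshots, as two assessments ten days apart might look.
SNAPSHOT_DAY_0 = [
    Finding("web-01.example.test", "VULN-EXAMPLE-0001", 7.5, True),
    Finding("web-01.example.test", "VULN-EXAMPLE-0002", 9.8, True),
    Finding("vpn-01.example.test", "VULN-EXAMPLE-0004", 8.1, True),
    Finding("db-01.internal.test", "VULN-EXAMPLE-0002", 9.8, False),
    Finding("build-01.internal.test", "VULN-EXAMPLE-0003", 5.3, False),
]
# Day 10: the VPN appliance was patched; everything else is unchanged.
SNAPSHOT_DAY_10 = [f for f in SNAPSHOT_DAY_0 if f.vuln_id != "VULN-EXAMPLE-0004"]


if __name__ == "__main__":
    acute, backlog = triage(SNAPSHOT_DAY_0)
    print(f"{len(acute) + len(backlog)} findings, {len(acute)} acute:")
    for f in acute:
        print(f"  {f.asset} {f.vuln_id} severity={f.severity}")
    report = assess([SNAPSHOT_DAY_0, SNAPSHOT_DAY_10])
    print(f"exposure scores: {report['scores']}, trend: {report['trend']}")
```

The point of the weighting is that the same vulnerability identifier lands in two different buckets depending on where the affected asset sits: on the internet-facing web server it is acute, on the internal database it stays in the backlog. The trend function deliberately ignores small movements so that a single low-severity finding does not flip the direction of the line between assessments.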
Artificial intelligence is accelerating the threat environment and the defensive response. Automated systems can now conduct threat-hunting exercises continuously, identifying malicious signatures more frequently than human teams could manage alone.
However, Gerber cautioned against assuming automation will replace human judgment.
“The human in the loop, at least for now, is still a very, very important concept,” he said, reflecting the need for interpretation and accountability even as machines handle scale.
Risk Facing Small Businesses
Small to medium-sized businesses (SMBs) represent a substantial share of economic activity, yet they often lack dedicated security expertise.
For these organizations, complexity itself is the principal barrier. Security must therefore be delivered as an embedded service, not an additional operational burden.
“Everybody wants more protection, but they all fear the complexity of it,” Gerber said. “Small businesses represent more than half of the world’s GDP. If that sector gets attacked at scale, it could have a negative impact on the economy.”
The concern is not a single catastrophic incident but a distributed wave of automated intrusions hitting thousands of organizations simultaneously.
“Cyber events are economic events,” Gerber said, adding that incidents can idle not only a targeted company, but also the ecosystem of suppliers and service providers that depend on it.
To counter that possibility, defenses must also operate at scale. The goal, Gerber said, is “to provide that protection for … small businesses … literally at the click of a button.”
The post Mastercard’s Gerber Says CISOs Can’t Protect What They Can’t See appeared first on PYMNTS.com.