Senior Information Security Engineer at Mastercard

Our Purpose

Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our customers, we’re helping build a sustainable economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential.

Title and Summary

Senior Information Security Engineer:

Who is Mastercard?
Mastercard is a global technology company in the payments industry. Our mission is to connect
and power an inclusive, digital economy that benefits everyone, everywhere by making
transactions safe, simple, smart, and accessible. Using secure data and networks, partnerships
and passion, our innovations and solutions help individuals, financial institutions, governments,
and businesses realize their greatest potential.
Our decency quotient, or DQ, drives our culture and everything we do inside and outside of our
company. With connections across more than 210 countries and territories, we are building a
sustainable world that unlocks priceless possibilities for all

Mission First, People Always
As Corporate Security, we are responsible for keeping Mastercard safe and secure from cyber
and physical threats, and it is our people on the frontlines who make this happen every day.
By taking care of our people, their wellbeing, and career development, we provide them the
necessary tools and environment to ensure the success of our mission.

Overview:

Mastercard is seeking candidates to join the Data Protection team with a focus on ShadowIT risk management, governance, and enforcement.

• As Mastercard accelerates innovation through SaaS, cloud services, and automation platforms, unapproved technology usage presents material data security, privacy, and compliance risks. This role is critical to defining and operating a clear, defensible blocking and escalation framework that protects Mastercard data while enabling informed business decisions.

• Can you design and operate a structured blocking and escalation strategy for unapproved applications?

• Can you balance security risk, business impact, and policy alignment in high visibility decisions?

• Can you lead governance processes and metrics that scale across a global enterprise?

• Role

• Contribute to the execution of the Shadow IT and Data Protection roadmap, with primary ownership of enforcement, escalation, and governance processes

• Develop and maintain a Shadow IT blocking strategy framework for unapproved applications, including:
  – Blocking criteria and decision thresholds
  – Risk scoring aligned to data sensitivity, access, and exposure
  – Defined escalation paths for exceptions and high impact cases

• Document all blocking decisions with clear business justification, technical impact assessment, and alignment to security and data protection policy

• Establish and maintain communication protocols to notify stakeholders of application blocks, including timelines, approved alternatives, and available support resources

• Manage unblock requests and escalations and exception processing, coordinating with Security Operations and business stakeholders to evaluate risk and determine outcomes

• Partner with application, platform, and business teams to define paths to compliance, including remediation, onboarding to approved services, or decommissioning

• Track and report Shadow IT metrics, including blocking trends, unblock volumes, escalation outcomes, incidents, and stakeholder satisfaction.

• Work side by side with other team members to build and mature the Shadow IT governance process, while taking lead ownership of defined processes such as:
  – Escalations and exception handling
  – Cross functional coordination
  – Technical impact assessment
  – Policy alignment and enforcement

• Build and operationalize a next generation Shadow IT governance model that provides transparency, consistency, and defensibility across the enterprise

• Develop a way to automatically tag approved apps

• Work with stakeholders to ensure all browser types experience is consistent (notifications, blocks, etc)

• Work with stakeholders to ensure

• All About You

• Experience operating or designing security governance or enforcement programs in large, complex environments

• Strong understanding of information security, data protection, and risk management, particularly as applied to SaaS and third party technologies

• Demonstrated ability to make and defend risk based decisions that balance security, policy, and business impact

• Experience working cross functionally with Legal, Privacy, Compliance, and Technology teams

• Ability to clearly document decisions and articulate technical and business impact to diverse audiences

• Strong verbal and written communication skills, including executive ready summaries

• Demonstrated technical competency in security engineering through hands on experience or relevant qualifications

• Design and implement data models and analytics frameworks to support Shadow IT blocking decisions, escalation tracking, and governance reporting

• Develop automated processes and dashboards to provide visibility into blocking activity, unblock requests, escalation outcomes, and trend analysis

• Evaluate and integrate data sources (e.g., SaaS discovery tools, cloud telemetry, intake systems) to ensure accurate and timely Shadow IT decisioning data

• Analyze and interpret complex datasets to identify risk patterns, repeat offenders, policy gaps, and opportunities for control improvement

• Perform completeness and quality assessments to validate Shadow IT enforcement coverage and identify governance gaps or process breakdowns

• Demonstrated ability to perform data analysis across security policies and technology usage to identify trends, assess risk, and inform governance decisions, including the capability to quickly learn and operate tooling used to manage product roadmaps and evaluate scoring criteria for alignment with Mastercard’s risk appetite.

• Required Skills

• Data security and governance (in depth knowledge)

• Information security engineering

• Risk assessment and decision frameworks

• Policy interpretation and enforcement

• Cross functional coordination and escalation management

---

• Additional Nice to Have
• Experience with SaaS security posture management (SSPM), CASB, or DSPM
• Familiarity with enterprise intake, exception, or risk acceptance processes
• Cloud security experience
• Automation or data analytics experience
• Alteryx (or equivalent ETL), PowerBI (or equivalent visualization), Power Automate, etc experience is a plus
• Application development experience is preferred, including the ability to develop scripts, work with APIs, and leverage AI capabilities in support of Shadow IT initiatives.

---

• Relevant Previous Experience
• Security Engineering
• Security Governance or Risk Management
• Cloud or Saa

S Security Engineering:

• Technology Risk or Security Consulting

---

Other Key Words:

Shadow IT, Blocking Strategy, Escalation Management, SaaS Risk, Data Protection, Third Party Risk, Governance, Metrics, Policy Enforcement

Mastercard Corporate Security Roles have been aligned with the NICE framework (National Initiative
for Cybersecurity Education). For this role the NICE Work Roles most closely aligned are:
Cybersecurity Architecture, Secure Systems Development, Security Control Assessment, Systems Security Management, Technology Research and Development.

Corporate Security Responsibility

All activities involving access to Mastercard assets, information, and networks comes with an inherent risk to the organization and, therefore, it is expected that every person working for, or on behalf of, Mastercard is responsible for information security and must:

• Abide by Mastercard’s security policies and practices;

• Ensure the confidentiality and integrity of the information being accessed;

• Report any suspected information security violation or breach, and

• Complete all periodic mandatory security trainings in accordance with Mastercard’s guidelines.