K&N Engineering Shifts Left for Greater Cloud Security
Organization: K&N Engineering
Project: Code to Cloud Security Transformation
Security Leader: Iqbal Rana, CIO
K&N Engineering, a notable player in the manufacturing sector, has taken a significant step forward in enhancing its cloud security through a strategic initiative known as the Code to Cloud Security Transformation. The organization’s Chief Information Officer (CIO), Iqbal Rana, holds the pivotal role of steering this change, having consistently adhered to security best practices within their direct-to-consumer e-commerce framework hosted on Amazon Web Services (AWS). Rana emphasizes the importance of leveraging cloud-native security measures and controls to ensure a robust defense against potential cyber threats. Up until recently, Rana believed they had implemented all necessary security measures.
However, a proactive assessment conducted by the company’s cyber insurance provider a couple of years ago unveiled a concerning vulnerability linked to the software deployment tool utilized by K&N’s IT staff. This revelation acted as a wake-up call for Rana, prompting an urgent response to the identified flaw. Subsequently, he broadened his focus to encompass not only internal processes but also the risks associated with third-party vendors.
This imperative led to the inception of the Code to Cloud Security Transformation initiative, which aims to address vulnerabilities across both vendor tools and the code deployed by the organization. The initiative introduced an integrated code-to-cloud security framework, leveraging advanced technology from Wiz to embed security measures throughout the entire software development lifecycle. This approach now extends across both K&N’s AWS and Azure environments.
The restructuring enables K&N’s IT team to proactively identify and remediate vulnerabilities before they can be exploited, thus guaranteeing secure, compliant, and efficient cloud operations. Rana points out the dual benefit of this initiative, explaining, “So we not only fix the deployment risk but also code risk as well.” The revolutionary technology actively prevents the deployment of code that contains known vulnerabilities, offering a safety net for the organization.
Moreover, once code is live in production, the technology continuously monitors its integrity, ensuring ongoing security assessments. “We have a dashboard that will inform us not just of infrastructure vulnerabilities but also of any issues regarding the code,” he adds. This newfound capability represents a transformative shift-left strategy, empowering K&N’s team to uncover and remediate hundreds of latent vulnerabilities effectively. The enterprise now enjoys near real-time visibility into its risk exposure, significantly bolstering compliance and protecting critical revenue streams.
Security Transformation Fortifies McDonald’s Resilience While Reducing Risk
Organization: McDonald’s
Project: Securing the Arches
Security Leader: Mike Gordon, CISO
In the realm of global fast food, McDonald’s operates over 44,000 locations across more than 100 countries, catering to over 69 million customers daily. Approximately 95% of its outlets are run by local franchisees, complicating the organization’s cybersecurity landscape. The brand’s extensive technology stack mirrors its global presence and interconnectedness, amplifying not only the potential rewards but also the associated cyber risks. Mike Gordon, the Chief Information Security Officer (CISO), outlines how this interconnected ecosystem, born from digital transformation, exposes the company to unprecedented cyber vulnerabilities.
An evaluation of the organization’s cybersecurity posture conducted a few years back illuminated significant gaps, revealing that McDonald’s maturity level on the NIST Cybersecurity Framework lagged behind its industry counterparts. This assessment demonstrated that the variability in cybersecurity capabilities across regions compromised foundational controls and visibility into potential threats and vulnerabilities.
In response, the CIO initiated a comprehensive transformation effort, culminating in Gordon’s appointment in early 2024 to drive this program forward. The “Securing the Arches” initiative aimed to modernize and unify cybersecurity protocols across both corporate and licensed markets. This ambitious project laid down a consistent framework for identity management, vulnerability assessment, data protection, and threat detection that spans over 100 markets worldwide.
Implementation of standardized enterprise-grade protections was critical, including the establishment of a global Security Operations Center (SOC), secure development pipelines, proactive threat testing, and comprehensive endpoint visibility. The enormity and complexity of this transformation demanded exceptional executive skills from Gordon. He aptly summarizes his role by stating, “I’m not a CISO of one company; I’m fundamentally the CISO of about 150 companies, of which I actually only have direct control over one.” Achieving transformative success hinged on building relationships, influencing fellow leaders, and deploying the right technologies and skills within the security team.
The Securing the Arches program has markedly enhanced McDonald’s resilience against cyber threats while simultaneously mitigating risk, thus providing a sturdy security foundation to support the fast food giant’s rapid digital expansion. As the company’s cybersecurity maturity continues to grow, Gordon anticipates enacting “Securing the Arches 2.0,” a continuous improvement strategy aimed at bolstering the effectiveness of their cybersecurity operations. “We’ll continue to evolve,” he states confidently.
MISO Brings Maturity and Metrics to Threat Action Operations
Organization: Midcontinent Independent System Operator (MISO)
Project: STRIKE (Strategic Threat Reduction & Intelligence-Driven Knowledge Engine)
Security Leader: Eric Miller, VP and CISO
MISO’s security team has employed various frameworks, including NIST standards, to assess and enhance its cybersecurity maturity. Eric Miller, the Vice President and CISO, notes, however, that the traditional metrics surrounding threat intelligence and hunting did not clearly demonstrate the security team’s effectiveness, which created gaps in accountability.
To tackle this challenge head-on, MISO’s security leadership, along with other executives, embarked on a journey to establish the Strategic Threat Reduction & Intelligence-Driven Knowledge Engine, also known as STRIKE. This initiative represents a significant transformation in how cybersecurity risk management is approached. STRIKE amalgamates global threat intelligence, MITRE ATT&CK mapping, and NIST frameworks into a single, cohesive model. By delivering real-time scoring, it quantifies visibility gaps and evaluates control effectiveness against actual adversary tactics.
Furthermore, STRIKE prioritizes responses based on both threat likelihood and readiness. It also provides a prescriptive path for technical configurations, shrinking remediation timelines to the point of being nearly instantaneous. Miller asserts that STRIKE ensures alignment between security activities and threat intelligence, which is critical for advancing MISO’s broader cybersecurity strategy.
“One of our key questions is, after we conduct a threat hunt, what tangible benefits or insights do we gain?” states David Webb, director of MISO’s cyber threat action center. He emphasizes the need to demonstrate that their actions are indeed lowering risk across the organization rather than simply marking tasks as completed. Traditional risk management methods, which often rely on isolated frameworks, can hinder proper prioritization and accountability.
By operationalizing threat intelligence through STRIKE, MISO is equipped to identify real-world adversary behaviors and link them to the corresponding MITRE ATT&CK techniques. This improved connection ensures that risk decisions are reflective of actual threats penetrating the organization’s defenses. Furthermore, STRIKE effectively links ATT&CK techniques with NIST CSF functions and SP 800-53 controls, illuminating the controls necessary to mitigate various adversarial tactics. The integration of Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) further enriches STRIKE by offering concrete steps to close existing control gaps.
At the heart of this transformation lies STRIKE’s Detect & Protect Scoring Framework, a quantitative system designed to evaluate visibility and defensive strength against high-risk methodologies—both weighted by their likelihood of occurrence and updated dynamically to reflect the evolving threat landscape.
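The following is an illustrative model, written for this page and not MISO’s STRIKE code, of the likelihood-weighted detect/protect scoring and gap prioritization described above. Only the ATT&CK technique and SP 800-53 control identifiers are real; the scoring formula, the technique-to-control mappings, the likelihoods and the coverage flags are constructed assumptions.

```python
"""Likelihood-weighted detect/protect scoring over an ATT&CK-to-control map.

Illustrative model written for this page, not MISO's STRIKE implementation
or its actual formula. Technique and control IDs are real ATT&CK / SP 800-53
identifiers; mappings, likelihoods and coverage flags are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Technique:
    tid: str                      # MITRE ATT&CK technique id
    likelihood: float             # 0..1, intel-derived chance of use against us
    detections: dict[str, bool]   # CSF Detect: required telemetry/analytic -> present?
    controls: dict[str, bool]     # CSF Protect: mapped SP 800-53 control -> implemented?


def coverage(flags: dict[str, bool]) -> float:
    """Fraction of mapped items that are in place (0.0 if nothing is mapped)."""
    return sum(flags.values()) / len(flags) if flags else 0.0


def weighted_score(techs: list[Technique], field: str) -> float:
    """Likelihood-weighted coverage, 0..100, for 'detections' or 'controls'.
    A gap on a likely technique costs more than one on a rarely seen technique."""
    total = sum(t.likelihood for t in techs)
    if total == 0:
        return 0.0
    hit = sum(t.likelihood * coverage(getattr(t, field)) for t in techs)
    return round(100 * hit / total, 1)


def prioritized_gaps(techs: list[Technique]) -> list[tuple[str, float]]:
    """Rank techniques by residual exposure = likelihood x (1 - mean coverage).
    The top entries are where closing a control or telemetry gap pays off most."""
    exposure = {t.tid: round(t.likelihood * (1 - (coverage(t.detections) + coverage(t.controls)) / 2), 3)
                for t in techs}
    return sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample: four techniques with partial detection and control coverage.
SAMPLE = [
    Technique("T1566", 0.9, {"mail gateway logs": True, "URL detonation": False},
              {"AT-2": True, "SI-3": True, "SI-8": False}),
    Technique("T1078", 0.8, {"auth logs": True, "impossible-travel analytic": True},
              {"AC-2": True, "IA-2": False, "IA-5": False}),
    Technique("T1059", 0.6, {"script block logging": False, "EDR process tree": True},
              {"CM-7": False, "SI-4": True}),
    Technique("T1021", 0.3, {"lateral auth logs": True}, {"AC-17": True, "SC-7": True}),
]

if __name__ == "__main__":
    print("Detect score:", weighted_score(SAMPLE, "detections"))   # 71.2
    print("Protect score:", weighted_score(SAMPLE, "controls"))    # 56.4
    print("Gaps by exposure:", prioritized_gaps(SAMPLE))
```

Re-running the scoring as likelihoods are refreshed from threat intelligence, or as controls are switched on, gives the dynamically updated picture the framework is described as providing.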