
K&N Engineering shifts left for greater cloud security
Organization: K&N Engineering
Project: Code to Cloud Security Transformation
Security leader: Iqbal Rana, CIO
Manufacturing company K&N Engineering manages its own direct-to-consumer ecommerce environment in AWS. CIO Iqbal Rana, who oversees security, has always followed security best practices in the cloud, relying on cloud-native security capabilities and controls implemented by his security team to ensure “we had all the right things in place.”
But an assessment by his cyber insurance company a couple of years ago alerted him to a security vulnerability in the software deployment tool used by his IT workers.
That alert prompted Rana to immediately address the vulnerability — and to more aggressively look at the risks within his vendor environment and in IT processes, he says.
That led to K&N’s Code to Cloud Security Transformation, which tackles vulnerabilities not only in vendor tools but also in the code his team was deploying.
The initiative involved implementing a code-to-cloud security framework and Wiz technology, which integrated security into every stage of the development lifecycle across K&N’s AWS and Azure environments.
Now his team can proactively identify and remediate vulnerabilities before deployment, ensuring secure, compliant, and efficient cloud operations.
“So we not only fix the deployment risk but also code risk as well,” he says, explaining that the technology prevents code with known vulnerabilities from being inadvertently deployed. “And it doesn’t end there. When the code is deployed [and] you’re live in production, at that point it keeps checking on an ongoing basis. So we have a dashboard that will tell us not only any infrastructure vulnerability but also any problem with the code.”
Rana says the technology enabled a transformative shift-left strategy, as his team can now uncover and remediate hundreds of hidden vulnerabilities. It also gave the team near real-time visibility into risk exposure while strengthening compliance and safeguarding critical revenue streams.
Security transformation fortifies McDonald’s resilience while reducing risk
Organization: McDonald’s
Project: Securing the Arches
Security leader: Mike Gordon, CISO
McDonald’s has more than 44,000 locations operating in more than 100 countries, serving 69 million-plus customers daily. Approximately 95% of its restaurants are operated by local franchisees.
The company’s technology stack reflects its size, global reach, and distributed nature. Its cyber risk does, too. For example, its mobile app connects some 250 million consumers to its restaurants.
“Digital transformation created a much more connected ecosystem at McDonald’s than was ever imagined by Ray Kroc,” says company CISO Mike Gordon. “As such, cyber risk was way higher than it ever was.”
An assessment of the company’s security posture performed a few years ago confirmed as much, showing tech leadership there was room for improvement. The assessment determined that the company’s maturity on the NIST Cybersecurity Framework trailed industry peers. It also showed that its cybersecurity capabilities, including foundational controls and visibility into threats and vulnerabilities, varied widely across regions.
As a result, McDonald’s CIO championed a transformation and hired Gordon in early 2024 to execute it.
The Securing the Arches (STA) program modernized and unified cybersecurity across both the company’s corporate and licensed markets. STA established a consistent foundation for identity controls, vulnerability management, data protection, and threat detection across the company’s 100-plus markets. It also established consistent, enterprise-grade protections through shared services that include a global SOC, secure development pipelines, proactive testing, and systemwide endpoint visibility.
The size and structure of this transformation required strong executive skills.
“I’m not a CISO of one company; I’m fundamentally the CISO of about 150 companies, of which I actually only have direct control over one,” Gordon explains, saying transformation success meant building relationships and influencing other leaders as well as deploying the right technology and technical skills within the security team.
STA has strengthened the company’s resilience and reduced risk, thereby providing the security foundation needed to support McDonald’s accelerating digital growth. As the company’s cybersecurity maturity has climbed, Gordon says he’s now enacting Securing the Arches 2.0 with a focus on continually improving the effectiveness of the cybersecurity program. “We’ll continue to evolve,” he adds.
MISO brings maturity and metrics to threat action operations
Organization: Midcontinent Independent System Operator (MISO)
Project: STRIKE (Strategic Threat Reduction & Intelligence-Driven Knowledge Engine)
Security leader: Eric Miller, VP and CISO
Like many security departments, MISO’s security team used common tools such as NIST frameworks and other maturity models to score its program and track its maturity improvements.
“But from a threat intelligence and a threat hunting perspective, there wasn’t really a particular meaningful metric to indicate how successful our program was,” says David Webb, director of MISO’s cyber threat action center.
As a result, MISO security leaders and other executives weren’t able to clearly track the center’s effectiveness or whether it was maturing. So in 2024 Webb and threat researcher Nate Apperson started the Strategic Threat Reduction & Intelligence-Driven Knowledge Engine, or STRIKE.
STRIKE transforms cybersecurity risk management by integrating global threat intelligence, MITRE ATT&CK mapping, and NIST frameworks into a unified model. It delivers real-time scoring that quantifies visibility gaps and control effectiveness against real-world adversary tactics. It also prioritizes actions based on threat likelihood and readiness. And it provides a prescriptive path for technical configuration, thereby reducing remediation and analysis cycles to near-instant.
According to Webb, STRIKE ensures security activities align with threat intel and contribute to advancing the overall cybersecurity strategy. It also provides metrics for measuring the effectiveness of threat hunting — a vital benefit.
“When we do a threat hunt or when we complete one, what’s the output? We wanted more than just a check mark on the top of the page saying that we’ve completed the threat hunt,” Webb explains. “We want to show that we are reducing risk throughout the organization.”
It’s a common challenge, he says, as traditional risk management relies on siloed frameworks and subjective prioritization. This leaves gaps between threat intelligence, control requirements, and technical remediation.
To overcome that challenge, STRIKE operationalizes threat intelligence to identify active adversary behaviors and align them to MITRE ATT&CK techniques, thereby ensuring risk decisions are based on real-world threats. STRIKE also creates links between ATT&CK techniques, NIST CSF functions, and NIST SP 800-53 controls, thus clarifying which controls mitigate which adversary behaviors and highlighting gaps across policy, process, and technology. Additionally, Webb says that by incorporating DISA STIGs, STRIKE provides the technical steps to close control gaps.
Tying it all together is STRIKE’s Detect & Protect Scoring Framework, a quantitative model that measures visibility (detect) and defensive strength (protect) against high-risk techniques with scores weighted by threat likelihood and updated dynamically.
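To make the shape of such a model concrete, here is an added Python example (not STRIKE's own code or formula) that averages control coverage per ATT&CK technique, weights the program-level detect and protect scores by an assumed threat likelihood, and ranks the gaps by likelihood times shortfall. The technique-to-control mapping, the likelihoods and every coverage number are constructed for illustration, not a maintained reference mapping.

```python
# Added example, not MISO's STRIKE code: every value below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    detect: float   # share of the control's detection capability in place (0..1)
    protect: float  # share of its preventive capability in place (0..1)

# Constructed: ATT&CK technique id -> assumed likelihood (0..1) from threat intel.
LIKELIHOOD = {"T1566": 0.9, "T1078": 0.8, "T1059": 0.6, "T1486": 0.4}

# Constructed technique -> NIST SP 800-53 control mapping (illustrative only).
TECH_TO_CONTROLS = {
    "T1566": ["AT-2", "SI-3", "SI-4"],
    "T1078": ["AC-2", "IA-2", "AU-6"],
    "T1059": ["CM-7", "SI-4"],
    "T1486": ["CP-9", "SI-3"],
}

# Constructed control posture, as a STIG-style configuration check might report it.
CONTROLS = {
    "AT-2": Control(0.0, 0.5), "SI-3": Control(0.8, 0.8), "SI-4": Control(0.6, 0.2),
    "AC-2": Control(0.4, 0.6), "IA-2": Control(0.2, 1.0), "AU-6": Control(0.7, 0.0),
    "CM-7": Control(0.0, 0.4), "CP-9": Control(0.0, 1.0),
}

def technique_scores(tech):
    """Mean detect and protect coverage of the controls mapped to one technique."""
    ctrls = [CONTROLS[c] for c in TECH_TO_CONTROLS[tech]]
    return (sum(c.detect for c in ctrls) / len(ctrls),
            sum(c.protect for c in ctrls) / len(ctrls))

def program_scores():
    """Program-level (detect, protect) scores, weighted by technique likelihood."""
    total = sum(LIKELIHOOD.values())
    detect = sum(w * technique_scores(t)[0] for t, w in LIKELIHOOD.items())
    protect = sum(w * technique_scores(t)[1] for t, w in LIKELIHOOD.items())
    return detect / total, protect / total

def prioritized_gaps(threshold=0.5):
    """Techniques below threshold on detect or protect, ranked by likelihood * shortfall."""
    gaps = []
    for tech, weight in LIKELIHOOD.items():
        detect, protect = technique_scores(tech)
        shortfall = max(threshold - detect, threshold - protect, 0.0)
        if shortfall > 0:
            # Weakest mapped controls first: the prescriptive "fix this next" list.
            weakest = sorted(TECH_TO_CONTROLS[tech], key=lambda c: CONTROLS[c].detect + CONTROLS[c].protect)
            gaps.append((tech, round(weight * shortfall, 3), weakest[:2]))
    return sorted(gaps, key=lambda g: g[1], reverse=True)
```

Re-running the scoring after each control change is what turns a completed hunt into a measurable risk reduction rather than a check mark.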
