K&N Engineering shifts left for better cloud security
Organization: K&N Engineering
Project: Code to Cloud Security Transformation
Security leader: Iqbal Rana, CIO
Manufacturing company K&N Engineering runs its own direct-to-consumer ecommerce environment in AWS. CIO Iqbal Rana, who oversees security, has always followed security best practices in the cloud, relying on cloud-native security capabilities and controls implemented by his security team to ensure “we had all the right things in place.”
But an assessment by his cyber insurance company a couple of years ago alerted him to a security vulnerability in the software deployment tool used by his IT staff.
That alert prompted Rana to address the vulnerability immediately, and to look more aggressively at the risks within his vendor environment and in IT processes, he says.
That led to K&N’s Code to Cloud Security Transformation, which tackles vulnerabilities not only in vendor tools but also in the code his team was deploying.
The initiative involved implementing a code-to-cloud security framework and Wiz technology, which integrated security into every stage of the development lifecycle across K&N’s AWS and Azure environments.
Now his team can proactively identify and remediate vulnerabilities before deployment, ensuring secure, compliant, and efficient cloud operations.
“So we not only fix the deployment risk but also code risk as well,” he says, explaining that the technology prevents code with known vulnerabilities from being inadvertently deployed. “And it doesn’t end there. When the code is deployed [and] you’re live in production, at that point it keeps checking on an ongoing basis. So we have a dashboard that can tell us not only any infrastructure vulnerability but also any problem with the code.”
Rana says the technology enabled a transformative shift-left strategy, as his team can now uncover and remediate hundreds of hidden vulnerabilities. It also gave the team near real-time visibility into risk exposure while strengthening compliance and safeguarding critical revenue streams.
Security transformation fortifies McDonald’s resilience while reducing risk
Organization: McDonald’s
Project: Securing the Arches
Security leader: Mike Gordon, CISO
McDonald’s has more than 44,000 locations operating in more than 100 countries, serving 69 million-plus customers daily. Roughly 95% of its restaurants are operated by local franchisees.
The company’s technology stack reflects its size, global reach, and distributed nature. Its cyber risk does, too. For example, its mobile app connects some 250 million consumers to its restaurants.
“Digital transformation created a much more connected ecosystem at McDonald’s than was ever imagined by Ray Kroc,” says company CISO Mike Gordon. “As such, cyber risk was way higher than it ever was.”
An assessment of the company’s security posture conducted several years ago confirmed as much, showing tech leadership there was room for improvement. The assessment determined that the company’s maturity on the NIST Cybersecurity Framework trailed industry peers. It also showed that its cybersecurity capabilities, including foundational controls and visibility into threats and vulnerabilities, varied widely across locations.
As a result, McDonald’s CIO championed a transformation and hired Gordon in early 2024 to execute it.
The Securing the Arches (STA) program modernized and unified cybersecurity across both the company’s corporate and licensed markets. STA established a consistent foundation for identity controls, vulnerability management, data protection, and threat detection across the company’s 100-plus markets. It also established consistent, enterprise-grade protections through shared services that include a global SOC, secure development pipelines, proactive testing, and systemwide endpoint visibility.
The size and structure of this transformation required strong executive skills.
“I’m not a CISO of one company; I’m essentially the CISO of about 150 companies, of which I actually only have direct control over one,” Gordon explains, saying transformation success meant building relationships and influencing other leaders as well as deploying the right technology and technical skills across the security team.
STA has strengthened the company’s resilience and reduced risk, thereby providing the security foundation needed to support McDonald’s accelerating digital growth. As the company’s cybersecurity maturity has climbed, Gordon says he’s now enacting Securing the Arches 2.0 with a focus on continually improving the effectiveness of the cybersecurity program. “We’ll continue to evolve,” he adds.
MISO brings maturity and metrics to threat action operations
Organization: Midcontinent Independent System Operator (MISO)
Project: STRIKE (Strategic Threat Reduction & Intelligence-Driven Knowledge Engine)
Security leader: Eric Miller, VP and CISO
Like many security departments, MISO’s security team used common tools such as NIST frameworks and other maturity models to score its program and track its maturity improvements.
“But from a threat intelligence and a threat hunting perspective, there wasn’t really a particular meaningful metric to indicate how successful our program was,” says David Webb, director of MISO’s cyber threat action center.
As a result, MISO security leaders and other executives weren’t able to clearly track the center’s effectiveness or whether it was maturing. So in 2024 Webb and threat researcher Nate Apperson started the Strategic Threat Reduction & Intelligence-Driven Knowledge Engine, or STRIKE.
STRIKE transforms cybersecurity risk management by integrating global threat intelligence, MITRE ATT&CK mapping, and NIST frameworks into a unified model. It delivers real-time scoring that quantifies visibility gaps and control effectiveness against real-world adversary tactics. It also prioritizes actions based on threat likelihood and readiness. And it provides a prescriptive path for technical configuration, thereby reducing remediation and assessment cycles to near-instant.
According to Webb, STRIKE ensures security actions align with threat intel and contribute to advancing the overall cyber security strategy. It also provides metrics for measuring the effectiveness of threat hunting, a critical benefit.
“When we do a threat hunt or when we complete one, what’s the output? We wanted more than just a check mark on the top of the page saying that we’ve completed the threat hunt,” Webb explains. “We want to show that we’re reducing risk throughout the organization.”
It’s a common challenge, he says, as traditional risk management relies on siloed frameworks and subjective prioritization. This leaves gaps between threat intelligence, control requirements, and technical remediation.
To overcome that challenge, STRIKE operationalizes threat intelligence to identify active adversary behaviors and align them to MITRE ATT&CK techniques, thereby ensuring risk decisions are based on real-world threats. STRIKE also creates links between ATT&CK techniques, NIST CSF functions, and NIST SP 800-53 controls, thus clarifying which controls mitigate which adversary behaviors and highlighting gaps across policy, process, and technology. Furthermore, Webb says that by incorporating DISA STIGs, STRIKE provides the technical steps to close control gaps.
Tying it all together is STRIKE’s Detect & Defend Scoring Framework, a quantitative model that measures visibility (detect) and defensive strength (protect) against high-risk techniques, with scores weighted by threat likelihood and updated dynamically.
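The technique-to-control mapping and likelihood-weighted detect/protect scoring described above, sketched as a small Python model. This is an added illustration, not MISO's STRIKE code or its actual formula: the technique likelihoods, the control effectiveness values, the averaging and residual-risk arithmetic, and the gap threshold are all assumptions; the ATT&CK technique IDs and SP 800-53 control IDs are real identifiers, but which control is mapped to which technique is constructed for the example.

```python
# Constructed sample data: ATT&CK techniques that threat intel reports as active,
# each with an assumed likelihood weight in [0, 1].
ACTIVE_TECHNIQUES = {
    "T1566": ("Phishing", 0.9),
    "T1078": ("Valid Accounts", 0.8),
    "T1059": ("Command and Scripting Interpreter", 0.7),
    "T1486": ("Data Encrypted for Impact", 0.6),
}

# Technique -> list of (NIST CSF function, SP 800-53 control, score role).
# The role says whether the control feeds the "detect" (visibility) score or
# the "protect" (defensive strength) score. Constructed mapping, illustrative only.
CONTROL_MAP = {
    "T1566": [("Protect", "AT-2", "protect"), ("Detect", "SI-4", "detect")],
    "T1078": [("Protect", "IA-2", "protect"), ("Protect", "AC-2", "protect"),
              ("Detect", "AU-6", "detect")],
    "T1059": [("Protect", "CM-7", "protect"), ("Detect", "SI-4", "detect")],
    "T1486": [("Recover", "CP-9", "protect"), ("Detect", "SI-4", "detect")],
}

GAP_THRESHOLD = 0.5  # assumed: a control scoring below this is reported as a gap


def score(control_status):
    """control_status maps control id -> assessed effectiveness 0.0..1.0.
    A control absent from the dict counts as not implemented (0.0).
    Returns, per active technique, the detect and protect scores, a
    likelihood-weighted residual risk, and the controls flagged as gaps."""
    report = {}
    for tid, (name, likelihood) in ACTIVE_TECHNIQUES.items():
        by_role = {"detect": [], "protect": []}
        gaps = []
        for csf_function, control, role in CONTROL_MAP[tid]:
            effectiveness = control_status.get(control, 0.0)
            by_role[role].append(effectiveness)
            if effectiveness < GAP_THRESHOLD:
                gaps.append((csf_function, control))
        detect = sum(by_role["detect"]) / len(by_role["detect"])
        protect = sum(by_role["protect"]) / len(by_role["protect"])
        # Residual risk: likelihood scaled by how much coverage is still missing.
        residual = round(likelihood * (1 - (detect + protect) / 2), 3)
        report[tid] = {"name": name, "detect": round(detect, 3),
                       "protect": round(protect, 3), "residual": residual,
                       "gaps": gaps}
    return report


def prioritize(report):
    """Order technique IDs by residual risk, highest first, to drive remediation."""
    return sorted(report, key=lambda tid: report[tid]["residual"], reverse=True)
```

Re-running `score` with updated effectiveness values or a changed likelihood table is what "updated dynamically" amounts to in this toy version; the real framework's weighting is not published on this page.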