Winners of the 2026 CSO Awards showcase cyber innovation that enables business
K&N Engineering shifts to cloud security
Organization: K&N Engineering
Project: Cloud security conversion code
Safety leader: Iqbal Rana, CIO
Manufacturing company K&N Engineering manages its direct-to-consumer ecommerce site on AWS. CIO Iqbal Rana, who oversees security, has been following cloud security best practices, relying on native and cloud security capabilities managed by his security team to ensure “we have all the right things in place.”
But an audit by his cyber insurance company a few years ago alerted him to security risks in a software distribution tool used by his IT staff.
That warning prompted Rana to quickly remediate the risk — and take a closer look at the vulnerabilities in his vendor environment and IT processes, he says.
That led to K&N’s Code to Cloud Security Transformation, which addressed risks not only in the vendor’s tools but also in the code its team was deploying.
The program involves implementing a code-to-cloud security framework and Wiz technology, which integrates security at all stages of the development lifecycle across K&N’s AWS and Azure environments.
Now his team can proactively identify and remediate vulnerabilities before deployment, ensuring a secure, compliant, and efficient cloud operation.
“So we’re not only fixing the risk of deployment but also the code,” he said, explaining that the technology prevents code with known vulnerabilities from being unknowingly distributed. “And it doesn’t end there. Once the code is used [and] is live in production, at which point it is constantly testing. So we have a dashboard that will tell us not just any infrastructure vulnerability but any code problem.”
Rana says that technology has enabled the strategy to shift left, as his team is now able to uncover and fix hundreds of hidden vulnerabilities. It also gave the team near real-time visibility into risk exposure while strengthening compliance and protecting critical revenue streams.
Security reforms strengthen McDonald’s resilience while reducing risk
Organization: McDonald’s
Project: Protecting the Arches
Safety leader: Mike Gordon, CISO
McDonald’s has more than 44,000 locations operating in more than 100 countries, serving 69 million customers every day. About 95% of its restaurants are operated by local franchisees.
The company’s technology stack reflects its size, global reach, and distributed nature. Its cyber risks are, too. For example, its mobile app connects about 250 million consumers with its restaurants.
“Digital transformation has created a more connected ecosystem at McDonald’s than Ray Kroc imagined,” said company CISO Mike Gordon. “Therefore, cyber risk was much higher than before.”
An assessment of the company’s security posture made a few years ago confirmed a lot, showing the technical leadership that there was room for improvement. The assessment determined that the company’s maturity on the NIST Cybersecurity Framework trails industry peers. It also pointed out that its cyber security capabilities, including basic controls and visibility into threats and vulnerabilities, vary widely across regions.
As a result, McDonald’s CIO championed change and hired Gordon in early 2024 to implement it.
The Securing the Arches (STA) program has been updated and integrated cyber security across all of the company’s corporate and licensed markets. STA has established a consistent foundation for identity management, vulnerability management, data protection, and threat detection across the company’s 100+ markets. It also established consistent, enterprise-grade security through shared services including a global SOC, secure development pipelines, functional testing, and endpoint visibility of the system.
The scale and structure of this change required high-strength skills.
“I’m not the CISO of one company; I’m basically the CISO of about 150 companies, in fact I only directly manage one,” explained Gordon, saying that successful transition means building relationships and influencing other leaders and applying the right technology and technical skills to the security team.
STA strengthened the company’s resilience and reduced risk, thereby providing the security foundation needed to support McDonald’s digital growth. As the company’s cybersecurity growth accelerates, Gordon says he is now endorsing Securing the Arches 2.0, which focuses on continuously improving the effectiveness of the cybersecurity program. “We will continue to improve,” he adds.
MISO brings maturity and metrics to threat intelligence operations
Organization: Midcontinent Independent System Operator (MISO)
Project: STRIKE (Strategy-Driven Information Engine)
Safety leader: Eric Miller, VP and CISO
Like many defense departments, MISO’s security team used common tools like NIST frameworks and other maturity models to find their plan and track growth.
“But from a threat intelligence perspective and a threat hunting perspective, there really wasn’t any meaningful metric to show how successful our program was,” said David Webb, director of MISO’s cyber threat center.
As a result, MISO security leaders and other managers could not clearly track the facility’s performance or maturity. So in 2024 Webb and threat researcher Nate Apperson started the Strategic Threat Reduction & Intelligence-Driven Knowledge Engine, or STRIKE.
STRIKE transforms cybersecurity risk management by integrating global threat intelligence, the MITER ATT&CK map, and NIST frameworks into a unified model. It delivers real-time scores that measure visibility gaps and manage effectiveness against enemy real-world tactics. It also prioritizes actions based on threat presence and preparedness. It also provides a set method for technical configuration, thereby reducing maintenance and analysis cycles to near-instant.
According to Webb, STRIKE ensures that security operations are aligned with threat intel and contributes to improving the overall cyber security strategy. It also provides metrics to measure threat hunting performance – a significant benefit.
“When we do a threat hunt or when we finish one, what comes out? We wanted more than just a check mark at the top of the page that said we’ve completed a threat hunt,” Webb explained. “We want to show that we are reducing risk for the entire organization.”
It’s a common challenge, he says, as disaster management has traditionally relied on closed structures and prioritization. This leaves a gap between threat intelligence, regulatory requirements, and technical readiness.
To overcome that challenge, STRIKE uses threat intelligence to identify active adversary behavior and align with MITER ATT&CK strategies, thereby ensuring risk decisions are based on real-world threats. STRIKE also creates links between ATT&CK strategies, NIST CSF activities, and NIST SP 800-53 controls, thereby clarifying which controls are in place to mitigate which adversary behaviors and highlighting gaps in all policy, procedure, and technology. Additionally, Webb says that by incorporating DISA STIGs, STRIKE provides technical measures to close regulatory gaps.
Rounding it all out is STRIKE’s Detect & Protect Scoring Framework, a quantitative model that measures visibility (detection) and defensive capabilities (protection) against high-risk strategies with a probability-weighted and dynamically updated threat score.
