Fast food chains such as Chipotle Mexican Grill are facing familiar challenges when it comes to cloud security: managing complexity, risk, and cost across an ever-expanding multi-cloud footprint.

That’s according to Chipotle deputy chief information officer Shawn Harris, who claims it is critical for cloud leaders, CIOs and security chiefs to discuss moving to the cloud early on in the process.

“Security teams don’t always get to decide whether the business goes multi-cloud,” Harris said during a recent online RSA panel. “But it introduces extra costs, not just financial, but operational and technical. So, it’s critical to have honest conversations with your CIO and cloud leaders early on.”

Just as crucial, Harris knows how important securing the cloud early can be, lest it lead to sprawl, shadow IT, and runaway costs.

Harris, who also sits on the RSA programme committee for cloud security and contributed to the Cloud Controls Matrix at the Cloud Security Alliance, talked about why modern cloud security must begin well before infrastructure is provisioned or code is deployed.

Chipotle’s Cloud Complexity

Harris explained that multi-cloud is often framed as a resilience strategy, allowing organisations to take advantage of different providers’ strengths. Google Cloud, for instance, is frequently seen as best for Kubernetes (a system for automating the deployment, scaling and management of containerised applications), he says.

But this approach can create its own complications.

“Each cloud provider has its own tools, its own terminology,” Harris added, explaining that engineers need to be fluent in all of them, which isn’t always realistic.

Security tooling that spans providers acts as connective tissue, helping security teams monitor configurations, identify misaligned permissions, and enforce baseline controls, even when different teams are working in different environments.

But technology alone isn’t enough. Harris emphasised the importance of platform engineering principles: embedding security into the very fabric of how teams experiment, prototype, and deploy services.

“We apply those principles from the start,” he said. “My security architecture teams are involved from the idea stage of the tech efforts.”

Chipotle’s Shadow IT

A recurring theme in the discussion was shadow IT, the phenomenon of business-led technology adoption that occurs outside official channels. It is easier than ever for teams to spin up SaaS applications or cloud infrastructure using a corporate credit card, leaving security and procurement in the dark.

Dan Glass, CISO of the firm At Large, was also on the panel, where he explained that complex multi-cloud environments often house apps and data that cloud security teams may not even know about.

“We call it partial threat surface management – you’re trying to get your arms around where your apps and data really live.”

To regain control, Harris’s team uses tools to monitor network activity and discover unsanctioned services. Secure Access Service Edge (SASE) solutions, for example, can flag when employees start using new cloud platforms. SaaS discovery tools help surface accounts created without formal approval.

But detection is only the first step. Just as important is the cultural shift toward early engagement. Harris’s teams aim to influence projects from inception, not just react after the fact.

The ‘guac’ is extra

Glass also pointed out that, while cloud was introduced to save organisations money, it is easy to spin up costs without realising it. The question, then, is how security can reduce risk while also reducing cloud costs, by giving visibility into unnecessary or uncontrolled spending.

Harris said that at another organisation he worked at, there was an “innovation garage”, a separate cloud environment for testing and proof-of-concept projects. Unlike production systems, the garage could be shut down after hours or decommissioned entirely when no longer needed.

“People would start a proof of concept (POC), then get pulled away, and things would just keep running,” Harris said. “By putting guardrails around that environment, we could avoid waste and build good habits, like infrastructure-as-code and automation.”

The innovation garage model not only reduced unnecessary spend, but also helped teams improve their resilience. “If your cloud went down today, how long would it take you to rebuild?” Harris asked. “With CI/CD pipelines and containerisation, the answer should be hours, not days.”

Chipotle’s Procurement Alliance

For Harris, cost visibility and security are becoming more entwined. Unexplained spikes in cloud billing are now considered potential security signals.

Harris pointed to advice he had been given to examine suspicious surges in cloud spend that could indicate unauthorised usage: “Crypto miners, for example … or someone spinning up resources outside the approved process.”
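The billing-as-security-signal idea above is straightforward to put into practice. The script below is an added example, not code from the article or from Chipotle: it scores each account's daily bill against that account's own recent history (median plus median absolute deviation, a simple robust z-score), reports which service drove a jump, and separately flags any service an account has never paid for before, since a brand-new line item such as GPU instances in a sandbox is exactly the "resources outside the approved process" pattern Harris describes. Every account name, service name and dollar figure in it is constructed for illustration.

```python
"""Treat unexplained cloud-spend spikes as security signals.

Added example, not code from the article or from Chipotle. It scores each
account's daily bill against its own recent history (median and median
absolute deviation, a simple robust z-score) and reports which service drove
the jump and whether any service appeared for the first time. All accounts,
services and dollar amounts are constructed for illustration.
"""
from collections import defaultdict
from statistics import median


def build_sample_billing():
    """Constructed billing export: (day, account, service, usd).

    Seven quiet days, then on day 8 the sandbox account's compute bill jumps
    and a never-before-seen GPU line item appears (the shape one would expect
    from an unauthorised miner or an unapproved proof of concept).
    """
    rows = []
    for day in range(1, 8):
        rows.append((day, "prod-web", "compute", 400.0 + 5 * (day % 3)))
        rows.append((day, "prod-web", "storage", 95.0 + (day % 2)))
        rows.append((day, "dev-sandbox", "compute", 35.0 + 2 * (day % 4)))
    rows += [
        (8, "prod-web", "compute", 405.0),
        (8, "prod-web", "storage", 96.0),
        (8, "dev-sandbox", "compute", 640.0),
        (8, "dev-sandbox", "gpu-instances", 1200.0),
    ]
    return rows


def totals_by_account(rows):
    """Group rows into {account: {day: {service: usd}}}, summing duplicates."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(float)))
    for day, account, service, usd in rows:
        totals[account][day][service] += usd
    return totals


def find_spend_anomalies(rows, day, threshold=3.0, min_history=5):
    """Return one finding per account whose bill on `day` is out of character.

    An account is flagged when its daily total sits more than `threshold`
    MADs above the median of earlier days, or when a service it has never
    paid for before shows up. `min_history` earlier days are required so a
    brand-new account is not scored against an empty baseline.
    """
    findings = []
    for account, by_day in totals_by_account(rows).items():
        past_days = {d: s for d, s in by_day.items() if d < day}
        if day not in by_day or len(past_days) < min_history:
            continue
        history = [sum(s.values()) for s in past_days.values()]
        baseline = median(history)
        mad = median(abs(h - baseline) for h in history)
        scale = mad if mad > 0 else max(1.0, 0.05 * baseline)  # flat history
        today = by_day[day]
        today_total = sum(today.values())
        score = (today_total - baseline) / scale

        seen = set()
        for s in past_days.values():
            seen.update(s)
        new_services = sorted(set(today) - seen)

        if score <= threshold and not new_services:
            continue

        # Attribute the jump: each service's spend today minus its usual spend.
        deltas = {}
        for service, usd in today.items():
            usual = median([s.get(service, 0.0) for s in past_days.values()])
            deltas[service] = usd - usual
        driver = max(deltas, key=deltas.get)

        findings.append({
            "account": account,
            "day": day,
            "baseline_usd": round(baseline, 2),
            "today_usd": round(today_total, 2),
            "score": round(score, 1),
            "driver": driver,
            "driver_delta_usd": round(deltas[driver], 2),
            "new_services": new_services,
        })
    return findings


if __name__ == "__main__":
    for f in find_spend_anomalies(build_sample_billing(), day=8):
        print(f"{f['account']}: ${f['today_usd']} vs baseline ${f['baseline_usd']} "
              f"(score {f['score']}), driven by {f['driver']} "
              f"(+${f['driver_delta_usd']}); new services: {f['new_services'] or 'none'}")
```

A finding from this is a triage prompt for the finance and security partnership described here, not proof of compromise: a legitimate launch produces the same shape, so the next step is to check who created the flagged resources and whether the change went through the approved process.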

That has changed the way security teams interact with procurement. Rather than treating them as a barrier, Harris views finance teams as partners in threat surface management.
