The restaurant industry presents a cybersecurity challenge that is deceptively complex. Thousands of point-of-sale systems across hundreds or thousands of locations, mobile ordering platforms handling millions of transactions daily, loyalty programs holding sensitive customer data, franchise networks with inconsistent technology standards, and supply chains connecting corporate systems to hundreds of independent operators all create an attack surface that rivals financial services in breadth if not in regulatory scrutiny. The leaders in this feature are protecting some of the most recognizable food brands in the world, and their programs reflect what enterprise security looks like when the customer-facing technology never stops running and a breach affects everyone who has ever swiped a card at a drive-thru.
Mike Gordon — Senior Vice President and Chief Information Security Officer, McDonald’s
Mike Gordon joined McDonald’s as SVP and CISO in March 2024, bringing more than twenty-six years of security and technology leadership at Lockheed Martin, where he served as deputy CISO, VP and global CISO, and most recently VP and chief technology officer for IT. At Lockheed, he founded the National Defense Information Sharing and Analysis Center, served as defense industry sector chairman to the Department of Defense for all hazards security, led cybersecurity integration for more than $9 billion in acquisitions and divestitures, and was awarded the Washington Executive Public Company CISO of the Year in 2021. He co-authored Fixing American Cybersecurity: Creating a Strategic Public-Private Partnership and has established partnerships with corporate boards, intelligence agencies, congressional committees, and governments worldwide. He holds an active TS/SCI clearance and sits on several corporate, higher education, and nonprofit boards including the Board of Governors for Shriners Children’s Philadelphia. Bringing that level of defense industry security leadership to McDonald’s, which operates more than 40,000 locations in over 100 countries and processes billions of digital transactions annually, reflects the scale at which the world’s largest restaurant company approaches cybersecurity governance.
Dave Estlick — Chief Information Security Officer, Chipotle Mexican Grill
Dave Estlick has served as CISO at Chipotle since December 2019, bringing a background built across nearly a decade as CISO at Starbucks, where he also served as VP of technology infrastructure and enterprise security officer. Before Starbucks, he was director of information security and compliance at PetSmart and IT risk and compliance development manager at Amazon. He began his career as a systems and technical architect at Boeing and a system support engineer at Sun Microsystems. He sits on the board of directors of the Retail Cyber Intelligence Sharing Center, the Security Advisor Alliance, and the Internet Security Alliance, served on the PCI Security Standards Council advisory board for eight years, and advises SYN Ventures and Cyberstarts. That career arc from aerospace engineering through Amazon, PetSmart, and Starbucks to Chipotle reflects a security leader whose cross-sector depth and deep retail and restaurant security expertise inform how he approaches security at a company whose digital ordering and loyalty platform handles millions of daily customer transactions.
Ilija Vadjon — Chief Information Security Officer, The Wendy’s Company
Ilija Vadjon has spent nearly fourteen years at Wendy’s, building his career from staff IT auditor through senior IT auditor, manager of IT internal audit, manager of information risk and offensive security, director, senior director, deputy CISO, and stepping into the CISO role in February 2025. Before Wendy’s, he spent three and a half years as a senior auditor at Worthington Industries and three years at Ernst and Young in IT audit. His background is heavily anchored in penetration testing, PCI compliance, information risk management, and offensive security, and his progression from audit to offensive security to risk leadership to CISO reflects a practitioner whose technical depth informs how he approaches governance. Fourteen years inside a single restaurant company gives him an institutional understanding of Wendy’s technology environment, franchise network, and operational risk profile that external hires cannot quickly replicate.
Shawn O’Shea — Senior Vice President, CISO, Cloud and Infrastructure Operations, Dutch Bros Coffee
Shawn O’Shea joined Dutch Bros Coffee as SVP and CISO in April 2025, having previously served as CISO at Aramark for more than two years and as VP of global cybersecurity at lululemon for five years. Before lululemon, he was director of enterprise cloud services security and compliance at Nuance Communications and head of global information security, risk, and compliance at CooperVision. He began his career at PwC in systems and process assurance, building cross-industry audit and risk assessment experience across Boeing, HSBC, Mass Mutual, and others. His dual mandate at Dutch Bros covering CISO responsibilities alongside cloud and infrastructure operations reflects how the fast-growing coffee chain has chosen to integrate security and technology infrastructure leadership into a single executive function as it scales rapidly toward and beyond 1,000 locations.
Christopher Liles — Vice President and Chief Information Security Officer, Wingstop
Christopher Liles has served as CISO at Wingstop since June 2021, stepping into the VP title in April 2024. Before Wingstop, he spent more than three years as brand security lead and senior manager of infrastructure and security at Pizza Hut, reporting directly to the Yum! Brands CISO and responsible for security architecture, PCI and CCPA compliance, and network strategy across 5,000 US locations. His earlier career spans IT governance and security at TMX Finance, enterprise mobility program management at American Airlines, and more than twelve years at JC Penney across network engineering, project management, and IT management roles covering 80,000 devices companywide. He holds an MBA from SMU Cox School of Business and CISSP, PMP, and ITIL certifications. That combination of large-scale retail technology operations, enterprise mobility expertise, and restaurant sector security experience gives him a grounded understanding of the distributed, customer-facing technology environments that define the quick-service restaurant security challenge.
Ganjar Imansantosa — Chief Information Security Officer and Vice President of Technology Operations, Tropical Smoothie Cafe
Ganjar Imansantosa has served as CISO and VP of technology operations at Tropical Smoothie Cafe since August 2023, having joined the company as CISO in March 2022. Before Tropical Smoothie, he spent three and a half years as director of information security at Domino’s and before that nearly nine and a half years at Big 5 Sporting Goods across manager, senior manager, and director of information security roles. He began his career at Arthur Andersen and EY in technology risk consulting, serving clients across the Asia Pacific region and the United States including American Honda, HealthNet, Blizzard Entertainment, Harrah’s Casino, and Countrywide. He is a member of the National Retail Federation’s IT Security Council. His background reflects a practitioner who developed risk consulting expertise across multiple industries before building a career in retail and restaurant security, and whose dual CISO and technology operations mandate at Tropical Smoothie reflects the integrated security and operations model that growing franchise brands increasingly require.
William Hoisager — Chief Information Security Officer and Enterprise Architect, Pappas Restaurants
William Hoisager has spent nearly twenty-nine years at Pappas Restaurants in Houston, progressing from network engineer through IT infrastructure manager and information security architect before stepping into the combined CISO and enterprise architect role in October 2016. Pappas Restaurants operates a portfolio of upscale casual dining concepts including Pappadeaux Seafood Kitchen, Pappas Bros. Steakhouse, and Pappas Burger, and his dual mandate covering both security leadership and enterprise architecture reflects how closely the company integrates its security and technology strategy. His responsibilities span PCI-DSS and HIPAA compliance, disaster recovery and business continuity, and security architecture across a multi-brand, multi-location hospitality environment where both customer data and employee health information require careful governance. Nearly three decades inside a single restaurant company, progressing from network cabling to enterprise architecture and security leadership, reflects one of the more remarkable long-tenure profiles in this feature.
Restaurant Security Is a Consumer Trust Problem First
Every restaurant company in this feature is ultimately in the business of trust. Customers hand over payment card data, personal information, and location history every time they order through an app or tap their loyalty card at a register. A breach does not just create regulatory exposure. It damages the relationship between a brand and the customers who chose to engage with it digitally, often at the moment they were trying to do something as simple as order lunch. The leaders in this feature understand that, and their programs reflect a security philosophy grounded in protecting the customer experience as much as the enterprise infrastructure behind it.
Discover CISOs operating in the broader food and beverage sector:
- Michigan’s Food and Beverage CISOs: Securing the Supply Chain from Field to Fork
- CISOs to Watch in Norway’s Food and Beverage Industry
- Cybersecurity Leaders to Watch in the State of New York’s Food & Beverage Industry
- CISOs to Watch in Spain’s Food & Beverage Industry
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.