CISO, Chipotle

Dave Estlick

Since joining Chipotle in 2019, Dave Estlick has had a significant impact in the company’s cybersecurity posture. Upon starting his new role, he initiated a period of discovery, taking inventory of the brand’s infrastructure. He saw an opportunity to drive significant change across the organization which was equally open to prioritizing security.

Estlick had just enough time to develop his global information security roadmap and build his team of dedicated engineers, analysts, architects and project managers when the COVID-19 pandemic started. He transitioned the organization to a remote model supporting two Restaurant Support Centers (Newport Beach, Calif. and Columbus, Ohio) and 2,750 restaurants across North America and Europe. Under his direction, Chipotle launched the Single Sign-On (SSO) project in addition to a new VPN software for a safer and more reliable network connection. He drove the integration of Chipotle’s Commitment to Privacy, Data Protection & Cyber Security as an integral part of Chipotle’s new code of ethics and the brand’s new code of ethics training. Investing in both education for employees and stronger systems, he has not only built, but is executing a strategy that mitigates and identifies risk while championing the workforce as a part of the solution to drive performance.

Previously, Estlick was the Vice President and Chief Information Security Officer (CISO) for Starbucks, where he led the global technology infrastructure and global cybersecurity organization, including the establishment of the Starbucks private cloud. He was also the Director of Information Security & Compliance at PetSmart Inc.

He is most proud of leading the End-to-End (E2E) payment encryption project at PetSmart in 2008. He says, “After reaching the milestone of full PCI compliance for the enterprise in 2007, the following year we were faced with the potential of non-compliance due to end of support for our existing Windows-NT based Point of Sale (POS) systems. Lacking sufficient time to evaluate, select, procure and implement a new POS system, the CIO directed me to research and bring forward alternatives for consideration. After several weeks of research, I brought forth five alternatives with a recommendation to implement what I called E2E encryption.” Estlick’s recommendation was selected by leadership and then presented and approved for ancillary funding by the Board of Directors.

Through outstanding partnership and efforts of the both internal and external teams to the enterprise, Estlick was able to complete this initiative, from concept through deployment, in just nine months. This accomplishment stands out for several reasons, Estlick says. “First, it demonstrated creativity and innovation while directly aligning to my primary responsibilities of increasing security and protecting our customers and brand. Secondly, it delivered substantial value to our business by avoiding costly rearchitected solutions, premature or hurried investment in POS technology and unlocking new digital capabilities for customer engagement across the retail footprint (e.g. customer kiosks, digital signage, electronic shelf labels). Finally, and maybe most importantly, it later served as the case study and influential reference design for the PCI Point-to-Point Encryption (P2PE) Standard 1.0 released in 2012,” he says.

Estlick is active in the industry and has served in various board positions for Cyberstarts, Clear Sky, PCI Security Standards, Internet Security Alliance, Retail Cyber Intelligence Sharing Center, and Security Advisor Alliance.