In this episode of Patch Me If You Can™, host Arek Dreyer welcomes Kane Narraway, Head of Enterprise Security at Canva, to unpack some of security’s most pressing and often overlooked issues. Kane has a wealth of experience, having switched between IT and security leadership positions at notable organizations like Shopify, Atlassian, and even within the UK government. This background informs his balanced, pragmatic approach to solving complex security problems in fast-paced technology environments.
The conversation delves into the concept of Zero Trust architecture, zooming in on what Kane calls the “last mile”: the challenge of securing non-human identities, namely service accounts and API tokens. Kane explains that while industries have made giant strides in securing human users, the proliferation of automated service accounts has quietly expanded the attack surface. He outlines three primary strategies that organizations can employ to tighten controls around these identities: traditional IP allow-listing for sensitive services, the use of short-lived token proxies (as demonstrated by companies like Chainguard), and the much more complex route of building native integrations for automatic credential management. By improving these controls, teams can shift their focus from constantly reacting to exposures toward more proactive and strategic security work.
Beyond non-human identity, Kane weighs in on the secure adoption of AI and automation in the workplace, discussing opportunities and emerging protocols like Model Context Protocol (MCP). He also shares his career philosophy of alternating between IT and security roles to foster empathy, collaboration, and more practical solutions. Kane advises teams stuck in reactive workflows to revisit first principles, focus on high-impact outcomes, and not be afraid to trim unnecessary tasks in order to create real leverage. All in all, the episode offers actionable insights on bridging the practical and strategic sides of modern enterprise security.