Security Architect

Our 20-person Security Architecture team supports hundreds of developers deploying cross cloud, using cutting edge technologies, and at scale.  We have two new roles to provide additional support to our Customer and Online engineering domains.  Product teams are responsible for their own security, so we need to act differently than a traditional security team.  We’re security partners, not security police.

Our engineering teams have tremendous freedom in their work and the corresponding responsibility to do the right thing for our customers. Instead of controlling our engineering teams with process and security gates, we enable them to innovate by providing security advice to make the right decisions for Tesco. The good news is that our engineering teams are (usually) willing partners in doing better security, more efficiently and earlier in the process. We want you to help us scale out this security engagement.

So…why Tesco?

There is a huge amount of technology needed to serve our customers well, and the diversity and scale of our projects means wildly different security challenges.  Some current major initiatives include

• Our new centos/highly dockerised tills are starting to rollout – a big departure from the industry norm of off-the-shelf spaghetti code and maintenance headaches
• We’re the original big data company in the UK.  Tesco Clubcard has been going for 25 years and we’re heavily data driven
• We’re investing heavily in AI/ML in areas such as computer vision and natural language processing to better support our customer channels
• We’ve a large multi-cloud service-mesh initiative underway.  Dead simple if you’re just doing it on a single k8s cluster, but much harder at our scale and with polyglot tech stacks
• We’ve a great application security engineering team developing tooling to improve security at scale, and who you will be working closely with

Tesco has fully embraced devops and agile methods to develop our enterprise APIs, services and cloud capabilities.  Our 100+ delivery teams have loads of Docker, Kubernetes and microservices galore across Azure and AWS, so our security approach must work with elastic, here today, gone tomorrow infrastructure.  Our security approaches should be event-driven, real-time and effective.  Weekly scans are so 2010.

You might think that retail is a bit slow and sleepy, but we’re doing some cool stuff.

These roles are about transforming the way security is delivered within our Customer and Online engineering teams.  As our software and enterprise APIs continue the move to the cloud, we have different security challenges, and this role is to help teams navigate that change successfully.  The boundary between infrastructure and application has virtually disappeared and being secure means support through the entire SDLC – from threat modelling during design, during development then through to production and ops.

On a day-to-day basis you will

• Champion positive security change within the teams you support.  Teams will look to you to for direction and guidance on all security matters but there’s a whole security organisation to back you up, so that’s not as scary as it sounds
• Help product teams deliver new business features securely, while balancing and clearly articulating technical and business risk
• You will be expected to drive the deployment/integration of security capabilities into engineering teams within the product domain.  Reducing friction is paramount and we’re all about fast feedback within existing workflows, not adding another console for a developer to check
• Support teams in a collaborative manner in matters of application, cloud and data security, with threat modelling, risk treatment and security advice across all security domains.  If you can raise a PR (Pull Request) to fix a security issue, do so.
• The Customer role is mostly supporting backend teams using Java or C#.  Online teams are responsible for front end development using React and NodeJS, but our mobile app teams use Swift and Kotlin for native Android and iOS applications.

Longer-term, the nature of the role also means you are expected to identify new problem spaces, propose fixes engage across disciplines.  In other words, we want you to innovate and will give you the room to do so.  If you can think of ways to do security, faster, more accurately, with greater consistency and at scale while minimising friction, you’ll be supported all the way.    

What the role isn’t…

You won’t be selecting and deploying commercial endpoint solutions, building SOC (Security Operations Centre) capabilities or doing much in the IAM or networking space.  We have engineering and operational teams for all those sorts of things.  We have a security architecture framework to work within, but you won’t get told how to perform the role, it’s yours to shape in whatever way works best for your product and engineering stakeholders.

Technical

To excel in this position, you ideally have the following:

• Solid security experience across common security domains.  The technology might have changed but most of the security challenges haven’t
• A thorough understanding of modern application development practices so that new security capabilities can be introduced while minimising developer friction
• Hands-on experience with complex Azure and AWS architectures with an emphasis on containerised workloads in k8s.  Command-line/API experience is highly desirable as security automation is a strategic priority
• Some coding experience in something - Java, JavaScript, C#, bash, python or PowerShell.  You don’t need to “be a developer” but you do need to understand the implications of security on engineering velocity

I’ve you’ve got AWS and Azure, great!  If you have only one, we’ll train you in the other.  If you have neither, that’s a more challenging conversation, but may not be a show-stopper if you stand out in other areas.

The human side

Tesco places a great emphasis on our colleague culture. We’re a highly collaborative company and you can expect to deal with multiple teams with different ways of working.  Our goal is to be an enabling team, so being able to adapt your style to better support engineering teams will speed success.  One of our core principles is “we treat people how they want to be treated” so empathy and understanding, along with self-motivation are genuinely as important as technical skills.  In short, you like dealing with people and building strong professional relationships.

We offer excellent benefits that help make Tesco a great place to work!  These include but are not limited to:

• Annual bonus scheme of up to 45% of base salary
• Car allowance of £7320 per annum
• Holiday starting at 25 days plus a personal day (and bank holidays)
• Private medical insurance offered through Bupa
• Retirement savings plan – save between 4% and 7.5% and Tesco will match your contribution
• Life Assurance at 5x contractual pay
• Buy as you earn and Save as you earn share schemes

Our vision at Tesco is to become every customer’s favourite way to shop, whether they are at home or out on the move.  Our core purpose is “Serving our customers, communities and planet a little better every day”.  Serving means more than a transactional relationship with our customers.  It means acting as a responsible and sustainable business for all stakeholders, for the communities we are part of, and for the planet.

We are proud to have an inclusive culture at Tesco where everyone truly feels able to be themselves.  At Tesco, we not only celebrate diversity, but recognise the value and opportunity it brings.  We’re committed to creating a workplace where differences are valued, and make sure that all colleagues are given the same opportunities.  We’re a big business with diverse working patterns and many business areas which means that we can find something that works for you.  Everyone is welcome at Tesco.

We have recently announced that we are moving to a more blended working week – combining office and remote working.  Our offices continue to be where we connect, collaborate and innovate.  Talk to us about how this can work for you.

Note: Should you be successful in your application, your employment will be subject to and conditional upon you providing your bank account details on your agreed start date.