Head of Security

The role

As the Lead Security Partner, you will build and lead a team of security partners and engineers assigned to an engineering domain. You will engage with the tech director and leadership to drive security partnership and all initiatives top-down. You have higher sphere of influence. You understand the threat landscape and the business appetite to make the right decisions. You possess the required diversity of experience and the depth of knowledge.

About our Security Engineering

We are 15+ and growing team that supports Tesco technology and software development teams across cloud and other cutting edge technologies at scale. We have a new role to lead security partnerships to drive and oversee security initiatives for an engineering domain. Tesco technology comprises of several domains and over 120 teams developing software who are responsible for their own security, so we act differently than a traditional security team. We’re team of security partners, not security police.. and we go as far as calling ourselves as Security Partners, not Security Architects or Consultants. Security Engineering team is part of Security & Capability group that offers the enterprise with various security solutions and capabilities. Our software engineering teams have tremendous freedom in their work and the corresponding responsibility to do the right thing for our customers. Instead of controlling our engineering teams with process and security gates, we enable them to innovate by providing security guidance to make right decisions for Tesco. The good news is that our engineering teams are (usually) willing partners in doing better security, more efficiently and earlier in the process. We want you to help us scale out and represent ourselves for the wider engineering domain. Tesco has fully embraced devops and agile methodologies to develop our enterprise APIs, services and cloud capabilities. Our 100+ delivery teams have loads of Docker, Kubernetes and microservices galore across Azure and AWS, so our security approach must work with elastic, here today, gone tomorrow infrastructure. Our security approaches should be event driven, real-time and effective. Weekly scans are so 2010.

Developing strong security partnerships for Tesco Technology

These roles are about transforming the way security is delivered to our technology domains and software engineering teams. As our software and enterprise APIs continue to move to cloud, we have different security challenges, and this role is to help teams navigate that change successfully. The boundary between infrastructure and application has virtually disappeared and being secure means supporting through the entire SDLC – from threat modelling during design, to development, then through production and ops.

As the Head of Security (Lead Security Partner), you will:

• Build a good understanding of the business domain, its strategies, investments, technology diversities and the appetite for risks.
• Work closely with tech director and leadership to drive security initiatives across the domain and various product verticals.
• Understand the threat landscape and use them in the context of the business.
• Develop security acumen and ability to negotiate and challenge.
• Facilitate prioritization; you help the business make informed decisions.
• Be the key stakeholder in all exception grant process.
• Drive adoption/deployment of security capabilities into engineering teams.
• Develop annual/quarterly road-maps, plan them with product and engineering functions.
• Produce insightful metrics at the macro-level on initiatives taken and its effectiveness.
• Be the advocate to security, take part in strengthening our internal standards and guidelines.
• Align overall security activities to the Technology group’s cyber security goals.

As the manager, you will:

• Manage activities for the members of your team and team performance.
• Develop the internal backlog and aid the team to execute in alignment with engineering teams.
• Provide guidance and direction whilst challenge the status-quo.
• Manage individual performances and play a vital role in their personal development plans.
• Effectively manage cross-functional collaboration, communications and escalations.
• Promote team work, value and recognize key contributions regularly. Mentor and lead the team from front.
• Be the advocate for change and push boundaries.

Longer-term, the nature of the role also means you are expected to identify new problem spaces, propose solutions and engage across disciplines. In other words, we want you to innovate and will give you the room to do so. If you can think of ways to do security, faster, more accurately, with greater consistency and at scale while minimising friction, you’ll be supported all the way.

What the role isn’t…

You won’t be selecting and deploying commercial endpoint solutions, building SOC (Security Operations Centre) or other capabilities. We have engineering and operational teams for all those sorts of things. We have a security architecture framework to work within, but you won’t get told how to perform the role, it’s yours to shape in whatever way works best for your product and engineering stakeholders.

To excel in this position, we expect you to have the following:

• 15+ years of work experience with a bachelor degree or at least 12 years of work experience with an master degree in relevant area.
• Work experience in several industry segments; should have delivered security programs with management and engineering functions.
• Solid experience in many security domains, understand the wider threat landscape and business risks.
• Solid experience with customer-facing solutions, large enterprise deployments, microservice architecture, distributed computing, REST APIs, integration patterns, modern application frameworks, container based development and deployments.
• Solid experience with complex Azure and AWS architectures with exposure to managed Kubernetes, popular PaaS and SaaS services.
• Excellent interpersonal, facilitation, and leadership skills along with effective communication (both written and verbal) skills.
• Very good understanding of software security, network and infrastructure architecture with knowledge of security appliances.
• Hands-on experience in implementing security principles, privacy principles, industry standards such as NIST, ISO27001, CIS, MITRE framework.
• Hands-on experience with developing threat models and attack trees.
• Good understanding of application security and dev(sec)ops, the shift-left culture.
• Some coding experience is always a plus, either with Java, JavaScript, C#, bash, python or PowerShell.
• One or more certifications such as CISSP, CISM, CISA, CompTIA, and similar is a plus.

About Tesco

Our vision at Tesco is to become every customers’ favourite place to shop, at home, in town, or on the move, anywhere in the world.

Our continuous drive for the best tools and technologies helps us to deliver this vision. We’re driving innovation and transforming our technology solutions to become one of the world’s leading retailers.

We need people who share our ambition to deliver for our customers: passionate and confident people willing to take the initiative and drive us forwards.

In return we offer an exciting environment in a world class technology department, an excellent benefits package, and amazing career development opportunities.

If that sounds exciting, then we'd love to hear from you!

The position will be based at our Tesco Office at Welwyn Garden City, London.

About Tesco

Our vision at Tesco is to become every customers’ favourite place to shop, at home, in town, or on the move, anywhere in the world.

Our continuous drive for the best tools and technologies helps us to deliver this vision. We’re driving innovation and transforming our technology solutions to become one of the world’s leading retailers.

We need people who share our ambition to deliver for our customers: passionate and confident people willing to take the initiative and drive us forwards.

In return we offer an exciting environment in a world class technology department, an excellent benefits package, and amazing career development opportunities.

If that sounds exciting, then we'd love to hear from you!

The position will be based at our Tesco Office at Welwyn Garden City, London.