About The Cyber Security Team
Our cyber security team are the eyes and ears of our organisation. We use the latest technologies to increase visibility and protection of systems, services and data. To do this we need to stay ahead of the latest threats and continuously improve our tooling, techniques, and processes.
Responsible for developing and running security processes day-to-day for the Tesco Group, we're continually working to step change security capability to further enhance the protection and controls that we offer for our customers and colleagues across the UK, Europe and Asia, and we're looking to add great people to our growing team
We believe that skilled and passionate people are our greatest asset in reducing risk to our business and customers. We encourage and support continual development and learning, and recognise the importance of keeping up with changes in technology and an evolving threat landscape.
Communication is key - working collaboratively with our software and systems engineering teams to support security throughout the development lifecycle, as well as to build proactive monitoring and responses to security events.
About the Security Architecture Team
The Tesco Security Architecture team is responsible for facilitating the secure delivery of Tesco's APIs, platforms and services. Our role is to make Information Security relevant, simple and transformational, and support our colleagues in achieving their goals in a secure manner.
As Head of Security Architecture you will be responsible for building a new team and application security capability that ensure that applications are securely developed and a positive security culture is embedded into the working practices of application development teams. Information Security is a critical function within Tesco which operations under the office of the CIO.
The Information Security team consists of
- Cyber security though leaders
- Security architects, penetration testers and engineers
- Security incident specialists
- Security operations specialists
- Security risk and assurance analysts
The team deliver cyber security services globally to maintain and continuously improve Tesco's cyber security posture in an ever evolving cyber security landscape using state-of-the-art tools and in-house proprietary techniques.
Head of Security Architecture
- Provide leadership and oversight by setting the direction, strategy, deliverables, and operating model of Application Security within the Information Security function.
- Manage, oversee and direct a team of high technical security specialists (approximately 20) that deliver application security services to CIO teams across the organisation. Assess the applications for exposures to threats and vulnerabilities.
- Lead complex global application security improvement efforts that work across functional/regional technology and DevOps domains.
- Drive the uplift in security capability to ensure an appropriate toolset, technologies and processes are in place to achieve an effective application security service supporting the team's operational objectives.
- Defines and maintains the Application Security service and products strategy based on the evaluation of internal and external threat trends, business needs, regulatory and corporate drivers.
- Plans and manages the financing of the Application Security service (Run Tesco, Continuous Improvement budget, Change Tesco) within the Tesco financial framework.
- Manage and coordinate the effective delivery of high quality, cost effective, pragmatic and threat driven Application Security Services.
- Performs thorough assessment and analysis on new and existing changes to the Application Security service capability and its end-to-end components, ensuring fit for purpose solutions and appropriate service components are implemented.
- Act as the Tesco thought leader for Application Security and ensure the service stays ahead of competitive and industry trends.
- Institutionalise Secure SDLC across global application teams through advocacy, training and team-based coaching engagements.
- Develop and advocate the use of automated testing tools and processes, standardised frameworks and standards to enhance the agility and effectiveness of application security services
- Proactively engage with stakeholders to obtain buy-in for the service and manage the escalations and expectations accordingly.
- In-depth, hands-on working knowledge in application development with experience of application security, cryptography, identity and access management technologies and operational experience in a global organisation.
- Bachelor Degree in Software Engineering, Information Security, Computer Science/Information Technology or equivalent industry experience.
- A strong knowledge of Information Security principles and management
- Security certifications are a plus.
- Hands on experience of application security and Secure Development Lifecycles and their application in an agile environment.
- Use of SAST tools.
- Experience in cloud security in both the AWS and Azure space.
- Good understanding of DevOps with experience of Terraform, Ansible and/or Kubernetes
- Strong knowledge of web application server security
- Strong knowledge of OWASP, CVE, CWE and SANS CWE Top 10 Vulnerabilities, proactive controls and mitigation methods.
- Excellent organisational and leadership skills (successfully lead and managed end-to-end technology services and or technology operations) with ability to manage multiple deadlines and effectively prioritise.
- Experience of developing a people strategy, influencing stakeholders and decision makers, and executing decisions efficiently and consistently in the modern workplace.
- Ability to lead and control programme and/or project management in the context of a significant amount of change.
- Excellent communication skills - oral, written and presentation; technical reporting writing across various types of target audiences.
The Ideal Candidate
Key Skills and Experience
This role would suit someone with an application security / development background with experience in Security Architecture, to include:
- Good knowledge of JIRA
- In particular, we would like to target people with experience with OAuth 2.0, OpenID Connect, XACML, SCIM.
- Experience with Ping Identity, Twobo Technology and Axiomatics products would be a plus.
- Ability to demonstrate advanced understanding in the field of Information Security in terms of both concepts and technology
- Experience working with Cloud solutions and securing Amazon Web Services
- Knowledge and experience of working with OWASP
- Experience of security governance and compliance (e.g. GDPR, PCI-DSS, ISO27001)
- Strong understanding of the penetration testing lifecycle (scope, conduct, analysis, client delivery)
- An excellent level of attention to detail and a strong sense of ownership
- Ability to articulate complex technical or sensitive issues to a wide audience is essential
- Ability to work both individually with minimal supervision in addition to working as a part of larger teams on projects of varying complexity
About The Company
Our vision here at Tesco is to become every customer's favourite way to shop, whether they are at home, out shopping, on the move, anywhere in the world.
We want our customers to be inspired and whatever they are looking for, we're finding bigger and better ways to provide it.
Everything is underpinned by our continuous drive for the best tools and technology to deliver our vision. We're driving innovation and transforming our Technology to become the world's leading retailer.
We need people who share our ambition to deliver for our customers; Passionate and confident people willing to take the initiative and drive us forwards. In return we offer excitement, a great team, an excellent benefit package, and significant career development opportunities.
Joining us means playing a part in defining; building and launching an ambitious roadmap of digital products that could affect the lives of millions of people over the years to come.
If that sounds exciting then we'd love to hear from you.
The position will be based at our Campus in Welwyn Garden City.
We offer excellent benefits that help make Tesco a great place to work. These include but aren't limited to:An annual bonus scheme which you can achieve up to 3.5% of base salary
- Colleague Clubcard (including a 2nd card for a family member) after 6 months service with 10% off most purchases at Tesco
- Holiday starting at 25 days plus a personal day
- A retirement savings plan - 4%-7.5% contribution rate
- Life Assurance - 5 x contractual pay
- Buy As You Earn Scheme
- Save As You Earn Scheme
- Deals & Discounts through Tesco including Tesco Mobile & Tesco Bank
- Deals and Discounts through many other external businesses