Overview
Cyber Security Partner - Product Security – based at Tesco Technology offices in London.
About the Security Partners team: We are the trusted security advisors for Tesco Technology. Our purpose is to collaborate with product and engineering stakeholders, leveraging our cyber security expertise to design and implement robust, resilient solutions that protect the business and customers from cyber threats. We are a dynamic and expanding global team of 15+ experts, serving as the strategic link between the security group and software engineering teams that develop cutting-edge services at scale to support the retail business. Tesco Technology comprises several technology domains with over 100+ teams, each entrusted with their own security. Teams are autonomous but responsible for customer-centric security decisions. We empower engineering teams to innovate by providing security guidance, rather than enforcing rigid gates. We identify as Security Partners, not security police, and act as trusted advisors.
Role summary: As a Security Partner, you will engage deeply within product areas and influence how security is delivered by them. You will be supported by experts in the team and should be proficient in secure design principles, cloud security, secure development practices, application security, secure pipelines, open-source security and related areas. You should be versatile and willing to learn new topics as they arise.
You will be responsible
* Develop in-depth understanding of the product area, engaging with key product and technical people to assess security and privacy controls.
* Engage teams in security roadmap discussions and continuously improve the security posture of what they build.
* Demonstrate how weaknesses in design or code can be compromised and exploited. Translate technical risks into business risks and potential impact to Tesco.
* Engage security champions and key developers, offering technical advisory to support security initiatives and remediation of vulnerabilities or risks.
* Participate in key product and architecture decisions to embed security.
* Perform product security activities from early development of security requirements and architecture reviews to strengthening application security, mitigating supply-chain risks, securing secrets and pipelines, reviewing vulnerabilities, and infrastructure security.
* Develop and propose security controls or compensating measures as needed; seek tactical and strategic solutions to enhance security.
* Lead teams on raising the bar on security by design and security by default.
* Assist/support adoption of new capabilities to enhance security across people, process, and tools.
* Be ready to code. If you can raise a PR to resolve a security issue, you have the freedom to do so.
* Participate in assurance activities such as security testing, purple testing, auditing, and related activities.
* Empower the teams you work with, but also challenge the status quo and advocate for good security; contribute to organization standards and policies.
* Commit to continuous improvement, seize opportunities, and inspire changes for the team.
You will need
* Hands-on product security experience from developing requirements, reviewing architecture, applying design principles, to application security, pipeline security, infrastructure, and secure monitoring.
* Experience in leading security initiatives and dev(sec)ops practices with product and engineering teams.
* Experience in threat modelling and designing security/privacy controls to mitigate risks.
* Experience in application security, supply chain security, and using tools such as SAST, DAST, SCA, and IAC. Experience in reviewing code to spot weaknesses and suggesting mitigations.
* Experience applying industry standards like OWASP ASVS, OWASP Top 10, CIS controls and benchmarks.
* Good understanding of web applications, REST APIs, microservices, event-driven architectures, modern application frameworks, and mobile apps.
* Experience with cloud-native and hybrid architectures with emphasis on containerised workloads and Kubernetes.
* Some development experience is a plus—Java, cloud, Golang, Python. You do not need to be a developer, but you should understand implications of security on engineering velocity.
* Degree in computer science / information systems or engineering, or equivalent experience.
* Experience with regulations like GDPR, PCI-DSS is desirable.
* AWS or Azure cloud security certifications are desirable.
* Good communicator, listener, and influencer.
What’s in it for you?
* Annual bonus scheme of up to 20% of base salary
* Holiday starting at 25 days plus a personal day (plus Bank holidays)
* Private medical insurance
* 26 weeks maternity and adoption leave (after 1 year’s service) at full pay, followed by statutory maternity/adoption pay; 6 weeks fully paid paternity leave
* Free 24/7 virtual GP service, Employee Assistance Programme (EAP) for you and your family, mental wellbeing support
About Us
Our vision at Tesco is to become every customer's favourite way to shop, whether at home or on the move. Our core purpose is “Serving our customers, communities and planet a little better every day.” We are committed to an inclusive culture, celebrate diversity, and provide an accessible recruitment process. We offer diverse working patterns and blended office/remote working. If applying internally, please discuss arrangements with the Hiring Manager.
London, England, United Kingdom
Seniority level
* Mid-Senior level
Employment type
* Full-time
Job function
* Engineering and Information Technology
Industries
* Retail