Senior Cyber Security Partner

Company Description

About Tesco

Our vision at Tesco is to become every customer’s favourite place to shop at home, in town, or on the move, anywhere in the world.
Our continuous drive for the best tools and technologies helps us to deliver this vision. We’re driving innovation and transforming our technology solutions to become one of the world’s leading retailers.We need people who share our ambition to deliver for our customers: passionate and confident people willing to take the initiative and drive us forwards.In return, we offer an exciting environment in a best-in-class technology department, an excellent compensation package, and outstanding career development opportunities.

If that sounds exciting, then we'd love to hear from you!

The position will be based at our Tesco Technology office in Bengaluru, India.

About the Security Partners team

We are the trusted security advisors for Tesco Technology. Our purpose is to collaborate seamlessly with the product and engineering teams, leveraging our deep expertise in cyber security to design and implement robust, resilient solutions that protect our business and customers from cyber threats.We are a dynamic and expanding global team of 15+ experts, serving as the strategic link between the wider security group and software engineering teams that develop cutting-edge services at scale to support the retail business.

Tesco Technology comprises of several technology domains with over 100+ teams, each entrusted with their own security. These teams enjoy significant autonomy, balanced by the responsibility to make customer-centric decisions and security. Rather than
imposing controls through rigid processes and security gates, we empower these engineering teams to innovate by providing security guidance that helps them make informed decisions for Tesco.

Encouragingly, these teams are enthusiastic partners in enhancing security, working more efficiently, and integrating security into every aspect of their ways of working. This collaborative approach sets us apart from traditional security teams. We proudly identify ourselves as Security Partners, not security police, emphasizing our role as the “trusted advisors” rather than enforcers. Partners engage key people in engineering to make security contextual and frictionless. After all, security is a journey and there is no one-size-fits-all.
Join the team and be part of this exciting journey!

Job Description

Following our Business Code of Conduct and always acting with integrity and due diligence and have these specific risk responsibilities:
• Provide product and engineering teams with direction and guidance on all security matters. There is a whole security group to back you up; so it is not as scary as it sounds.
• Engage engineering leadership on security roadmap and oversee security posture of what they build.
• Co-own the security roadmap; discuss; prioritise; and co-develop plans for remediation for the product areas.
• Empower security champions to succeed and creating a strong feedback loop for improvements.
• Represent security in all product and architecture meet-ups. Be part of critical decisions about security.
• Oversee product security activities; from the early development of security requirements; architecture reviews; and threat modelling; to strengthening application security; mitigating supply-chain risks; securing secrets; pipelines; reviewing vulnerabilities; and infrastructure security.
• Perform security architecture reviews of third-party services.
• Identify acceptable risk levels and assist with action plan; policy; and procedural changes for risk mitigation.
• Adopt a risk-based approach and guide management in identifying business risks and potential impact to Tesco. Continuously seek both tactical and strategic solutions to enhance security.
• As the security expert for the product area; engage across the security group to strengthen controls across identification; protection; detection; response; and recovery.
• Oversee assurance activities like security testing; purple testing; assurance; auditing.
• Reduce security fatigue for engineering and provide faster feedback within existing developer workflows; not adding another tool for them to check.
• Empower the teams you work with; but also challenge the status-quo.
• As a senior member of the team; engage across the security group on new ideas and initiatives.
• Contribute to strengthen organization standards and policies; develop cookbooks; secure patterns; take part in security research and tool evaluations.
• You are committed to continuous improvement; seizing opportunities; and inspire change for the team.
• Mentor others in the team and take part in enhancing their skills and career development.

Qualifications

As a Senior Cyber Security Partner

• you will transform the security maturity of key product areas and teams. You will be the face of security group for them. Everything you do is in the context of the product; roadmap; its risk acceptance level; the technology stack; and its architecture.
• You build a comprehensive understanding of the threat landscape and its potential risks to the business. Through effective partnership, you engage the leadership to make well-informed decisions about security and privacy.

Additional Information

To excel in this position, we expect you to have the following:
• Possess experience across multiple sectors and have undertaken diverse roles in engineering and security. Demonstratable accomplishments of collaborating with leadership and management on security programmes and initiatives.
• Good knowledge of various security domains, and solid experience in architecture practices and design patterns – the technology might have changed but most of the security challenges have not.
• Experience in designing security and privacy controls with sound understanding of standards and regulation.
• Experience in threat modelling, attack trees, vulnerability chaining, applying MITRE ATT&CK framework.
• Good understanding of web applications, REST APIs, micro services, evening, modern application frameworks, and mobile apps.
• Good understanding of software architecture, network topologies, SaaS, PaaS, IaaS (infrastructure as a service).
• Proficient in applying industry standards such as OWASP ASVS (Application Security Verification Standard), OWASP Top 10, CIS (Centre of Internet Security) controls and benchmarks.
• Experience with cloud native and hybrid architectures with an emphasis on containerized workloads and Kubernetes.
• Some development experience is always a plus - Java, cloud, Golang, python. You do not need to “be a developer” but we need you to understand the implications of security on engineering velocity.
• Degree in computer science / information systems or engineering field, or equivalent experience.
• Experience with regulations like GDPR (General Data Protection Regulation), PCI-DSS is desirable.
• Azure or AWS (Amazon Web Services) cloud security certifications is desirable.
• Excellent interpersonal skills and leadership skills.

Important Notice: 

On behalf of Tesco Bengaluru, we must caution all job seekers and educational institutions that Tesco Bengaluru does not authorise any third parties to release employment offers or conduct recruitment drives via a third party. Hence, beware of inauthentic and fraudulent job offers or recruitment drives from any individuals or websites purporting to represent Tesco. Further, Tesco Bengaluru does not charge any fee or other emoluments for any reason (including without limitation, visa fees) or seek compensation from educational institutions to participate in recruitment events. 

Accordingly, please check the authenticity of any such offers before acting on them and where acted upon, you do so at your own risk. Tesco Bengaluru shall neither be responsible for honouring or making good the promises made by fraudulent third parties, nor for any monetary or any other loss incurred by the aggrieved individual or educational institution. 

In the event that you come across any fraudulent activities in the name of Tesco Bengaluru, please feel free report the incident at recruitment_compliance_india@tesco.com