
Senior Security Architect

Job Reference tesco/TP/5248176/580268

This job has been closed.

Number of Positions: 2
Contract Type: Permanent
Salary: Competitive
Working Hours: 36
Location: Welwyn Garden City
Closing Date: 25/06/2021
Job Category: Security
Business Unit: GB Head Office

What’s in it for you

What you get out of it

We value professional & personal development - for real, not like those companies where the promised training never materializes.  We've all worked in places like that before and it sucks. 

Assuming the world gets back to normal, expect to attend an industry-leading conference each year such as Black Hat, RSA, DevSecCon, or one of the OWASP or SANS events.  You’ll also have room to spend a portion of in-work hours on professional development, and we’ve got O’Reilly, Udemy and other options for self-paced training.  Our work in big data and machine learning means there are many opportunities in specific technology areas too.  We’re not fixated on certifications, but the learning paths benefit both us and you.

We offer excellent benefits that help make Tesco a great place to work. These include but aren’t limited to:

• An annual bonus scheme of up to 45% of base salary

• Privilege card (including a 2nd card for a family member) after 6 months’ service, giving 10% off most purchases at Tesco

• Holiday starting at 25 days plus a personal day

• A retirement savings plan: 6%-10% contribution rate

• Life Assurance: 5 x contractual pay

• Buy As You Earn Scheme, which allows you to buy Tesco shares and save tax after 3 months of service

• Save As You Earn Scheme, which gives you the opportunity to save directly from your pay for three or five years, with the option of using your savings to buy Tesco shares at a discounted price, after 1 year of service

• Access to the Tesco Learning and Development Academy, Safari Books (https://www.safaribooksonline.com) and the Pluralsight technology learning platform (https://www.pluralsight.com)

• Deals & Discounts through Tesco, including Tesco Mobile & Tesco Bank

• Deals and Discounts through many other external businesses

• Cycle to Work and Car Share Schemes

• Onsite discounted Nuffield Health gym (https://www.nuffieldhealth.com)

• Health screening every 2 years

• Subsidised canteen

So…

If you like the sound of interesting security challenges, helping keep food on the shelves for millions of customers weekly and enabling half a million staff to do their jobs safely and more efficiently, let’s talk. And if that doesn't do it, you get a decent staff discount, good pension and bonus structure, no suits and a friendly working environment! 

About the role

What the role is

This role is about transforming the way security is delivered within our engineering teams.  As our software and enterprise APIs continue the move to the cloud, we face different security challenges, and this role exists to help teams navigate that change successfully.  The boundary between infrastructure and application has virtually disappeared, and being secure means supporting teams through the entire SDLC – from the ideas phase, into threat modelling during design, through development, and on to production and operations.

What the role isn’t

You won’t be selecting and deploying commercial endpoint solutions, building SOC capabilities or doing much in the IAM or networking space.  We have engineering and operational teams for all those sorts of things.  You won’t get told how to perform the role; it’s yours to shape in whatever way works best for your product and engineering stakeholders.


You will be responsible for

On a day-to-day basis you will:

  • Champion positive security change within your product team.  Teams will look to you for direction and guidance on all security matters.  There’s a whole security organisation to back you up, so that’s not as scary as it sounds
  • Help product teams deliver new business features securely while balancing and clearly articulating technical and business risk
  • Drive the deployment and integration of security capabilities into engineering teams within the product domain.  Reducing friction is paramount, and we’re all about fast feedback within existing workflows, not adding another console for a developer to check
  • Support teams in a collaborative manner in matters of application, cloud and data security, with threat modelling, risk treatment and security advice across all security domains.  If you can raise a PR to fix a security issue, do so.

Longer-term, the nature of the role also means you are expected to identify new problem spaces, propose fixes and engage across disciplines.  In other words, we want you to innovate and will give you the room to do so.  If you can think of ways to do security faster, more accurately, with greater consistency and at scale while minimising friction, you’ll be supported all the way.

You will need

The skills you will need

In order to excel in this position, you need to bring the following:

  • Solid security experience across common security domains.  The technology might have changed, but most of the security challenges haven’t
  • A thorough understanding of modern application development practices, so that new security capabilities can be introduced while minimising developer friction
  • Hands-on experience with complex Azure and AWS architectures, with an emphasis on containerised workloads.  Command-line/API experience is highly desirable, as security automation is a strategic priority
  • Some coding experience in something: Java, JavaScript, C#, bash, Python or PowerShell.  You don’t need to “be a developer”, but you do need to understand the impact of security on engineering velocity

The human side

Tesco places a great emphasis on our colleague culture. We’re a highly collaborative company and you can expect to deal with multiple teams with different ways of working.  Our goal is to be an enabling team, so being able to adapt your style to better support engineering teams will speed success.  One of our core principles is “we treat people how they want to be treated” so empathy and understanding along with self-motivation are genuinely as important as technical skills.

About us

Our Security Architecture team supports hundreds of developers deploying cross-cloud, using cutting-edge technologies and at scale.  Product teams are responsible for their own security, so we need to act differently from a traditional security team.  We’re security partners, not security police.

Our engineering teams have tremendous freedom in their work and the corresponding responsibility to do the right thing for our customers. Instead of controlling our engineering teams with process and security gates, we enable them to innovate by providing security advice to make the right decisions for Tesco. The good news is that our engineering teams are willing partners in doing better security, more efficiently and earlier in the process and we want you to help us deliver at-scale.

Why Tesco?

To set the scene, there is a huge amount of technology needed to serve our customers well, and the diversity and scale of our projects means wildly different security challenges.  Some current major initiatives include:

  • Our new CentOS-based, heavily dockerised tills are starting to roll out – a big departure from the industry norm of off-the-shelf spaghetti code and maintenance headaches
  • We’re the original big data company in the UK.  Tesco Clubcard has been going for 25 years and we’re heavily data-driven
  • We’re investing heavily in AI/ML in areas such as computer vision and natural language processing to better support our customer channels
  • We’ve a large multi-cloud service-mesh initiative underway.  Dead simple if you’re just doing it on a single k8s cluster, but much harder at our scale and with polyglot tech stacks
  • We’ve a new application security engineering team looking to improve security at scale

Tesco has fully embraced DevOps and agile methods to develop our enterprise APIs, services and cloud capabilities.  Our 100+ delivery teams run loads of Docker, Kubernetes and microservices galore across Azure and AWS, so our security approach must work with elastic, here-today-gone-tomorrow infrastructure.  Our security approaches should be event-driven, real-time and effective: weekly scans are so 2010.