Senior Security Engineer

What’s in it for you

We offer excellent benefits that help make Tesco a great place to work!  These include but are not limited to:

• Annual bonus scheme
• Holiday starting at 25 days plus a personal day (and bank holidays)
• Great colleague discounts and deals, saving you money on everyday purchases, utility bills for the home and more
• Retirement savings plan – save between 4% and 7.5% and Tesco will match your contribution
• Buy as you earn and Save as you earn share schemes
• Opportunities to get on – take advantage of our ongoing learning opportunities and award-winning training to help you achieve the career you want

About the role

About the Security Engineering team

We are 15+ and growing team that supports Tesco technology and software development teams across cloud and other cutting-edge technologies at scale. We have a new role as the security engineer for our security engineering team based in the UK. The software development teams are responsible for their own security, so we act differently than a traditional security team. We are team of security partners, not security police... and we go as far as calling ourselves as Security Partners, not Security Architects or Consultants.

Our software engineering teams have tremendous freedom in their work and the corresponding responsibility to do the right thing for our customers. Instead of controlling our engineering teams with process and security gates, we enable them to innovate by providing security guidance to make right decisions for Tesco. The good news is that our engineering teams are (usually) willing partners in doing better security, more efficiently and earlier in the process. We'd like you to help us scale out and represent ourselves for the wider engineering domains.

Tesco has fully embraced DevOps and agile methodologies to develop our enterprise APIs, services and cloud capabilities. Our 100+ delivery teams have loads of Docker, Kubernetes and microservices galore across Azure and AWS, so our security approach must work with elastic, here today, gone tomorrow infrastructure. Our security approaches should be event driven, real-time and effective. Weekly scans are so 2010.

Developing strong security partnerships for Tesco Technology

Security partnerships are about transforming the way security is delivered within our technology domains and software engineering teams, your part to play as a security partner is to actively champion positive security change within your product teams.

You will be responsible for

On a day-to-day basis:

• Provide engineering and product teams with direction and guidance for all security matters. There is a whole security organisation to back you up, so that is not as scary as it sounds.
• Help product teams deliver new business features securely while balancing and clearly articulating technical and business risk.
• Be expected to drive the deployment/integration of security capabilities into engineering teams within the product domain.
• Drive security initiatives such as developing security requirements, threat modelling, strengthening application security, vulnerability reduction, etc., with the engineering teams.
• Reducing friction is paramount and we are all about fast feedback within existing workflows, not adding another console for a developer to check.
• Support teams in a collaborative manner in matters of mobile application, web application, cloud and data security, with threat modelling, risk treatment and security advice across all security domains. If you can raise a PR to resolve fix a security issue, do so.
• Facilitate risk remediation but also challenge decisions and status-quo.
• Facilitate in assurance activities like penetration testing, purple testing, app assurance.
• Build quarterly/monthly roadmaps for security activities and plan them.
• Be an evangelist for security, take part in strengthening Tesco’s internal policies and standards.

Longer-term, the nature of the role also means you are expected to identify new problem spaces, propose fixes, engage across disciplines. In other words, we want you to innovate and will give you the room to do so. If you can think of ways to do security, faster, more accurately, with greater consistency and at scale while minimizing friction, you'll be supported all the way.

You will need

Ideally, you will bring the following:

• Solid security experience across common security domains – the technology might have changed, but most of the security challenges have not.
• A thorough understanding of modern application development practices so that security capabilities can be introduced and embedded while minimising developer friction.
• Excellent interpersonal, facilitation, and leadership skills along with effective communication (both written and verbal) skills.
• Be able to provide security guidance to engineering teams throughout the product development lifecycle.
• Be able to develop threat models, attack trees, and embed security by design in product engineering effort.
• Good understanding of web technologies, REST APIs, micro services, modern application development, and mobile apps.
• Good understanding of software architecture, dev-sec-ops, and network security.
• Experience in browser security or mobile app security is desirable.
• Good understanding of industry standards such as OWASP ASVS, OWASP Top-10, CIS benchmarks.
• Hands-on experience with complex Azure and AWS architectures with an emphasis on containerised workloads.
• Command-line/API experience is highly desirable as security automation is a strategic priority.
• Some coding experience in something is always a plus - Java, HTML, JavaScript. You do not need to “be a developer” but you do need to understand the implications of security on engineering velocity.
• Knowledge of and experience with PCI-DSS will be desirable.
• A minimum of 5 years of experience in security engineering or closely related areas.
• Bachelor’s degree in Computer Science / Information Systems or Engineering discipline.
• Azure or AWS cloud security certifications (preferred).

About us

Our vision at Tesco is to become every customer’s favourite way to shop, whether they are at home or out on the move.  Our core purpose is “Serving our customers, communities and planet a little better every day”.  Serving means more than a transactional relationship with our customers.  It means acting as a responsible and sustainable business for all stakeholders, for the communities we are part of, and for the planet.

We are proud to have an inclusive culture at Tesco where everyone truly feels able to be themselves.  At Tesco, we not only celebrate diversity, but recognise the value and opportunity it brings.  We’re committed to creating a workplace where differences are valued, and make sure that all colleagues are given the same opportunities.  We’re a big business with diverse working patterns and many business areas which means that we can find something that works for you.  Everyone is welcome at Tesco.

We have recently announced that we are moving to a more blended working week – combining office and remote working.  Our offices continue to be where we connect, collaborate and innovate.  Talk to us about how this can work for you.

Note: Should you be successful in your application, your employment will be subject to and conditional upon you providing your bank account details on your agreed start date.

We’re proud to have been accredited Disability Confident Leader and we’re committed to providing a fully inclusive and accessible recruitment process. For further information on the accessibility support we can offer, please click here.