Cyber Security Partner

About the Security Partners team
We are the trusted security advisors for Tesco Technology. engineering stakeholders, leveraging our deep expertise in cyber security to design and implement robust, resilient solutions
We are a dynamic and expanding global team of 15+ experts, serving as the strategic link between the wider security group and
software engineering teams that develop cutting-edge services at scale to support the retail business. 
Tesco Technology comprises of several technology domains with over 100+ teams, each entrusted with their own security. teams enjoy significant autonomy, balanced by the responsibility to make customer-centric decisions and security. imposing controls through rigid processes and security gates, we empower these engineering teams to innovate by providing
security guidance that helps them make informed decisions for Tesco. Encouragingly, these teams are enthusiastic partners in
enhancing security, working more efficiently, and integrating security into every aspect of their ways of working. collaborative approach sets us apart from traditional security teams. We proudly identify ourselves as Security Partners, not
security police, emphasizing our role as the “trusted advisors” rather than enforcers.
Partners engage key people in engineering to make security contextual and frictionless. After all, security is a journey and there is
As a Security Partner, you will deeply engage within product areas and influence the way security is delivered by them. To achieve this, you are good at secure design principles, cloud security, secure
development practices and patterns, application security, secure pipelines, open-source security and related. As enterprise applications become more distributed, adaptive to technological advancements, and run from hybrid
infrastructure, teams need to navigate through different complexities and make key security decisions along the way. security advisor empowers teams to achieve scalable and sustainable security maturity throughout the SDLC process
Develop in-depth understanding of the product area, engage with key product and technical people for assessing the security and privacy controls.
Engage teams in security roadmap discussions and continuously improve security posture of what they build.
You should translate technical risks into business risks and potential impact to Tesco.
Engage security champions, key developers, and offer technical advisory to support completion of security initiatives, and remediation of vulnerabilities or risks.
Take part in key product and architecture decisions to embed security.
Perform product security activities, from the early development of security requirements, architecture reviews, and threat modelling, to strengthening application security, mitigating supply-chain risks, securing secrets, pipelines, reviewing vulnerabilities, and infrastructure security.
Develop and propose security controls or compensating measures as needed. Continuously seek both tactical and strategic solutions to enhance security.
Lead teams on raising the bar on security by design, and security by default.
Assist/support adoption of new capabilities to enhance security across people, process, and tools.
If you can raise a PR (pull request) to resolve a security issue, you have the freedom to do so.
Participate in assurance activities like security testing, purple testing, assurance, auditing.
Be an advocate for good security, take part in strengthening organisation standards and policies.
Hands-on product security experience from developing requirements, reviewing architecture, applying design principles, to application security, pipeline security, infrastructure, and secure monitoring.
Experience in leading security initiatives, dev(sec)ops practices with product and engineering teams.
Experience in threat modelling and designing security/privacy controls to mitigate risks.
Experience in application security, supply chain security, and using tools such as SAST, DAST, SCA, and IAC. • Experience applying industry standards like OWASP ASVS (Application Security Verification Standard), OWASP Top 10, CIS controls and benchmarks.
Good understanding of web application, REST APIs, micro services, eventing, modern application frameworks, and mobile apps.
Experience with cloud native and hybrid architectures with an emphasis on containerised workloads and Kubernetes.
Some development experience is always a plus - Java, cloud, Golang, python. You do not need to “be a developer” but we need you to understand the implications of security on engineering velocity.
Degree in computer science / information systems or engineering field, or equivalent experience.
Azure or AWS cloud security certifications is desirable.
We’re all about the little helps. That’s why we make sure our Tesco colleague benefits package takes care of you – both in and out of work. Annual bonus scheme of up to 20% of base salary 
~ Holiday starting at 25 days plus a personal day (plus Bank holidays) 
~ Private medical insurance 
~26 weeks maternity and adoption leave (after 1 years’ service) at full pay, followed by 13 weeks of Statutory Maternity Pay or Statutory Adoption Pay, we also offer 6 weeks fully paid paternity leave 
~ Free 24/7 virtual GP service, Employee Assistance Programme (EAP) for you and your family, free access to a range of experts to support your mental wellbeing 


Our vision at Tesco is to become every customer's favourite way to shop, whether they are at home or out on the move. Our core purpose is ‘Serving our customers, communities and planet a little better every day’. It means acting as a responsible and sustainable business for all stakeholders, for the communities we are part of and for the planet. 

 
At Tesco, we not only celebrate diversity, but recognise the value and opportunity it brings. We’re proud to have been accredited Disability Confident Leader and we’re committed to providing a fully inclusive and accessible recruitment process. We’re a big business and we can offer a range of diverse full-time & part-time working patterns across our many business areas, which means that we can find something that works for you. We work in a more blended pattern - combining office and remote working.