There is no fortress anymore: How Tesco thinks about modern security

For a long time, security was imagined as a wall. Firewalls at the edge. A clear inside and outside.

That model no longer holds.

In the latest DevLab episode, we spoke with two leaders shaping how security works in practice at Tesco. Harry McLaren, Head of Cyber Defence, focuses on detection, response, and threat intelligence. Jason Larkin, Head of Platform Security Architecture, designs secure-by-default platforms that allow engineers to build safely at scale.

Together, they sit at different but tightly connected points of Tesco’s security ecosystem. The conversation offers a grounded look at how strong fundamentals, thoughtful architecture, and close collaboration help reduce real-world risk across a complex organisation operating at serious scale.

Security without a perimeter

One of the strongest ideas running through the conversation was simple, but uncomfortable: there is no single wall anymore.

"Almost everything that happens in a digital world happens under a form of an identity," Harry explained. Human or machine, application or service, identity now sits at the centre of how systems interact.

"When people talk about there being no fortress, no single wall like we used to think about in cybersecurity, well, the new wall is your identity," he said. "And that means it is distributed, it’s everywhere and it is also nowhere."

At Tesco’s scale, this shift has real consequences. Identity is no longer a narrow technical concern. It cuts across cloud platforms, legacy systems, third-party tools, and everyday business processes. Exceptions appear. Workarounds emerge. And security teams have to operate in the gap between how things should work and how they actually do.

Why the basics are still the hardest part

Advanced attacks tend to dominate headlines. Inside large organisations, the harder problems are usually far more fundamental.

Knowing what assets you actually have. Understanding which systems matter most to the business. Making access intentional and hard to abuse. Being able to detect and respond quickly when something goes wrong.

"The hardest problems aren’t the advanced attacks," Harry noted, "they’re getting the basics right at scale."

What came through clearly was the amount of discipline this requires. Tesco’s teams cannot treat every risk equally or prepare for every theoretical scenario. Instead, effort is directed where it will have the greatest impact, guided by threat intelligence, asset visibility, and a realistic view of how adversaries behave.

That prioritisation is what allows security to remain effective without becoming overwhelming.

Architecture and defence have to work together

Jason described his team’s role as reducing complexity before problems appear. Platform security architecture focuses on prevention, secure defaults, and well-defined patterns that help engineers move quickly without creating unnecessary risk.

“In cloud environments, identity becomes the primary control. That’s a big shift if you’re used to thinking about security mainly through networks and firewalls,” Jason said.

Harry’s teams assume that, despite best efforts, things will still go wrong. Their focus is on detection, response, and recovery, ensuring issues are handled quickly and insights are used to strengthen future decisions.

Neither approach works in isolation. Architecture without feedback drifts into theory. Defence without strong standards becomes reactive and exhausting.

At Tesco, the two reinforce each other. Clear architectural patterns reduce the likelihood and impact of incidents. Real-world incidents, in turn, inform better design decisions. That loop is what allows security to scale while still supporting delivery.

Complexity is the real enemy

Complexity came up again and again, not because systems are sophisticated, but because there are too many ways to achieve the same outcome.

"There are so many different ways to do the same thing," Jason said. Over time, that choice turns into sprawl. Configuration becomes harder to reason about. Ownership blurs. Small changes have unexpected consequences.

Reducing complexity focuses on making safe paths obvious and easy to follow. Fewer patterns. Clear defaults. Guardrails that remove unnecessary decisions.

This is where security becomes a design challenge as much as a technical one.

Looking ahead: fundamentals over hype

Progress in security still depends on getting the fundamentals right. Strong identity controls. A solid understanding of networks and systems. Teams who know how their platforms actually behave under pressure.

These are not problems that tools can abstract away. They require judgement, experience, and a clear view of how risk shows up in a real organisation.

The teams that perform best build security deliberately. They reduce unnecessary complexity, invest in people who understand the environment deeply, and create space for close collaboration.

There may be no fortress anymore. But with clear priorities, strong foundations, and teams working together, security can still be effective where it matters most.

Watch the full conversation

If you want to hear Harry and Jason go deeper on identity, architecture, threat intelligence, and what security really looks like at Tesco’s scale, watch the full DevLab episode below.