Director, Technology - Security & Capability
Luke Fairless heads up Cyber Security for Tesco Retail, leading a diverse team of 200+ colleagues skilled in security, technology, risk, and operations. Luke has 18 years of retail industry experience, having completed various business roles before moving into technology back in 2010. Luke graduated from the University of Manchester Institute of Science and Technology (UMIST) with a Master’s in Chemical Engineering with Environmental Technology & Law.
Learn more about leaders in the UK & Ireland CISO community here.
Give us a brief overview of the path that led to your current role.
In 2010 I took a role as Head of IT Operations for all of Tesco e-commerce, a role which then led to becoming IT Operations Director as it grew with the launch of new businesses, including our international grocery home shopping. Fast forward to 2016; I was in a different technology role when we got a new CTO. He’d led security transformation programmes in his previous companies and recognised the need to do the same at Tesco – really waking us up to the reality of cyber threats. I had experience tackling cyber attacks from my e-commerce days, so he asked me to pull together a load of experts and form the programme. I had a good track record in business transformation programmes. Still, I needed to do some serious studying and get some professional qualifications under my belt to do the CISO role properly – which of course, is a process that never ends in cyber.
What is one of your guiding leadership principles?
Difficult to choose one, but I’m going to say Focus. When we started our transformation journey, we easily could have gotten consumed in the day-to-day, and five years later, we’d have been no further forward, still firefighting. The most important thing we did was to focus on building the capabilities we knew we needed, often at the expense of the day-to-day.
It’s like: if you want to start a car company, and people are queuing up already to buy your cars, you can either try building them in your garage one by one to try and satisfy some demand quickly, or you take the time to build a factory so you can do it properly, professionally, with skill and scale. It takes real, unwavering focus and discipline from everyone in the team to get the strategic stuff done and not get consumed by the day-to-day. The major role for the leader during this time is making sure everyone outside of the team understands the strategy and doesn’t get frustrated and lose faith. That can be really tough.
With disruption being a key theme of the past year, where do you see your role as a CISO going in the next 1-2 years?
I think the role will continue to have greater visibility, with increasing demand for discussions with senior groups around the company. Increasing internal and external scrutiny, I think, it’s inevitable. That trend was there, anyway, but as with many things, the pandemic, I think, has accelerated it by maybe 3 or 4 years. This means communication cyber risk and strategy within the company has to get slicker. It’s one thing having a continuous conversation with an Executive Committee. They support the work, they’re funding it, they get the context. However, doing a one-off, 30-minute briefing to senior teams elsewhere in the business means your messages need to be relevant, contextual, and laser focussed. With cyber, that’s incredibly difficult because the subject is so complex, but it’s pointless just bamboozling people, which wastes everyone’s time.
What advice would you give to someone just starting out in the role as a CISO?
Know your own mind and really own the problem space. An endless line of people will offer advice on what’s more important, what the latest threats are that you should panic about, that you’re asleep-at-the-wheel unless you buy x or y. You can’t form a strategy and a plan that your team and your stakeholders buy into if all you do is sweep together lots of generic and conflicting opinions. By putting in the work to understand the problem spaces (I’m not saying become an expert in everything – that’s impossible), construct your own framework/model/method of thinking about your organisation’s cyber problems, you can come up with a grounded plan. Every time the world changes or you learn something new, you put it back through the same thinking process and only then decide whether the plan needs to change. In this way, you can avoid being blown in different directions every time the wind changes – and in cyber, it can feel like the wind changes often.
Tell us 3 fun facts about yourself.
- I run quite a lot. I’m not very fast, but I can get around a half marathon distance without too much distress, and I have done a few marathons. I don’t run with music anymore. I find running gives me thinking space, gets me exploring London and visiting a lot of its green spaces, and gets me away from my phone and laptop!
- I got two kittens at the start of the UK Covid lockdown back in March 2020. I’m happy I did, but they can be very naughty and so are just one of the reasons why I’m looking forward to getting back to the office!
- The other thing Covid lockdown has taught me is that I’m absolutely abysmal at DIY. YouTube has rescued me a few times, but clearly it’s not my strength!
What is the value of participating in a professional community through Evanta?
There’s only one CISO in an organisation, so while you can talk to your team about ideas and problems, they’re not actually faced with the same decisions and dilemmas as you. I, therefore, find talking to other CISOs is tremendously useful. It helps me when I share my problems, get other perspectives, it keeps challenging my thinking and making sure it doesn’t go stale. Frankly, it can also just be a relief to learn that other people are facing the same problems as me, and they don’t have a magic fix either!
Evanta Governing Body members share their insights and leadership perspectives to shape the agendas and topics that address the top priorities impacting business leaders today.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.