Cyber Security @ ASOS.com

George Mudie
Feb 13, 2020 · 3 min read
Do something great
Photo by Clark Tibbs on Unsplash

The old days of plugging in a misconfigured firewall and relying on a couple of specialists to save the day are long gone. Now you need a team that proactively assesses security risk and can work with the whole organisation to address these issues.

Cyber Security @ ASOS is a collective responsibility

You also need a team that has a passion for learning. Cyber Security is continually evolving to meet the ever changing threats and advances in technology. At ASOS we’ve also got the pleasant business challenges of rapid global growth of ASOS and the technical challenges of a micro services architecture.

Virtually everything ASOS does is in Microsoft Azure and our Tech colleagues have gained a reputation for pushing Azure to it’s limits and producing an innovative user experience. This results in a Cyber Security team that either develops new security tools / techniques or works with security startups who also understand the unique challenges that we face.

As we’ve expanded globally we’ve also continued to invest and grow our security capability. We also adopted an organisational design that is defined by specialism and covers the primary security vectors:

  • Governance, risk and compliance (GRC) — understand, prioritise the threats to ASOS and enforce relevant policies, procedures and standards,
  • Identity and Access Management (IAM) — making identity the new security perimeter by governing employee or contractor system and data access,
  • Cyber Security Incident Response Team (CSIRT) — a team that can work across the entire organisation and investigate and mitigate cyber security threats or incidents,
  • Security Operations (SecOps) — 24 x 7 monitoring and detection, Tier 1 and Tier 2 handle security alerts and work with CSIRT on the more tricky issues. Specialists in endpoint protection, pioneers in using Sentinel and leveraging this machine learning based platform to increase operational efficiency,
  • Physical Security — traditionally this meant guards at doorways. Now it includes CCTV placement, barrier control, liaising with local law enforcement, ensuring warehouses meet the relevant security standards for the storage, import and export of goods,
  • Global Fraud — a 24 x 7 team that monitors transactions across 218 countries and makes uses of innovative methods and procedures to deter and stop fraud,
  • Security Engineering Function — security architects, security engineers and application security assurance work with our 1000+ Tech colleagues to ensure that our home grown software is designed, coded and deployed in a secure manner.

Fortunately we’re not alone, as we work closely with our Data Protection Officer and Tech colleagues as well as follow the advice and guidance offered by the UK’s elite National Cyber Security Centre and National Crime Agency.

Helping to protect our customers, employees and brand

We are always on the look out for talented team players who want to develop their cyber security skills and you can find our vacancies here.

I’m George Mudie the Chief Information Security Office @ ASOS. Outside of the office I enjoy box sets of nordic noir crime thrillers, Mexican cuisine and the works of Iain M. Banks.

The ASOS Tech Blog

A collective effort from ASOS's Tech Team, driven and…

The ASOS Tech Blog

A collective effort from ASOS's Tech Team, driven and directed by our writers. Learn about our engineering, our culture, and anything else that's on our mind.

George Mudie

Written by

CISO @ ASOS and reformed software engineer. When not building cyber security teams I enjoy some Nordic noir crime thrillers, Mexican food and Ian M Banks books

The ASOS Tech Blog

A collective effort from ASOS's Tech Team, driven and directed by our writers. Learn about our engineering, our culture, and anything else that's on our mind.