CISOs to Watch in UK Retail & eCommerce

The UK retail and eCommerce sector is one of the most digitally exposed industries in the country. Large customer datasets, complex supply chains, omnichannel operations, and continuous innovation make cybersecurity a critical business function rather than a back-office concern. From FTSE 100 retailers to digital-native brands, CISOs in this sector are increasingly responsible for enabling growth while maintaining resilience, trust, and regulatory alignment.

Below are senior security leaders shaping cybersecurity strategies across some of the UK’s most recognisable retail and eCommerce organisations.

Steve Cottrell — Global Chief Information Security Officer, Marks & Spencer

Steve Cottrell serves as Global CISO for Marks & Spencer, one of the UK’s most established FTSE 100 retailers. In this role, he leads the global cybersecurity agenda across stores, eCommerce, logistics, sourcing, and distribution, with responsibility for aligning security strategy to business growth, resilience, and Board-level governance.

His work at M&S has included the design and implementation of a security risk and governance framework that translates cyber risk into business terms for senior leadership and Audit & Risk Committees. He has also delivered a group-wide target operating model, embedding cyber resilience across business units while optimising investment outcomes.

Steve has led a multi-year enterprise-wide security transformation covering people, process, and technology, including the evolution of the global SOC toward a threat-led, intelligence-driven defence model. With over two decades of experience across retail, financial services, telecoms, utilities, and national security, he is recognised for bridging technical complexity with executive decision-making.

Indu Sajeef — Chief Information Security Officer, ASOS

Indu Sajeef is Chief Information Security Officer at ASOS, one of the world’s largest online fashion retailers, serving millions of customers across more than 200 markets. She leads the company’s global security strategy, overseeing cyber security, fraud, AI security, data protection, physical security, and enterprise technology risk.

Her remit focuses on embedding security as a business enabler within a fast-paced, digital-first organisation. At ASOS, she is responsible for protecting customer trust while supporting continuous innovation across platforms, supply chains, and customer-facing services.

Indu’s role reflects the evolving scope of modern retail CISOs, where security leadership extends beyond traditional cyber controls into data, emerging technologies, and enterprise risk management at scale.

Barry Loftus — Chief Technology Officer, Frasers Group

Barry Loftus is Chief Technology Officer at Frasers Group, overseeing technology strategy and delivery across a diverse portfolio of retail brands. With more than a decade of experience as a CIO, CTO, and IT Director, he has led large-scale digital transformation and IT modernisation initiatives across complex retail environments.

His responsibilities include aligning technology and cybersecurity frameworks with business objectives, modernising infrastructure, and strengthening risk management capabilities. Barry is known for building and mentoring high-performing teams and delivering complex programmes that support operational efficiency and customer experience.

While holding a broader technology remit, his role plays a critical part in shaping cybersecurity posture across one of the UK’s largest retail groups.

Sarah Harvie — Chief Information Security Officer, Kingfisher PLC

Sarah Harvie is Chief Information Security Officer at Kingfisher PLC, the international home improvement group behind brands such as B&Q and Screwfix. She leads enterprise-wide information security strategy, focusing on improving organisational security posture across multiple markets and operating models.

Prior to joining Kingfisher, Sarah held senior security leadership roles at Amazon Web Services and Merlin Entertainments, bringing experience across cloud, large-scale digital platforms, and consumer-facing environments.

Her background spans security strategy, operational leadership, and transformation, with a focus on embedding security into business operations rather than treating it as a standalone function.

Joseph Kelly — Head of Information Security (Chief Information Security Officer), New Look

Joseph Kelly is Head of Information Security at New Look, where he leads the organisation’s cyber security and information risk programme. He brings experience across both retail and local government, with a strong focus on practical, business-aligned security delivery.

His expertise covers cyber security operations, ISO/IEC 27001, risk management, compliance, policy development, user awareness training, incident response, and data protection. Joseph is known for translating technical security requirements into clear, accessible language for non-technical stakeholders.

At New Look, his role supports secure retail operations while maintaining compliance and resilience across digital and physical channels.

Kieren Marchant-White — Head of Cyber Security, Gymshark

Kieren Marchant-White leads Cyber Security at Gymshark, a global fitness and eCommerce brand with more than 20 million customers worldwide. With over 15 years of experience in IT and security, he oversees application security, governance, risk and compliance, incident response, and security awareness.

His approach emphasises people-first security, positioning employees and customers as active participants in protecting the organisation. Kieren focuses on delivering sustainable, cost-effective security strategies that align with Gymshark’s culture, growth objectives, and global customer base.

His work reflects the security challenges faced by digital-native brands operating at scale in highly competitive markets.

Carlos Rombaldo — Chief Information Security Officer, Holland & Barrett

Carlos Rombaldo is Chief Information Security Officer at Holland & Barrett, bringing deep technical expertise across cloud security, application development, cryptography, penetration testing, and compliance. Over a career spanning two decades, he has worked with government agencies and organisations across more than 35 countries.

His experience includes designing and building cloud-based banking platforms and developing automated vulnerability management frameworks capable of operating at massive scale.

Alongside his industry role, Carlos is a PhD researcher at University College London, focusing on improving the cyber resilience of small and medium-sized organisations across the UK. His work bridges academic research and real-world security leadership.

Securing Growth in UK Retail & eCommerce

As UK retailers continue to scale digital platforms, expand omnichannel experiences, and manage increasingly complex supply chains, the role of the CISO has become central to commercial success. The leaders featured here demonstrate how effective cybersecurity leadership enables innovation, protects customer trust, and strengthens organisational resilience in one of the UK’s most competitive and data-intensive industries.