Retail security has to work at the speed of the high street. Thousands of transactions an hour, distributed store networks, seasonal traffic spikes, and a customer base that expects a seamless experience whether they are shopping online or in person all create a security challenge that never really switches off. The CISOs in this feature are protecting some of the UK’s most recognisable retail and fashion names, from footwear and sportswear to discount retail and a 200-year-old high street institution reinventing itself, and their programmes reflect what it means to secure retail at genuine national scale.
Theo Botha – Global CISO, Dr. Martens plc
Theo Botha has served as global CISO at Dr. Martens plc since March 2020, defining and leading a global information and cyber security strategy that supported the company’s successful IPO. He delivered the first phase of his strategy within twelve months of starting, building a tactical programme measured against the NIST CSF framework and PCI-DSS requirements to secure a suddenly remote workforce during the pandemic, research that also formed part of his Masters thesis at Royal Holloway. His current phase of work aligns security with the business’s operational excellence strategy and includes chairing an AI working group focused on security defence and governance.
Before Dr. Martens, he spent nearly two years as CISO at Which?, doubling the organisation’s maturity level against the ISF Standard of Best Practice within 21 months and presenting the results at PCI London in 2020. Before that, he spent more than four years at Interserve progressing from infrastructure and operations manager to head of information security, achieving ISO 27001, PCI-DSS, and Cyber Essentials Plus certifications across the group and its defence division. He serves on advisory boards for ClubCISO, Trident Search, and Mimecast. More than six years leading global security at Dr. Martens, spanning a pandemic and a public listing, reflects one of the longer and more consequential single-company CISO tenures in this feature.
Al Price – Group CISO, JD Sports Fashion
Al Price has served as group CISO at JD Sports Fashion since January 2024, leading security for one of the UK’s largest sportswear and fashion retailers. Before JD Sports, he spent eleven months as head of information security operations at Marks and Spencer, and a year and a half as a CISO advisor at Gartner, providing research and advisory guidance to CISOs and CIOs on security frameworks and technology purchasing decisions across the industry.
Before Gartner, he spent nine months as head of cyber security at Chorus and a year and a half as head of security operations and intelligence at Whitbread. His earlier career includes nearly three years as head of security operations at BAE Systems Applied Intelligence, more than two years across SOC leadership roles at Alert Logic in Cardiff and Houston, and more than seven years at Fujitsu progressing from firewall engineer through service and operation manager. That path through defence intelligence, managed security services, hospitality, and industry analyst work before landing at JD Sports gives him an unusually broad vantage point on how security operations scale across very different sectors.
Andrej Kurlovic – CISO and DPO, Home Bargains
Andrej Kurlovic has served as CISO and data protection officer at Home Bargains for more than nine and a half years, since January 2017, building the security and privacy functions from the ground up for one of the UK’s fastest-growing retailers. His programme secured thousands of assets and empowered more than 27,000 colleagues while supporting a company opening a new store nearly every week. His work has spanned a full cyber maturity uplift from foundational controls to red and purple team capability, zero trust architecture rollout, OT and ICS-enabled warehouse infrastructure securing nationwide logistics, and a public vulnerability disclosure and bug bounty programme, alongside a security culture built around initiatives like HackNights and “Security with a Smile.”
Before Home Bargains, he spent seven years as network security manager at Frontline Consultancy and Business Services, transforming the business from a basic hosting provider into a fully resilient managed services platform, and nearly two years as an ICT consultant and network engineer at Servassure, part of the Daisy Group, where he delivered infrastructure and security projects for clients including the British Film Institute, Honeywell/Verizon, and ASDA. Earlier, he spent nearly four years as senior information systems manager for Carnival Cruise Line, managing shipboard IT and security operations across global cruise operations. That maritime and managed services foundation, now applied to nearly a decade building Home Bargains’ security programme from scratch, reflects a career built on creating resilient systems in environments that cannot afford downtime.
Robin Young – CISO, Tom James Company
Robin Young has served as CISO at Tom James Company since March 2025, based in the Scottish Borders. Before stepping into that role, he spent six years at Holland and Sherry, the luxury textile manufacturer, progressing from assistant IT manager to IT manager. Before Holland and Sherry, he spent more than two years as a senior IT engineer at GB Technologies, and more than seven years at Capita Managed IT Solutions across technical consultant and BSM consultant roles.
His earlier career includes technical consulting at Compuware, support management at EBS Europe, and field service engineering at CC Engineering, giving him a broad technical foundation spanning cloud computing, virtualisation, and networking before he moved into dedicated security leadership. That progression from hands-on IT engineering and managed services consulting into a first CISO role at a custom clothing and tailoring company reflects a career built on broad technical versatility rather than an early specialisation in security.
Ross Jackson – CISO, TGJones
Ross Jackson has served as CISO at TGJones since December 2025, the newly rebranded identity of WHSmith following its acquisition by specialist retail investor Modella Capital in June 2025. TGJones has been a fixture on British high streets, shopping centres, and retail parks for more than 200 years, and Jackson’s mandate is to define and deliver the security, privacy, and resilience strategy for the business as it steps into its new chapter, positioning security as something that actively creates value rather than simply protecting it.
Before TGJones, he spent nearly fifteen years at Mimecast, most recently as vice president of organisational resilience, where he reduced time to action by 14 percent through integrating generative AI into mitigation planning and achieved ISO 22301 certification with zero remediation for the company’s enterprise resilience framework. His long run at Mimecast also included roles as VP of the Trust Office directing GDPR compliance, VP of customer transformation and innovation leading growth from 27,000 to 42,000 customers, and VP of global service delivery. That deep resilience and customer operations background, built over nearly fifteen years at a major cybersecurity company, now underpins how he approaches security for a heritage retailer reinventing itself for a new era of British high street retail.
The High Street Never Really Closes
Retail security has to hold up against constant pressure: seasonal demand spikes, thousands of daily transactions, distributed store networks, and customers who expect the same seamless experience whether they are browsing online or walking into a shop. The leaders in this feature are protecting brands that are woven into the fabric of British retail, some more than two centuries old, others still scaling rapidly, and their programmes reflect the reality that in retail, security has to keep pace with a business that never really stops moving.
Discover more of the UK’s cybersecurity leaders:
- Beauty and the Breach: CISOs to Watch in Beauty, Health, and Wellness
- Behind Every Address: Cybersecurity Leaders in Property and Real Estate
- Behind the Campaign: CISOs to Watch in Advertising, Media, and Loyalty
- Foundations of Trust: CISOs to Watch in UK Construction and Engineering
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

