
Cybersecurity Q&A: Jason Harle


Q&A Transcription:

Welcome, Jason. For those who don't know who you are, can you give a quick snapshot of your current role at Carlsberg and what security leadership looks like in a global consumer organisation?

Yeah, absolutely. I’m the Head of Security Engineering at Carlsberg, which for me is one of the most interesting roles in cybersecurity, though I would say that given it’s my role. It comes at a time when there has been a huge amount of investment and activity across cybersecurity in recent years. A major tipping point was GDPR a few years ago, which really put security on everyone’s agenda.

My role is very much an orchestration role within the organisation. We are highly technology dependent, and rightly so, but the challenge is doing this safely and in a way that is coherent. It’s about turning strategy into controls that deliver a return on investment, make the business more secure from both an architectural and control perspective, and also make the user environment easier for end users.

At a high level, that’s the primary focus. My team works across multiple cybersecurity domains, always with the question of how we improve the overall architecture. I often use an analogy from my consulting days: many organisations are like a house that was built 30 years ago, then extended over time. A bedroom added here, a garage there, maybe something bolted onto the roof, but nobody ever stopped to ask what the house should look like in the future.

In security, this often results in environments that are difficult to navigate and even harder to defend. Sometimes it’s like building a house out of wood, putting a petrol store next to it, and then handing people matches. A big part of security engineering for me is stepping back and designing an architecture that is inherently easier to defend, rather than endlessly adding more controls on top of something that was never designed coherently in the first place.


You spent a significant part of your career at Deloitte and in consulting, before moving into your role at Carlsberg, but what motivated that transition from consultancy into industry?

I’ve actually made that move before. I went from Deloitte to Pandora, the global jewellery company, so this wasn’t my first transition out of consulting. If you look at careers historically, people used to join a company, stay there for decades, and retire with a pension. Consulting is very different.

Working in consulting was a brilliant experience. You gain exposure to a huge range of organisations, from small, highly agile companies to heavily regulated and sometimes quite static ones. You see everything. It’s fast-paced, challenging, and incredibly educational. I’d genuinely recommend it to anyone considering consulting, because you learn an enormous amount in a short space of time.

For me, I like to balance my career by being on both sides of the table. I think it strengthens you professionally, whether you’re operating internally or advising externally. When I became aware of what Carlsberg was undertaking, it felt like one of those roles you simply have to take.

I used to joke that there were probably only three jobs I’d leave consulting for: working for a beer company, joining a Formula One team, or helping Sunderland Football Club for a season in exchange for tickets and shirts. When this opportunity came up, the timing felt right. It was a chance to implement and operate many of the things I’d advised on for years. The transition was relatively seamless, and it’s been a great move so far.


I'm always fascinated by how people get into IT, and specifically security. Where did that journey start for you, and when did you first become aware of the interest and desire to move into a career in security?

I joined consulting after 19 years in the UK military. My background was in electronic warfare and signals intelligence, which I fell into somewhat by chance. I originally joined as a radio technician but was later moved into the intelligence branch, working in those areas.

That gave me a strong foundation in what I’d describe as more offensive security disciplines. When it comes to cybersecurity, it’s interesting because I’ve never followed the traditional IT route. I didn’t start on a service desk or as an assistant administrator, which is often described as the standard pathway into cyber.

I actually disagree with that model. I’m a security practitioner first, applying security principles within a cyber context. I think that creates a healthy tension within organisations. You have teams focused on enabling availability of systems and data, and in parallel, teams focused purely on security and risk. That balance is important.

The transition into cybersecurity felt fairly natural for me. I did additional training and completed a degree through Staffordshire University, which turned out to be much more focused on cybersecurity than I initially expected. I also entered the field at a time when there was significant hiring taking place.

With a military background, it was probably a relatively easy route in, but the industry moves in cycles. Hiring demand changes depending on market conditions, technology shifts, threat landscapes, and the availability of skilled people. That’s just the nature of the field, but it remains a brilliant industry to work in.


What is the biggest misconception that people have about enterprise security when going from consulting into industry?

I think it’s very much a two-way journey. I’ve seen people move from consulting into industry and vice versa, and the two environments are fundamentally different. Ultimately, it comes down to accountability. In industry, you own the risk. In consulting, you advise on it.

From the outside, it can be relatively easy to recommend a particular approach or solution. In reality, implementing that advice is far more complex. There are stakeholders to align, processes to change, and competing priorities to manage. While I’d love to say my job is spent deep inside platforms hunting threats with my team, a lot of the reality is working with procurement, change management, internal communications, workplace management, and many other functions.

Without that collaboration, security becomes an isolated function rather than something embedded in the business. Taking consulting experience into industry is valuable, especially when it comes to building coherent strategies that deliver return on investment and align with business goals. However, carrying that strategy all the way through transformation and into day-to-day operations, across people, process, and technology, is where the real challenge lies.

It’s nothing to be afraid of, but it’s something people need to think about seriously. I’d always recommend finding a mentor who has made that transition before. Understanding the journey beforehand is far better than being surprised by it after the fact.

Conversely, moving from industry into consulting brings a different set of challenges. You may have less direct accountability for a single organisation, but commercial drivers come into play. Communication becomes critical, because it’s the foundation of selling projects and platforms across multiple organisations with different regulatory, financial, geographic, and scale considerations. Consulting tends to be broad, while industry roles are deep.


What changes have you seen in the boardroom in the last 5-10 years?

The most positive change is that cybersecurity is now firmly on almost every board’s agenda. Most risk indexes place cyber as either the number one or number two risk at board level. Awareness is there, which is a huge step forward.

The challenge many organisations face is understanding what they are getting for the money they spend on cybersecurity. Investment typically increases year on year due to growth in data, new sites, acquisitions, and overall digital scale. But questions like “How safe are we?” are extremely difficult to quantify. Reporting that effectively to a board is not straightforward.

There’s also the question of value. Every pound or dollar spent on security is money that could otherwise go into production, marketing, or hiring. Security is competing with other business priorities, which means it has to demonstrate tangible business value.

One example is mergers and acquisitions. If you can approach M&A security in a structured way and reduce the security integration timeline from months to weeks, you accelerate the point at which an acquisition becomes operational and revenue-generating. That’s a clear business benefit.

Another example is remote working. While it doesn’t directly generate revenue, it significantly expands the talent pool and offers flexibility that people value. That can improve retention and access to skills, often at little additional cost.

When these benefits are communicated clearly and coherently, boards begin to engage more deeply. Alongside this are regulatory concerns and the need to avoid so-called black swan events that could severely impact the organisation. What I’ve really noticed is that boards are now far more inquisitive. Instead of passive oversight, they’re asking better, more informed questions, which is a very encouraging shift.


Now that you've transitioned away from advising on risk to owning it, how does that change your decision making and your prioritisation?

That’s a really interesting question. I tend to operate with a mindset built around two key pillars. I would much rather take an imperfect decision that is “good enough” than spend too long chasing perfection. By the time something is perfect, it’s often out of date, a funding window has been missed, or momentum has been lost.

For me, there’s an element of taking some risk in order to reduce risk. There are many examples of this, but AI is a good one. A lot of people view the use of AI in cybersecurity as introducing additional risk. You could ask, are we making things worse by adding AI into the mix? At a very high level, my view is the opposite. Not using it introduces more risk than using it.

If you look at areas like attack surface management or security operations centres, the traditional model relies heavily on analysts watching screens and working through large volumes of alerts. Fatigue sets in, KPIs turn into a numbers game, and inevitably some risk is missed. An imperfect AI solution that analyses multiple data points in real time and provides an 80–90% confidence assessment for analysts to quality-assure can actually reduce risk, not increase it.

From my perspective, that approach allows us to apply human judgement where it adds the most value. It’s not about taking gambles, but about taking calculated risks that deliver a positive return on investment. That mindset is central to how I now prioritise and make decisions.


Where do you still see blind spots emerging at scale?

That’s a great question. When you really dig into most organisations, they usually have processes or technologies covering the major areas. It’s increasingly rare to find an organisation without email security, endpoint protection, or similar foundational controls in place.

Where I see the biggest blind spot is in orchestration. Even relatively simple threats can become hard to manage if you don’t have a clear, consolidated view of risk. Most tools have dashboards, but they are typically focused on individual domains. Email security has its own view, identity has another, vulnerability management another, and so on.

For me, the blind spot is not being able to bring all of that together into a single, coherent picture. That includes vulnerability data, identity risk, geolocation activity, and other contextual signals, all viewed together rather than in isolation. This orchestration layer is fundamental to security engineering.

Another major blind spot is third-party risk. Most organisations are heavily dependent on external suppliers and partners, yet visibility into those risks is often fragmented. The issue isn’t individual controls, it’s the totality of the investments and whether they are generating the insight and outcomes they should.

The technology exists, and the expertise certainly exists. The challenge is bringing everything together. It’s not an overnight fix, but a transition. Once that orchestration is in place, automating responses becomes much more achievable.

I know some organisations are hesitant to automate security responses due to concerns about disrupting users or production environments. But attackers’ breakout times are shrinking year on year. In many cases, the bigger risk is not moving quickly enough. That’s why orchestration across multiple areas remains the central blind spot for me.


Are organisations becoming genuinely more resilient, or just better at reporting, in your opinion?

That’s a good one. I think the regulatory landscape has been a strong driver for momentum and buy-in. Frameworks such as NIS2, NIST, and ISO are often the starting point, and they serve an important role in setting direction.

The real question is what happens after you commit to those frameworks. I’ve seen organisations with excellent audit documentation and very strong reporting, but less clarity on how that translates into enforced policies, technical standards, and real controls at the technology layer.

Going back to orchestration, the key is whether governance and technical implementation are actually working together. Boards are now asking more direct questions, particularly after significant investment: what have we achieved with the money we’ve spent?

Where organisations struggle is when they focus on governance or technology in isolation. Strong governance without effective technical implementation is risky, but so is deploying lots of technology without clear governance. In both cases, you end up with fragmentation and limited impact.

The organisations that really stand out are the ones where governance and technology work closely together, rather than one sitting on top of the other. Otherwise, you end up with policies stored in a folder that no one uses, or security tools that are deployed but rarely logged into. True resilience comes from joining those pieces up.


What's your take on AI in a secure environment?

There are really two sides to this. One is securing AI itself and controlling how it’s used, and the other is using AI to improve security. In some ways it’s a chicken-and-egg problem.

Most organisations already have people using AI, either in sanctioned or unsanctioned ways, and that in itself introduces risk. However, when AI is implemented in a structured way, with the right architecture and clearly defined scope, it can be extremely powerful.

The reality is that we now deal with vast amounts of data, a growing number of applications, and complex third-party ecosystems. We’ve passed the point where humans alone can stay ahead of the curve. AI helps address that, provided it’s introduced thoughtfully.

For me, this starts with strong vendor selection and proper assessment, including understanding how data is handled and controlled as it leaves the organisation. Securing AI usage is essential, but it’s also about balance. Choosing to do nothing with AI may reduce one set of risks, but it creates another by leaving organisations behind while attackers continue to adopt these technologies.

Attackers are already using AI in various ways. While we’re not seeing fully autonomous attacks at scale every day, the difference compared to ten years ago is significant. From personal experience, I can say I’d far rather be learning how to defend systems today than doing it a decade ago, when it was far more painful and manual.


In enterprise security, what real significant practical impacts do you see occurring over the next three to five years?

A lot of people worry about whether AI is going to take jobs, and that concern comes up frequently in conversations and across platforms like LinkedIn. I don’t believe AI is going to take jobs. What it will do is enable scale.

Security teams are already under pressure, and threats are moving faster. AI helps reduce response times, improve visibility, and provide better coverage across complex global environments where architecture is constantly evolving and not always perfectly documented.

For people concerned about roles that have traditionally been more manual, such as tier-one SOC analysts, my view is that change has always been part of this industry. This isn’t something new; it’s another turn of a wheel we’ve been on for many years.

AI and automation are here to stay, and those who can use automation effectively will be the future leaders in security. The impact will compound year on year. For anyone looking to move into engineering or security roles, automation should be high on the learning agenda.

That means understanding the fundamentals of what you’re automating, whether that’s the threat landscape, IT environments, or operational technology if it’s relevant. It also means knowing how to automate safely, how to bring stakeholders with you, and how to translate automation into real risk reduction without introducing new risks through overly aggressive response actions.

If I were entering the industry today, security automation would be a core part of my learning curve.


When it comes to AI, where do you feel most organisations are underprepared? And where are we most underprepared: technology, governance, or people?

I don’t think the main gap is technology. Most organisations already have technology in place, and there will always be replacements and carve-outs driven by contract lifecycles and long-term roadmaps. That evolution will continue for years.

I also don’t think people are the biggest issue. The industry is constantly changing, and what I see around me are people who are highly adaptable and genuinely eager to improve themselves. Many are excited by new technology, processes, and governance and are investing in their own development on an ongoing basis.

Where I see the biggest gap is in process. Specifically, aligning people and technology effectively through well-designed processes. Process design often isn’t seen as exciting. The exciting part is deploying a new platform, launching something innovative, or going live with new capabilities. But the hard work, which can’t be automated, sits behind that in the design of robust processes.

As organisations integrate more technology to protect increasingly interconnected business systems, process design becomes critical. This also links back to governance. It’s one thing to have policies, standards, and playbooks, but unless they are embedded into formal, effective processes that are continuously reviewed and optimised as the landscape changes, gaps will remain. That’s where I see organisations still underprepared.


If you could remove or automate one major pain point in security operations today using AI, what would it be?

That’s a really good question. If I could automate one thing perfectly, it would be a truly bulletproof asset management process.

I’ve never seen an organisation with asset management that is 100% effective. When you start automating security responses, having accurate and reliable asset data becomes critical. For example, if you’re going to contain or isolate something automatically, you need to understand ownership and context. There may be valid reasons to let something continue running temporarily, or conversely, to disconnect it immediately from the wider enterprise.

Asset ownership itself can be problematic. For many people, becoming an asset owner was never part of their original job description. They may not have the budget or authority to properly secure that asset, yet responsibility is suddenly assigned to them, often through a joiner, mover, or leaver process when someone exits the organisation.

This creates gaps and uncertainty, which makes fully automated response difficult. From my perspective, instant automated response will always depend heavily on a robust, well-understood asset management process. If I could fix one thing with the click of a finger, that would be it.


In your opinion, how does security leadership differ between working for a global, leading, established technology company or consultancy, versus someone who is protecting their business but doesn't sell technology as a service?

The consumer industry is a good example here. It doesn’t really matter what specific product you’re selling, whether that’s beer, jewellery, or something else. Right now, the consumer sector is facing significant headwinds, particularly linked to the cost-of-living crisis.

What that means is organisations have to be exceptionally sharp. Across the entire digital journey, from sourcing and design through to production, marketing, and all supporting functions such as compliance, tax, and HR, there is very little excess capacity or margin for inefficiency.

All of these functions need to be deployed quickly, operated efficiently, and perform at a high level. People often focus on the product that ends up on a shelf, but the supporting systems and processes that make that possible have to work extremely well.

Most organisations in this space are already very good at this. I don’t see many that are standing still. That creates an opportunity for security to be embedded as part of that momentum. One of my favourite analogies is that security should act like the brakes on a car, not to stop it, but to allow it to go faster safely.

For me, that perfectly captures the role of a security team. It’s not about slowing the business down. It’s about enabling speed and confidence, knowing that security is there to support and protect what the organisation is trying to achieve.


When you look at skills and traits that make that transition from consultancy to industry successful, what are they in your opinion?

Communication is the number one trait, without question. It doesn’t matter whether you’re working in consulting or in industry. If you can’t communicate effectively, it doesn’t matter how technically strong you are, because you’re never working alone.

It can be difficult to tell people to simply “go and become a great communicator,” and it’s not necessarily everyone’s natural strength. But there needs to be an effective baseline level of communication for people to succeed and drive change.

One practical example I often share is decision-making in meetings. If you’re presenting options and need a decision, put two options on a single slide. One in red, one in green. Make it clear that no decision is still a decision, and that if nothing is agreed, the default option will be selected.

You then clearly outline the benefits of the preferred option, what it requires, and ask whether agreement can be reached in principle or what steps are needed to get there. Communication isn’t just about speaking well. It’s about enabling decisions and driving change. Without that, transformation simply doesn’t happen.


Have you noticed a distinct shift in how new talent coming through communicates, versus 5-15 years ago?

I’m genuinely impressed by the newer generation coming through. This is a generalisation, but they bring a strong sense of values and curiosity that I didn’t have early in my career, particularly when I started in the military. Back then, it was very much about doing what you were told without question.

The new generation brings a fresh perspective, which the industry really needs. Cybersecurity isn’t an old industry, and we’re going through a generational shift. The people coming through now are naturally more tech-aware, but that’s not what stands out most to me.

What I really value is that they care deeply about doing meaningful work without sacrificing their personal lives. They set clear boundaries, which means the work they do needs to have real value. They’re less interested in maintaining the status quo if it doesn’t serve a purpose, and that mindset is incredibly powerful in an industry that is in constant transformation.

In many ways, I’m almost intimidated by how good they are, but that’s a positive problem to have.

The challenge for them is the sheer volume of information available. You can teach yourself almost anything at little or no cost, build systems in the cloud without owning infrastructure, and access endless advice about careers and certifications. There’s also a lot of noise, including misleading narratives about job shortages and career paths.

This is where mentorship becomes critical. Saying “I want to work in cyber” is too broad. It’s like saying you want to work in medicine without knowing whether you want to be a nurse, a surgeon, or a pharmacist. Cyber is one of the few industries where that level of ambiguity is still common.

As an industry, we need to be clearer about what roles actually look like, especially as automation increases and governance becomes more important. That clarity helps the next generation land more effectively, rather than wasting time chasing roles that may no longer be growth areas. For example, penetration testing was once a strong entry point, but today the balance has shifted, with far greater demand for governance, risk, and operational roles. The industry is changing, and our guidance needs to change with it.


Within the limits of what you can share, can you give me a quick overview of what the next couple of years will look like at Carlsberg and why right now is such a good time to be there?

One of the most refreshing things about Carlsberg is that it’s genuinely a place where you’re encouraged to dare to do things. We have strong teams, a clear view of what we want to achieve, and real backing from the organisation to go and deliver.

One of our core principles is decide quickly and deliver with excellence. Not every organisation can do that, whether due to regulation or internal constraints. At Carlsberg, we can. As a global company, we have highly capable teams across OT, governance, risk and compliance, all working cohesively. That allows us, particularly in security engineering, to architect for the future on what is effectively a blank canvas.

We operate globally, across multiple continents, which makes collaboration incredibly exciting. While I can’t go into specifics, there are some meaningful, large-scale initiatives underway that make this a very compelling time to be part of the journey.


Over the next year or two, growth is probably on the agenda for security, not just in terms of investment and tech, but also for people and headcount?

Growth is always something we consider, but for us it’s not just a headcount discussion. As a global organisation operating across many markets, the real question is where we need capability and how we position people to have the right impact locally.

Different regions come with different regulatory requirements, operating models and supplier landscapes. So we think carefully about regionality, skills, and outcomes rather than just numbers. At the same time, the security industry itself is changing, so we’re constantly assessing what skills we’ll actually need going forward.

I’m particularly focused on developing our existing people. Hiring is important, but building meaningful career paths that allow people to experiment, grow and build long-term careers at Carlsberg matters far more. Those considerations come first when we talk about recruitment.


How would you outline Carlsberg's culture to anyone thinking about having a security career or a career with Carlsberg?

Culture is something every company talks about, but I’m genuinely impressed by both the depth of expertise and the sense of community at Carlsberg. There’s a strong feeling that you’re part of something bigger.

As a global company headquartered in Copenhagen, there’s also a real connection to heritage. Carlsberg’s history and its impact on Danish society are tangible, yet it remains a fast-moving, modern organisation. There’s something quite special about watching a football match, opening a beer, and seeing your own company looking back at you on the can.

It’s a place with a strong ethos, where you’re encouraged to be ambitious, both in your career and in the work you do every day.


What is the most overused phrase in security right now?

“Skills gap.”

I don’t believe there’s a true skills gap. If you post a job advert today, you’ll easily get 100 applicants. The reality is more about alignment and quality. Typically, perhaps 30 percent are genuinely viable, and maybe 10 percent could step in and excel immediately. Those are very fine margins.

The bigger issue is whether we’re training and hiring for where the industry is actually going. If we flipped the model and asked, “What should we be hiring for in 2028?”, the lead time isn’t that long.

Candidates who can articulate both today’s reality and a clear view of the future state – how security will evolve and how that delivers value – stand out immediately. That’s a very difficult proposition for any hiring manager to ignore.


Finally, in terms of advice, what's the best leadership advice you've ever been given?

Leadership is an interesting concept. In environments like the military, leadership can be quite static – people have to do what you tell them. That’s not the same as compelling people to follow you.

For me, leadership is the part of you that can’t be documented. It’s a blend of vision, personality, empathy, and the ability to take people on a journey. It’s a privilege of responsibility. You have people beneath you hierarchically, and your job is to put them before yourself.

In the military, officers don’t eat until everyone else has eaten. It’s a small gesture, but it says a lot. Stay connected to your people, understand them, and trust them. Good leadership compounds over time, and people will continually surprise you in the best ways.

The best advice I was ever given, though, was simple and bold: you need to leave, because you won’t grow here. It was uncomfortable to hear, but it was absolutely right.