In conversation with Sarah Harvie, Chief Information Security Officer, Kingfisher

Posted by Chief Disruptor Editorial Team | 28-Jul-2025 11:40:52

As part of our Interconnection Between People, Process and Technology book produced in partnership with Tanium, we spoke to Sarah Harvie, Chief Information Security Officer, Kingfisher.

Sarah has been CISO at the home improvement brand Kingfisher for just over a year. She has worked in security for over 20 years, previously at Amazon Web Services, where she built teams to protect cloud environments, and before that as Head of Information Security at Merlin Entertainments, protecting theme parks worldwide (“It was a very fun job!”).

Sarah explains how context is an important factor when considering the relative impact of people, process or technology on success.

“It depends on the environment you're dealing with. Some organisations might be strong in technology but weaker in process, and there's always a people element that needs attention.”

She describes a recent networking event for security professionals she attended, where attendees took part in a realistic scenario protecting an industrial waterworks and back-office site. Participants were handed cards representing different security controls, each with an associated cost and value, with the goal of applying controls according to best practices within a given budget. Interestingly, she explains that even though all the groups faced exactly the same situation, every team chose different controls based on their perspectives.

This experience, she believes, really highlights the contextual nature of decision making and the fact that outcomes depend heavily on the CISO in place and the situation they face at the time. Even given the same problem and resources, different leaders will prioritise differently. Sarah acknowledges that although the common ambition of CISOs is to become more of a business partner and enabler, it can be difficult to show how security directly helps the business build value. Sarah argues that the key route to achieving this is by focusing the business on risk.

“We can talk about compliance, control frameworks and technology but unless we truly understand the business’s critical processes and assets, we can’t have meaningful conversations with business leaders. It's about framing discussions around what matters to them, rather than focusing on abstract threats that may not feel real until after an incident happens. By then, it's too late.”

Understanding the critical business operations first enables proactive, impactful security conversations. Sarah also observes how technology teams have evolved significantly over the last decade, and IT is no longer just about infrastructure and service desks.

“Now, we have digital, data and product teams which are much more embedded within the business. They are enabling business outcomes directly.”

Sarah argues that by aligning security with these teams, embedding security into products and protecting data models, security can get much closer to being a true partner to the business. Sarah is optimistic about AI and its potential as an enabler for security functions.

She explains that CISOs are already using AI to automate detection processes, which reduces manual workloads and gives time back to security teams. Automation can also help streamline repetitive tasks and enhance threat detection capabilities, allowing teams to focus on higher-value activities.

“It’s not just about efficiency. It’s about fundamentally changing how we defend against threats in a landscape that's evolving faster than ever.”
