Cyber LIVE London: Martyn Booth, CISO at dunnhumby

Martyn Booth, CISO at dunnhumby, shares cyber resilience insights for the age of AI in a fireside chat at Tech & AI LIVE London on the Cyber Stage

Martyn Booth, CISO at dunnhumby, joined the Cyber Stage at Tech & AI LIVE London 2025 to extend the discussion from an earlier cybersecurity panel. 

Martyn’s solo session gave him space to elaborate on AI, zero trust architecture, security culture and the evolving threat landscape for data-centric businesses.

Preparing for AI-powered threats with layered defences

dunnhumby, owned by Tesco and creator of the Clubcard, manages close to a billion customer profiles globally.

As Martyn explained, this data-driven business operates with cyber risk front and centre.

“We’ve seen more AI-powered threats coming through,” he said, citing the increased speed and sophistication of attacks. 

While attackers can experiment and move fast, defenders — already overstretched — must be more cautious, balancing innovation with reliability.

For Martyn, zero trust architecture is the “most important thing you can do” to defend against these evolving threats. 

But he admitted its rollout is challenging: “It probably has the biggest bang in terms of defensive capabilities, but also the biggest risk in terms of disrupting the business if you get it wrong.”

AI tools are part of the solution, but not a silver bullet. 

dunnhumby uses Abnormal Security to filter inbound phishing emails, freeing up attention for other critical areas.

It also applies risk-based training tailored to specific roles — for example, finance teams are trained on secure handling of unstructured data.


Embedding security in company culture

Martyn underscored the importance of building a “security-first culture”, particularly when human error remains a top cause of breaches. 

He outlined a dual approach: grassroots and top-down.

From the bottom up, dunnhumby uses telemetry from its security stack to identify at-risk users and target training accordingly.

Security champions across the business reinforce good practice and provide accessible support. 

From the top down, leadership must model commitment: “Without your executive team taking it seriously, there’s no way everyone else will.”

In one example, dunnhumby changed its multi-factor authentication (MFA) process to block MFA fatigue attacks. 

The company introduced a two-digit prompt system and now requires government ID on video for MFA resets, validated by line managers.

“We got a lot of pushback from that last year,” Martyn admitted, “but now everyone understands why.”

He also revealed that security training has extended into employees’ personal lives.

dunnhumby issues password manager licences for staff and their families to encourage good habits at home — habits that inevitably reinforce workplace security.


Managing third-party risk and navigating AI uncertainty

The conversation turned to supply chain risk, where Martyn acknowledged the inherent limitations of traditional assurance models: “Third-party assurance has always been a bit of a fallacy... the level of assurance we actually get is relatively low.”

Instead, he advocated for deeper transparency and the ability to evaluate real-time policy profiles directly in suppliers’ cloud environments.

In the meantime, dunnhumby uses tools that cross-reference questionnaire responses with security policies to identify inconsistencies.

On AI, Martyn highlighted both its promise and its opacity: “Many of the models are black boxes. We don’t know why they’ve made a decision.” 

This makes it vital to layer AI with more traditional controls.

At dunnhumby, AI drives around 15% to 20% efficiency improvements across the security team, especially in operations and incident response, but remains part of a broader mix.

Martyn welcomed regulation and called for sustained support of global security standards, including frameworks like MITRE and CVSS. 

These open-source initiatives, he said, are critical to aligning strategy and threat intelligence and deserve long-term investment.


A call for innovation, resilience and strategic clarity

Looking ahead, Martyn noted that while most CISOs operate under pressure and in firefighting mode, the best-performing teams allocate time for strategic thinking.

At dunnhumby, three-year rolling strategies are shaped using external resources like the Information Security Forum’s risk forecasts and the company’s own threat modelling.

His final insight came from Tesco’s own playbook: a proactive “kill switch” strategy. 

“They’ve prepared a response protocol where they can cut off access to everything except customer-facing services. That gives them a few days to work out what’s going on.”

It’s an approach Martyn believes could benefit many others.

Whether deploying zero trust, adapting to generative AI, or strengthening culture from boardroom to service desk, Martyn’s message was clear: cyber resilience in 2025 requires layered defences, smart training, and business-wide engagement — from the front line to the executive suite.
