The CISO of one: cybersecurity in the rest of the economy
Forty million customers. £600m through the apps. Half the website traffic is teen hackers. The Nando's CISO has no direct reports. The board paper has not caught up.
The first 200 words are free. The full 3,300-word breakdown — the operating model, the £600 million digital business hidden inside a chicken brand, the C-suite gap, the Minimum Viable Security culture-shift framework, and the falsifiable predictive judgement on what the British consumer economy actually looks like beneath the FTSE 100 surface — sits behind the paywall.
Subscribe to read the full piece and the rest of the *Trust Is the Growth Engine* series — three pieces this week on what VantaCon UK 2026 told us about how trust is being rebuilt for the AI era.

On the morning of 7 May 2026, midway through the keynote programme at VantaCon UK, Christina Cacioppo — Vanta’s CEO and co-founder — sat down on a small stage with Jason Kirk, Chief Information Security Officer of Nando’s.[^1] What followed, in roughly fifteen minutes, was the most operationally honest description of cybersecurity in the British consumer economy I have heard in three years of conference attendance.
Kirk walked the audience through a business that, on paper, looks like a chicken restaurant. Forty million active customers. Around four million unique transactions a month in the UK alone. Five hundred restaurants on these islands and around twelve hundred worldwide.[^2] Then he reframed it. “Although we’re a restaurant business, I think of it as a digital business. We build our own apps. To secure those, we have between £500 and £600 million a year in the UK flowing through them, so they need to be robust.”[^1]
Then came the line that made me sit up. “More than fifty per cent of the traffic on our website is bad actors. I think part of that is we’re a really well-loved teen brand. Any teen with hacking skills thinks, ‘Well, I really like Nando’s.’”[^1]
Read this as my editorial opinion, sharply put. Nando’s is not the exception in the British economy. Nando’s is the rule. The FTSE 100 attention space has trained a generation of security professionals, regulators, and journalists to treat the well-resourced enterprise SOC as the reference architecture. It is not. The reference architecture for most of the British consumer economy is what Kirk described next.