Trainline Security Director Mieke Kooij focuses on both the technical and cultural aspects of security.
"Security is about creating a culture where information and systems are protected by shifting how people interact with them," she told CIO UK.
"Where possible we use technology and automation to do this, but ultimately, it's about gaining consumer trust, winning hearts and minds and changing behaviour."
Trainline is a big and busy business. The ticket retailer sells more than 100 tickets a minute, and the website receives more 45 million visits per month.
Kooij believes it's vital that she is well-informed about all aspects of the company to maintain security and privacy for both the business and its customers.
"To do this, I need to work closely with all areas of the business," she said. "It's easy to get drawn into the day-to-day complexities of our technologies and processes, but I need to stay focused on the bigger picture."
Agile working practices help Trainline quickly adopt and adapt as new technologies and threats emerge.
Kooij adds that maintaining a solid understanding of the data under Trainline's control helps build security and privacy into the company's infrastructure and applications, and concentrate on early detection and response.
"I'm sure there is many a CIO jumping up and down about beefing up their incident response in the wake of the recent wave of malware attacks, but if they aren't also asking if they fully know the data they have, the state of their systems and whether they have controls to detect something going wrong, then they are doing their company a disservice."