SAI DEVULAPALLI

Governing and Uplifting the Maturity of Security Controls
This initiative focuses on enhancing the maturity of cyber security controls through strategic governance, collaboration, and continuous improvement. The goal is to strengthen the organization's security posture by proactively managing risks, ensuring compliance, and fostering a strong security culture.

Key Objectives & Responsibilities

• Risk & Vulnerability Management: Govern the closure of identified external and internal vulnerabilities across all business functions. This includes leading Data at Rest (DAR) scanning of shared drives and SharePoint sites to identify and fix data-related vulnerabilities.
• Compliance & Assurance: Utilize the NIST Cybersecurity Framework to perform Control Monitoring and Assurance (CMA) on key controls. The objective is to assess the current risk posture and address gaps by raising issues for remediation. Additionally, map HSBC controls to CPS 234 regulations to ensure regulatory compliance.
• Threat Intelligence & Incident Response: Identify design-level threats using tools like Irius Risk and analyze emerging threats to provide strategic recommendations for system improvements. Direct incident response teams to manage security breaches efficiently, reducing response time and minimizing impact.
• Security Strategy & Protocols: Lead the development and implementation of comprehensive cybersecurity strategies to mitigate risks. This involves collaborating with cross-functional teams to enhance security protocols and conducting regular audits to identify and fix gaps promptly.
• Third-Party & Vendor Security: Evaluate third-party vendor security practices to maintain high standards of data protection and manage associated risks.
• Cybersecurity Awareness & Training: Increase cyber awareness across all teams and business functions by conducting regular training sessions. Develop comprehensive training programs for employees and mentor junior cybersecurity professionals to foster skill development and knowledge sharing.
• Business Continuity: Coordinate disaster recovery exercises to validate the effectiveness of business continuity plans and ensure organizational resilience against cyber incidents.

DevSecOps, Automation, and Security Maturity
This initiative focuses on enhancing the organization's cybersecurity posture by integrating security directly into the software development lifecycle, automating key processes, and fostering a strong security-first culture. As a Lead Security Specialist, I have driven multiple projects to mature security controls and ensure proactive risk management.

Core Projects and Achievements

• Project Shunya: As the project lead, I guided the team toward a state of Zero Defects, Zero Outages, and Zero Effort. This initiative successfully streamlined operations and improved overall efficiency by focusing on automation and quality at every stage.
• Cyberflows: I was the key architect and a primary driver behind Cyberflows, a custom-built abstraction layer. This innovation standardized communication with diverse cybersecurity tools, eliminating inconsistent implementations and delivering a more effective and consistent security output.
• Cybersecurity Awareness & Automation: I designed and implemented a comprehensive awareness program to educate employees on recognizing and mitigating malware attacks. To support this, I developed a custom Outlook add-on that automates the reporting of suspicious emails, empowering the Security Operations Center (SOC) to respond to threats more efficiently.

Key Responsibilities & Impact

• DevSecOps Integration: Championed the transition to a robust DevSecOps pipeline by embedding Static, Dynamic, and Interactive Application Security Testing (SAST, DAST, IAST) tools directly into the CI/CD process.
• Compliance & Frameworks: Ensured the organization's adherence to industry frameworks, including NIST, ISO 27001, and PCI DSS. I successfully led a PCI DSS compliance assessment to protect cardholder data and prevent potential breaches.
  
• Security Enablement: Provided expert guidance and training to development teams and business stakeholders, keeping them informed of the latest security insights and fostering a collaborative, security-conscious environment.

Agile Security & Security in DevOps Implementation

As a Lead Security Expert, my work centered on integrating agile security principles and DevSecOps practices to enhance cybersecurity and streamline development processes. I provided strategic guidance on technologies, tools, and processes, acting as a key liaison between business leadership and technical teams to ensure security was a core component of every initiative.

Key Objectives & Responsibilities

• DevSecOps Pipeline Implementation: I designed and implemented a comprehensive, end-to-end DevSecOps pipeline on AWS, from initial requirements gathering to final deployment, ensuring security was embedded at every stage.
• Business Analysis & Strategic Translation: I served as the primary Business Analysis Point of Contact (POC) for a 25-member Advisory & Transformation Services (ATS) team. In this role, I effectively translated business goals and feature concepts into prioritized product requirements and user stories, working directly with C-suite executives and the management team of a U.S.-based startup.
• Process Improvement: I conducted in-depth gap analyses to identify and address inefficiencies within test processes, including Defect Management, Metrics, Requirement Traceability, and Release Management, leading to significant improvements in overall workflow and product quality.

Information Security Specialist Services
Provided expert security services to major global clients, including TALKTALK, WALMART, and BMW, specializing in application and infrastructure security, vulnerability management, and secure software development lifecycles (SDLC).

Key Projects and Contributions

• TALKTALK (Telecommunications, UK)
  Focused on securing web applications by embedding a Secure SDLC to identify and mitigate vulnerabilities early in the development process.
  Architectural Security: Actively participated in architectural discussions to ensure security was built into the design from the ground up.
  Security Audits: Performed comprehensive architecture and process audits on all online applications to identify security gaps.
  Remediation & Training: Reviewed security scan reports, provided detailed action plans for remediation, and delivered targeted security training to developers, testers, and architects.
• WALMART (Dashboard Applications)
  Led the implementation of robust security features for Walmart's dashboard applications using OpenAM (ForgeRock' Open Identity Stack).

Access Management: Implemented key security features, including Single Sign-On (SSO), Risk-Based Authentication, and Two-Factor Authentication (2FA).

Vulnerability & Penetration Testing:

Conducted in-depth vulnerability assessments and penetration testing with a 12-member team.

Mitigation Planning: Analyzed scan reports and provided actionable plans for mitigation and corrective measures.

• BMW (Infrastructure & Applications)
  Secured and monitored BMW's internal and external infrastructure and application estates, with a focus on strategic Vulnerability Management and penetration testing.
  Team Leadership: Led an 18-member team to perform comprehensive vulnerability assessments and penetration testing on their infrastructure and portals.
  Vulnerability Remediation: Reviewed scan reports and developed effective action plans to mitigate identified vulnerabilities and ensure continuous security.

Secure Implementation of Monitor Warning Functionality for Falcon Aircraft

Roles and Responsibilities:
Vulnerability Assessment and Auditing:

As a Security System Engineer I have performed a vulnerability assessment and audit of the product to identify security flaws.
System Safety Requirements Development: Developed system safety requirements based on direct interaction with the customer.
Information Delivery System Implementation: Implemented a system to provide pilots and co-pilots with information in the form of messages, alerts, and warnings.

Software Modelling of a Railway Ticket Vending Machine (RTVM)

Roles and Responsibilities:
System Design: Designed the RTVM system using UML.
Software Development: Developed the RTVM system using C++.
Vulnerability Management: Identified and mitigated security vulnerabilities within the system.
Project Management: Handled almost the complete project, including both modeling and security assessment.

As a Training Consultant, you have a proven ability to develop and deliver technical training programs, enhance team capabilities, and strategically improve learning outcomes.

Key Responsibilities

• Delivered comprehensive training on foundational and advanced topics, including C, C++, Real-Time Operating Systems (RTOS), and Embedded systems concepts for new hires and junior staff.
• Developed and implemented impactful training programs by conducting needs assessments to identify knowledge gaps and create targeted learning solutions.
• Mentored junior trainers and facilitated workshops to foster collaboration and improve the consistency and quality of training delivery across the team.
• Analyzed participant feedback and learning metrics to continuously refine course content, ensuring high engagement and a measurable improvement in employee skills and performance.