Derek Evans

Product Security Leader

Upper Management / Consulting

Westfield, Town of Westfield, Union


About Derek Evans:

Mr. Evans’ human-led, technology-enabled experience encompasses proficiency in continuous improvement, managing technological shifts, aligning risks and priorities with scalable services, and mitigating process gaps to ensure client satisfaction and security. He has extensive expertise in product, DevSecOps, and cloud security, maintaining and enhancing security postures while reducing risks. He also applies AI analysis to illuminate client insights from client audit topics and sentiment.

Experience

Regional Information Security - Security Service Governance & Strategy 

  • Led enterprise-wide security program transformation with governance controls for a global organization, leading a team of 14 security professionals across security operations, security champions, product owners and various cyber security functions. 
  • Established and matured the security service and control capabilities aligned with respective client risk frameworks (SOC2, NIST 800-53, ISO 27001), and regulatory requirements (HIPAA, PCI-DSS, GDPR, PII) achieving 100% compliance while further reducing audit findings by 90%. 
  • Provided trusted guidance to C-suite and business leaders to translate client security requirements into business-enabling solutions, resulting in improved security trust and posture while maintaining alignment with business needs.
  • Designed and managed AI-powered security compliance insights & metrics providing insights to anticipated client security risks, compliance alignment, and control effectiveness across the global security audits. 
  • Achieved 30% scalability improvements in security operations through tactical transformation of the security audit services, resource management, training, and other capability optimization in a global shared services model. 
  • Additionally optimized the operational service that implemented DLP, web filtering controls and firewall rules.

Strategic Security Partnership & Business Enablement

  • Served as security advisor to business stakeholders, providing risk-based guidance on secure cloud capabilities and controls regarding the protection of client data, securing 11bn in revenue.
  • Established security champions program across business units, improving security awareness and reducing risk through enhanced communication and collaboration; implemented regional security services and autonomy.
  • Built and maintained relationships with key stakeholders including Legal, Application Development, and Cloud Engineering teams to ensure security requirements were embedded in security and data controls and business processes. 
  • Executed comprehensive product security, security audit and security testing capabilities, maturing them and adding service scalability during transformations in concert with current business risk appetite, resulting in more effective risk mitigation strategies and client trust.
  • Created and maintained global security evidence repository supporting global audit readiness and continuous compliance, with the additional benefit of reducing audit preparation time by 45% and decreasing findings to no more than three and usually zero.

Enterprise Security Services Leadership & Transformation

Spearheaded enterprise security program serving Fortune 500 clients including Bank of America, Citi, Wells Fargo, and Walmart. Led team of 20 security professionals while transforming service delivery through strategic automation initiatives. 

Achieved 50% increase in service capacity by implementing streamlined request management system and modernizing security testing processes. Established metrics-driven approach to track and optimize service performance, significantly improving client satisfaction scores and operational efficiency.

Strategic Impact:

  • Achieved 11% increase in penetration testing service productivity while expanding service offerings to include risk analytics, supporting 30+ annual client audits.
  • Reduced security scanning service duration by 40% through implementation of self-service Qualys platform, integrating with JIRA for streamlined defect lifecycle management.
  • Established and scaled Product Security Incident Response processes, developing robust incident response capabilities with a PSIRT framework.
  • Successfully delivered M&A security due diligence through purple team operations and secure AWS architecture reviews measuring CSPM, ensuring security compliance during an aggressive acquisition schedule.

Program Development & Innovation:

  • Architected and implemented threat modeling framework and architectural risk analysis program, creating reusable security control patterns across detective, protective, and corrective domains.
  • Modernized technical reporting processes, improving clarity and actionability for both technical teams and executive stakeholders.
  • Developed comprehensive application security testing methodology incorporating industry-leading tools (Burp, AppScan, ZAP, Qualys, Kali Linux).
  • Created and delivered security architecture workshops focusing on practical threat modeling and risk analysis.

Professional Experience

  • PWC: Regional Security Manager (1/2023 – 8/2024)
  • Coveros Consulting: Enterprise Application Security Strategist (9/2021 – 1/2023)
  • Synopsys: Managing Consultant (4/2020 – 9/2021)
  • Pershing: VP of Product Security & DevSecOps (4/2016 – 3/2020)
  • Fiserv: Enterprise Application Security Director (9/2014 – 4/2016)
  • Wyndham: Product Security Manager (1/2009 – 9/2014)

Education

  • Executive MBA: Rutgers University (2012)
  • BS in Architecture Design: Norwalk State Technical College (1992)

Certifications

  • AWS: Cloud Practitioner: Security support resources
  • ICAgile Certified Professional – Leading with Agility
  • ICAgile Certified Professional – DevOps and Security Testing
  • GitHub: Advanced Security Foundations certification
  • Certified Information Security Manager – CISM
  • Project Management Professional: PMP
  • Certified Information Security Professional: CISSP
  • AWS: Cloud Practitioner 
  • 2021
  • 2021
  • 2020
  • 2020
  • 2020
  • Anticipated 2025
  • 1998 - Not maintained
  • 1999 - Not maintained
