
Information Security Application

Location:
Manhattan, NY, 10176
Posted:
November 25, 2024


Resume:

Derek Evans

Westfield, NJ ***** · 908-***-**** (cell) *****.*****@*****.***

"Only three things happen naturally in organizations: friction, confusion, and underperformance. Everything else requires leadership." - Peter Drucker

PROFESSIONAL EXPERIENCE

PwC, Regional Information Security Lead - Americas, January 2023 – August 2024

1. Security Audit Service

• In a very fast-paced environment, implemented and managed client-requested audits and assessments with a global team of 14, covering data, cloud, and information security controls and aligning with the ISO 27001 framework and internal policies.

• Assessed control effectiveness and sustainability in supporting security commitments, client contractual requirements, and regulatory standards.

• Monitored emerging risks, internal trends, and external events for potential data security impacts.

• Provided trusted advisory services, with 22% of work focused on internal guidance related to information security, privacy, and cloud technologies.

• Managed security services organizational transformation strategies and the tactical deliverables.

• Leveraged AI-driven compliance monitoring for unstructured data, enhancing trending analysis and audit insights.

2. First Line of Defense

• Managed and enforced data security, privacy, cloud capabilities, encryption, IAM, and compliance frameworks (ISO 27001, NIST 800-53).

• Developed remediation plans addressing control gaps and root causes of failures, ensuring measured resolution.

• Collaborated with application security, cloud engineering, and endpoint security teams to advise internal business units and external financial services clients on GRC and security controls for Azure and AWS environments.

• Identified service delivery constraints and optimized Information Security processes, increasing operational capacity, scalability, and service quality through data-driven continuous improvements.

3. Regional Information Security Lead

• Collaborated with Legal, GRC (ISRM), and application development teams to ensure ISO 27001 compliance across the organization, in addition to growing CCPA compliance requirements.

• Established security standards, best practices, and an operating model for InfoSec shared services, boosting service capacity by 30% in a global, fast-paced service.

• Led improvements for key stakeholders, including BISOs, Security Operations Managers, and Cyber Security Program Managers.

• Provided monthly reporting and program updates to senior management.

• Developed a global evidence repository supporting the first line of defense in control assessments and audits.

• Provided information security leadership to firms across North and South America, from Chile to Canada.


Coveros Consulting

Enterprise Application Security Strategist, Sept 2021 - January 2023

Provided strategic and tactical guidance to enhance and mature enterprise application security programs, driving the development of high-quality, secure software with faster delivery timelines.

Client Achievements:

• Delivered maturity plans and roadmaps to mature application security programs.

• Serving as a client BISO, aligned cyber and application security transformations with business goals, integrating industry best practices and client capabilities.

• Built modern AppSec programs with self-service DevSecOps capabilities, reducing vulnerabilities and accelerating product deployments.

• Transitioned legacy GRC-based Information & Cyber Security programs to ensure compliance and alignment with industry security frameworks in cloud-native environments.

• Analyzed and created privacy controls and implementation roadmaps supporting HIPAA and CCPA.

Client Services:

• Conducted cloud, app development, and cyber risk assessments, delivering actionable remediation roadmaps.

• Implemented GitHub advanced security and Jenkins-based DevSecOps solutions.

• Provided AWS secure architecture reviews and remediation plans.

• Designed and implemented DevSecOps programs and processes.

• Taught secure development and AppSec courses at industry conferences.

o Notable clients include DHS, venture capital firms, and asset management companies.

Synopsys - Software Integrity Group, NYC, April 2020 to Sept 2021

Managing Consultant

In a fast-paced company, advised clients on maturing 2nd and 3rd lines of defense through the development and implementation of software security initiatives. Integrated security into the SDLC, CI/CD pipelines, and software risk management processes, covering penetration testing (web/mobile), SAST, DAST, SCA, SBOM, threat modeling, and software architecture analysis. Services were provided through both managed and professional channels.

● Security Management Consulting

● BSIMM Assessments

● DevSecOps implementations and program design & management

● Maturity Action Plans for Software Security Programs

● Architecture Risk Analysis

● Threat Modeling

● Data Security controls for compliance (HIPAA, PII, PCI, and ISO 27001)

● Penetration Testing

● Privacy controls analysis and gap remediation addressing HIPAA and CCPA

● Cryptocurrency Secure Wallet Recovery design

● Managed Service Security Testing

● Operational responsibilities included the management of five consultants, including recruiting, career development, and mentoring.

Skills: Application Security, Executive visibility, BSIMM, Account management.

Pershing LLC, a Bank of New York company

Jersey City, NJ

Director of DevSecOps, Sept 2018 to March 2020

Led cultural and technology change across all four DevOps domains, driving cross-functional integration and prioritizing platform assessment and enhancements to close process and technology gaps for Operations, Development, and Continuous Testing. Achieved a 278% adoption rate in 2019, accelerating innovation and strengthening the firm’s second line of defense.

Key achievements:

• Increased vulnerability testing frequency by 400%.

• Automated code testing contributed to 25% of closed vulnerabilities in pre-production.

• 66% increase in business application owners reviewing code.

• Executed over 1,500 fully automated QA tests.

Developed strategies for Continuous Testing, Metrics & Analytics, and Continuous Deployment in Pershing's private hybrid cloud and DevSecOps automation. Provided transformation strategy and updates to the C-suite while aligning vendor relationships to support technology goals. In concert, I managed the PSIRT process with the bank's larger CSIRT team.

Industry Engagement:

Regular speaker at industry forums (NYC Tech Forum, BlackHat), collaborating with vendors (Qualys, Sonatype, XebiaLabs) and Gartner-recognized companies (Black Duck). Focused on security, automation, and cultural change since 2014.

Skills: DevSecOps implementation, Executive visibility, Application Security, Application Security Architecture, Cross functional leadership

Pershing LLC, a Bank of New York company

Vice President of Global Product Security, April 2016 to Sept. 2018

Led North America and Chennai teams supporting platforms managing $1.5 trillion in assets and generating $2 billion in net capital for 2016. Spearheaded AppSec and Development team maturity according to BSIMM, laying the foundation for the company's DevOps transformation. Drove organizational change and service catalog improvements across disparate development teams.

Key Responsibilities:

• Provided technical services for a J2EE application suite, including black/white box testing, static analysis, and enabling development team autonomy in security testing.

• Supported Pershing’s second line of defense with AppSec services, GRC controls, and audit compliance for FINRA, NYDFS, ISO 27001, and NIST.

• Conducted risk assessments, secure architecture design, and threat modeling for global development teams with varied technology stacks.

Key Achievements:

• Automated security testing and reporting within a CI/CD environment for Java apps, integrating static/dynamic analysis, “build breakers,” and Selenium-based testing.

• Served as the security SME on Agile POC projects, shaping story-level test requirements and security results using SonarQube for OWASP vulnerabilities.

• Converted manual testing services into automated controls while supporting iterative SDLC models.

• Led monthly meetings translating security metrics and technical data into contextual insights for Pershing Technology, focusing on control-based analytics.

Leadership & Strategy:

• Enhanced organizational security maturity through BSIMM and OWASP SAMM frameworks, building a scalable software security group.

• Managed third-party security assessments and pen tests for Citigroup and supported Verizon’s Cybertrust certification.

• Led a team of 17, providing security services across all Pershing applications, including major broker-dealers.

Skills: Application security, executive visibility, DevSecOps, pen testing, application architecture reviews, cross functional leadership.

First Data Corporation, Jersey City, NJ, 2014 – 2016

Director of Global Cyber Security

Led a team of 20 providing security services for clients such as Bank of America, Citi, Wells Fargo, and Walmart. Services included ethical hacking, application scanning, third-party security audits, Java static code analysis, and risk metrics & analytics. Supported the strategy and tactical deliverables to “bridge the security gap to application development.”

Key Achievements:

• Increased shared service productivity by 11%, adding a risk analytics service and supporting over 30 client audits annually.

• Managed and grew the emerging PSIRT team.

• Simplified technical reporting for clients and business executives.

• Provided application penetration testing and security due diligence for an aggressive M&A schedule.

• Implemented self-service security scanning (Qualys WAS), reducing service duration by 40% and improving time-to-market through defect lifecycle integration in JIRA.

• Delivered seamless application security services, ensuring compliance, and supporting over 30 client audits in 2015.

• As Security Architect, delivered threat modeling and architectural risk analysis workshops, identifying vulnerabilities and promoting secure, reusable architecture.

Skills: Application Security, WAFs, Vulnerability Assessment, Penetration Testing, Security Management, Cross-Functional Leadership

Wyndham Worldwide, Parsippany, NJ, 2012 – 2014

Enterprise Product Security Manager

Established and managed the application security shared service across all lines of business and corporate-level applications. Services included Secure Design Review, Dynamic Security Scanning, and the rollout of Cigital SecureAssist for Java developers. Provided extensive support for PCI DSS compliance.

Key Achievements:

• Integrated BSIMM security controls, customizing each business unit’s SDLC and ensuring seamless PCI compliance and annual reports.

• Bridged communication gaps by translating technical requirements into business terms, justifying SDLC maturity improvements in terms of time and budget.

• Conducted vendor security reviews (Microsoft, Oracle, etc.), enhancing overall corporate security posture.

Wyndham Exchange & Rentals, Parsippany, NJ, 2009 – 2012

E-Commerce & Call Center Application Development Manager

Led strategy for e-commerce and call center application development, delivering major application rewrites and regular maintenance releases.

Key Achievements:

• Managed an e-commerce application rewrite, implementing Web 2.0 usability enhancements and social media integration.

• Integrated static analysis into the Java build process, reducing late-phase security scanning and remediation efforts.

• Introduced Quality of Service (QoS) controls, improving secure code delivery from offshore teams and minimizing vulnerability remediation.

• Delivered quarterly application enhancements to drive revenue opportunities.

• Managed teams of 30-50 people, both onshore and offshore, as needed.

Skills: Application Security, PCI DSS, Vulnerability Assessment, Penetration Testing, Cross-Functional Coordination.

Further experience available upon request

Certifications

● AWS: Cloud Practitioner 2020: Security support resources

● AWS: Cloud Practitioner

● ICAgile Certified Professional – Leading with Agility, Leading with Agility & DevOps and Security Testing

● GitHub Advanced Security Foundations certification

● PMP: Not maintained.

● CISSP: Not maintained.

Education

Rutgers University – New Brunswick 2012

Executive MBA – Business Administration & Management
