
Bengaluru, 25th November 2025: Security today is no longer a roadblock; it has become a strategic enabler of speed, innovation, and trust. Technology leaders are now tasked with embedding protection seamlessly into development lifecycles, aligning it with business priorities, and ensuring teams see it not as a burden but as a competitive edge. This conversation explores how security is reshaping organizations to be more resilient, agile, and future-ready.

In a thought-provoking exchange with Mr. Marquis Fernandes (Director – India Business at Quantic India), Mr. Sulabh Jain, Head of Application Security Reviews at Amazon Asia/Pacific, explains how shifting security from an afterthought to a design principle transforms it from compliance to culture. He shares his five non-negotiables for securing applications from day one, reveals how gamified challenges can make secure coding engaging, and reflects on tailoring strategies across industries from banking to e-commerce and media. From knowing when to retire outdated tools to measuring leadership growth through team empowerment, his perspective reframes security as a catalyst for innovation and resilience.

Q: If you were to secure a brand-new application from scratch, what would be your first five non-negotiable steps, and why?

When starting fresh, the goal is to build security into the DNA of the application, not treat it as an afterthought. My five non-negotiables would be:

  1. Start with Threat Modeling: Understand what you’re protecting, who the threat actors might be, and how they could exploit the system. This sets the tone for smart, risk-based decisions from day one.
  2. Design for Security: Apply secure architecture principles like least privilege, Zero Trust, and segmentation early. A strong foundation makes everything else easier to secure.
  3. Build Security into the Dev Process: Integrate security checks (like code scanning and dependency analysis) directly into the CI/CD pipeline. This helps catch issues before they reach production.
  4. Get Identity and Access Right: Strong authentication and proper access control are critical. Missteps here are hard to unwind later, so things like MFA, RBAC, and token-based auth need to be rock solid from the start.
  5. Manage Secrets and Config Securely: No hardcoded credentials, no exposed keys. Use secret managers and automate secure configurations to avoid common pitfalls.

At the end of the day, it’s about making secure development the default, not the exception.
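As an added illustration of steps 3 and 5 above (a check that runs in the pipeline and blocks hardcoded credentials before they reach production), the following Python scanner is example code written for this page; it is not code from the interview, from Amazon, or from any named product. The sample files, the name patterns, the entropy threshold and the allowlist marker are all constructed for the illustration.

```python
"""Minimal CI-gate secret scanner (added example, not from the interview).

Two rules are applied to each changed line: a credential-looking variable
assigned a string literal, and any long string literal whose Shannon entropy
looks like key material. A reviewed false positive opts out with an inline
marker. All patterns, thresholds and sample files below are constructed.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample "changed files", as a pull request might present them.
SAMPLE_FILES: Dict[str, str] = {
    "config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2-prod-2025"\n'
        'API_TOKEN = "tok_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"\n'
    ),
    # Hardened form of the same setting: the value comes from the environment,
    # which a secret manager populates at deploy time, so no literal lands in git.
    "settings_ok.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        'TIMEOUT = "30"\n'
    ),
    "deploy.py": (
        'FINGERPRINT = "a1b2c3d4e5f60718293a4b5c6d7e8f90"\n'
        'EXAMPLE_TOKEN = "tok_example_do_not_use_placeholder"  # allowlist secret\n'
    ),
}

# Rule 1: a credential-looking name assigned a quoted string literal.
SENSITIVE_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token|api_?key)\w*)\s*=\s*(['\"])([^'\"]+)\2"
)
# Rule 2: any quoted literal of 20+ characters; flagged only when entropy is high.
LONG_LITERAL = re.compile(r"(['\"])([^'\"]{20,})\1")
ENTROPY_THRESHOLD = 3.5  # bits per character; hex and base64 material sit above this
ALLOWLIST_MARKER = "# allowlist secret"  # reviewed false positives opt out explicitly


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    detail: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (exactly 4.0 for 16 symbols used evenly)."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply both rules line by line, reporting at most one finding per line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue  # an engineer reviewed this line and marked it as not a secret
        m = SENSITIVE_ASSIGNMENT.search(line)
        if m:
            findings.append(Finding(path, line_no, "sensitive-name", m.group(1)))
            continue
        for lit in LONG_LITERAL.finditer(line):
            value = lit.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy-literal", value))
                break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in the change set, in the order given."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def ci_gate(files: Dict[str, str]) -> bool:
    """True when the change may proceed; False fails the pipeline stage."""
    return not scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.detail}")
    print("gate:", "PASS" if ci_gate(SAMPLE_FILES) else "FAIL")
```

Wired in as a pre-commit hook or an early pipeline stage, a check like this fails the build on the two hardcoded values in `config.py` and the key-like literal in `deploy.py`, while the environment-backed setting passes. Production teams usually reach for a maintained scanner such as gitleaks or trufflehog, which carry far larger pattern sets, but the shape is the same: run it before merge, make exceptions explicit in the code, and keep real credentials in a secret manager rather than in the repository.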

Q: Many leaders talk about building security into the culture. What’s one unconventional method you’ve used to make engineers actually enjoy secure coding practices?

One unconventional but effective approach I’ve used in the past is turning security learning into a team-based, gamified challenge, more like a “Capture the Flag,” but focused on real-world secure coding scenarios relevant to our tech stack.

We ran these challenges in a friendly, competitive format, complete with a leaderboard, light rewards, and open discussions afterward. Because the scenarios mirrored actual vulnerabilities (some similar to what we’ve encountered internally), engineers found them both relevant and engaging.

What made it work was that it didn’t feel like mandatory training or a checkbox exercise. It was collaborative, practical, and even fun. Over time, it helped shift the mindset: secure coding became something the team genuinely cared about and took pride in, not just something owned by the security team.

Q: In your experience across Banking, E-Commerce, and Media, how do you adapt security strategies to match the speed and risk appetite of such different industries?

Each industry operates at its own pace and with distinct risk tolerances, requiring tailored security approaches.

In banking, security is non-negotiable due to the high stakes and strict regulatory environment. The focus is on strong controls, thorough governance, and risk mitigation, even if it means slower release cycles, to protect trust and comply with regulations.

In e-commerce, the priority is speed and a seamless customer experience. Security strategies here emphasize automation and integration within fast development cycles, enabling innovation without sacrificing protection against fraud and data breaches.

In media, the emphasis shifts to content protection and service availability. Agility and resilience become key, with a focus on incident response, cloud-native security, and defending against disruptions like DDoS attacks.

Ultimately, the best security strategies align with each industry’s business priorities, balancing risk and velocity in a way that supports growth and trust.

Q: How do you decide when it’s time to sunset a tool or platform?

Deciding to sunset a tool comes down to whether it still serves the business effectively and securely. If a platform is consistently causing friction, whether through frequent outages, lack of vendor support, security gaps, or inability to scale, it’s time to evaluate alternatives.

I also look at whether the tool aligns with current technology standards and integrates smoothly with the rest of the ecosystem. When maintenance costs and risks start outweighing the benefits, and the tool no longer supports business goals or innovation, that’s a clear signal to plan a phased retirement.

Sunsetting isn’t just about replacement; it’s an opportunity to improve efficiency, reduce risk, and free up resources for more strategic initiatives.

Q: How do you measure your own growth as a leader?

I measure my growth by the growth and success of the people I lead. When team members take initiative, innovate, and feel confident owning security challenges, it reflects my effectiveness as a leader. Equally important is my ability to listen openly, adapt quickly to change, and make decisions that align security with business goals.

I also pay attention to how I handle setbacks, learning from mistakes and fostering a culture where continuous improvement is embraced. Leadership growth, to me, is about evolving alongside the team, building trust, and creating an environment where security is not just managed but championed.

Q: What’s one myth about DevOps or Security you wish you could bust forever?

One of the biggest myths is that security slows down DevOps and makes the entire process expensive. The truth is quite the opposite. Introducing security early and thoughtfully actually makes the process more efficient and faster by catching issues before they become expensive and complex problems.

Integrating security from the start reduces firefighting later, saves money by avoiding expensive fixes, and builds trust across teams. Security isn’t a hurdle, it’s a catalyst that enables agile development and delivers better, safer software.

At its heart, effective security leadership is about balance: between speed and caution, automation and oversight, innovation and responsibility. As industries continue to evolve, the leaders who succeed will be those who not only adapt strategies to shifting risks but also empower their teams to take ownership, experiment safely, and grow with confidence. Security, when done right, is not the finish line of technology but the force that propels it forward.

Disclaimer: The views expressed in this article are solely those of the leader and do not represent the views of their organization. No confidential or company-specific information has been shared, only personal insights intended for educational and informational purposes.
