25 Years in Cybersecurity: Building Security Teams That Last

This article is based on the opening keynote by Ravi Burlagadda - a cybersecurity leader at Jio Platforms with 25 years in the field - at BSides Mumbai 2024. You can watch the full session on YouTube.
Most security talks are about breaking things. This keynote was about something harder: building the teams and the judgement that keep a 400-million-user business safe without anyone noticing. Ravi Burlagadda opened BSides Mumbai 2024 with 25 years of hard-won lessons - from writing Linux kernel code as a fresher, to securing 20,000 applications at Microsoft, to scaling security at Jio. His throughline: security is an invisible business enabler, and the best security engineers are the ones who understand the business first.
Key Takeaways
- Security's job is to enable the business, not block it - the more deeply you understand what the business is trying to do, the more effective (and trusted) your controls become.
- Great security teams are built by backing your people, treating policies as living documents, and giving engineers room to rotate across domains so they stay and grow.
- The next few years belong to zero-trust, AI on both sides of the fight, edge/hybrid cloud, quantum-safe crypto, and supply-chain scrutiny - but the fundamentals underneath never change.
From Kernel Code to Securing a National CA
Ravi's career is a case study in turning whatever opportunity lands in front of you into the next skill. He started as a developer at TCS, where an "indirect blessing" - being handed Linux kernel internals as a college fresher - set the direction for years of work. This was the 1999-2000 era, he reminded the room: it could take ten to fifteen working days just to figure out a single command, with nobody to guide you. That self-taught persistence is the trait he keeps coming back to for anyone building a security career: be consistent, be persistent, and use every opportunity you get.
Eight years at TCS (where his team built PKI infrastructure that became a certifying authority in the country) led to seven years at Microsoft, securing an estate of 20,000-plus line-of-business applications, plus stints on Xbox security and the Skype and Yammer acquisitions. The last decade has been at Jio Platforms, heading multiple security verticals across a business built on disruption. The point of the whistle-stop tour: exposure compounds. Every new landscape - consulting, product, hyperscale disruption - adds tools you can't learn any other way.
Security Is the Invisible Contributor
Would WhatsApp pass a strict enterprise infosec review? Probably not, Ravi argued - and yet it leads its category, because it wins on innovation and customer-friendliness. The lesson isn't that security doesn't matter; it's that security has to be a business enabler. The more closely a security team understands how the business competes and innovates, the more it can protect it without getting in the way.
He pointed to Jio's own scale as proof: 400-million-plus subscribers, and no major security headlines. That silence is the security team doing its job behind the scenes - building customer confidence, partner trust, and even the confidence of strategic investors who scrutinise the dark web and public data before they commit.
Scaling Security With the Business, Not Against It
The most useful part of the talk was three concrete examples of security scaling alongside a product instead of blocking it:
- Sign-in, evolved with risk. JioTV and JioCinema launched with no sign-in at all - so that a grandparent or a first-time user could simply tap and watch. As the user base and the risk grew, the team layered controls in: SIM-based sign-in, then mandatory OTP once numbers crossed the hundreds of millions, then single- and multi-device binding. Controls were added as the risk appetite demanded, not all up front.
- The IPL load spike. Making IPL streaming free drove a 3-4x concurrency surge. Keeping every control at full strength would have hurt the experience, so the team briefly tuned some controls to protect performance, then restored them - a deliberate balance of security versus experience, not a lowering of the bar.
- COVID call centres. Overnight, call-centre staff who could only ever work from fixed locations had to operate from home, often without laptops. Security's job was to prevent both business disruption and data exposure: masking so agents couldn't see raw customer data, Citrix/VPN tunnels, and OTP validation before any customer record could be opened.
The common thread: pair the hacker's vulnerability-hunting mindset with genuine empathy for the developer and the customer.
Winning Over Non-Security CXOs
Executives don't speak "vulnerability." Telling a CXO that an attacker would need a token, an entry point, and a chain of conditions doesn't land. You have to find the mechanism to translate risk into business value - and once you show the value, Ravi said, leadership will be more than happy to back you.
How to Build (and Keep) a Security Team
Nobody can master every language and platform - Java, C++, Python, Android, iOS - and the asymmetry is brutal: a security engagement might last one to three weeks, while the developer has lived in that code for six months to a year. So when your engineers get bulldozed by development, PMO, architecture, or business teams who insist "it's not an issue," you back them.
Ravi runs his teams on three mantras: Learn (continuous learning, whatever your experience level), Contribute, and Operational Excellence - always improving the existing processes. He treats policies, standards, and procedures as living documents that get updated whenever employees or business teams give feedback. He arms teams with automation and AI tooling so they aren't drowning in manual work. And crucially, he rotates engineers across verticals - retail, media, gaming, IoT - because security people want change every year or two; rotation is how you retain the talent instead of losing it.
The Trends Ravi Is Watching
- 5G/6G and IoT. A far larger digital footprint, more devices, and a shift toward localised private networks (a housing cluster or factory running its own dedicated connectivity).
- Edge and hybrid cloud. The pendulum is swinging back from cloud-only as big organisations feel the cost pinch and rediscover that "cloud-only" isn't automatically cheaper - the future is a mix of edge, private, and public.
- AI on both sides. Everyone has to become a good prompt engineer, like it or not. And AI lowers the attacker's cost - a campaign that once took 100K can now be done for 20-30K, whether that's social engineering, ransomware simulation, or targeting an identity. Defenders have to raise their game to match.
- Zero-trust, properly understood. Not just "buy an MFA tool." Trust nothing by default; verify the user, the device, the geolocation, and the behavioural pattern. When Ravi's account suddenly generates a burst of requests at 2-3 a.m., that anomaly should fire an alert to the SOC.
- Quantum-safe crypto. Quantum computing has been "coming" for a decade and still will be, but the libraries to prepare exist now - choose quantum-safe algorithms and proper entropy for the encryption you rely on.
- Supply chain. Don't assume Cisco, Microsoft, or Adobe products are secure just because they come from established vendors - the string of Exchange Server breaches is the reminder. Bring third-party products inside your security scope.
- Privacy and regulatory compliance. To compete globally you have to meet the regulations that apply - GDPR, PCI-DSS, HIPAA, ISO 27001 - and data localisation is coming. Build these foundations into how you triage findings.
- Investing in people. The right, rightly-skilled talent is genuinely scarce; organisations have to invest in their people continuously.
Frequently Asked Questions
How do you handle insider threats?
As a company grows, its pool of privileged users grows, and insider risk scales with it. Ravi layers controls: DLP, least-privilege and just-in-time access, strict separation of production and development, and revoking elevated access the moment a task is complete. Data should move only over authorised channels, with continuous monitoring of assets. Pair the technical controls with awareness and real accountability - like the tailgating rule: if you badge someone into the building, you are equally accountable for them.
Do security frameworks change from industry to industry?
The risk framework varies - gaming, media, and banking each weigh risk differently - but the security fundamentals don't change: authentication, data protection, hardened infrastructure, sound operations. Pick a risk framework (SANS, NIST, whichever fits), customise it without losing the essence, and be ready to justify every recommendation. His HIPAA example: patients are routinely asked to consent to sharing all their reports with third parties, often with no option to decline. Real privacy means data segmentation - a chest specialist should see only the relevant sections of a report, not the patient's entire record.
What one habit shaped a 25-year career?
Use every opportunity to learn, and be consistent and persistent. Ravi's own break came from an "indirect blessing" he chose to run with - and that mindset carried him from a fresher writing kernel code to a security leader at one of India's largest platforms.
Summary
The strongest security leaders understand the business first and translate risk into language everyone can act on. Security is an invisible contributor - most visible when it fails, most valuable when it quietly enables the business to move fast and safely. Build teams by backing your people and giving them room to grow, treat your policies as living things, and remember that while zero-trust, AI, quantum, and supply-chain risk will define the next few years, the fundamentals you already know are what carry you through all of it.
About the Speaker
Ravi Burlagadda is a cybersecurity leader at Jio Platforms, where he heads verticals spanning application security, security architecture, DevSecOps, identity & access management, and PKI. Across 25 years he has worked in consulting (TCS), product security (Microsoft - line-of-business applications, Xbox, Skype/Yammer), and large-scale digital disruption (Jio). He delivered the opening keynote at BSides Mumbai 2024.
Watch the Full Talk
Want the complete keynote, including the audience Q&A? Watch the full BSides Mumbai 2024 session below.