Vis Chirravuri, Software Security Technical Director at Thales

Today’s Sage Spotlight features Viswanath (Vis) Chirravuri, Software Security Technical Director at Thales Group, who shares how he's navigating AI adoption at scale, finding the best vendors to address Thales’ top challenges, and staying ahead of industry trends. Vis explains how Sagetap has become his primary source for vendor discovery, design collaboration, and subject matter expertise — transforming how he evaluates solutions and leads security conversations across a multinational org.

Key Takeaways

• Using AI Strategically without Long-Term Damage: With 30-35% of Thales' engineering practices already using AI (expected to exceed 50% in 2026), Vis is focused on investing in AI security without introducing unknown attack surfaces for cyber attackers to exploit.
• Bottom-Up Collection with Top-Down Prioritization: Thales consolidates technical and business challenges through a democratic voting process, then management prioritizes the top 5–10 "epics" each year, guiding which vendors to evaluate.
• AI Education as the Next Big Opportunity: Rather than rushing to build AI products that may be outdated within a year, Vis believes vendors should invest in education services that help organizations understand where and how to leverage AI effectively.
• Trading Conferences for Collaboration on Sagetap: Vis used to rely on conferences to find vendors and stay informed, which was less than ideal. Now, Sagetap is embedded in his process, enabling him to work with vendors as design partners and stay up on new industry approaches.
• Continuous Learning That Strengthens Internal Debates: By learning how impressive vendors like Contrast Security, NetSPI, and Oligo Security solve problems,Vis brings fresh design ideas back to his team and is better prepared for architectural discussions.

Full Transcript

Vis Chirravuri: I do three things. One, I work as a full-time software security director at a company called Thales Group. I’m also an instructor at the SANS Institute, and I'm also a doctoral student in cybersecurity and AI at George Washington University in the US.

In Thales, I am part of the central cybersecurity team, part of the governance team, basically defining security policies, guidelines, procedures, tools. And I also run an internal security community inside the company. 

Meghan Lafferty: So we're almost done with 2025. We're going into 2026. What is most pressing for you and your team right now? 

Vis: What's most pressing for me going into 2026, I will say, using AI in the right way, for the right reasons, without inducing any long-term damage.

There's a rapid growth in AI technology kind of bringing an unknown attack surface for the cyber attackers to take advantage of. So we want to make sure that we are investing in the right place in AI, especially the security of AI and AI being used for security and all of that.

In Thales, we have a top-down prioritization by the management on the collection of needs that we do in the company through a voting process, like democracy style. So all the needs from the engineers, the technical challenges, the business challenges that people put, we consolidate and we put priority to the management in the year, at the beginning of the year. And once we know the top five, top ten things, we call them as epics, that we need to address, we continue to either develop internally or look for vendors. So that is how I decide which projects to pursue on. So it's a mix of bottom-up collection with top-down prioritization.

We are a very large organization with multinational locations and everything, and I can tell you roughly about 30% to 35% of my company engineering practices are using AI today, which is only growing with time. And in 2026, I will not be surprised if it crosses 50% given the way AI is changing. 

In the past, I used to outsource to a company to develop a software, but right now, as I see the AI tools, in just two minutes, you will have an application being developed and deployed and operated on a public cloud platform at a cost of 20 cents or 50 cents. 

That's why education in AI is one of the biggest opportunities in my opinion. The education services will be the next biggest thing in the next few years at least, just letting people know where in AI to invest and how to gain advantages with the AI tools already in place and how they are changing. 

Meghan: Would you say that that's also what the industry isn't talking about enough? Is it the AI education that we're kind of missing out on? 

Vis: Exactly. People are jumping to make AI products, technological products. But the other side, AI is rapidly changing. So your product that you made one year ago is probably already outdated in just one year time frame, because whatever product that you're making, AI can do that. 

If I'm a vendor, I would not invest on products right now. I would invest on education, letting people understand how to make use of the AI in the right way.

Meghan: Before Sagetap, how did you identify the right vendors to evaluate and then the right vendors to actually help your company? 

Vis: The only way I used to understand the industry vendors were through public conferences like RSA Conference or Black Hat conference. 

The biggest challenge is there are too many vendors. It's really hard to focus on my need in a very short time frame, like five minutes per vendor, but that was the only source for me at least, going to the conferences and understanding, or through LinkedIn connections, which was really poor in my opinion. So I would say these kind of challenges were really addressed by Sagetap when it came to me. 

Meghan: You've been on Sagetap for a couple years now. Can you tell me how you use Sagetap and how it's helped you? 

Vis: I have put Sagetap into the process of my company. I have the top challenges that we need to work in the year from the management, and I have always some need somewhere to be able to work with the internal department to connect them. Even if I say today, this vendor does not meet my need, but I want to connect and see how they evolve in one year time frame. I have a contact list of all these vendors, and I think today, Sagetap is the only way I can get this information. 

Sometimes sales engineers even work with them for different reasons. They are able to collaborate with them on design aspects. We don't want to become a customer for them, but we want to become a design partner for them, work together and then sell the product. 

The other impact that Sagetap made to me as an individual, not as an organization, is there is no other way I will know what's happening in the industry, and when I say what's happening in the industry, not just by somebody presenting something at a conference, I'm talking about the new ideas people are coming up with. 

All of these vendors, they have their own unique way of solving problems in the industry. So when I speak to all these vendors, I as an individual, I am more aware of these approaches people are taking to solve the same problem. 

It brings me new design ideas when I go back to my team. How can I approach this? See, the architectural decisions, the design decisions that we debate inside the company, I am more skilled on responding to those questions in the company, thanks to the discussions I had on Sagetap. 

Meghan: Let's talk about your favorite vendors that you've met. Can you tell me maybe a couple of those and what they've done? 

Vis: I don't know what kind of selection process you go through, but every vendor that you bring in are really good at their own product. They are really good in the problem that they solve for the industry. They are really good in terms of explaining their solutions, their own knowledge of the topic. When we speak to them, there is often something that I can learn from them. So it's really hard to say who is my top three vendors. 

One is Contrast Security. I know this company for a while, but when I heard on Sagetap they have a new product, I was willing to connect with them. It's called IAST offering, one of the product solutions that they were offering, and then they changed it to an AppSec protect. It was an amazing product that they were offering. We were willing to take it. 

NetSPI was one of them. And Oligo Security was very interesting in terms of the software composition analysis, the third-party libraries in a software product. That means every software has lots of dependencies into it. So Oligo Security was solving a major challenge right now in the industry: how a malware in a product is being addressed, how vulnerabilities are being addressed in software and everything.

The one thing that excites me a lot is the knowledge of [a] vendor on the topic they are trying to present. And the second thing is it addresses my top five or ten challenges that I bring in. I'm not going to discuss all the challenges that I have with this vendor, because I always, often have some need in the company, so I want to listen more to their offerings. 

Often we look for vendors that offer solutions to be able to deploy on our infrastructure rather than their own infrastructure. 

And the last but not least is, in terms of the roadmap, I often ask these questions to the vendor: How did you evolve either in the past six months, one year, two years of opening a company? That helps us determine the maturity, and it helps us whether you are flexible to meet our needs in the company. 

Meghan: Do you have any advice that you would give other leaders who are not on the Sagetap platform, but you think maybe they could benefit from it? 

Vis: If you want to be an SME, a subject matter expert, in your domain, you should be on Sagetap platform. I don't believe that anybody can be continuously an expert unless you know what's happening in the industry. Sagetap is a platform that keeps us updated on the new evolutions happening in the topic of our interest and our goals. 

Either it is AI or the classical softwares, everything, everything is on Sagetap for me. So Sagetap is one source of expert information of the industry to me.  

And I'm able to evaluate these vendors much easier in contact than in the past. So what else can you expect out of that? So I'm happy being on Sagetap, and I believe every other SME out there should be on Sagetap.