Background

The client’s IT department wanted to leverage Agile and DevOps methodologies to be able to meet increasing business demands and tackle the banking industry’s growing challenges. In parallel, the CISO wanted to establish a ‘Secure-by-Design’ practice by embedding security practices into the Agile and DevOps value chain.

The client wanted to perform a high-level security review of its Agile development pipeline to:

  • Assess its security level (tools and processes); and
  • Define recommendations accordingly.

What did Wavestone deliver?

To perform this security review, we led several interviews over a 2-month period with ~10 key stakeholders (e.g. IT, development, security teams) and reviewed documentation in parallel. Based on the information obtained, Wavestone delivered a comprehensive report containing:

  • An overview of the client’s current state, focusing on how security was embedded within its Agile development pipeline, highlighting areas of strength and identifying areas for improvement (to feed into the target state);
  • A benchmark to highlight the client’s position compared to other European Financial Institutions regarding security in Agile development;
  • Wavestone thought-leadership on Agile security and DevSecOps;
  • Recommendations to improve the security of its Agile development pipeline and a related target roadmap, answering questions such as:
    • How can we effectively embed security into agile projects going forward?
    • How can we do it at scale?
    • Once security is embedded into agile delivery, how should the security functions’ operating model evolve to align with the new corporate agile TOM?

Critical Success Factors

  • Strong relationship built with the client and stakeholders interviewed;
  • Wavestone expertise and thought-leadership on Agile security / DevSecOps; and
  • Wavestone experience on similar engagements with other organisations in the financial sector.