
When Security Became the Brake on a Bank's Transformation
A major UK bank was racing to modernise its cloud platform. Security was supposed to be part of the process. Instead it had become the problem.
About the customer
This is one of the UK's major high street banks, undertaking a significant multi-year programme to modernise its technology infrastructure. The programme involved migrating legacy services and building new cloud capabilities across more than 250 AWS accounts, with dozens of DevOps teams working simultaneously on shared platform components — encryption services, vulnerability management, data storage, analytics — that would underpin the bank's digital products for years to come. The stakes were high. Internal customers were watching closely. Strategic deadlines were set at board level.
The situation
Security was supposed to be built into the programme from the start. In practice, it had become the bottleneck nobody knew how to fix. New services were being blocked days before they were due to go live, with urgent security demands that appeared out of nowhere. Engineers were frustrated by last-minute requirements that had been entirely foreseeable but somehow went unaddressed until the final moment. Product owners were missing deadlines. Internal customers were losing faith in the promise of fast, agile cloud delivery. And underneath all of it was a risk register that nobody trusted, because nobody really had a clear view of where the risks were.
The turning point
We started with a full audit of the AWS environment. With around 60 accounts at that stage, it was a substantial exercise — we had it done within a week — and it gave both us and the bank a clear view of the infrastructure risk picture. That fed into a risk register exercise they were running and laid the groundwork for what came next: threat modeling.
The first threat model covered a single critical workload. That session did something that months of audits hadn't managed: it got engineers, product owners, risk managers and security leads in the same room, talking about the same thing, agreeing on what actually mattered. The output gave everyone the clarity they needed to make fast, confident decisions. It also revealed something that would prove important across the whole programme — around half the security work those teams were doing was addressing things that weren't real risks at all.
"The Threatplane threat model has given us a totally new level of insight into the security of our infrastructure and how it affects our business, something that thousands spent on other consultants never gave us."
Head of Cloud Security
Scaling the programme
That first model worked well enough that they asked us to keep going. We ran one threat model a week at peak velocity, covering the full range of workloads being built across the platform — shared infrastructure, business-critical services, compliance-sensitive systems. Over the following years we delivered more than 70 threat models across the bank's cloud estate. Each one reduced duplication, redirected effort toward genuine risks, and gave the teams involved a shared understanding of where the real boundaries were.
The result
The transformation programme started moving again. Services launched on schedule. The risk register began to reflect reality. Teams that had been stuck second-guessing themselves now had a clear picture of what the security position was and where the red lines sat. Security stopped being the thing that slowed everything down and became the thing that gave teams permission to move faster.
70+ threat models delivered across the cloud estate
3x faster security assurance for development teams
50% of security work redirected from low-value tasks
Customer Perspective
"Threatplane transformed our security approach from a brake on development into an accelerator. The threat modeling process gave our teams exactly the information they needed to make fast, confident security decisions."
Cloud Platform Security Lead
"The attention to detail the Threatplane team has shown really sets the bar. We've never experienced an external team coming in and providing such swift results. Bravo!"
Product Owner
"We have used Threatplane for threat modeling over many years and they've been so, so fast and helpful in getting new applications through our governance."
Product Owner
Security that accelerates, not obstructs
We help engineering teams understand exactly where they can move fast and where they need to slow down. The result is development that goes faster, not slower.
