devops-in-banks

How to use DevOps in Bank

How Banks Can Take DevSecOps to the Next Level
The only way banks can sustain or build their innovative and
competitive edge is by powering their digital transformation
strategy with effective DevSecOps

Most banks today are driving business objectives aligned to keep pace with the disruptive
born-out-of-cloud fintech startups and soaring customer demands primarily in mobile,
retail, wealth and private banking channels. DevOps practices are being followed by some
digital banking startups and other disruptive online fintech platforms by leveraging cloud
services to adapt without much spend. The customer demands have now converged into
perceivable and measurable KPIs such as:
• Login time
• Interface speed with other payment gateways
• Funds transfer
• Account opening
• Account statement generation, etc.
For a bank, the performance of these KPIs will depend on several aspects like:
• Scale of technical debt or legacy code
• Level of orchestration and automation maturity
• Vision of the bank translating into goals across the organization
• Governance and value stream visibility connected all the way from technology
to bank’s users
• Design led thinking to bake in compliance and security into every stage of
product delivery
Since most banks are still operating in silos due to historical, and in some cases strategic
reasons, most of the programs designed to address these dependencies have different
outcomes, KPIs and timelines, making the convergence of digital transformation painful.
A case in point here is that app modernization, integrated messaging and infrastructure
transformation programs, which are part of the digital transformation umbrella, have
different goals and objectives.
DevOps in a bank is a collaborative coming together of business objectives, ‘Change the
bank’ and ‘Run the bank’ to deliver speed, quality of service and an intuitive end user
experience. For the business objectives to translate into agile change projects and efficient
run operations, CxOs and Engineering Heads play pivotal roles.

Roles leading digital transformation and their impact on DevOps in banks
The advent of DevOps and the more recent BizOps has brought to focus the growing
importance of engaging with the CxOs of an organization early and continuously to build a
successful digital transformation journey. If digital transformation is the “what” of the
future, DevOps and BizOps are the “how” of that journey.
Both these decisive programs need a constant engagement with the CxOs, both from the
strategic and instant implementation feedback perspective.
The impact of these programs is versatile and profound across the people, process,
technology and governance towers, the backbone of DevSecOps transformation.
It is hence important to look at the changing perspectives and roles of the CxO group if we
were to achieve the successful outcomes the business and technology expects from
these programs.
Chief Technology Officer [CTO]: The CTO of any enterprise possesses a strategic view of
the organization’s technology architecture and business. The CTO develops pertinent
initiatives to lead technology transformation towards organizational success by taking
charge of overall outcomes. A CTO’s responsibilities in a banking organization include:
• Designing comprehensive product, design and technical requirements through agile
frameworks for collaboration, tracking and prioritization.
• Creating a central platform team for evangelization, evaluation, implementation and
support of tools across the bank.
• Prioritizing digital transformation programs based on risks and benefit analysis
associated with the customer – Cloud, microservices and containerization first for
new products and features while ensuring parallel focus on programs like core
banking refresh / upgrade.

In fact, the vital need of digital transformation in business strategies is such that a CTO
designation, it is said, should stand for ‘Chief Transformation Officer’.


Chief Information Officer [CIO]: A CIO role usually manages both strategic as well as
operational responsibilities. But the primary aspect of a CIO's role is to manage change.
With increasing focus on IT, the CIO's role has been expanding in proportion. The financial
industry attracts cyber criminals more than other sectors. Hence, the CIO's task in a
banking enterprise is to develop robust security models while driving digital
transformation. The CIO's role also includes:
• Dismantling silos built around different business, process and IT Functions – Create
common agile squads/pods for run and change the bank.
• Defining KPIs for successful business and technology outcomes – Mobile banking
response times, Internet fund transfer times, disaster recovery SLAs etc.
• Acquiring new skills and assuming new responsibilities while fostering internal
collaboration and creating a culture that can adapt to change seamlessly.
• Improving the front-office and back-office digital functionalities; the focus is
increasingly on improving the consumer experience across the entire
customer journey.
• Sharing insights with Marketing to enable the delivery of personalized solutions,
which can yield better customer experience.
VP of Engineering: The VP of Engineering needs to be well versed in industry digital
technologies and leading tools, automation, AI and Analytics, and should have a
proven track record of implementing Digital Finance/Insurance/Banking/CAAS
solutions. The role involves:
• Devising continuous everything – Requirements, design, build, test, deployment,
feedback and optimization.
• Handling of process diagnostics, blueprinting, storytelling and data analysis.
• Seeking customer feedback at various SDLC iteration stages –
MVP, Test and deployment.

Chief Information Security Officer [CISO]: As mentioned earlier, security for the
banking sector is most crucial and banks as well as other financial institutions must
realize that there is no one common tool that can protect the organization from cyber
threats. People, processes, systems and technology should be aligned and the overall
responsibility for this lies with the CISO. The CISO needs to adopt various strategies
to manage cyber security operations. His / Her responsibilities include:
• Building a lean process with IT and compliance standards.
• Prioritizing digital transformation programs based on risks and benefit analysis
associated with the customer – Cloud, microservices and containerization first for
new products and features while ensuring parallel focus on programs like core
banking refresh / upgrade.
• Focusing on security hygiene, which will help most organizations sail through the
crisis: customizing controls, selective monitoring and comprehensive
security hygiene.
Some of the translated challenges for banks in undertaking the transformation
journey are:
• Silos across Change the Bank, Run the Bank, Security & Compliance. The siloed
structure, coupled with organizational resistance to change, makes the
shift difficult.
• Different reporting structure and strategies need different methods to transform.
• Legacy applications and infrastructure involve cost and huge efforts to transition.
• Resistance to innovation appetite, a factor common in legacy enterprises, prevents
introduction of new technologies.
• Security and compliance OEMs do not keep up with diverse control requirements of
standards – PCI DSS, GDPR, ISO 27K, NIST etc.
• There is unavailability of a single pane of glass for measure and traceability of
KPIs driving business and technology outcomes.

Taking DevOps to the next level


Once the strategic vision of a bank’s business and technology is established, it
becomes imperative to outline a precise and comprehensive approach to achieving the
Agile Release Orchestrated DevSecOps end state.
The impact of the strategic and consultative approach to DevOps is quite compelling in
organizations driving several business and IT initiatives in parallel where collaborative
effort and converged outcomes are key to successful implementations.
The first pit stop of the prescriptive approach to DevOps transformation journey is
setting up teams that will drive banking product strategy, tooling landscape and policy
definitions. The recommended option is to have a central platform team to drive
tooling and process and have a federated agile scrum team across product lines and
business units for pipeline management of build, test and deploy.
The IT strategy and KPIs must be driven from the product owner’s perspectives to
ensure IT becomes a successful business enabler. For instance, there might be a need
to run core banking in a waterfall model given the impact of risking a fast-paced agile
model and run alternate channels like mobile, internet and private banking as agile
models. This could be made possible if the next generation architecture is a
distributed one with modular development, and if microservices first is the product
owner’s strategy. A prescriptive agile DevSecOps team structure will be variants of the
following 7 roles:
1. Product owner - Promotion of the benefits of DevOps, quantify business benefits
2. Scrum master - Facilitation for an agile development team
3. DevOps engineer – Pipeline and Infra as code for build and ops
4. Test automation - Application functionality, technical landscape,
test automation tools, scripts with development
5. Governance – RBAC, security and compliance
6. Process consultant – Release and change management
7. Central platform team – Tools stack design, implementation and management

The product owner’s perspective to implementing DevOps automatically aligns the
organization with TOGAF driven architecture strategy for apps, API and infrastructure
continuity while enabling IT4IT for managed IT services. One of the significant
outcomes of a business-driven IT strategy is the creation of a vision for automation
and orchestration.
There could be different flavors of vision strategies depending on the business
objectives of a bank. With a reference vision, architecture and strategy in place, the
bank can chart the DevOps approach. The approach to attaining the DevSecOps end
state is centered on enabling parallelism across digital transformation programs, with
DevOps being the overarching practice across all of them. Hence, it is very important
to decide on the sequence and parallelism of programs such as:
1. Migration of Dev environments (in the order of non-banking, alternate channels and
core banking) to cloud.
2. Data center exit strategy – With due consideration and compliance controls given
to customer sensitive data.
3. Application led version upgrades of the ecosystem - End of life legacy versions
followed by digital innovation.
4. Container and microservices transformation – Starting with non-critical banking
applications.
5. Enable shift left IT security and bank standards for compliance in data center
before moving to cloud – PCI DSS, NIS, GDPR, ISO 27K and so on.
6. Integration of release orchestration platform to the CI/CD tool stack – Enables
release governance through predictability, re-usability and visibility of release
status and issues.
7. Define and activate business, process, technology KPIs for:
• Issue traceability: Funds transfer pipeline stuck due to build agent overload and
wrong capacity forecast.
• Metering/chargeback: Charge for DevOps services across business units like
Wealth management, Wholesale banking, and Private banking for better
cost control.
• App and infra deployment quality: A bank’s customers look to quality of service
ahead of even innovation, preceded only by security; hence quality of the
product is essential to staying ahead of the competition.
• Agile delivery: Bridges the siloed gap between a business analyst of a bank’s
function, the developer and testing teams for early detection of issues, instant
feedback and greater collaborative productivity.
• Value enablement: DevSecOps will have a significant impact on mindset,
culture and skill change to an organization. It is imperative for organizations to
measure the value of investments and transformation at every level in terms of:
-- Increased scope of test automation in improvement of quality of the
released product
-- Infra as code reduced deployment failures
-- Self-service catalog blueprints reduction in onboarding time and
delivery time
• Instant feedback: In a high voltage race to be the fastest to deliver new banking
features to end customer, AI enabled instant feedback bots for collaboration,
pipeline and operations management is the key.
• Pipeline performance: There are several factors that affect the CI/CD pipeline
performance – Stable integrations, platform design and capacity forecast are
some of the key drivers.
• Sprint velocity and release frequency: The velocity of the sprints for MVP and
feature delivery is directly proportional to business and DevOps’ success.
• Predictive warnings: The analytics driven approach to predict the success of a
release or a pipeline is essential to pre-empt any bugs or issues getting leaked
into a stage of irreversible damage.
• BizOps and customer experience: All of the above KPIs will steer banks towards
the next level of DevOps – BizOps, which effectively ties DevOps initiatives to
business benefits and outcomes.


While most of what is outlined in the approach above maps to best practice
recommendations followed by consulting and DevOps services organizations the
world over, some unique approach differentiators are exclusive to Wipro’s
framework for banks after years of successful consulting and implementations.
Wipro’s RAPID Ops framework and platform enables transformation to the bank’s
DevOps journey. This offering that drives Agile and Release orchestrated DevSecOps
supported by Infra as Code and cloud native end state, follows these themes:
• Consulting to assess DevOps maturity level of the bank through Wipro’s flagship
framework and rating algorithms.
• Strategic planning on people, process, technologies and governance for ‘run and
change the bank’ streams.
• Enable BizOps mode of thinking by mapping business strategies to Agile ways of
working and continuous feedback to IT – Scrum, Kanban, ScrumBan etc.
• Transformation to the release-orchestrated Agile DevSecOps end state.
• Automated testing included as a mandate into the application and infrastructure
pipelines.
• Enabling of AIOps driven managed services of tools stack and workloads.
• Continuous feedback, improvement and optimization.
• Find smarter ways to include business feedback into sprints instead of a post
implementation review of a release.
Case Study: Transforming a large bank toward BizOps winning ways
A financial services major with more than $45 billion in revenue wanted Wipro to partner in
their journey towards Agile release orchestrated BizOps. Wipro recommended achieving this
through consultative assessment of their process, DevOps teams, and technology and
governance streams followed by enterprise transformation to the ‘To-Be’ state. The
consultative assessment unearthed some important gaps and shortcomings in the As-Is
DevOps state such as:
1. Agile, continuous integration and delivery in silos
2. Manual release and high cost of test and security process
3. Script based automation
4. Lack of measurement and visibility of outcomes
5. Outdated software development, support processes, which were not aligned
to new age methodologies
6. Losing out on competitive advantage due to lack of agility and automation of IT processes
7. Lack of a business vision mapped to IT strategies
Wipro embarked on a journey to validate the problem statements and come up with a
measurable maturity model. After a detailed assessment of 12 weeks, the maturity
assessment score was pegged at 23 out of 50. The To-Be state was envisaged with the
following themes:
• Central Agile pods for platform support and federated pods for
product build and deployment
• Continuous testing and release delivery
• Leveraged Wipro’s blueprint library for Infra as Code automation
• Integration of security and quality code analysis with CI/CD
• Standardized RBAC and value stream KPI dashboard
After 18 months of transformation, 3 new tools were added, 8 processes were re-designed
(including release and patching) and 1 Agile framework was created with the following
business and tech outcomes.

Technology outcomes:
1. Env provisioning time - From 3 days to 10 minutes.
2. Release cycle time - From 8 weeks to 2 weeks.
3. RBAC & onboarding time - 75% reduction.
4. Manual touchpoints - 75% reduction.
5. Cost - 30% reduction in OpEx cost.
6. Early bug detection - 60% increase.
7. Deployment failures – Down by 95%.

Business outcomes:
1. A competitive edge in time to market.
2. Dev and OpEx cost save leveraged for innovation.
3. Fastest funds transfer module.
4. Better customer trust due to comprehensive compliance and security.
Driving transformation real quick with DevSecOps
Digital transformation of banks is being driven by agile DevOps ways of working as
an overarching theme. Statistics and successful transformation outcomes suggest
that this is the only way banks can sustain their innovative and competitive edge.
Adopting or maturing DevOps to the next level of excellence must include detailed
assessment and evaluation of existing practices, a strategic roadmap to achieve
streamlined functioning of different teams, and a robust implementation approach of
the desired end state that suits the current business environment.

Looking to drive innovation and transformation in your organization through
DevSecOps? To know more and to accelerate your DevSecOps journey,
connect with us at [email protected].

About the author


Syed Ahemed is the Presales Practice Director for DevOps with years of consulting,
evangelizing and implementation experience in DevSecOps for banks, financial
institutions and Tech BUs predominantly. His versatile experience in design and
hands on implementation in open source and commercial technologies while
adopting enterprise security, governance and IT standards has helped several
organizations attain the desired DevSecOps end state and maturity level.
Syed is based out of Bangalore, India.
Wipro Limited
Doddakannelli, Sarjapur Road, Bangalore-560 035, India
Tel: +91 (80) 2844 0011
Fax: +91 (80) 2844 0256
wipro.com

Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO) is a leading global information
technology, consulting and business process services company. We harness the power of
cognitive computing, hyper-automation, robotics, cloud, analytics and emerging
technologies to help our clients adapt to the digital world and make them successful.
A company recognized globally for its comprehensive portfolio of services, strong
commitment to sustainability and good corporate citizenship, we have over 190,000
dedicated employees serving clients across six continents. Together, we discover ideas
and connect the dots to build a better and a bold new future.

For more information, please write to us at [email protected]

IND/TBS/APR-JUN 2021
