Client: A global tier-one financial services organisation operating at significant scale across multiple regions, delivering retail and commercial banking services within a highly regulated and risk-critical environment.
Challenge
In 2022, our client underwent a regulatory audit across technology and operational resilience controls. Due to evolving standards and controls within cyber security, the audit identified several areas that required strengthening across the estate. The increase in cyber threat across financial services highlighted the need for stronger protection measures across critical infrastructure. Two of the most significant findings mandated the introduction of enhanced network segmentation and additional layers of network security to reduce the risk of lateral movement and strengthen defence against emerging threats.
To comply with regulatory expectations, our client committed to a remediation programme that required additional controls to be applied to 71 priority applications by June 2025. This remediation effort would need to follow two defined migration pathways, each dependent on application architecture, data sensitivity, and hosting environment. Given the scale, complexity, and regulatory oversight of the programme, our client engaged Airwalk Reply as a strategic systems integration partner and Project Management as a Service provider to deliver end-to-end programme governance, delivery leadership, and execution support.
Airwalk Reply was brought in not only to coordinate the migration activities but to establish robust governance structures, align technical teams, manage dependencies, and ensure that the programme met the regulatory timelines. Their involvement provided our client with the expertise, capacity, and structure needed to deliver the remediation programme with confidence and regulatory assurance.
Approach
Programme Delivery Overview
To meet the regulatory commitments, Airwalk Reply established a robust, high-performing programme team designed to challenge the status quo and ensure clarity, alignment, and accountability across all workstreams. Operating as a central command-and-control function, the team provided strong governance, rapid decision escalation, and proactive issue resolution, minimising delays and keeping delivery momentum high.
A key strength of the programme was its ability to ‘knit together’ complex technical, operational, and regulatory requirements. The team structure intentionally combined deep technical expertise with experienced delivery leadership, ensuring that engineering detail and programme execution remained tightly connected. This integrated model enabled early identification of risks, stronger cross-workstream collaboration, and consistent alignment to the June 2025 regulatory deadline.
PMO Excellence
The PMO played a critical role in maintaining programme stability and transparency. Core responsibilities included:
- Focused reporting: Provision of concise, data-driven updates for senior governance forums.
- Active planning: Maintenance of the high-level detailed plan, which reflected dependencies and evolving constraints.
- RAID management: Ensuring risks, issues, assumptions, and decisions were rigorously tracked and escalated on time.
- Dependency management: Mapping and managing cross-functional dependencies to avoid conflicts and schedule impact.
- Assurance preparation: Coordination of evidence, controls, and documentation to support regulatory review and audit readiness.
This structured PMO capability ensured decision-makers had reliable, timely insights and that the programme progressed with discipline and confidence.
Migration Approach 1: Re-IP
A critical migration path was the Re-IP, the process of changing an application's underlying IP addresses to align with new network segmentation requirements. For the programme:
- 18 services were in scope
- Just under 800 servers required Re-IP activity
- Delivery spanned three global time zones
- All servers remained on track for completion within regulatory timelines
This stream of work required thorough planning, tight scheduling, and strong leadership to ensure seamless transitions.
Migration Approach 2: Build New
The second major pathway focused on the complete rebuild and migration of high-risk applications into new, segmented network zones. Key achievements included:
- End-to-end delivery of 20 extreme-risk payments and services
- Full infrastructure build, configuration, and migration into the new -aligned zones
- Management of 20 project teams, coordinated by two Airwalk Reply delivery leads
- All applications on track to meet cost and delivery obligations
This approach delivered a modernised, secure, and compliant hosting environment for some of the client's most critical financial services.
BAU Transition
To ensure sustainability beyond programme completion, a comprehensive BAU operating model was developed, focusing on:
- Design of BAU processes to maintain compliance and operational efficiency
- Definition of the BAU target operating model
- Creation of an exceptions process for non-standard scenarios
- Implementation of guardrails to protect the integrity of the model
- Education and onboarding to ensure BAU teams could confidently operate the new processes
This helped the organisation stay stable over the long term and stopped teams from slipping back into old ways of working.
Network and Firewall Delivery
A substantial portion of the programme focused on strengthening network security and firewall controls in line with regulatory expectations. Core activities included:
- Infrastructure and zoning design to meet segmentation requirements
- Bastion design and implementation to protect administrative access
- Firewall process design, defining governance, lifecycle, and approvals
- Firewall rule implementation across multiple zones and environments
- Operationalisation of new firewall processes to embed compliance into day-to-day operations
These enhancements established a stronger and more secure cybersecurity position for our client.
The Results
The programme delivered a significant uplift in the client’s cybersecurity, operational resilience, and regulatory compliance. Through a coordinated delivery model that combined technical depth with strong governance, the team successfully met all requirements-driven milestones and maintained full alignment to the June 2025 deadline.
Top 5 Key learnings:
- Technical and delivery integration is critical for success. Combining engineering expertise with strong delivery leadership enabled faster decisions, clearer planning, and smoother execution.
- A centralised command and control model maintains momentum. Clear ownership, structured governance, and proactive escalation helped avoid delays.
- Proactive planning and RAID discipline reduce risk. Early identification of issues, active dependency management and regular reviews kept the programme ahead of potential blockers.
- Clear, concise reporting strengthens leadership confidence. Focused updates supported informed decision-making and improved overall governance effectiveness.
- A well-defined BAU model ensures long-term sustainability. Establishing processes, guardrails and an exceptions framework prevented regression into legacy practices and supported ongoing compliance.