How DevOps is shaping Financial Services #1: The role of governance


In this series of blog posts, we speak with database professionals from Financial Services organizations around the world to better understand how DevOps is shaping the sector. On the way, we dig into key current factors including the rise of technology upstarts in fintech and insurtech, the speed of digital transformation and the ever-increasing threat of cyberattacks.

First up, we speak with Hamish Watson, DevOps Alchemist and Managing Director at Morph IT Consulting. Based in Christchurch, New Zealand, Hamish has spent the last 25 years working with clients all over the world, mostly within Financial Services, to mature and perfect their business value based on DevOps philosophies.

Can you tell us a little about your background in Financial Services?

Throughout my career I’ve worked with banks and insurance companies, both as a direct employee and external consultant. When I started out, the biggest thing we had to focus on was nice safe deployments. The bank’s view was: ‘We’re going to deploy twice a year, practicing it as much as we can, then get 20 people around the screen and deploy it that way’. This worked sometimes, but often it was a mess. Since moving into consulting, I have mostly worked for organizations in Financial Services.

Insurance companies are interesting because they have a lot of regulations and strict controls, but they have to compete because they need people to buy their services. With a bank, we’re kind of locked in because they’ve got our money. Sure, we can change banks, but it’s a complicated process.

With insurance, however, it’s a very competitive market and easy for customers to transition between companies and policies. They provide a service, but there’s actually not much we need from them until something goes wrong. So, the insurance companies I’ve worked with are focused on how they can transform and stay ahead of their competitors.

What do you think is the biggest challenge facing the sector at the moment?

It’s all about governance and data. Across the sector there is governance around the whole lifecycle of not only products, but also the interactions within companies. You’ve got actuaries, data people, brokers, and the governance associated with where those people can look, and what they can see, has to be very strict.

This governance-focused mindset creates inherent silos because you need to define and divide access per role or per team. If there’s anything that you need from another department, you literally have to complete forms and get signoff. There are strong governance restrictions throughout the organization’s layers, like an onion, where some teams can only see the top layer, whereas others need access down in the core where everything runs.

Obviously, auditing forms part of the requirements for governance and strong security, but one of the things that happened with digital transformations was how to integrate with third parties because we can’t actually do everything ourselves.

There’s a new challenge of how we let those third parties into those onion layers of security we’ve built, without jeopardizing ourselves or ending up on the front page of the paper. There’s a subsequent need to balance governance and security without building silos across the organization.

The Finance, Insurance, and Banking sectors have historically been slow in adopting new technologies and processes. What do you think have been the consequences of that, particularly in your role?

At best you get left behind. When we look at the core tenets of what DevOps is about, it’s delivering value to our customers. If you’re a slow or non-adopter, you can’t deliver that value. Forget all the ones and zeros, rows and columns, and the stuff that data people care about. Customers don’t care about that; they want the value.

If you can’t deliver that value efficiently, over time you’re going to get left behind and ultimately go out of business. To succeed you’ve got to have two things: velocity to get that value to market, and a good, safe product or value. There’s no point delivering bugs quicker than you ever did before. That’s not the name of the game.

Digital transformations have been at the top of many CTO to-do lists across all sectors. Is this something you’re seeing within the Finance sector as well?

Back in 2020 when the pandemic hit, a lot changed within organizations. There’d been talk of digital transformation within companies for years, but the pandemic made it a priority. How do we enable people to work remotely? How do we engage with them remotely?

It was a huge mind shift, with many organizations suddenly implementing DevOps. After all, it’s not about replacing some monolithic hardware, it’s about transforming the way you use technology and how you deliver value to your customers. And that digital transformation needed to happen fast back then.

How often are you seeing the database being considered as part of digital transformations?

I think more now than it used to be. Data has come to the forefront because people have realized, due to the indiscretions of others, just how important it is to secure your data and the pivotal roles of governance and compliance.

One thing that companies do forget in digital transformations, and no one wants to do, is cultural transformation. There’s no point creating great new processes to make ones and zeros beautiful again without the cultural transformation – to succeed, you actually have to tie those together. After all, you can lead a horse to water, but you can’t make it drink.

When you’ve got people who are disengaged, where your CTO is rolling out digital transformation but the DBA is adamant that they are still deploying manually, nothing works. That doesn’t sound like the greatest digital transformation. You need to create an environment and culture where the whole business works collaboratively to achieve a shared goal. And what is that goal? It needs to be translatable, so that every single person can understand the mindset, where they fit in, and where they are marching towards that common goal of delivering value to customers.

Given the rise of cyberattacks across the sector in recent years, what would be your advice for someone tackling compliance and security in their database processes?

Both compliance and security are major concerns, but they can get in the way of software development. What we’re interested in is the delivery, but now you’ve got to do all this compliance stuff, and some companies think that DevOps, which is trying to break down the silos, is an actual risk to their security. People think that it will circumvent the security governance and regulatory controls.

But if we start embracing some of the tenets of DevOps like auditable infrastructure as code or auditable process delivery mechanisms, we start automating things, using source control. When we’re building these out and getting signoff, we actually have far more controls than we did before. We’re mitigating the security threat of DevOps by actually creating a faster delivery pipeline to deliver that value.

If I’m writing my infrastructure as code, it would then show that we put this new thing here that relates to risk assessment. You can literally add a comment within source control to show that you’ve mitigated that risk: it’s been addressed. And then through continuous integration and continuous delivery, you can show processes where that fits in.

In years gone by, whenever you deployed to production, you went to Change Approval boards, with a lawyer, because it was judge, jury and executioner. These days, Change Approval boards have morphed into more of a collaborative discussion where all the proof has already been done, because we have our audited source control changes.

I remember back in around 2016 I read an article from someone using Octopus Deploy, and it was a lightbulb moment for me because we used to fill out pages and pages of Word documents to show every change we had made. Now I literally had an HTML page automatically created that showed every change, when it was delivered, where it was delivered and how long it took.

There has been a rise of FinTech players entering the market who are quick to adopt new technologies and are able to adapt quickly to customer needs. How do you see this impacting across the industry, especially for larger, well-established organizations who have been slow to embrace DevOps?

They bring more appreciation of compliance and security stuff. If you’re a startup and you’re delivering the next greatest something, you will be accelerating so much but you will also build governance and security in from the start. Whereas established insurance companies and banks are all safety first and it takes them longer to pivot.

Again, it comes down to the tenet of what insurance companies and banks do: we trust them. We trust them both with our data, and our money. One of those is more important to us than the other, but they’re both vital things, so I think that there’s been more talk around the security.

We need to embrace security practices within our DevOps processes because these companies have made that step change and they’re bringing a different element. That element is addressing compliance, addressing governance, and addressing risk aspects, and I think that’s really helped the industry. We’re now collaborating together, because while the startups prompted this revolution, the big players are now allowing us to mature and build on it.

Next steps

For further insights, read the second post in this series, How DevOps is shaping Financial Services #2: The challenges in insurance.

You might also be interested in the insights revealed in Where Financial Services businesses should focus their digital transformation efforts in 2023, and the selection of resources on our Finance page.