Revolutionizing security for a global service leader
A large service organization running complex, time-sensitive operations across multiple locations faced a daunting challenge. Its digital systems, handling high transaction volumes and sensitive data, needed strong security to stay reliable, meet regulations, and maintain customer trust. But outdated legacy systems, fragmented security efforts, and shifting compliance requirements left its digital operations at risk.
Challenge: A wake-up call for proactive security transformation
The organization faced a series of interrelated challenges that highlighted the urgent need for transformation:
A backlog of vulnerabilities: Years of unresolved security issues created a growing risk for critical systems.
Increasingly stringent PCI compliance: New regulations expanded the scope and pace of vulnerability management, covering all levels of severity.
Cultural and operational inertia: Shifting to a “security-left” approach required addressing ingrained practices and bridging the gap between security policies and daily operations.
Rapid adoption of AI tools: Without clear guidelines, technology like AI posed a potential security risk, adding complexity to an already challenging security landscape.
This scenario demanded not just immediate action, but a sustainable strategy to embed security into the organization’s culture, technology, and processes.
Solution: A partnership to redefine security culture and systems
The organization partnered with Thoughtworks to address these challenges through a dedicated, embedded Security Team. With expertise and a collaborative approach, the Security Team executed a multi-faceted plan:
Transformation initiatives:
1. Systematic vulnerability management:
- The team resolved over 1,000 vulnerabilities in just one year, drastically reducing the backlog by more than 70%.
- Leveraged tools like Dependabot and Veracode to ensure compliance with updated PCI DSS requirements.
2. Embedding a "security-left" mindset:
- Partnered directly with development squads to accelerate vulnerability resolution and foster a security-first culture.
- Over 100 “security champions” were cultivated across teams, acting as advocates and agents of change.
3. Proactive threat mitigation:
- Introduced threat modeling during the design phase, reducing risks before code was written.
- Strengthened cloud infrastructure security, aligning with best practices to address potential gaps.
4. Standardizing security tools and guidance:
- Established a consistent framework of mandatory and optional security tools, ensuring a unified approach to risk management.
- Provided clear, actionable guidelines for the secure adoption of emerging technologies like Microsoft Copilot.
5. Enhanced incident and risk management:
- Developed robust protocols for incident response, ensuring faster resolution and more effective communication during crises.
- Identified and acted on broader organizational risks, such as inconsistent password management, driving cross-enterprise improvements.
Outcome: Measurable results and lasting impact
The Security Team’s approach delivered tangible, wide-ranging benefits that positioned the organization for long-term success:
Vulnerability reduction:
Resolved over 1,079 critical, high, medium, and low-severity vulnerabilities, reducing risks and ensuring compliance with stringent PCI DSS SLA requirements.
Cultural transformation:
Empowered teams to proactively integrate security into their workflows, fostering ownership and reducing late-stage risks.
Improved compliance:
Achieved full PCI DSS compliance, mitigating potential financial, legal, and reputational risks.
Proactive AI adoption:
Offered comprehensive guidance on data security, enabling the safe use of AI tools without compromising sensitive information.
Broader organizational influence:
Shared best practices across the enterprise, fostering group-wide collaboration and preventing redundant efforts.
What’s next?
This security transformation in partnership with Thoughtworks represents more than operational resilience; it reflects a cultural evolution that embeds security into the very DNA of the organization. By fostering a proactive, collaborative approach, the organization is better equipped to adapt to future risks, leverage new technologies, and maintain trust with its stakeholders.
Embedding security into development isn't just about addressing risks; it’s about building trust and resilience from the ground up. This project demonstrates how proactive collaboration can transform security into a strategic advantage for any organization.