This blog is part 5 of a series of 7 on the results of our inaugural research report The State of DevOps in Financial Services.

Earlier this year Contino reached out to IT professionals in financial services to gain a greater understanding of innovation and DevOps in the industry.

We received responses from 165 professionals, ranging from engineers to CTOs working at a range of financial services organizations from FinTech startups and investment funds to insurance firms and the biggest global banks.

This culminated in our research report The State of DevOps in Financial Services.

For an introduction to our findings, check out an earlier article here. This blog series will take a closer at each chapter of the report in turn.

Today, we tackle the issue of how the security, compliance and risk are being handled in financial services.

Security, Compliance and Risk

Is Security a Challenge?

Security and compliance remain, as ever, a major bugbear of delivery teams. A sizeable majority (58%) of respondents find ensuring security and compliance “very” or “extremely” challenging. Only 4% find it a breeze.

Even those with self-reported DevOps maturity of five out of five find it “very” challenging (36%) or “challenging” (29%). Regulatory and compliance requirements have risen significantly over the last ten years. It seems that FSIs are struggling to cope with this regulatory burden on the one hand, and the pressure to innovate on the other.

Business Strategy

Interestingly, for a majority (55%), their business strategy has only changed “a little” or “somewhat” due to the rising tide of regulatory and compliance legislation that followed the financial crisis. This is despite the fact that addressing security and regulatory concerns is a major barrier to software delivery (see What Separates DevOps Ninjas from DevOps Laggards?) and the challenges that these clearly pose to rapid software delivery.

However, a significant portion of respondents had, in fact, changed direction “very much” (20%) or “significantly” (17%). Bizarrely, this seems to have made the situation worse: 63% find it “very” or “extremely” challenging to ensure security requirements. The strategic changes apparently leave major barriers to innovation outside of the scope of their remit!

Going Fast, But Staying Secure: DevSecOps and Compliance-as-Code

Fewer respondents use DevSecOps (30%) than do not (32%). Most, however, don’t actually know either way (38%)! This rather amazing fact suggests that security is a surprisingly unknown quantity within financial services organizations themselves. Exactly how it’s done and by whom is not clear to our respondents in their varied roles.

In terms of whether DevSecOps delivers, more respondents using DevSecOps can deliver in three months or less (22%) than those not using DevSecOps (12%). However, on average those that use DevSecOps don’t necessarily have a faster time-to-market than those without. They will, however, be more secure and have a much easier time when the auditors come round!

In terms of other important factors: DevSecOps practitioners are also more likely to have changed their business strategy as a result of the financial crisis (55% “very much” or “significantly”). Those not using DevSecOps are also much more likely to be on-premises (56% on-prem) than in the cloud.

Better security is correlated with public cloud usage. Their business strategy has mainly only changed “somewhat” (40%). They have less of the skills on average.

DevSecOps correlates with higher maturity and rapid release frequency as a result of changed business strategy, public cloud usage and having the right skills.

Compliance-as-code is only utilized by a fairly small percentage of organizations (18%). But these organizations have a very high DevOps maturity (27% rate themselves five, only 8% rate themselves one).

Confusion About Risk

How businesses calculate risk is a key determinant of their future competitive advantage, particularly regarding when and how to embark upon a paradigm shift such as DevOps.

A majority of respondents (36%) hold that DevOps and cloud are “very much” viewed as risky within their organization. Only 26% view DevOps and cloud as either “a little” or “not at all” risky, demonstrating that a large majority are apprehensive of DevOps and cloud.

These are stunning statistics that speak volumes about the mediocre state of innovation in modern financial services organizations.

This becomes clearer when filtered by organization size: 61% of enterprise respondents deem DevOps “very much” risky. Meanwhile 49% of SMEs (<100 employees) judge DevOps only “somewhat” or “not at all” risky. This confirms the conservative, laggard reputation of the modern financial services enterprise versus the comparative openness of smaller organizations.

Interestingly, a DevOps mindset is reported by most to be “very widespread”. This fact, combined with the earlier finding (see 3 Truths About Innovation in Financial Services) that the biggest barrier to innovation is a lack of leadership support, suggests a split between the leadership (who view DevOps as risky) and the wider organization who are very aware of DevOps ways of working.

According to this research, DevOps maturity is correlated with fast release times. This has been

confirmed in other research ( Despite this, these same

organizations that fear FinTech competition view DevOps and cloud as risky!

Amazingly, at the same time, organizations’ risk postures are deemed to mainly be “extremely”

appropriate (37%) or “very” appropriate (23%). If organizations think that their assessment

of the riskiness of cloud and DevOps is accurate (which appears to be the case), they will not see a need to change until it the competition are already far ahead.

It’s interesting that DevOps and cloud are seen as “very risky”, even though they are judged important to innovation (not to mention “widespread”) all while companies’ risk postures are deemed to be “extremely appropriate”?! There seems to be some considerable misunderstanding here.

FSIs are struggling to deal with the challenges that security and compliance pose, but deem the potential solutions too risky without much justification. Something’s going to give!



DevOps Insights Directly to Your Inbox!

Join thousands of your peers and subscribe to our best content, news, services and events.

Ben Saunders

VP, Consulting EMEA

More Articles by Ben