In today’s rapidly evolving digital landscape, traditional security approaches are increasingly proving unsustainable for organizations managing complex threat environments.
According to Shawn McCarthy, vice president and chief architect for Global Architecture, Risk & Governance at financial services group Manulife, the shift toward more integrated security strategies is no longer optional — it’s imperative.
“Regulators today are no longer satisfied with frameworks, documentation, and audit validation alone,” McCarthy emphasised in a recent CIO analysis, citing a Deloitte banking outlook.
“They want tangible evidence, including end-to-end testing, as well as compliance program management that is baked into day-to-day operating processes.”
The transformation from reactive security gatekeeping to proactive risk enablement demands more than just technical controls. It requires a complete rethinking of how security is embedded throughout the software delivery lifecycle.
This shift, McCarthy argued, is not just about compliance but about aligning security with broader business objectives.
A key element of this approach is ‘Shift-Left’ security, which moves security considerations to the earliest stages of development.
“Rather than waiting until the end of a project to conduct security reviews, we integrate security at the requirements stage,” McCarthy explained.
This proactive stance helps organizations mitigate potential threats early, reducing costly rework and minimizing operational risks.
Security considerations
The reimagining of security from a mere compliance checkpoint to a business enabler is a central theme in McCarthy’s strategy.
“Security today must function as a trusted advisor, not a gatekeeper,” he asserted. This perspective is reinforced by a framework that prioritizes collaboration, automation, visibility, and prevention across all stages of software development.
Key areas of focus include secure coding practices and developer training, automated security testing within CI/CD pipelines, continuous monitoring and vulnerability management, and incident response and rapid recovery planning.
The cultural shift toward security as a business enabler also entails fostering collaboration between security, development, and operations teams.
“Embedding security expertise into development teams ensures that security isn’t an afterthought but a foundational element,” McCarthy stated.
For organisations transitioning to this integrated security model, measuring success is crucial. McCarthy emphasised that metrics should extend beyond traditional vulnerability counts to include broader indicators such as risk reduction, compliance readiness, and incident response efficacy.
“Effective security metrics provide actionable insights, enabling us to track progress and adjust strategies in real-time,” he explained.
For instance, metrics might include the percentage of projects with completed threat models before development, the reduction in post-release vulnerabilities, and the average time to remediate security findings.
Implementing a comprehensive security strategy requires a phased approach, McCarthy stressed.
Organisations should start by assessing their current security posture, identifying key areas for improvement, and establishing clear metrics for tracking progress, he argued.
From there, targeted pilot programs can demonstrate the value of integrated security practices, setting the stage for broader organizational adoption.
“Building a security-first culture is a long-term commitment,” McCarthy concluded.
“But by aligning security with business objectives and embedding it throughout the development lifecycle, organisations can not only reduce risk but also drive sustainable business value,” he said.