In the first part of this blog series, I wrote about the challenge of balancing resilience requirements and disaster recovery (DR) capabilities with the investments needed to support them. In this post, I’ll explore the challenges financial institutions face in building effective cybersecurity capabilities in a regulated environment, particularly as they operate across both cloud and on-premises infrastructures. I also share how these challenges can be addressed based on our experience.
Building cybersecurity capabilities in regulated, hybrid environments and understanding segregation of duties
Cybersecurity is undergoing constant change, driven by new market dynamics and increasingly sophisticated criminal activity. Financial institutions must not only protect customer data and services today but also stay ahead of future threats, and that adaptation needs to happen relatively fast. This is especially challenging in a hybrid environment, where legacy systems and cloud services coexist and success depends on both technology and close collaboration across many stakeholders.
One of the key benefits for financial institutions in adopting cloud services is the opportunity to significantly enhance cybersecurity. Cloud platforms offer advanced capabilities such as real-time monitoring, automated threat detection, policy enforcement, and centralised identity management, all of which can be extended across both cloud and on-premises environments. This enables a consistent and adaptive security posture even when legacy and modern systems coexist. Compared to traditional infrastructure, the cloud provides a more agile foundation for managing emerging threats, ensuring compliance, and reducing risk throughout the transition.
When working with financial institutions, it’s important to understand segregation of duties in the context of cybersecurity, because security is a shared responsibility that goes far beyond IT. It requires close collaboration between risk and compliance, business operations, and other key stakeholders to build a security posture that truly supports the entire organisation. Compliance functions guide and oversee operational teams, while internal audit ensures that all activities remain aligned with regulatory requirements. Because of this multi-layered structure, cybersecurity spans everything from hands-on operational controls to the creation of high-level security policies. Leading and coordinating this process effectively is essential for success.
Security policies must also guide development across all teams, ensuring that cybersecurity requirements are understood organisation-wide. Building cybersecurity capabilities should not be limited to technical experts; the entire organisation needs to strengthen its understanding of security and its role in it. Ownership of cybersecurity leadership is required from both the service provider and the client side, and strong collaboration is essential; a narrow focus on one’s own area is no longer enough. A broader, shared responsibility is needed to ensure secure development and operations in complex, connected environments.
Recommended approach in short
Cybersecurity is always a central part of the cloud journey: it shapes the planning, building, and operating of modern services. Building effective cybersecurity capabilities in the cloud starts with a solid understanding of industry-specific regulations (e.g. DORA), client security policies, and compliance requirements, and with embedding them into everyday operations from the start. This foundation is strengthened through cloud security governance, which becomes an integral part of all cloud development activities.
In addition, practices such as DevSecOps can be applied to embed security into the entire development lifecycle from day one. This approach ensures that security is not treated as an afterthought but as a default and foundational part of every solution delivered to the client.
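One concrete way to turn the two preceding points into practice, embedding governance policies into everyday operations and making security a default gate in the delivery pipeline, is policy-as-code: the security policy is expressed as rules, evaluated automatically against an inventory of cloud and on-premises resources, and allowed to block a deployment when a high-severity control is missing. The script below is an added illustration written for this post; it is not code from the original article or from any project or client mentioned in it. The resource inventory, the three rules, the attribute names and the severity levels are all constructed for the example, and a real implementation would source the inventory from the institution's configuration management or cloud asset discovery and the rules from its approved security policy.

```python
"""Policy-as-code gate for a hybrid (cloud + on-premises) asset inventory.

Added illustration only: the inventory, rules, attribute names and severities
below are constructed for this example, not taken from any real environment.
"""
import sys
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory, shaped the way a discovery or CMDB export might
# look: each resource records where it runs plus a few security-relevant attributes.
INVENTORY = [
    {"id": "db-payments-01", "env": "cloud", "type": "database",
     "encrypted_at_rest": True, "logging_enabled": True, "public": False},
    {"id": "db-legacy-core", "env": "on-prem", "type": "database",
     "encrypted_at_rest": False, "logging_enabled": True, "public": False},
    {"id": "admin-portal", "env": "cloud", "type": "web-app",
     "encrypted_at_rest": True, "logging_enabled": False, "public": True,
     "mfa_required": False},
    {"id": "ops-jump-host", "env": "on-prem", "type": "host",
     "encrypted_at_rest": True, "logging_enabled": True, "public": False,
     "mfa_required": True},
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    env: str
    rule: str
    severity: str  # "high" or "medium" in this example


@dataclass
class Rule:
    name: str
    severity: str
    applies_to: Callable[[dict], bool]  # does this rule cover the resource?
    compliant: Callable[[dict], bool]   # does the resource satisfy the rule?


# Hypothetical policy rules; in practice these map to the institution's
# approved security policy and the regulatory controls behind it.
RULES = [
    Rule("encryption-at-rest", "high",
         lambda r: r["type"] == "database",
         lambda r: r.get("encrypted_at_rest", False)),
    Rule("audit-logging", "medium",
         lambda r: True,
         lambda r: r.get("logging_enabled", False)),
    Rule("no-public-exposure-without-mfa", "high",
         lambda r: r.get("public", False),
         lambda r: r.get("mfa_required", False)),
]


def evaluate(inventory, rules=RULES):
    """Apply every rule to every resource it covers and return the findings."""
    findings = []
    for resource in inventory:
        for rule in rules:
            if rule.applies_to(resource) and not rule.compliant(resource):
                findings.append(Finding(resource["id"], resource["env"],
                                        rule.name, rule.severity))
    return findings


def gate(findings, block_on=("high",)):
    """True when the pipeline may proceed: no finding at a blocking severity."""
    return not any(f.severity in block_on for f in findings)


def summarise(findings):
    """Count findings per environment so cloud and on-prem gaps show side by side."""
    counts = {}
    for f in findings:
        counts[f.env] = counts.get(f.env, 0) + 1
    return counts


if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for f in found:
        print(f"[{f.severity.upper():6}] {f.env:8} {f.resource_id}: violates {f.rule}")
    print("findings per environment:", summarise(found))
    # A non-zero exit makes the CI job fail, so the policy blocks the deployment.
    sys.exit(0 if gate(found) else 1)
```

Run as a step in the delivery pipeline, the script fails the job whenever a high-severity rule is violated, which is what "security by default" means in practice: the policy decision is made by the same check for cloud and on-premises resources, every finding is attributable to a named rule that compliance and internal audit can review, and the per-environment summary shows where the legacy estate lags behind the cloud estate. Medium-severity findings are reported but do not block, which keeps the gate enforceable without stalling delivery over every minor gap; the `block_on` threshold is the place where risk and compliance functions decide how strict the gate should be.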
As important as technical capabilities and cloud adoption are for building advanced and effective cybersecurity, it’s equally critical to ensure that people stay aligned with the change. Organisations must continuously develop their security-related competencies to effectively implement cybersecurity capabilities and policies in practice, and to confidently lead their ongoing development. Without this human alignment, even the best technical solutions risk falling short of delivering the intended value and impact.
If you’re planning or already navigating your cloud journey, we’re happy to share what we’ve learned and support you in solving the toughest parts securely, pragmatically and in line with your regulatory environment. Don’t hesitate to contact me or Juuso Lehto.