Security transformation for a national financial services firm

The Challenge

A national financial services firm operating across 12 business units — including wealth management, insurance, and retail banking — had grown through acquisition, inheriting fragmented security practices with no unified framework. Each business unit ran its own tools, policies, and incident response procedures.

With APRA intensifying scrutiny under CPS 234 and the ACSC recommending Essential Eight as baseline, the board needed a comprehensive security transformation that could be delivered without disrupting customer-facing operations across any of the 12 units.

Our Approach

• Conducted maturity assessments across all 12 business units against Essential Eight and APRA CPS 234 requirements
• Identified common gaps and unit-specific risks, producing a prioritised remediation roadmap
• Designed a unified security architecture with centralised SIEM, identity governance, and policy enforcement
• Implemented in waves — starting with the highest-risk units and rolling out standardised controls progressively
• Established a security governance committee with representation from each business unit to ensure ongoing accountability
• Delivered training and awareness programs tailored to each unit's operational context

The Solution

We deployed a centralised security operations capability built on Microsoft Sentinel, with automated playbooks for common incident types. Zero-trust network architecture replaced the legacy perimeter model, with micro-segmentation between business units. Application whitelisting, automated patch management, MFA enforcement, and privileged access management were standardised across the entire organisation.

A unified GRC platform was implemented to provide real-time compliance dashboards for the board, automated evidence collection for auditors, and risk registers linked directly to operational controls.

Results & Impact

• Essential Eight maturity level 3 achieved across all 12 business units
• Full APRA CPS 234 compliance — confirmed by independent external audit
• 60% reduction in security incidents within the first six months
• Mean time to detect threats reduced from days to under 15 minutes
• Unified security posture and governance across the entire organisation for the first time